CVE-2019-6110

MEDIUM · EXPLOITED IN THE WILD · RANSOMWARE

OpenSSH < 7.9 - Terminal Output Manipulation via ANSI Control Codes


Exploitation Summary

CVE-2019-6110 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io), including in ransomware campaigns. EIP tracks 2 public exploits from researchers including Mark E. Haase.

AI-analyzed exploit summary: This exploit demonstrates CVE-2019-6111 and CVE-2019-6110 in OpenSSH's SCP client by sending an additional malicious file (exploit.txt) and hiding its transfer using ANSI escape sequences. It sets up a fake SCP server that exploits vulnerable clients during file downloads.

Description

In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred.

Exploits (2)

exploitdb WORKING POC
by Mark E. Haase · python · remote · multiple
https://www.exploit-db.com/exploits/46193

This exploit demonstrates CVE-2019-6111 and CVE-2019-6110 in OpenSSH's SCP client by sending an additional malicious file (exploit.txt) and hiding its transfer using ANSI escape sequences. It sets up a fake SCP server that exploits vulnerable clients during file downloads.

Classification: Working PoC 100%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: OpenSSH SCP client 7.6p1
Auth required
Prerequisites: Vulnerable OpenSSH SCP client · Network access to the target · Paramiko Python library
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
python · remote · multiple
https://www.exploit-db.com/exploits/46516

This exploit demonstrates CVE-2019-6110 and CVE-2019-6111 by creating a malicious SCP server that sends an additional file (exploit.txt) and hides the transfer using ANSI escape sequences. It leverages the SCP client's improper handling of file transfers and stderr output.

Classification: Working PoC 100%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: OpenSSH client 7.6p1
Auth required
Prerequisites: Vulnerable OpenSSH client · Network access to the malicious SCP server
devstral-2 · analyzed Feb 19, 2026

Scores

CVSS v3: 6.8
EPSS: 0.2091
EPSS Percentile: 97.2%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total

Details

VulnCheck KEV: 2020-07-19
InTheWild.io: 2022-05-25
Ransomware Use: Confirmed
CWE: CWE-838
Status: published
Products (7)
netapp/element_software
netapp/ontap_select_deploy
netapp/storage_automation_store
openbsd/openssh < 7.9
siemens/scalance_x204rna_eec_firmware < 3.2.7
siemens/scalance_x204rna_firmware < 3.2.7
winscp/winscp < 5.13
Published: Jan 31, 2019
Tracked Since: Feb 18, 2026