CVE-2019-6111

MEDIUM · EXPLOITED IN THE WILD · RANSOMWARE

OpenSSH < 7.9 - Arbitrary File Write via Malicious SCP Server

Exploitation Summary

CVE-2019-6111 has been observed exploited in the wild (reported by VulnCheck KEV and InTheWild.io), including in ransomware campaigns. EIP tracks 4 public exploits from researchers including Mark E. Haase, Harry Sintonen, and 53n7hu.

AI-analyzed exploit summary: This exploit demonstrates CVE-2019-6111 and CVE-2019-6110 in OpenSSH's SCP client by sending an additional malicious file (exploit.txt) and hiding its transfer using ANSI escape sequences. It sets up a fake SCP server that exploits vulnerable clients during file downloads.

Description

An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file).

Exploits (4)

exploitdb · WORKING POC
by Mark E. Haase · python · remote · multiple
https://www.exploit-db.com/exploits/46193

This exploit demonstrates CVE-2019-6111 and CVE-2019-6110 in OpenSSH's SCP client by sending an additional malicious file (exploit.txt) and hiding its transfer using ANSI escape sequences. It sets up a fake SCP server that exploits vulnerable clients during file downloads.

Classification: Working PoC 100%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: OpenSSH SCP client 7.6p1
Auth required
Prerequisites: Vulnerable OpenSSH SCP client · Network access to the target · Paramiko Python library
devstral-2 · analyzed Feb 16, 2026

exploitdb · WORKING POC
by Harry Sintonen · python · remote · multiple
https://www.exploit-db.com/exploits/46516

This exploit demonstrates CVE-2019-6110 and CVE-2019-6111 in OpenSSH's SCP client by creating a malicious SCP server that sends an additional file (exploit.txt) and hides the transfer using ANSI escape sequences. It leverages the SCP protocol's lack of proper validation to manipulate file transfers and terminal output.

Classification: Working PoC 100%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: OpenSSH client 7.6p1
Auth required
Prerequisites: Paramiko library · Python 3.6.7 · Vulnerable OpenSSH client
devstral-2 · analyzed Feb 18, 2026

nomisec · NO CODE · 4 stars
by 53n7hu · poc
https://github.com/53n7hu/SNP

nomisec · WRITEUP
by mbadanoiu · poc
https://github.com/mbadanoiu/MAL-008

This repository documents CVE-2019-6111, an SSH client vulnerability in Cisco SD-WAN v20.4.2.1 that allows file overwrite via malicious SSH servers, potentially leading to RCE. It references external PoCs and requires MITM or social engineering.

Classification: Writeup 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Theoretical
Target: Cisco SD-WAN v20.4.2.1
No auth needed
Prerequisites: SSH MITM position · Victim connection to malicious SSH server
devstral-2 · analyzed Feb 16, 2026

References (23)

Core References
Third Party Advisory vendor-advisory
https://www.debian.org/security/2019/dsa-4387
Broken Link, Third Party Advisory, VDB Entry vdb-entry
http://www.securityfocus.com/bid/106741
Third Party Advisory vendor-advisory
https://usn.ubuntu.com/3885-1/
Third Party Advisory vendor-advisory
https://usn.ubuntu.com/3885-2/
Exploit, Third Party Advisory, VDB Entry exploit
https://www.exploit-db.com/exploits/46193/
Third Party Advisory vendor-advisory
https://security.gentoo.org/glsa/201903-16
Mailing List, Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2019/03/msg00030.html
Mailing List, Third Party Advisory mailing-list
http://www.openwall.com/lists/oss-security/2019/04/18/1
Third Party Advisory vendor-advisory
https://access.redhat.com/errata/RHSA-2019:3702
Mailing List, Third Party Advisory mailing-list
http://www.openwall.com/lists/oss-security/2022/08/02/1
Exploit, Issue Tracking, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1677794

Scores

CVSS v3 5.9
EPSS 0.5820
EPSS Percentile 99.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

VulnCheck KEV 2020-11-02
InTheWild.io 2022-05-25
Ransomware Use Confirmed
CWE CWE-22
Status published
Products (32)
apache/mina_sshd 2.2.0
canonical/ubuntu_linux 14.04
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 18.04
canonical/ubuntu_linux 18.10
debian/debian_linux 8.0
debian/debian_linux 9.0
fedoraproject/fedora 30
freebsd/freebsd 12.0 (4 CPE variants)
freebsd/freebsd < 12.0
... and 22 more
Published Jan 31, 2019
Tracked Since Feb 18, 2026