CVE-2020-15778

HIGH

OpenSSH <= 8.3p1 - OS Command Injection via scp Destination Argument

Title source: llm

Exploitation Summary

EIP tracks 5 public exploits for CVE-2020-15778. PoCs published by cpandya2909, Neko-chanQwQ, yifanzhg.

AI-analyzed exploit summary This is a writeup describing CVE-2020-15778, an authenticated command injection vulnerability in OpenSSH's scp utility (versions <= 8.3p1). The vulnerability allows remote command execution via crafted filenames due to improper sanitization in the scp command construction.

Description

scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that could "stand a great chance of breaking existing workflows."

Exploits (5)

nomisec WRITEUP 144 stars

by cpandya2909 · poc

https://github.com/cpandya2909/CVE-2020-15778

View Code ZIP pw:eip

This is a writeup describing CVE-2020-15778, an authenticated command injection vulnerability in OpenSSH's scp utility (versions <= 8.3p1). The vulnerability allows remote command execution via crafted filenames due to improper sanitization in the scp command construction.

Classification

Writeup 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: OpenSSH scp <= 8.3p1

Auth required

Prerequisites: Valid SSH/SCP credentials · Access to a vulnerable OpenSSH scp version

MITRE ATT&CK

T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 37 stars

by Neko-chanQwQ · poc

https://github.com/Neko-chanQwQ/CVE-2020-15778-Exploit

View Code ZIP pw:eip

This repository contains a Python-based exploit for CVE-2020-15778, targeting OpenSSH. The exploit generates a reverse shell payload and uses SCP to transfer and execute it on the target system. The updated version includes host status checking via nmap.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: OpenSSH (specific version not specified)

Auth required

Prerequisites: Valid credentials for SCP access · Network access to the target · Netcat listener set up on attacker's machine

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 3 stars

by yifanzhg · poc

https://github.com/yifanzhg/CVE-2020-15778

View Code ZIP pw:eip

This repository provides a proof-of-concept for CVE-2020-15778, a command injection vulnerability in SCP clients. It uses Docker containers to simulate an SCP server and client, demonstrating how arbitrary commands can be injected via the SCP protocol.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: SCP clients (e.g., OpenSSH SCP)

Auth required

Prerequisites: Docker installed · Network access to the target SCP server · Valid credentials for the SCP server

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec SCANNER 2 stars

by drackyjr · poc

https://github.com/drackyjr/CVE-2020-15778-SCP-Command-Injection-Check

View Code ZIP pw:eip

This repository contains a Bash script that checks if the installed SCP version is vulnerable to CVE-2020-15778, a command injection vulnerability in OpenSSH SCP. It also allows users to test input strings for unsafe patterns like backticks.

Classification

Scanner 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: OpenSSH SCP versions ≤ 8.3p1

No auth needed

Prerequisites: Access to a system with SCP installed

MITRE ATT&CK

T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

inthewild WORKING POC

poc

https://github.com/neko2sh1ro/cve-2020-15778-exploit

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2020-15778, an OpenSSH vulnerability. The exploit uses SCP to transfer a malicious shell script to the target system and execute it, resulting in a reverse shell.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: OpenSSH (versions affected by CVE-2020-15778)

Auth required

Prerequisites: valid credentials for SCP access · netcat listener set up on attacker's machine

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 23, 2026 Full analysis →

References (6)

Core 6

Core References

Third Party Advisory vendor-advisory

https://security.gentoo.org/glsa/202212-06

Third Party Advisory

https://access.redhat.com/errata/RHSA-2024:3166

Exploit, Third Party Advisory

https://github.com/cpandya2909/CVE-2020-15778/

View Exploit ZIP pw:eip

Third Party Advisory

https://news.ycombinator.com/item?id=25005567

Third Party Advisory

https://security.netapp.com/advisory/ntap-20200731-0007/

Vendor Advisory

https://www.openssh.com/security.html

Scores

CVSS v3 7.4

EPSS 0.6428

EPSS Percentile 98.5%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-78

Status published

Products (10)

broadcom/fabric_operating_system

netapp/a700s_firmware

netapp/active_iq_unified_manager 9.5

netapp/hci_compute_node

netapp/hci_management_node

netapp/hci_storage_node

netapp/solidfire

netapp/steelstore_cloud_integrated_storage

openbsd/openssh 8.3 (2 CPE variants)

openbsd/openssh < 8.3

Published Jul 24, 2020

Tracked Since Feb 18, 2026