SUSE update for openssh

1) OS Command Injection

EUVDB-ID: #VU116882

Risk: Low

CVSSv4.0: 0.2 [CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2025-61984

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper validation of control characters in usernames obtained from an untrusted source (such as command line and %-sequence expansion of a configuration file). A remote attacker can trick the victim into initiating an ssh connection using a specially crafted configuration file and execute arbitrary shell commands on the system. 

This vulnerability affects ssh client command and does not affect the sshd daemon. 

Mitigation

Update the affected package openssh to the latest version.

Vulnerable software versions

SUSE Manager Server 4.3: LTS

SUSE Manager Retail Branch Server 4.3: LTS

SUSE Manager Proxy 4.3: LTS

SUSE Linux Enterprise High Performance Computing LTSS 15: SP3 - SP5

SUSE Linux Enterprise High Performance Computing ESPOS 15: SP4 - SP5

SUSE Linux Enterprise Server 15 SP5: LTSS

SUSE Linux Enterprise Server 15 SP3: LTSS

SUSE Linux Enterprise Server 15 SP4: LTSS

SUSE Linux Enterprise Micro: 5.2 - 5.5

SUSE Linux Enterprise Micro for Rancher: 5.2 - 5.4

SUSE Linux Enterprise Server for SAP Applications 15: SP3 - SP5

SUSE Linux Enterprise Server 15: SP3 - SP5

SUSE Linux Enterprise High Performance Computing 15: SP3 - SP5

SUSE Enterprise Storage: 7.1

SUSE Manager Retail Branch Server: 4.3

SUSE Manager Server: 4.3

SUSE Manager Proxy: 4.3

openSUSE Leap: 15.3

openssh-cavs: before 8.4p1-150300.3.57.1

openssh-cavs-debuginfo: before 8.4p1-150300.3.57.1

openssh-askpass-gnome-debuginfo: before 8.4p1-150300.3.57.1

openssh-askpass-gnome-debugsource: before 8.4p1-150300.3.57.1

openssh-askpass-gnome: before 8.4p1-150300.3.57.1

openssh: before 8.4p1-150300.3.57.1

openssh-common: before 8.4p1-150300.3.57.1

openssh-helpers: before 8.4p1-150300.3.57.1

openssh-clients: before 8.4p1-150300.3.57.1

openssh-server: before 8.4p1-150300.3.57.1

openssh-fips: before 8.4p1-150300.3.57.1

openssh-clients-debuginfo: before 8.4p1-150300.3.57.1

openssh-common-debuginfo: before 8.4p1-150300.3.57.1

openssh-server-debuginfo: before 8.4p1-150300.3.57.1

openssh-debuginfo: before 8.4p1-150300.3.57.1

openssh-helpers-debuginfo: before 8.4p1-150300.3.57.1

openssh-debugsource: before 8.4p1-150300.3.57.1

CPE2.3

• cpe:2.3:o:suse:suse_manager_server_4_3:LTS:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_manager_retail_branch_server_4_3:LTS:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_manager_proxy_4_3:LTS:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_ltss_15:SP3:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_ltss_15:SP4:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_ltss_15:SP5:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_espos_15:SP4:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_espos_15:SP5:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server_15_sp5:LTSS:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server_15_sp3:LTSS:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server_15_sp4:LTSS:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_micro:5.2:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_micro_for_rancher:5.2:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_15:SP3:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server_15:SP3:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_15:SP3:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_enterprise_storage:7.1:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_manager_retail_branch_server:4.3:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_manager_server:4.3:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_manager_proxy:4.3:*:*:*:*:*:*:*
• cpe:2.3:o:suse:opensuse_leap:15.3:*:*:*:*:*:*:*
• cpe:2.3:a:suse:openssh-cavs:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:openssh-cavs-debuginfo:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:openssh-askpass-gnome-debuginfo:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:openssh-askpass-gnome-debugsource:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:openssh-askpass-gnome:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:openssh:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:openssh-common:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:openssh-helpers:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:openssh-clients:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:openssh-server:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:openssh-fips:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:openssh-clients-debuginfo:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:openssh-common-debuginfo:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:openssh-server-debuginfo:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:openssh-debuginfo:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:openssh-helpers-debuginfo:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:openssh-debugsource:*:*:*:*:*:suse_linux:*:*

External links

https://www.suse.com/support/update/announcement/2025/suse-su-20254112-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper Neutralization of Null Byte or NUL Character

EUVDB-ID: #VU116883

Risk: Low

CVSSv4.0: 0.2 [CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2025-61985

CWE-ID: CWE-158 - Improper Neutralization of Null Byte or NUL Character

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary OS commands on the system.

The vulnerability exists due to incorrect handling of the nullbyte character in an ssh:// URI if a ProxyCommand that uses the %r expansion was configured. A remote attacker can trick the victim into using a specially crafted ssh command to connect to a remote server and execute arbitrary OS commands on the system.

This vulnerability affects ssh client command and does not affect the sshd daemon. 

Mitigation

Update the affected package openssh to the latest version.

Vulnerable software versions

SUSE Manager Server 4.3: LTS

SUSE Manager Retail Branch Server 4.3: LTS

SUSE Manager Proxy 4.3: LTS

SUSE Linux Enterprise High Performance Computing LTSS 15: SP3 - SP5

SUSE Linux Enterprise High Performance Computing ESPOS 15: SP4 - SP5

SUSE Linux Enterprise Server 15 SP5: LTSS

SUSE Linux Enterprise Server 15 SP3: LTSS

SUSE Linux Enterprise Server 15 SP4: LTSS

SUSE Linux Enterprise Micro: 5.2 - 5.5

SUSE Linux Enterprise Micro for Rancher: 5.2 - 5.4

SUSE Linux Enterprise Server for SAP Applications 15: SP3 - SP5

SUSE Linux Enterprise Server 15: SP3 - SP5

SUSE Linux Enterprise High Performance Computing 15: SP3 - SP5

SUSE Enterprise Storage: 7.1

SUSE Manager Retail Branch Server: 4.3

SUSE Manager Server: 4.3

SUSE Manager Proxy: 4.3

openSUSE Leap: 15.3

openssh-cavs: before 8.4p1-150300.3.57.1

openssh-cavs-debuginfo: before 8.4p1-150300.3.57.1

openssh-askpass-gnome-debuginfo: before 8.4p1-150300.3.57.1

openssh-askpass-gnome-debugsource: before 8.4p1-150300.3.57.1

openssh-askpass-gnome: before 8.4p1-150300.3.57.1

openssh: before 8.4p1-150300.3.57.1

openssh-common: before 8.4p1-150300.3.57.1

openssh-helpers: before 8.4p1-150300.3.57.1

openssh-clients: before 8.4p1-150300.3.57.1

openssh-server: before 8.4p1-150300.3.57.1

openssh-fips: before 8.4p1-150300.3.57.1

openssh-clients-debuginfo: before 8.4p1-150300.3.57.1

openssh-common-debuginfo: before 8.4p1-150300.3.57.1

openssh-server-debuginfo: before 8.4p1-150300.3.57.1

openssh-debuginfo: before 8.4p1-150300.3.57.1

openssh-helpers-debuginfo: before 8.4p1-150300.3.57.1

openssh-debugsource: before 8.4p1-150300.3.57.1

CPE2.3

• cpe:2.3:o:suse:suse_manager_server_4_3:LTS:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_manager_retail_branch_server_4_3:LTS:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_manager_proxy_4_3:LTS:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_ltss_15:SP3:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_ltss_15:SP4:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_ltss_15:SP5:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_espos_15:SP4:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_espos_15:SP5:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server_15_sp5:LTSS:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server_15_sp3:LTSS:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server_15_sp4:LTSS:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_micro:5.2:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_micro_for_rancher:5.2:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_15:SP3:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server_15:SP3:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_15:SP3:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_enterprise_storage:7.1:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_manager_retail_branch_server:4.3:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_manager_server:4.3:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_manager_proxy:4.3:*:*:*:*:*:*:*
• cpe:2.3:o:suse:opensuse_leap:15.3:*:*:*:*:*:*:*
• cpe:2.3:a:suse:openssh-cavs:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:openssh-cavs-debuginfo:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:openssh-askpass-gnome-debuginfo:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:openssh-askpass-gnome-debugsource:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:openssh-askpass-gnome:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:openssh:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:openssh-common:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:openssh-helpers:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:openssh-clients:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:openssh-server:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:openssh-fips:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:openssh-clients-debuginfo:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:openssh-common-debuginfo:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:openssh-server-debuginfo:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:openssh-debuginfo:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:openssh-helpers-debuginfo:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:openssh-debugsource:*:*:*:*:*:suse_linux:*:*

External links

https://www.suse.com/support/update/announcement/2025/suse-su-20254112-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.