CVE-2023-38408
OpenSSH SSH-Agent Remote Code Execution via Insufficient Trust in Search Path
Description
The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.
INFO
Published Date: July 20, 2023, 3:15 a.m.
Last Modified: Nov. 21, 2024, 8:13 a.m.
Remotely Exploitable: Yes
Source: [email protected]
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| | CVSS 3.1 | CRITICAL | | | | [email protected] |
| | CVSS 3.1 | CRITICAL | | | | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
Solution
- Update OpenSSH to version 9.3p2 or later.
- Update the affected packages based on vendor guidance.
Public PoC/Exploit Available at Github
CVE-2023-38408 has 146 public PoCs/exploits available on GitHub.
We scan GitHub repositories to detect new proof-of-concept exploits. The following list is a collection of public exploits and proofs of concept published on GitHub (sorted by most recently updated).
Advanced network vulnerability scanner — multi-threaded TCP port scanner, banner grabbing, 30+ service signatures, 22+ embedded CVEs, live NVD API integration, and auto-generated triage reports. Pure Python 3, zero dependencies. Educational & authorized testing only.
Python
Modular async port scanner with ML-powered prioritization, CVE detection, and OS fingerprinting — built for Red Teams and security researchers
asyncio bugbounty cve-detection cybersecurity ethical-hacking infosec machine-learning networking offensive-security osint penetration-testing port portscanner python reconnaissance red-team scapy security-tools vulnerability-scanner
Python Batchfile Shell Dockerfile
Build a Python/Bash tool that chains Nmap → Shodan API → vulnerability lookup automatically.
Python
None
GhostVenumAI Final Edition — Defensive AI network analysis platform with autonomous Claude agents, enterprise compliance (ISO 27001, DSGVO, BSI) and encrypted vault
Python Shell CSS JavaScript HTML
None
Python
VulnScope — Vulnerability Intelligence Platform
Dockerfile HTML
A professional Python desktop tool for network vulnerability assessment — banner grabbing, service detection, CVE matching, NVD API lookup, and triage reporting in a dark-themed GUI. For educational and authorized testing only.
Python
Built to understand what a real SOC analyst sees day-to-day — monitors live network traffic, auto-creates incidents, scans CVEs via NVD, and maps detections to MITRE ATT&CK. Python/Flask backend with AbuseIPDB + URLhaus threat feeds. Hands-on network security, incident response, and log analysis.
HTML Python
try hack me room solutions
None
Python HTML
Defensive network analysis tool with autonomous AI agents (Claude + OpenAI). Nmap scanning, CVE lookup via NVD, automated remediation reports. Web GUI + CLI.
Python CSS JavaScript HTML
Network Reconnaissance & Vulnerability Scanner — Recon • Port Scan • CVE Detection
claude-ai vulnerability-scanners custom-network-scanner
Python
None
Shell
None
Python
Results are limited to the first 15 repositories due to potential performance issues.
The following news articles mention the CVE-2023-38408 vulnerability anywhere in the article.
- Daily CyberSecurity
  A Single Line of Code: Pre-Auth OpenSSH Flaw Exposes Ubuntu and Debian Servers
  A flaw has been found in the machinery of OpenSSH. Security researcher Jeremy Brown recently uncovered a critical vulnerability lurking within the GSSAPI Key Exchange patch, a popular modification man ...
- Daily CyberSecurity
  Industrial Alert: Critical Auth Bypass (CVSS 9.2) Hits Moxa Switches
  Industrial networking giant Moxa has issued a high-severity security advisory urging customers to patch a wide range of Ethernet switches against a critical authentication bypass vulnerability. The fl ...
- CybersecurityNews
  Critical OpenSSH Vulnerability Exposes Moxa Ethernet Switches to Remote Code Execution
  Moxa has issued a critical security advisory regarding CVE-2023-38408, a severe vulnerability in OpenSSH affecting multiple Ethernet switch models. The flaw, with a CVSS 3.1 score of 9.8, allows unaut ...
- Daily CyberSecurity
  Critical Alert: Moxa Switches Exposed to OpenSSH Remote Code Execution (CVSS 9.8)
  A critical security vulnerability has been identified in Moxa’s industrial ethernet switches, threatening the integrity of operational technology (OT) networks. The vulnerability, tracked as CVE-2023- ...
- Help Net Security
  Energy companies are blind to thousands of exposed services
  Many of America’s largest energy providers are exposed to known and exploitable vulnerabilities, and most security teams may not even see them, according to a new report from SixMap. Researchers asses ...
- TheCyberThrone
  CVE-2025-32433 impacts Erlang/OTP
  The CVE-2025-32433 vulnerability, identified in the Erlang/OTP SSH library, is a severe remote code execution (RCE) flaw that allows unauthenticated attackers to execute arbitrary commands during SSH ...
- InfoSec Write-ups
  HTB — Busqueda
  About the machine: Busqueda is an Easy Difficulty Linux machine that involves exploiting a command injection vulnerability present in a Python module. By l ...
- Cyber Security News
  Technical Analysis Published for OpenSSH’s Agent Forwarding RCE Vulnerability
  Security researchers have published a detailed technical analysis of a critical remote code execution (RCE) vulnerability (CVE-2023-38408) in OpenSSH’s agent forwarding feature that was disclosed in J ...
- Dark Reading
  Targeted by Ransomware, Middle East Banks Shore Up Security
  Banks and financial services firms across the Middle East weathered simulated attacks at the fourth annual Cyber Wargaming exercise in the United Arab Emirates last w ...
- The Register
  QNAP and Veritas dump 30-plus vulns over the weekend
  Taiwanese NAS maker QNAP addressed 24 vulnerabilities across various products over the weekend. The flaws include two critical and nine "high" severity vulnerabilities, potentially resulting in code e ...
The following table lists the changes that have been made to the
CVE-2023-38408 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
- CVE Modified by af854a3a-2127-422b-91ae-364da2661108
  Nov. 21, 2024

  | Action | Type | Old Value | New Value |
  |---|---|---|---|
  | Added | Reference | | http://packetstormsecurity.com/files/173661/OpenSSH-Forwarded-SSH-Agent-Remote-Code-Execution.html |
  | Added | Reference | | http://www.openwall.com/lists/oss-security/2023/07/20/1 |
  | Added | Reference | | http://www.openwall.com/lists/oss-security/2023/07/20/2 |
  | Added | Reference | | http://www.openwall.com/lists/oss-security/2023/09/22/11 |
  | Added | Reference | | http://www.openwall.com/lists/oss-security/2023/09/22/9 |
  | Added | Reference | | https://blog.qualys.com/vulnerabilities-threat-research/2023/07/19/cve-2023-38408-remote-code-execution-in-opensshs-forwarded-ssh-agent |
  | Added | Reference | | https://github.com/openbsd/src/commit/7bc29a9d5cd697290aa056e94ecee6253d3425f8 |
  | Added | Reference | | https://github.com/openbsd/src/commit/f03a4faa55c4ce0818324701dadbf91988d7351d |
  | Added | Reference | | https://github.com/openbsd/src/commit/f8f5a6b003981bb824329dc987d101977beda7ca |
  | Added | Reference | | https://lists.debian.org/debian-lts-announce/2023/08/msg00021.html |
  | Added | Reference | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CEBTJJINE2I3FHAUKKNQWMFGYMLSMWKQ/ |
  | Added | Reference | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RAXVQS6ZYTULFAK3TEJHRLKZALJS3AOU/ |
  | Added | Reference | | https://news.ycombinator.com/item?id=36790196 |
  | Added | Reference | | https://security.gentoo.org/glsa/202307-01 |
  | Added | Reference | | https://security.netapp.com/advisory/ntap-20230803-0010/ |
  | Added | Reference | | https://support.apple.com/kb/HT213940 |
  | Added | Reference | | https://www.openssh.com/security.html |
  | Added | Reference | | https://www.openssh.com/txt/release-9.3p2 |
  | Added | Reference | | https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt |
  | Added | Reference | | https://www.vicarius.io/vsociety/posts/exploring-opensshs-agent-forwarding-rce-cve-2023-38408 |
- CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
  Oct. 15, 2024

  | Action | Type | Old Value | New Value |
  |---|---|---|---|
  | Added | CWE | | CISA-ADP CWE-428 |
  | Added | CVSS V3.1 | | CISA-ADP AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
- CVE Modified by [email protected]
  May. 14, 2024

  | Action | Type | Old Value | New Value |
  |---|---|---|---|

- CVE Modified by [email protected]
  Apr. 04, 2024

  | Action | Type | Old Value | New Value |
  |---|---|---|---|
  | Added | Reference | | MITRE https://www.vicarius.io/vsociety/posts/exploring-opensshs-agent-forwarding-rce-cve-2023-38408 [No types assigned] |

- CVE Modified by [email protected]
  Dec. 22, 2023

  | Action | Type | Old Value | New Value |
  |---|---|---|---|
  | Added | Reference | | MITRE https://support.apple.com/kb/HT213940 [No types assigned] |

- CVE Modified by [email protected]
  Nov. 07, 2023

  | Action | Type | Old Value | New Value |
  |---|---|---|---|
  | Added | Reference | | MITRE https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RAXVQS6ZYTULFAK3TEJHRLKZALJS3AOU/ [No types assigned] |
  | Added | Reference | | MITRE https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CEBTJJINE2I3FHAUKKNQWMFGYMLSMWKQ/ [No types assigned] |
  | Removed | Reference | MITRE https://lists.fedoraproject.org/archives/list/[email protected]/message/RAXVQS6ZYTULFAK3TEJHRLKZALJS3AOU/ | |
  | Removed | Reference | MITRE https://lists.fedoraproject.org/archives/list/[email protected]/message/CEBTJJINE2I3FHAUKKNQWMFGYMLSMWKQ/ | |

- CVE Modified by [email protected]
  Sep. 23, 2023

  | Action | Type | Old Value | New Value |
  |---|---|---|---|
  | Added | Reference | | http://www.openwall.com/lists/oss-security/2023/09/22/11 [No Types Assigned] |

- CVE Modified by [email protected]
  Sep. 22, 2023

  | Action | Type | Old Value | New Value |
  |---|---|---|---|
  | Added | Reference | | http://www.openwall.com/lists/oss-security/2023/09/22/9 [No Types Assigned] |

- CVE Modified by [email protected]
  Aug. 17, 2023

  | Action | Type | Old Value | New Value |
  |---|---|---|---|
  | Added | Reference | | https://lists.debian.org/debian-lts-announce/2023/08/msg00021.html [No Types Assigned] |

- CVE Modified by [email protected]
  Aug. 03, 2023

  | Action | Type | Old Value | New Value |
  |---|---|---|---|
  | Added | Reference | | https://security.netapp.com/advisory/ntap-20230803-0010/ [No Types Assigned] |
- Initial Analysis by [email protected]
  Jul. 31, 2023

  | Action | Type | Old Value | New Value |
  |---|---|---|---|
  | Added | CVSS V3.1 | | NIST AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
  | Changed | Reference Type | http://packetstormsecurity.com/files/173661/OpenSSH-Forwarded-SSH-Agent-Remote-Code-Execution.html No Types Assigned | http://packetstormsecurity.com/files/173661/OpenSSH-Forwarded-SSH-Agent-Remote-Code-Execution.html Exploit, Third Party Advisory, VDB Entry |
  | Changed | Reference Type | http://www.openwall.com/lists/oss-security/2023/07/20/1 No Types Assigned | http://www.openwall.com/lists/oss-security/2023/07/20/1 Exploit, Mailing List, Third Party Advisory |
  | Changed | Reference Type | http://www.openwall.com/lists/oss-security/2023/07/20/2 No Types Assigned | http://www.openwall.com/lists/oss-security/2023/07/20/2 Mailing List, Third Party Advisory |
  | Changed | Reference Type | https://blog.qualys.com/vulnerabilities-threat-research/2023/07/19/cve-2023-38408-remote-code-execution-in-opensshs-forwarded-ssh-agent No Types Assigned | https://blog.qualys.com/vulnerabilities-threat-research/2023/07/19/cve-2023-38408-remote-code-execution-in-opensshs-forwarded-ssh-agent Third Party Advisory |
  | Changed | Reference Type | https://github.com/openbsd/src/commit/7bc29a9d5cd697290aa056e94ecee6253d3425f8 No Types Assigned | https://github.com/openbsd/src/commit/7bc29a9d5cd697290aa056e94ecee6253d3425f8 Patch |
  | Changed | Reference Type | https://github.com/openbsd/src/commit/f03a4faa55c4ce0818324701dadbf91988d7351d No Types Assigned | https://github.com/openbsd/src/commit/f03a4faa55c4ce0818324701dadbf91988d7351d Patch |
  | Changed | Reference Type | https://github.com/openbsd/src/commit/f8f5a6b003981bb824329dc987d101977beda7ca No Types Assigned | https://github.com/openbsd/src/commit/f8f5a6b003981bb824329dc987d101977beda7ca Patch |
  | Changed | Reference Type | https://lists.fedoraproject.org/archives/list/[email protected]/message/CEBTJJINE2I3FHAUKKNQWMFGYMLSMWKQ/ No Types Assigned | https://lists.fedoraproject.org/archives/list/[email protected]/message/CEBTJJINE2I3FHAUKKNQWMFGYMLSMWKQ/ Mailing List |
  | Changed | Reference Type | https://lists.fedoraproject.org/archives/list/[email protected]/message/RAXVQS6ZYTULFAK3TEJHRLKZALJS3AOU/ No Types Assigned | https://lists.fedoraproject.org/archives/list/[email protected]/message/RAXVQS6ZYTULFAK3TEJHRLKZALJS3AOU/ Mailing List |
  | Changed | Reference Type | https://news.ycombinator.com/item?id=36790196 No Types Assigned | https://news.ycombinator.com/item?id=36790196 Issue Tracking, Patch |
  | Changed | Reference Type | https://security.gentoo.org/glsa/202307-01 No Types Assigned | https://security.gentoo.org/glsa/202307-01 Third Party Advisory |
  | Changed | Reference Type | https://www.openssh.com/security.html No Types Assigned | https://www.openssh.com/security.html Vendor Advisory |
  | Changed | Reference Type | https://www.openssh.com/txt/release-9.3p2 No Types Assigned | https://www.openssh.com/txt/release-9.3p2 Release Notes |
  | Changed | Reference Type | https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt No Types Assigned | https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt Exploit, Third Party Advisory |
  | Added | CWE | | NIST CWE-428 |
  | Added | CPE Configuration | | OR *cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:* versions up to (excluding) 9.3 *cpe:2.3:a:openbsd:openssh:9.3:-:*:*:*:*:*:* *cpe:2.3:a:openbsd:openssh:9.3:p1:*:*:*:*:*:* |
  | Added | CPE Configuration | | OR *cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:* *cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:* |
- CVE Modified by [email protected]
  Jul. 28, 2023

  | Action | Type | Old Value | New Value |
  |---|---|---|---|
  | Added | Reference | | https://lists.fedoraproject.org/archives/list/[email protected]/message/CEBTJJINE2I3FHAUKKNQWMFGYMLSMWKQ/ [No Types Assigned] |

- CVE Modified by [email protected]
  Jul. 23, 2023

  | Action | Type | Old Value | New Value |
  |---|---|---|---|
  | Added | Reference | | https://lists.fedoraproject.org/archives/list/[email protected]/message/RAXVQS6ZYTULFAK3TEJHRLKZALJS3AOU/ [No Types Assigned] |

- CVE Modified by [email protected]
  Jul. 20, 2023

  | Action | Type | Old Value | New Value |
  |---|---|---|---|
  | Added | Reference | | http://packetstormsecurity.com/files/173661/OpenSSH-Forwarded-SSH-Agent-Remote-Code-Execution.html [No Types Assigned] |

- CVE Modified by [email protected]
  Jul. 20, 2023

  | Action | Type | Old Value | New Value |
  |---|---|---|---|
  | Added | Reference | | http://www.openwall.com/lists/oss-security/2023/07/20/2 [No Types Assigned] |

- CVE Modified by [email protected]
  Jul. 20, 2023

  | Action | Type | Old Value | New Value |
  |---|---|---|---|
  | Added | Reference | | http://www.openwall.com/lists/oss-security/2023/07/20/1 [No Types Assigned] |

- CVE Modified by [email protected]
  Jul. 20, 2023

  | Action | Type | Old Value | New Value |
  |---|---|---|---|
  | Added | Reference | | https://security.gentoo.org/glsa/202307-01 [No Types Assigned] |