CVE-2025-11624
📋 TL;DR
This CVE describes a stack buffer overflow vulnerability in wolfSSH's SFTP server when processing malicious packets with oversized handles. Attackers could execute arbitrary code or crash the service. Any system running vulnerable versions of wolfSSH with SFTP server enabled is affected.
💻 Affected Systems
- wolfSSH
📦 What is this software?
wolfSSH, the embedded SSH/SFTP library by wolfSSL (https://github.com/wolfSSL/wolfssh)
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, privilege escalation, and lateral movement within the network.
Likely Case
Service crash causing denial of service, potentially allowing attackers to bypass authentication or gain limited code execution.
If Mitigated
Service crash with limited impact if proper segmentation and least privilege controls are implemented.
🎯 Exploit Status
Exploitation requires sending specially crafted SFTP packets. The vulnerability is in packet parsing logic, making reliable exploitation possible but requiring understanding of the protocol.
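The parsing defect this CVE describes belongs to a well-known class: a length-prefixed SFTP string (here, a file handle) is copied into a fixed-size stack buffer on the strength of the length the peer declared. The C code below is an added illustration written for this page; it is not wolfSSH's source and not the change in PR #834, and HANDLE_MAX, the function names and the sample packets are assumptions. It shows the unchecked pattern beside a bounds-checked parser that rejects both an oversized handle and a handle whose declared length exceeds the bytes actually received.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative capacity of a fixed stack buffer for an SFTP file handle.
 * Assumption for this example, not a wolfSSH constant. */
#define HANDLE_MAX 32

/* SFTP encodes strings (handles included) as a 4-byte big-endian length
 * followed by that many bytes. Read the length field. */
static uint32_t get_u32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The defect class: the declared length is trusted and copied straight
 * into a fixed-size buffer, so a length above HANDLE_MAX overruns the
 * caller's stack. Shown for contrast only; nothing here calls it. */
int parse_handle_unchecked(const unsigned char *pkt, unsigned char *out)
{
    uint32_t len = get_u32(pkt);
    memcpy(out, pkt + 4, len);
    return (int)len;
}

/* Hardened parser: returns the handle length, or -1 when the declared
 * length exceeds the destination buffer or the bytes actually present. */
int parse_handle_checked(const unsigned char *pkt, size_t pkt_len,
                         unsigned char *out, size_t out_len)
{
    if (pkt_len < 4)
        return -1;                      /* no room for the length field */
    uint32_t len = get_u32(pkt);
    if ((size_t)len > out_len)
        return -1;                      /* oversized handle: reject */
    if ((size_t)len > pkt_len - 4)
        return -1;                      /* declared more than was sent */
    memcpy(out, pkt + 4, len);
    return (int)len;
}

/* Constructed sample packets (handle field only), not captured traffic:
 * a valid 4-byte handle, one declaring 256 bytes while carrying one,
 * one declaring 8 bytes while carrying two, and one declaring 2^32-1. */
static const unsigned char PKT_GOOD[]      = {0, 0, 0, 4, 'a', 'b', 'c', 'd'};
static const unsigned char PKT_OVERSIZED[] = {0, 0, 1, 0, 'x'};
static const unsigned char PKT_TRUNCATED[] = {0, 0, 0, 8, 'a', 'b'};
static const unsigned char PKT_HUGE[]      = {0xff, 0xff, 0xff, 0xff, 'a'};

/* Convenience wrapper: parse one sample into a HANDLE_MAX buffer. */
int check_sample(const unsigned char *pkt, size_t pkt_len)
{
    unsigned char out[HANDLE_MAX];
    return parse_handle_checked(pkt, pkt_len, out, sizeof out);
}

int main(void)
{
    printf("good handle:      %d\n", check_sample(PKT_GOOD, sizeof PKT_GOOD));
    printf("oversized handle: %d\n", check_sample(PKT_OVERSIZED, sizeof PKT_OVERSIZED));
    printf("truncated handle: %d\n", check_sample(PKT_TRUNCATED, sizeof PKT_TRUNCATED));
    printf("huge handle:      %d\n", check_sample(PKT_HUGE, sizeof PKT_HUGE));
    return 0;
}
```

The order of the two checks matters: comparing the declared length against the destination buffer first means the later `pkt_len - 4` comparison never has to reason about a 32-bit length that is larger than the whole packet, and a reject on either check leaves the destination untouched.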
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version containing the fix from PR #834
Vendor Advisory: https://github.com/wolfSSL/wolfssh/pull/834
Restart Required: Yes
Instructions:
1. Update wolfSSH to the latest version containing the fix from PR #834.
2. Recompile and reinstall if using source.
3. Restart all services using wolfSSH SFTP functionality.
🔧 Temporary Workarounds
Disable SFTP Server
Temporarily disable SFTP server functionality if not required
Configure wolfSSH to disable SFTP server support
Network Segmentation
Restrict access to SFTP servers using firewall rules (Linux, iptables):
iptables -A INPUT -p tcp --dport 22 -s trusted_networks -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
Replace trusted_networks with the source range to allow, adjust --dport if the wolfSSH server listens on a port other than 22, and note that rules appended with -A only take effect if no earlier rule in the INPUT chain already accepts the traffic.
🧯 If You Can't Patch
- Implement strict network access controls to limit SFTP server exposure
- Monitor for abnormal SFTP traffic patterns and connection attempts
🔍 How to Verify
Check if Vulnerable:
Check wolfSSH version and verify if it includes the fix from PR #834. Review compilation flags to confirm SFTP server is enabled.
Check Version:
wolfssh-config --version or check library version in application
Verify Fix Applied:
Verify the installed wolfSSH version is newer than the vulnerable version. Test SFTP functionality with normal operations.
📡 Detection & Monitoring
Log Indicators:
- SFTP server crashes
- Abnormal SFTP packet size errors
- Memory corruption warnings in system logs
Network Indicators:
- Unusual SFTP packet sizes
- Multiple failed SFTP connections from single source
- SFTP traffic patterns deviating from normal
SIEM Query:
source="*ssh*" AND ("crash" OR "buffer overflow" OR "segmentation fault")
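To exercise the log indicators and the SIEM query above before wiring them into a production search, here is an added C example written for this page (not wolfSSH tooling and not from the vendor) that applies the query's logic to a set of constructed log lines: it keeps only lines from an ssh-related source and flags those carrying one of the indicator terms. It widens the page's term list by one entry, "segv", because systemd reports a crashed service as "status=11/SEGV" rather than spelling out "segmentation fault". The sample lines, host names and process names are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Indicator terms: the three from the SIEM query on this page plus
 * "segv", which catches systemd's wording for a crashed unit. */
static const char *const INDICATORS[] = {
    "crash", "buffer overflow", "segmentation fault", "segv"
};
#define N_INDICATORS (sizeof INDICATORS / sizeof INDICATORS[0])

/* Case-insensitive substring test. strcasestr is not portable C, so it
 * is written out here. */
static int contains_nocase(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n)
            return 1;
    }
    return 0;
}

/* Returns 1 when the line comes from an ssh-related source (the query's
 * source="*ssh*" filter) and carries at least one indicator term. */
int line_matches(const char *line)
{
    if (!contains_nocase(line, "ssh"))
        return 0;
    for (size_t k = 0; k < N_INDICATORS; k++)
        if (contains_nocase(line, INDICATORS[k]))
            return 1;
    return 0;
}

/* Counts matching lines in an array of log lines. */
int count_matches(const char *const *lines, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += line_matches(lines[i]);
    return hits;
}

/* Constructed sample log lines, not real wolfSSH or system output. */
static const char *const SAMPLE_LOG[] = {
    "Oct 10 12:00:01 host wolfsshd[1234]: SFTP session opened for user alice",
    "Oct 10 12:00:07 host kernel: wolfsshd[1234]: segfault at 41414141 ... Segmentation fault",
    "Oct 10 12:00:09 host systemd[1]: wolfsshd.service: Main process exited, code=dumped, status=11/SEGV",
    "Oct 10 12:01:00 host cron[99]: job crash-report finished",
};
#define N_SAMPLE (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

int main(void)
{
    for (size_t i = 0; i < N_SAMPLE; i++)
        printf("%s | %s\n", line_matches(SAMPLE_LOG[i]) ? "MATCH" : "     ",
               SAMPLE_LOG[i]);
    printf("%d of %zu lines matched\n", count_matches(SAMPLE_LOG, N_SAMPLE), N_SAMPLE);
    return 0;
}
```

The fourth sample line shows why the source filter matters: it contains "crash" but comes from cron, so it is not counted. Matching lines are a trigger for investigation, not proof of exploitation; a service crash that coincides with unusual SFTP packet sizes from one source is the combination worth escalating.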