Hi Albert, 2024.86 is affected.
On 2025-05-13 2:47 am, Albert Veli wrote:
I'm currently triaging CVE-2025-47203 to determine whether an embedded system we maintain is actually affected. It runs 2024.86, and is built with DROPBEAR_CLI_PROXYCMD and DROPBEAR_CLI_MULTIHOP enabled. However, despite attempting various multihop hostname inputs containing shell metacharacters (e.g. semicolons, backticks, pipes, $(cmd)), I’ve been unable to trigger any shell execution or command injection. All such inputs are interpreted literally as hostnames. I have two main questions: 1. Is there a reliable way to confirm from the command line whether I'm vulnerable?
dbclient 'localhost,|touch 123 ' stdout is captured, stderr isn't.
2. Both dbclient and ssh are symlinks to the same dropbear binary. Does this CVE apply equally to both, or is it specific to dbclient?
It applies to both. Cheers, Matt
