Cyber Resilience

CVE-2012-10060

Critical · Public PoC · Updated

Published: 13 August 2025

Modified: 26 May 2026
KEV Added
Patch
CVSS Score v4: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.7948 (99.1th percentile)
Risk Priority: 66 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2012-10060 is a critical-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Sysax Multi Server. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.9% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2012-10060 is a stack-based buffer overflow vulnerability (CWE-121) affecting the SSH service in Sysax Multi Server versions prior to 5.55. The issue arises when a remote attacker supplies an overly long username during authentication, causing the server to copy the input into a fixed-size stack buffer without proper bounds checking. This flaw enables remote code execution in the context of the service, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A remote, unauthenticated attacker can exploit this vulnerability by connecting to the SSH service and submitting a specially crafted, excessively long username. Successful exploitation leads to arbitrary code execution with the privileges of the Sysax Multi Server service, potentially allowing full system compromise on affected Windows hosts.

References include a CheckPoint advisory (cpai-23-sepc) and multiple public exploits, such as a Metasploit module for the Sysax SSH username overflow and Exploit-DB entries (18535, 18557), indicating the vulnerability has been publicly documented since 2012. Mitigation involves upgrading to Sysax Multi Server version 5.55 or later, as prior versions are vulnerable.

Public proof-of-concept exploits have been available since early 2012, including detailed write-ups and automated tools, highlighting the vulnerability's long-standing exposure despite its recent CVE assignment in 2025.

EU & UK References

Vulnerability details

Sysax Multi Server versions prior to 5.55 contain a stack-based buffer overflow in the SSH service. When a remote attacker supplies an overly long username during authentication, the server copies the input to a fixed-size stack buffer without proper bounds checking. This allows remote code execution under the context of the service.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Stack-based buffer overflow in public-facing SSH service directly enables remote unauthenticated code execution via exploitation of a network-accessible application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2023-54337 · Same product: Sysax Multi Server
CVE-2024-53458 · Same product: Sysax Multi Server
CVE-2025-11779 · Shared CWE-121
CVE-2026-25823 · Shared CWE-121
CVE-2025-69766 · Shared CWE-121
CVE-2025-60691 · Shared CWE-121
CVE-2019-25364 · Shared CWE-121
CVE-2026-39047 · Shared CWE-121
CVE-2025-69764 · Shared CWE-121
CVE-2019-25319 · Shared CWE-121

Affected Assets

sysax · multi server · ≤ 5.55

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly requires validation of all input (including SSH usernames) to enforce length and format checks that would have blocked the oversized username triggering the stack overflow.

prevent

Mandates prompt application of vendor patches, directly eliminating the buffer-overflow flaw by upgrading Sysax Multi Server to version 5.55 or later.

prevent

Implements memory-protection mechanisms (e.g., ASLR, DEP, stack canaries) that can block successful exploitation of the stack-based overflow even if malicious input reaches the service.
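
The length and format check that the input-validation control above describes, as an added example (not Sysax code and not part of the original page). It assumes the user name arrives as an SSH "string" field (RFC 4251: 4-byte big-endian length, then the bytes); the 64-byte limit, the printable-ASCII policy and the name parse_username are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define USERNAME_MAX 64   /* assumed limit for this example */

/* Parse an SSH "string" (uint32 big-endian length, then bytes) holding the
 * user name into a fixed-size buffer.
 * Returns 0 on success, -1 if the field is rejected. */
int parse_username(const uint8_t *pkt, size_t pkt_len,
                   char out[USERNAME_MAX + 1])
{
    if (pkt == NULL || pkt_len < 4)
        return -1;                       /* no room for the length prefix */

    uint32_t n = ((uint32_t)pkt[0] << 24) | ((uint32_t)pkt[1] << 16) |
                 ((uint32_t)pkt[2] << 8)  |  (uint32_t)pkt[3];

    /* The unchecked pattern behind CWE-121 is memcpy(out, pkt + 4, n) with
     * n taken from the peer. Check n against both bounds before copying. */
    if (n == 0 || n > USERNAME_MAX)
        return -1;                       /* would not fit the stack buffer */
    if (n > pkt_len - 4)
        return -1;                       /* claims more bytes than received */

    for (uint32_t i = 0; i < n; i++) {   /* format check: printable ASCII */
        uint8_t c = pkt[4 + i];
        if (c < 0x21 || c > 0x7e)
            return -1;
    }
    memcpy(out, pkt + 4, n);
    out[n] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample inputs, not captured traffic. */
    const uint8_t ok[] = {0, 0, 0, 5, 'a', 'l', 'i', 'c', 'e'};
    uint8_t big[4 + 200] = {0, 0, 0, 200};
    char user[USERNAME_MAX + 1];

    memset(big + 4, 'A', 200);
    printf("short name: %d\n", parse_username(ok, sizeof ok, user));
    printf("long name:  %d\n", parse_username(big, sizeof big, user));
    return 0;
}
```

Rejecting the field before any copy means the oversized value never reaches the fixed-size buffer, independent of whether ASLR, DEP or stack canaries are present.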

References