Cyber Resilience

CVE-2026-12059

High

Published: 12 June 2026

Published
12 June 2026
Modified
17 June 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0045 36.0th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-12059 is a high-severity Improper Validation of Specified Quantity in Input (CWE-1284) vulnerability in Org (inferred from references). Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique SSH (T1021.004); ranked at the 36.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

The SSH service of CelloOS developed by Cellopoint has an Improper Access Control vulnerability, allowing authenticated remote attackers to bypass the enforced command restrictions and execute operating system commands outside the originally authorized scope.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1021.004 SSH Lateral Movement
Adversaries may use [Valid Accounts](https://attack.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Direct bypass of SSH command restrictions enables unauthorized Unix shell execution over the SSH remote service.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

Org
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References