A new vulnerability has been discovered in dbclient, the SSH client program of the Dropbear project. The vulnerability, identified as CVE-2025-47203, was published in a recent report. It allows attackers to execute shell commands through a specially crafted host name that dbclient processes.
The issue arises because dbclient launches its multihop command through a command interpreter without properly sanitizing special characters in the host name. This oversight can be exploited to execute arbitrary commands on systems that use dbclient with unverified host names.
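A defender-side check for this bug class, as an added example that is not Dropbear's code: rather than escaping a host name before it reaches a command line, reject anything outside the RFC 1123 host-name alphabet, which contains no shell metacharacters. It assumes the caller validates the host name before the multihop command is built; the page does not describe how dbclient itself parses multihop targets.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Added example, not Dropbear's code. Allow-list check for a host name
 * before it is used to build any command line: only RFC 1123 host names
 * pass (labels of ASCII letters, digits and hyphens, separated by dots,
 * labels of 1..63 bytes not starting or ending with '-', whole name of at
 * most 253 bytes). Shell metacharacters are outside that alphabet, so a
 * name carrying them is rejected instead of escaped. */
static bool is_label_char(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '-';
}

bool hostname_is_safe(const char *name)
{
    size_t len = strlen(name);
    size_t label_len = 0;

    if (len == 0 || len > 253)
        return false;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '.') {
            /* empty label (".a", "a..b") or a label ending in '-' */
            if (label_len == 0 || name[i - 1] == '-')
                return false;
            label_len = 0;
            continue;
        }
        if (!is_label_char(c))
            return false;   /* covers ';', '$', '`', '|', '&', quotes, spaces, ... */
        if (c == '-' && label_len == 0)
            return false;   /* a label may not start with a hyphen */
        if (++label_len > 63)
            return false;
    }
    /* a trailing dot leaves label_len == 0; the last label may not end in '-' */
    return label_len > 0 && name[len - 1] != '-';
}
```

Numeric labels are accepted on purpose so that dotted IPv4 literals pass; IPv6 literals and the user@ prefix of a multihop target would need to be split off by the caller before this check.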
This newly discovered vulnerability poses a significant security risk to systems using Dropbear's SSH client. Administrators should update to the latest version, which includes a patch for this vulnerability. More information about the vulnerability can be found here.