DevConf.CZ 2026

Shell Injection Evolution: From SSH URIs to ProxyCommand Exploits
2026-06-18, E112 (capacity 156)

In modern infrastructure, SSH remains the backbone of secure remote administration, but its advanced features have created unexpected attack surfaces. This talk explores three critical OpenSSH vulnerabilities (CVE-2023-51385, CVE-2025-61984, CVE-2025-61985) that demonstrate how attackers exploit expansion tokens in ProxyCommand, LocalCommand, and Match exec directives.
Through live demonstrations, I'll show how malicious usernames, hostnames, and SSH URIs achieve arbitrary code execution via shell metacharacters, control character injection, and null byte truncation attacks.
Drawing from my experience fixing these CVEs in enterprise RHEL environments, I'll walk through real exploitation scenarios affecting CI/CD pipelines, corporate jump host architectures, and automated deployment systems.

I'll demonstrate how a single malicious SSH URI can compromise entire CI/CD pipelines, and how control characters in LDAP-sourced usernames enable lateral movement across production networks.


Experience level: Intermediate - attendees should be familiar with the subject

Suyash Nalawade is a security-focused Software Engineer at Red Hat specializing in Linux, vulnerability research, and CVE remediation. His work focuses on Enterprise Linux security and critical infrastructure protection. He is known for delivering practical, demo-driven talks on offensive and defensive security, and contributes to open source while volunteering in community security events.