Overview
Description
Statistics
- 1 Post
Fediverse
@hanno this question came up in the SSH world, relating to terminal SCP clients: https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt
An SCP client had some missing validation checks in download mode, allowing a malicious server to modify parts of the client's filesystem other than the ones the user authorised it to. As a side effect, the client printed diagnostics which would have given the game away – but the client was also happy to print unsanitised escape sequences sent by the SSH server, which allowed the malicious server to send a well chosen combination of 'move up, clear line of text' escapes to wipe those telltale diagnostics off the screen and allow the attack to go undetected.
In that context, the failure to sanitise escape sequences was assigned a CVE number. (In fact, two: CVE-2019-6109 and CVE-2019-6110.) But that was only because in that particular context it allowed the attacker to hide evidence of a more serious crime.
PuTTY's SCP client was not vulnerable to the 'missing validation check' issue, and didn't allow the server to make unauthorised modifications. It _did_ have the 'failure to sanitise escape sequences' issue, but we didn't regard this as a vulnerability when it _wasn't_ allowing the covering-up of a real attack, and the original researcher agreed.
(We did regard it as a _bug_, and we fixed it. But not, by itself, a vulnerability.)
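The post above describes the trick without showing it. The following is an added example, not code from PuTTY, OpenSSH or the linked advisory: it models a client that prints its own diagnostic and then passes server-supplied text to the terminal, and a tiny terminal that honours just the two sequences the attacker needs (cursor up, erase line). The warning text, the payload and the `sanitise_for_terminal` helper are all constructed for illustration.

```python
"""Model of the 'move up, clear line' cover-up and a sanitiser that defeats it.

Added example, not PuTTY's or OpenSSH's code. WARNING, WIPE_PAYLOAD and the
two-sequence terminal model are constructed for illustration.
"""
import re

# CSI sequences the attacker relies on: ESC [ A (cursor up) and ESC [ 2 K (erase line)
CSI_RE = re.compile(r"\x1b\[([0-9;]*)([@-~])")

# C0 controls other than TAB and LF, DEL, and the C1 range. 0x9b is a one-byte CSI
# on many terminals, so a sanitiser that only strips ESC is not enough (the toy
# terminal below does not model 8-bit CSI, but a real one may).
CONTROL_RE = re.compile(r"[\x00-\x08\x0b-\x1f\x7f\x80-\x9f]")

# Constructed client diagnostic: the line that would give the game away.
WARNING = "scp: warning: server sent an unexpected filename, ignored\n"

# Constructed server-controlled text (e.g. passed-through stderr):
# CR, cursor up one row, erase that row, then an innocent-looking message.
WIPE_PAYLOAD = "\r\x1b[A\x1b[2Kdone.\n"


def sanitise_for_terminal(text: str) -> str:
    """Make control characters visible instead of letting the terminal act on them."""
    return CONTROL_RE.sub(lambda m: "\\x%02x" % ord(m.group(0)), text)


def client_output(server_text: str, sanitise: bool) -> str:
    """What the modelled client writes: its own diagnostic, then the server text."""
    return WARNING + (sanitise_for_terminal(server_text) if sanitise else server_text)


def render_terminal(stream: str) -> list[str]:
    """Minimal terminal: printable text, CR, LF, CSI A (cursor up), CSI K (erase in line).
    Returns the rows left on screen, i.e. what the user actually sees."""
    rows = [""]
    row = col = 0
    i = 0
    while i < len(stream):
        ch = stream[i]
        if ch == "\x1b":
            m = CSI_RE.match(stream, i)
            if m is None:                      # lone ESC: drop it
                i += 1
                continue
            params, final = m.groups()
            n = int(params) if params.isdigit() else 1
            if final == "A":                   # cursor up n rows, column unchanged
                row = max(0, row - n)
            elif final == "K":                 # erase in line
                if params == "2":
                    rows[row] = ""             # whole line
                elif params in ("", "0"):
                    rows[row] = rows[row][:col]  # cursor to end of line
            # other CSI sequences are not modelled and are ignored
            i = m.end()
            continue
        if ch == "\n":
            row += 1
            col = 0
            if row == len(rows):
                rows.append("")
        elif ch == "\r":
            col = 0
        elif ch >= " " and ch != "\x7f":       # printable: overwrite at the cursor
            line = rows[row].ljust(col)
            rows[row] = line[:col] + ch + line[col + 1:]
            col += 1
        # remaining control characters are ignored by this model
        i += 1
    return rows


def warning_visible(server_text: str, sanitise: bool) -> bool:
    """True if the client's diagnostic is still on screen after the server text is shown."""
    screen = render_terminal(client_output(server_text, sanitise))
    return any(line.startswith("scp: warning") for line in screen)


if __name__ == "__main__":
    for sanitise in (False, True):
        print(f"--- sanitise={sanitise} ---")
        for line in render_terminal(client_output(WIPE_PAYLOAD, sanitise)):
            print(repr(line))
```

Unsanitised, the screen ends up showing only `done.`; sanitised, the warning stays and the escape bytes appear as literal `\x1b[A\x1b[2K`, so the tampering itself becomes evidence. Note that this sanitiser also escapes CR, which breaks legitimate progress meters that redraw a line; a real client has to decide which controls it will honour from a remote peer rather than blindly stripping ESC and nothing else.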
Overview
- wb2osz
- Dire Wolf
- direwolf
Fediverse
RondoDox botnet exploits React2Shell flaw to breach Next.js servers
https://www.bleepingcomputer.com/news/security/rondodox-botnet-exploits-react2shell-flaw-to-breach-nextjs-servers/
The RondoDox botnet has been observed exploiting the critical React2Shell flaw (CVE-2025-55182) to infect vulnerable Next.js servers with malware and cryptominers.
First documented by Fortinet in July 2025, RondoDox is a large-scale botnet that targets multiple n-day flaws in global attacks. In November, VulnCheck spotted new RondoDox variants that featured exploits for CVE-2025-24893, a critical remote code execution (RCE) vulnerability in the XWiki Platform.
A new report from cybersecurity company CloudSEK notes that RondoDox started scanning for vulnerable Next.js servers on December 8 and began deploying botnet clients three days later.