H3-2026-0007
SSH ControlMaster Socket Abuse
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 8.0 |
Description
A live SSH ControlMaster socket was found on the host, allowing an attacker to reuse an existing authenticated SSH tunnel to reach a remote system without any credentials.
Impact
An attacker with access to the host can hijack the SSH ControlMaster socket to execute commands on the remote system as the connected user, enabling lateral movement without credentials.
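A defender can check which client configurations leave such sockets behind. The following is an added example, not part of the advisory: it audits ssh_config text for Host blocks where ControlMaster permits reuse without confirmation, and reports how long the socket persists and whether ControlPath sits in a shared directory. The function names, the SHARED_DIRS list and the sample config are assumptions, and each Host block is evaluated on its own (no merging of options across matching blocks).

```python
import re

# "Keyword value" or "Keyword=value", as ssh_config accepts both forms
LINE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.*)$")
SHARED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")  # assumed world-writable locations

# Constructed sample config for illustration
SAMPLE = """\
Host bastion
    ControlMaster auto
    ControlPath /tmp/ssh-%r@%h:%p
    ControlPersist yes
Host build-*
    ControlMaster=autoask
    ControlPersist 10m
Host db
    ControlMaster auto
    ControlPath ~/.ssh/cm/%C
    ControlPersist 30s
"""

def parse_blocks(text):
    """Return [(host_pattern, {keyword: first value})]; comments and blanks are skipped."""
    blocks = [("*", {})]  # options before any Host line apply globally
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key in ("host", "match"):
            blocks.append((value, {}))
        else:
            blocks[-1][1].setdefault(key, value)  # first value wins within a block
    return blocks

def audit(text):
    """Return (host_pattern, issue) tuples for blocks that create reusable sockets."""
    findings = []
    for host, opts in parse_blocks(text):
        if opts.get("controlmaster", "no").lower() not in ("yes", "auto"):
            continue  # "no" disables sharing; "ask"/"autoask" prompt before each reuse
        findings.append((host, "master socket accepts reuse without confirmation"))
        persist = opts.get("controlpersist", "no").lower()
        if persist in ("yes", "0"):
            findings.append((host, "socket persists indefinitely in the background"))
        elif persist != "no":
            findings.append((host, f"socket persists {persist} after the last session"))
        path = opts.get("controlpath", "")
        if path.startswith(SHARED_DIRS):
            findings.append((host, f"ControlPath in shared directory: {path}"))
    return findings

if __name__ == "__main__":
    for host, issue in audit(SAMPLE):
        print(f"{host}: {issue}")
```

A master that is already running can be confirmed with `ssh -O check` and closed with `ssh -O exit` against the same ControlPath.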