CVE-2015-8325: The do_setup_env function in session.c in sshd in OpenSSH through 7.2p2, when the UseLogin feature is enabl...
The do_setup_env function in session.c in sshd in OpenSSH through 7.2p2, when the UseLogin feature is enabled and PAM is configured to read .pam_environment files in user home directories, allows local users to gain privileges by triggering a crafted environment for the /bin/login program, as demonstrated by an LD_PRELOAD environment variable.
Security readout for executives and security teams
This is a local privilege escalation in OpenSSH. It matters when an SSH server uses the uncommon UseLogin option and PAM accepts user-controlled environment files. A logged-in local user may be able to make login run with unsafe environment values and gain elevated privileges. Exposure is likely limited to systems running vulnerable OpenSSH builds with UseLogin enabled and PAM configured to read .pam_environment files in user home directories. The source bundle does not provide a complete vendor/product affected list. Treat as high priority for multi-user Linux/Unix servers, bastions, shared hosting, and environments with untrusted local accounts. Internet exposure alone is not enough; the critical condition is local user access plus the vulnerable OpenSSH/PAM configuration. Mitigation focus: Apply vendor OpenSSH security updates from your operating system or appliance provider.; Disable UseLogin unless a documented operational requirement exists.; Review PAM configuration for user-controlled environment file handling..
Prepared
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-1262: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
1CVSS vectors
3Timeline events
2ADP providers
8Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: total
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-1262 · source CWE mapping
Improper Access Control for Register Interface
Improper Access Control for Register Interface represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.