Security Research Findings
SSH-MITM was originally developed as an active security research tool — not just to intercept sessions, but to understand how SSH clients behave when confronted with a manipulated server. Operating from the Man-in-the-Middle position makes it possible to observe authentication flows, protocol negotiations, and client-side decisions that are invisible from either endpoint alone.
During this research, several previously unknown vulnerabilities were discovered in widely deployed SSH software. Each was reported to the respective vendor, assigned a CVE number, and in most cases led to a fixed release.
CVSS 8.1
PuTTY before 0.71 accepted trivial authentication silently — no indicator was shown when a server granted access without requiring credentials. The attack therefore remained invisible to the user even while it was being actively exploited.
CVSS 3.7
OpenSSH clients using FIDO2 hardware tokens with agent forwarding could not determine whether a key confirmation was for their own connection or for an attacker’s connection through a forwarded agent.
CVSS 8.1
The Dropbear SSH client accepted trivial authentication without warning, making it susceptible to silent Man-in-the-Middle credential harvesting — particularly relevant on embedded systems and IoT devices.
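The two trivial-authentication findings above (PuTTY before 0.71 and the Dropbear client) share one root cause: the server answers the client's initial `none` authentication request with SSH_MSG_USERAUTH_SUCCESS, and the client treats that as a normal login. The following is an added example, not code from the SSH-MITM project or from either vendor. It builds the relevant userauth messages in RFC 4252 wire format from constructed values and runs a small audit over a captured exchange, flagging the case a client (or a log reviewer) should surface to the user: access granted without any credential. The message constants and the `(direction, payload)` representation of the exchange are assumptions for this example.

```python
import struct

# Message numbers from RFC 4252 (the only ones this audit needs).
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_SUCCESS = 52


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def read_string(buf: bytes, offset: int):
    """Decode one 'string' at offset; return (bytes, next_offset)."""
    (length,) = struct.unpack_from(">I", buf, offset)
    start = offset + 4
    return buf[start:start + length], start + length


def userauth_request(user: str, method: str, service: str = "ssh-connection") -> bytes:
    """SSH_MSG_USERAUTH_REQUEST without method-specific fields (enough for 'none')."""
    return (bytes([SSH_MSG_USERAUTH_REQUEST]) + ssh_string(user.encode())
            + ssh_string(service.encode()) + ssh_string(method.encode()))


def userauth_failure(methods: str, partial: bool = False) -> bytes:
    """SSH_MSG_USERAUTH_FAILURE: name-list of methods that can continue, plus a boolean."""
    return bytes([SSH_MSG_USERAUTH_FAILURE]) + ssh_string(methods.encode()) + bytes([int(partial)])


def userauth_success() -> bytes:
    return bytes([SSH_MSG_USERAUTH_SUCCESS])


def parse_userauth_request(msg: bytes):
    """Return (user, service, method) from a USERAUTH_REQUEST payload."""
    if msg[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not a USERAUTH_REQUEST")
    user, off = read_string(msg, 1)
    service, off = read_string(msg, off)
    method, off = read_string(msg, off)
    return user.decode(), service.decode(), method.decode()


def audit_userauth(exchange):
    """Walk (direction, payload) pairs and return a list of findings.

    direction is "c2s" (client to server) or "s2c" (server to client).
    A USERAUTH_SUCCESS that answers a 'none' request means the server granted
    access without any credential; that is the condition the vulnerable
    clients did not show to the user.
    """
    findings = []
    last_method = None
    for direction, payload in exchange:
        mtype = payload[0]
        if direction == "c2s" and mtype == SSH_MSG_USERAUTH_REQUEST:
            _, _, last_method = parse_userauth_request(payload)
        elif direction == "s2c" and mtype == SSH_MSG_USERAUTH_SUCCESS:
            if last_method is None:
                findings.append("USERAUTH_SUCCESS before any authentication request")
            elif last_method == "none":
                findings.append("trivial authentication: server accepted the 'none' method")
            # any other method means a credential was actually presented
    return findings


# Constructed sample exchanges (not captured traffic).
TRIVIAL_AUTH_EXCHANGE = [
    ("c2s", userauth_request("alice", "none")),
    ("s2c", userauth_success()),
]
NORMAL_EXCHANGE = [
    ("c2s", userauth_request("alice", "none")),
    ("s2c", userauth_failure("publickey,password")),
    ("c2s", userauth_request("alice", "publickey")),
    ("s2c", userauth_success()),
]

if __name__ == "__main__":
    for name, exchange in (("trivial", TRIVIAL_AUTH_EXCHANGE), ("normal", NORMAL_EXCHANGE)):
        print(name, audit_userauth(exchange) or ["no findings"])
```

A fixed client applies the same rule at the point where it receives USERAUTH_SUCCESS: if the only method it has offered so far is `none`, it must tell the user before proceeding rather than treating the session as a normal login.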
CVSS 7.5
Midnight Commander performed no SSH host key verification when opening remote connections, allowing a MitM attacker to intercept sessions without detection.
CVSS 5.4
MobaXterm did not warn users when an SSH server’s host key changed, suppressing the standard security prompt that would normally alert a user to a potential Man-in-the-Middle attack.
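Both the Midnight Commander finding (no host key verification at all) and the MobaXterm finding above (a changed host key accepted without the usual prompt) come down to the client's handling of the `known_hosts` lookup. The following is an added example, not code from the SSH-MITM project or from either vendor. It implements the lookup in plain Python for the common entry forms (plain hostnames, comma-separated aliases, `[host]:port`, and the hashed `|1|salt|hash` form, which is HMAC-SHA1 of the hostname keyed with the salt) and returns one of three outcomes: the key is known, the host is unknown (first contact), or the key for a known host has changed, which is the Man-in-the-Middle signal a client must never suppress. The sample `known_hosts` content and the key strings are constructed for the example and are not real keys.

```python
import base64
import hashlib
import hmac

# The three outcomes a client must keep apart. "unknown" may be legitimate
# first contact; "changed" is the MitM indicator and must always be shown.
KNOWN, UNKNOWN, CHANGED = "known", "unknown", "changed"


def hash_hostname(hostname: str, salt: bytes) -> str:
    """Hashed known_hosts host field: |1|<b64 salt>|<b64 HMAC-SHA1(salt, hostname)>."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|{}|{}".format(base64.b64encode(salt).decode(),
                             base64.b64encode(digest).decode())


def host_matches(host_field: str, hostname: str) -> bool:
    """Match one host field: hashed, or a comma-separated list of names/[host]:port."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, _ = host_field.split("|", 3)
        expected = hash_hostname(hostname, base64.b64decode(salt_b64))
        return hmac.compare_digest(expected, host_field)
    return hostname in host_field.split(",")


def check_host_key(known_hosts: str, hostname: str, key_type: str, key_b64: str) -> str:
    """Look up hostname/key_type in known_hosts text and classify the presented key.

    A differing key of the same type for a known host is CHANGED. Entries of a
    different key type are ignored here (OpenSSH additionally warns about them);
    @cert-authority and @revoked marker lines are skipped in this simplified form.
    """
    seen_host = False
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        host_field, ktype, key = fields[0], fields[1], fields[2]
        if ktype != key_type or not host_matches(host_field, hostname):
            continue
        seen_host = True
        if hmac.compare_digest(key, key_b64):
            return KNOWN
    return CHANGED if seen_host else UNKNOWN


# Constructed sample data (not real keys): a fixed salt for the hashed entry
# and two distinct key blobs so that a key change can be simulated.
SALT = bytes(range(1, 21))
KEY_A = base64.b64encode(b"constructed-ed25519-key-A").decode()
KEY_B = base64.b64encode(b"constructed-ed25519-key-B").decode()
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "bastion.example,10.0.0.5 ssh-ed25519 " + KEY_A,
    hash_hostname("jump.example", SALT) + " ssh-ed25519 " + KEY_B,
    "[git.example]:2222 ssh-ed25519 " + KEY_A,
])

if __name__ == "__main__":
    for host, key in (("bastion.example", KEY_A), ("10.0.0.5", KEY_B),
                      ("jump.example", KEY_B), ("other.example", KEY_A)):
        print(host, "->", check_host_key(SAMPLE_KNOWN_HOSTS, host, "ssh-ed25519", key))
```

The important design point is the distinction between UNKNOWN and CHANGED: a client that collapses both into a single "accept new key" path (or skips the lookup entirely, as Midnight Commander did) gives an interposed server the same standing as the genuine one, and a client that accepts CHANGED without prompting (as MobaXterm did) removes the one signal the user has.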
CVSS 5.4
MobaXterm used a hardcoded password (MobaPasswordCancel) internally. In combination with a MitM server, this could be used to trigger fail2ban bans against the legitimate user.