CVE-2026-4631
Cockpit · Cockpit
Cockpit's remote login feature is vulnerable to command injection via unsanitized input, allowing unauthenticated attackers to achieve remote code execution.
Executive summary
An unauthenticated command injection vulnerability in Cockpit's login flow allows an attacker to execute arbitrary shell commands on the host system.
Vulnerability
The vulnerability exists because Cockpit passes the hostname and username supplied in the remote login request to the SSH client without validation. Because ssh treats an argument that begins with a dash as an option, and a shell treats characters such as ; | $ and backticks as command separators, an unauthenticated attacker can inject malicious SSH options or shell commands into the login request. The injected command runs on the server hosting Cockpit, before any credentials are verified.
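The following is an added illustration of the bug class described above, not Cockpit's code: a hypothetical login handler that builds the ssh command line from the request fields, shown beside a hardened version. The helper names, the validation patterns and the sample inputs are all assumptions made for the example. Note that avoiding the shell is not enough on its own: a hostname beginning with a dash is still parsed by ssh as an option unless it is placed after the -- separator.

```python
import re
import shlex

# Hypothetical allow-lists for the example (not Cockpit's). They accept DNS
# names and IPv4 literals and reject anything that starts with '-' or contains
# shell metacharacters. IPv6 literals would need a separate, explicit check.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")


def vulnerable_command(user: str, host: str) -> str:
    """Vulnerable pattern: request fields are concatenated into a shell
    command string (the kind of string a caller would pass to a shell)."""
    return f"ssh -l {user} {host} true"


def vulnerable_argv(user: str, host: str) -> list[str]:
    """Tokens the shell would actually hand to ssh for the string above.
    shlex.split is used here only to show the token boundaries; the real
    damage with shell=True is the metacharacter interpretation on top."""
    return shlex.split(vulnerable_command(user, host))


def is_safe_target(user: str, host: str) -> bool:
    """True only if both fields match the strict allow-lists."""
    return bool(HOSTNAME_RE.match(host)) and bool(USERNAME_RE.match(user))


def hardened_argv(user: str, host: str) -> list[str]:
    """Hardened pattern: validate first, pass an argv list (never a shell
    string), and put '--' before the host so ssh cannot read it as an
    option even if validation were ever loosened."""
    if not is_safe_target(user, host):
        raise ValueError("rejected hostname or username")
    return ["ssh", "-oBatchMode=yes", "-l", user, "--", host, "true"]


if __name__ == "__main__":
    # Constructed attacker inputs: an ssh option and a shell command separator.
    print(vulnerable_argv("admin", "-oProxyCommand=id"))
    print(vulnerable_command("admin", "host.example.com; id"))
    print(hardened_argv("admin", "host.example.com"))
```

The first print shows the attacker-controlled hostname arriving at ssh as the token -oProxyCommand=id, an option rather than a host; the second shows the raw command string a shell would split at the semicolon. The hardened builder refuses both inputs and only ever produces a fixed-shape argument vector.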
Business impact
This is a critical vulnerability (CVSS 9.8) that allows for complete, unauthenticated remote code execution. The impact includes full system takeover, unauthorized access to the underlying server, and potential lateral movement within the network, justifying an immediate emergency response.
Remediation
Immediate Action: Apply the latest security patches provided by the Cockpit vendor immediately.
Proactive Monitoring: Monitor Cockpit and web-server access logs for login requests whose hostname or username field begins with a dash (an SSH option injection attempt) or contains shell metacharacters such as ; | $ ( ) or backticks, including their URL-encoded forms.
Compensating Controls: Restrict access to the Cockpit web interface to trusted IP addresses or an internal network, using a VPN or firewall rules, to minimize exposure to external attackers until the patch is applied.
Exploitation status
Public Exploit Available: No
Analyst recommendation
This vulnerability is highly severe because it requires no authentication to execute code on the host. Organizations must update all Cockpit instances immediately and ensure the web interface is reachable only from trusted networks and by authorized personnel.