PatchSiren cyber security CVE debrief
CVE-2016-7407 Dropbear SSH Project CVE debrief
CVE-2016-7407 is a critical vulnerability in the dropbearconvert command shipped with Dropbear SSH. According to the NVD record, versions through 2016.73 are affected, and a crafted OpenSSH key file can lead to arbitrary code execution. NVD assigns a CVSS v3.0 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), that is, it scores the issue as remotely reachable and unauthenticated with high impact on confidentiality, integrity and availability.
- Vendor: Dropbear SSH Project
- Product: Dropbear SSH
- CVE: CVE-2016-7407
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-03-03
- Original CVE updated: 2026-05-13
- Advisory published: 2017-03-03
- Advisory updated: 2026-05-13
Who should care
Administrators and integrators who deploy Dropbear SSH should prioritize this issue, especially on systems that ship or expose the dropbearconvert utility. It matters most wherever untrusted OpenSSH key files may be processed, including embedded devices, appliances and servers that run Dropbear SSH versions before 2016.74.
Technical summary
The vulnerability is described as an arbitrary code execution issue in the dropbearconvert command when handling a crafted OpenSSH key file. NVD classifies the weakness as CWE-20 (Improper Input Validation). The affected version range in the NVD CPE data ends at 2016.73, with 2016.74 indicated as the fixed release boundary in the description.
Defensive priority
Critical. The NVD vector (network attack vector, no privileges required, no user interaction, high confidentiality, integrity and availability impact) warrants urgent patching or mitigation wherever Dropbear SSH is present. One caveat for prioritization: dropbearconvert is a command-line key-conversion tool, so the realistic exposure on a given host depends on whether key files from untrusted sources ever reach it (for example through provisioning or key-import workflows), not on whether the SSH daemon itself is network-facing.
Recommended defensive actions
- Upgrade Dropbear SSH to 2016.74 or later, based on the NVD affected-version boundary.
- Inventory systems that ship or bundle Dropbear SSH and verify whether dropbearconvert is installed or used.
- Restrict or remove workflows that accept untrusted OpenSSH key files until remediation is complete.
- Apply vendor or distribution advisories and patches referenced in the corpus, including the Dropbear patch link and Gentoo GLSA.
- If immediate upgrading is not possible, isolate affected hosts and limit exposure of any key-conversion workflows to trusted administrators only.
- Validate that downstream packages or firmware images have incorporated the fixed Dropbear release, not just the upstream source code.
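The inventory and version checks above can be scripted. The following is an added example written for this debrief, not code from the Dropbear project or from any referenced advisory. It classifies a Dropbear version string against the 2016.74 fix boundary and reports whether dropbearconvert is installed on the current host. It goes slightly beyond the text by also treating the pre-2011 "0.x" release numbering as affected and by tolerating distribution packaging suffixes such as "-5". Assumptions: Dropbear versions use either the "YYYY.NN" form (2016.73, 2020.81) or the older "0.x" form (0.53.1); `dropbear -V` prints a banner beginning "Dropbear vYYYY.NN"; the package names dropbear-bin/dropbear (dpkg) and dropbear (opkg) are the ones used by the host's distribution.

```shell
#!/bin/sh
# Added example for this debrief, not Dropbear project code. Classifies a
# Dropbear version against the CVE-2016-7407 fix boundary (2016.74) and
# reports whether dropbearconvert is installed on this host.
#
# Assumptions: versions look like "2016.73" / "2020.81" or the older "0.53.1";
# `dropbear -V` prints "Dropbear vYYYY.NN ..."; distribution package names are
# dropbear-bin or dropbear (dpkg) and dropbear (opkg).

FIXED_YEAR=2016
FIXED_MINOR=74

# dropbear_vulnerable VERSION
# Exit 0 when VERSION is before 2016.74 (affected by CVE-2016-7407),
# 1 when it is 2016.74 or later, 2 when the string cannot be parsed.
dropbear_vulnerable() {
    ver=$1
    # Strip the banner prefixes printed by `dropbear -V` / `dbclient -V`.
    ver=${ver#"Dropbear client v"}
    ver=${ver#"Dropbear v"}
    ver=${ver#v}
    case "$ver" in
        [0-9][0-9][0-9][0-9].[0-9]*) ;;   # YYYY.NN release numbering
        0.[0-9]*) return 0 ;;             # every 0.x release predates the fix
        *) return 2 ;;
    esac
    year=${ver%%.*}
    minor=${ver#*.}
    minor=${minor%%[!0-9]*}   # drop packaging suffixes such as "-5" or "+deb9u1"
    if [ "$year" -lt "$FIXED_YEAR" ]; then return 0; fi
    if [ "$year" -gt "$FIXED_YEAR" ]; then return 1; fi
    [ "$minor" -lt "$FIXED_MINOR" ]
}

# report VERSION LABEL: one human-readable line per version source.
report() {
    rc=0
    dropbear_vulnerable "$1" || rc=$?
    case $rc in
        0) echo "AFFECTED  $2: $1 (before 2016.74; upgrade)" ;;
        1) echo "fixed     $2: $1" ;;
        *) echo "UNKNOWN   $2: '$1' (could not parse version)" ;;
    esac
}

# check_host: inventory this machine for dropbearconvert and Dropbear versions.
check_host() {
    bin=$(command -v dropbearconvert 2>/dev/null || true)
    if [ -n "$bin" ]; then
        echo "dropbearconvert present: $bin"
    else
        echo "dropbearconvert not on PATH (still check firmware images, chroots and containers)"
    fi
    if command -v dropbear >/dev/null 2>&1; then
        report "$(dropbear -V 2>&1 | head -n 1)" "dropbear -V"
    fi
    if command -v dpkg-query >/dev/null 2>&1; then
        for pkg in dropbear-bin dropbear; do
            v=$(dpkg-query -W -f='${Version}' "$pkg" 2>/dev/null) || continue
            report "$v" "dpkg $pkg"
        done
    fi
    if command -v opkg >/dev/null 2>&1; then
        v=$(opkg status dropbear 2>/dev/null | sed -n 's/^Version: //p')
        if [ -n "$v" ]; then report "$v" "opkg dropbear"; fi
    fi
}

check_host
```

Run it on each host or inside an unpacked firmware root (chroot into the image first); a hit on dropbearconvert with an AFFECTED version line is the case the advisory is about, while a fixed daemon version with a stale dropbearconvert copy from another package still needs attention.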
Evidence notes
This debrief is based on the supplied NVD record and its linked references. The description explicitly states that dropbearconvert in Dropbear SSH before 2016.74 can execute arbitrary code via a crafted OpenSSH key file. The NVD CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and CWE-20 classification support the severity and defensive urgency. The corpus also lists a version boundary of 2016.73 and references a patch, a mailing list post, and a Gentoo advisory.
Official resources
- CVE-2016-7407 CVE record (CVE.org)
- CVE-2016-7407 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: Mailing List, Patch, Third Party Advisory
- Mitigation or vendor reference: Third Party Advisory, VDB Entry
- Source reference: Issue Tracking
- Mitigation or vendor reference: Issue Tracking, Patch, Third Party Advisory
- Mitigation or vendor reference: Patch, Third Party Advisory, VDB Entry
Publicly disclosed in the supplied CVE record on 2017-03-03. The corpus also includes supporting references dated September 2016 and February 2017, but the CVE publication date should be treated as 2017-03-03. The record was last modified 4