PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-60060 TeraTerm Project CVE debrief

CVE-2026-60060 Improper Handling of Length Parameter Inconsistency (CWE-130) vulnerability exists in TTSSH2 plugin of Tera Term provided by TeraTerm Project. When Tera Term attempts to establish an SSH connection to a server set up by an attacker, out-of-bounds read/write may occur. The vulnerability may allow the contents of adjacent memory regions to be transmitted to the server, and Tera Term may behave unexpectedly or terminate abnormally. This issue affects users of Tera Term and TTSSH2 plugin, who should be aware of this vulnerability and take necessary actions to protect themselves.

Vendor
TeraTerm Project
Product
TTSSH2
CVSS
MEDIUM 5.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Users of Tera Term and TTSSH2 plugin, administrators, and security teams should be aware of this vulnerability and take necessary actions to protect themselves. They should review their exposure, verify affected scope, and plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.

Technical summary

The TTSSH2 plugin of Tera Term is vulnerable to Improper Handling of Length Parameter Inconsistency (CWE-130). When Tera Term attempts to establish an SSH connection to a server set up by an attacker, out-of-bounds read/write may occur. As a result, the contents of adjacent memory regions may be transmitted to the server, and Tera Term may behave unexpectedly or terminate abnormally. The vulnerability is considered Medium priority due to the potential for unexpected behavior or abnormal termination of Tera Term.

Defensive priority

Medium priority due to the potential for unexpected behavior or abnormal termination of Tera Term.

Recommended defensive actions

  • Update TTSSH2 plugin to the latest version
  • Use secure SSH connections
  • Monitor Tera Term for unexpected behavior
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-07-17T05:16:41.360Z and has not been modified since then. The NVD entry is currently Received. The TTSSH2 plugin of Tera Term is vulnerable to Improper Handling of Length Parameter Inconsistency (CWE-130). When Tera Term attempts to establish an SSH connection to a server set up by an attacker, out-of-bounds read/write may occur. As a result, the contents of adjacent memory regions may be transmitted to the server, and Tera Term may behave unexpectedly or terminate abnormally. Users and administrators should verify their exposure and review vendor guidance for updates or mitigations.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T05:16:41.360Z and has not been modified since then.