VanDyke Software

Security Advisory

VanDyke Software SecureCRT memory corruption vulnerability (CVE-2020-12651)

Risk assessment: Low


Posted: May 18, 2020

Description

A memory corruption vulnerability has been discovered in SecureCRT. If certain terminal emulation functions receive a large negative number as a parameter, a remote system can corrupt memory in the terminal process, potentially causing SecureCRT to crash or allowing the execution of arbitrary code.

To exploit this vulnerability, a malicious control sequence supported by the terminal emulation in use would have to be sent by a device to which SecureCRT had already successfully connected; the attacker therefore needs to control the remote end of an established session.

In internal testing, attempting to exploit this vulnerability resulted in a SecureCRT crash.
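The bug class the description refers to, a control-sequence parameter arriving as a large negative number and then being used as an offset into emulator state, is easiest to see in code. The following is an added illustration written for this page and is not SecureCRT's code. The advisory does not say how the negative value arises in SecureCRT, so this example assumes the common route of a long decimal digit run wrapping a 32-bit integer, and uses a hypothetical cursor-position (CUP, `ESC [ Pr ; Pc H`) handler on a fixed 24x80 screen; `parse_param_naive`, `parse_param_safe`, `cup_row_naive` and `cup_parse_safe` are all names invented here.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

#define SCREEN_ROWS 24
#define SCREEN_COLS 80
#define CSI_PARAM_MAX 9999   /* generous cap on any single numeric parameter */

/* Naive parameter parser (hypothetical): accumulates decimal digits into a
 * 32-bit value with no overflow check.  A long digit run wraps around.  The
 * unsigned accumulation followed by a cast reproduces the two's-complement
 * wraparound real code exhibits while avoiding undefined signed overflow. */
int parse_param_naive(const char *p, const char **end)
{
    unsigned int acc = 0;
    while (*p >= '0' && *p <= '9') {
        acc = acc * 10u + (unsigned int)(*p - '0');
        p++;
    }
    if (end) *end = p;
    return (int)acc;               /* "3000000000" comes out as -1294967296 */
}

/* Hardened parser: consumes the whole digit run but saturates at
 * CSI_PARAM_MAX, so no input, however long, yields a negative or oversized
 * value. */
int parse_param_safe(const char *p, const char **end)
{
    long acc = 0;
    while (*p >= '0' && *p <= '9') {
        if (acc <= CSI_PARAM_MAX)  /* stop growing once we are past the cap */
            acc = acc * 10 + (*p - '0');
        p++;
    }
    if (end) *end = p;
    return acc > CSI_PARAM_MAX ? CSI_PARAM_MAX : (int)acc;
}

/* Naive CUP handling: returns the 0-based row the emulator would index with.
 * With a wrapped parameter this is a huge negative offset into the screen
 * buffer, which is exactly the class of fault the advisory describes. */
int cup_row_naive(const char *seq)
{
    if (seq[0] != '\x1b' || seq[1] != '[') return 0;
    const char *p = seq + 2;
    int row = parse_param_naive(p, &p);
    if (row == 0) row = 1;         /* CSI convention: 0 or omitted means 1 */
    return row - 1;                /* no bounds check before use as an index */
}

/* Hardened CUP handling: saturating parse of both parameters, strict check of
 * the final byte, and clamping into the live screen.  Returns false for a
 * malformed sequence and leaves *row/*col untouched. */
bool cup_parse_safe(const char *seq, int *row, int *col)
{
    if (seq[0] != '\x1b' || seq[1] != '[') return false;
    const char *p = seq + 2;
    int r = parse_param_safe(p, &p);
    int c = 1;
    if (*p == ';') c = parse_param_safe(p + 1, &p);
    if (*p != 'H') return false;   /* not a CUP sequence after all */
    if (r == 0) r = 1;
    if (c == 0) c = 1;
    r -= 1;
    c -= 1;                        /* both are now in [0, CSI_PARAM_MAX - 1] */
    *row = r >= SCREEN_ROWS ? SCREEN_ROWS - 1 : r;
    *col = c >= SCREEN_COLS ? SCREEN_COLS - 1 : c;
    return true;
}

/* Single-coordinate wrappers; -1 signals a rejected sequence. */
int cup_row_safe(const char *seq) { int r, c; return cup_parse_safe(seq, &r, &c) ? r : -1; }
int cup_col_safe(const char *seq) { int r, c; return cup_parse_safe(seq, &r, &c) ? c : -1; }

int main(void)
{
    /* Constructed sample: a CUP sequence whose row parameter wraps a 32-bit int. */
    const char *hostile = "\x1b[3000000000;1H";
    printf("naive row index:  %d\n", cup_row_naive(hostile));
    printf("clamped row index: %d\n", cup_row_safe(hostile));
    return 0;
}
```

The hardened variant makes two independent fixes: the parser can never hand back a negative value, and the consumer clamps every index to the buffer it is about to touch. Either alone would have stopped the fault illustrated here; doing both means a future parameter parser bug does not immediately become a memory-safety bug.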

Products Not Affected

  • SecureCRT 8.7.2 and newer versions for Windows, macOS, and supported Linux platforms.

Products Affected

  • SecureCRT 8.7.1 and earlier versions for Windows, macOS, and supported Linux platforms.
  • SecureCRT 2.3.1 and earlier for iOS.

Recommended Solution

Upgrade to SecureCRT 8.7.2 or later on Windows, macOS, and supported Linux platforms.

Upgrade to SecureCRT 2.4 or later on iOS.

Vulnerability Fix Downloads

  • SecureCRT 8.7.2 or later.
  • Please email for a pre-release version of SecureCRT for iOS 2.4. This version will be officially released soon.

Acknowledgements

Reported by Tavis Ormandy of Google Project Zero.

Revision History

May 18, 2020 – Security Advisory Published
