OpenSSH DoS due to signal handler race condition

Advisory Information

• Advisory ID: BOSCH-SA-085467-BT
• CVE Numbers and CVSS v3.1 Scores:
  • CVE-2006-5051
    • Base Score: 8.1 (High)
    • Environmental Score: 5.9 (Medium)
• Published: 19 Nov 2025
• Last Updated: 19 Nov 2025

Summary

MAP 5000 is affected by an OpenSSH vulnerability which is enabled in a backwards compatibility mode. It allows remote attackers to cause a denial-of-service (DoS) by crashing the panel.

Affected Products

• Bosch MAP 5000 family
  • CVE-2006-5051
    • Version(s): < Bundle 1.48.0, Firmware 1.4.0288

Solution and Mitigations

Software Updates

The recommended approach is to update the affected Bosch firmware. If an update is not possible in a timely manner, users are recommended to follow the mitigations and workarounds described in the following section. The versions to fix this issue are listed in the Advisory Appendix.

A reboot of the device is required after uploading the update.

The version of the firmware should be checked after the update to confirm successful installation.

Don’t Use Backward Compatible SSH

In RPS under Control Panel Network Security , make sure the entry Secure Shell Protocol (SSH) is set to 2048 bit . The vulnerability is introduced due to backwards compatibility configuration option with 1024 bit , which is not recommended. The 2048 bit setting must be used to be unaffected by this vulnerability.

Network Segmentation

By segmenting the network, you can make it more difficult for an attacker to move laterally within the network, thus reducing the likelihood of a successful attack.

Vulnerability Details

CVE-2006-5051

A vulnerable OpenSSH version being enabled in a backwards compatibility mode may cause a denial of service (crash). Because MAP 5000 doesn't use GSSAPI authentication, further exploitation is mitigated and the severity of this vulnerability is reduced accordingly.

CVE description: Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free.

• Problem Type:
  • CWE-415 Double Free
• CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:N/MI:N/MA:H
  • Base Score: 8.1 (High)
  • Environmental Score: 5.9 (Medium)

Remarks

Security Update Information

With respect to Directive (EU) 2019/770 and Directive (EU) 2019/771 and their national transposition laws, please note:

It is your responsibility to download and/or install any security updates provided by us, for example to maintain product or data security. If you fail to install a security update provided to you within a reasonable period of time, we will not be liable for any product defect solely due to the absence of such security update.

Alternatively, we are entitled to directly download and/or install security updates regardless of your settings. In these cases, we will provide you with the relevant information, e.g. in this security advisory.

CVSS Scoring

Vulnerability classification has been performed using the CVSS v3.1 scoring system . The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

Additional Resources

• [1] Contact us webpage: https://www.boschsecurity.com/en/contact/

Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com .

Revision History

• 19 Nov 2025: Initial Publication

Appendix

Certified Partner Portal

Firmware can be downloaded from the Certified Partner Portal. To get access to the Certified Partner Portal, please get in contact with your authorized MAP sales representative.

Fixed Versions