SFTP password exposed in logs

Hi all,

my SOC has opened an incident because it appears that the credentials entered in an SSH connector are exposed in the logs.
Here is a screenshot of the connector:

These are the notes from my SOC:

Due to the use of an improper credential masking method in a command line, the credentials for the account listed below have been exposed.

Security Risk

  • The SFTP username and password were passed in cleartext on the command line, exposing them to local command history and anyone with access to the machine.

  • The full command including credentials was ingested by logging/SIEM systems, making the credentials visible to all users with access to those logs.

  • This exposure could allow unauthorized SFTP access to the associated system or data.

Does anyone know why the password is exposed in the logs and whether there is a solution to this issue?

Thank you

Claudio

Hi Claudio,

The password is definitely not exposed in EasyMorph logs. So it looks like they are talking about logs on the SFTP server side?

Hi Andrew and thanks for your response,

following that, I asked our SOC team to take a closer look at the root cause of the issue. We found that it does not originate from the EasyMorph logs, but rather from another batch process.

So, thank you and apologies for the misunderstanding and the time wasted.

Hi Claudio,

No worries. Thank you for the update.
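The exposure the SOC notes describe (a password on a command line that is then ingested by logging/SIEM) can be caught and masked before ingestion. The sketch below is an added example, not part of the thread and not EasyMorph code; the patterns cover common client syntaxes (PuTTY `-pw`, `sshpass -p`, `lftp -u`, `curl -u`, URL userinfo), and all hosts, users and passwords in the sample lines are constructed.

```python
import re

MASK = "****"
SECRET = r"""(?P<secret>"[^"]*"|'[^']*'|\S+)"""

# Ways a password commonly lands in a process command line. Group 'pre' is
# kept in the output; group 'secret' is replaced with MASK.
PATTERNS = [
    # URL userinfo, e.g. WinSCP "open sftp://user:secret@host"
    re.compile(r"(?P<pre>\b(?:sftp|scp|ftps?)://[^\s:/@]+:)(?P<secret>[^\s@]+)(?=@)", re.I),
    # PuTTY tools (psftp, pscp, plink): -pw secret
    re.compile(r"(?P<pre>(?<!\S)-pw\s+)" + SECRET),
    # sshpass -p secret
    re.compile(r"(?P<pre>\bsshpass\s+-p\s*)" + SECRET),
    # lftp -u user,secret
    re.compile(r"(?P<pre>\blftp\b.*?\s-u\s+[^\s,]+,)" + SECRET),
    # curl -u user:secret / --user user:secret
    re.compile(r"(?P<pre>\bcurl\b.*?\s(?:-u|--user)\s+[^\s:]+:)" + SECRET),
]

def redact(cmdline):
    """Return (masked command line, number of secrets masked)."""
    hits = 0
    for rx in PATTERNS:
        cmdline, n = rx.subn(lambda m: m.group("pre") + MASK, cmdline)
        hits += n
    return cmdline, hits

def scan(lines):
    """Return [(line_number, masked_line)] for lines that carried a secret."""
    flagged = []
    for no, line in enumerate(lines, 1):
        masked, hits = redact(line)
        if hits:
            flagged.append((no, masked))
    return flagged

# Constructed process-creation command lines (hosts, users, password are made up).
SAMPLE = [
    "psftp.exe -l batchuser -pw S3cr3t-Example -b upload.scr sftp.example.test",
    'winscp.com /command "open sftp://batchuser:S3cr3t-Example@sftp.example.test" "put out.csv"',
    "sshpass -p 'S3cr3t-Example' sftp batchuser@sftp.example.test",
    "sftp -i /home/batch/.ssh/id_ed25519 -b upload.scr batchuser@sftp.example.test",
    "curl --user batchuser:S3cr3t-Example -T out.csv sftp://sftp.example.test/in/",
]

if __name__ == "__main__":
    for no, masked in scan(SAMPLE):
        print(f"line {no}: credential on command line -> {masked}")
```

Masking at the collector only limits who can read the value in the SIEM; a flagged job is still passing the secret on its command line, as in the batch process found here.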