RegreSSHion (CVE-2024-6387) proved particularly dangerous, enabling unauthenticated remote code execution through a signal reentrance vulnerability in OpenSSH. The vulnerability affected countless Linux systems and network appliances running vulnerable OpenSSH versions, though exploitation proved challenging due to modern memory protections.
The MOVEit vulnerability (CVE-2024-5806) demonstrated how third-party SSH libraries could introduce unexpected attack vectors. In this case, the IPWorks SSH library treated public key authentication data as file paths, enabling authentication bypass.
Internet-wide scanning reveals persistent exposure patterns
It’s bad enough that there have been many publicly disclosed SSH issues. What makes it potentially even worse is how open so many SSH servers are to the public internet.
Moore’s comprehensive scanning of IPv4 space revealed significant trends in SSH exposure. The research identified approximately 22 million addresses with port 22 open, down from 27 million in 2024. Port 22 is the default networking port used for SSH. Of this 22 million, the scan was able to get to an SSH authentication stage on 15.4 million devices.
The data showed concerning patterns in implementation diversity. While OpenSSH and Dropbear account for roughly 98% of SSH implementations, the remaining 2% consists of embedded devices, network equipment and specialized applications that frequently contain vulnerabilities. These non-standard implementations often appear in critical infrastructure components including industrial control systems, network appliances and file transfer solutions.
Patch adoption remains critically low
One of the most troubling findings concerned the adoption rate of security improvements.
