RegreSSHion Vulnerability Remediation

Being that a critical CVE has been identified (RegreSSHion) and Windows Server 2025 has OpenSSH installed by default, what is Microsoft's plan to remediate this?  The feature is disabled by default, but installed already - causing it to show as "out of compliance" in vulnerability scans.

Read below:

CVE-2024-6387: How to fix the regreSSHion vulnerability | Vulcan Cyber
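The finding described in the post hinges on install state versus enable state: the OpenSSH capability can be present on disk while the sshd service is stopped or disabled, and most scanners key off the binaries rather than the service. The script below is an added example, not something posted in the thread, that collects the facts an administrator needs to answer such a finding on a Windows Server host: which OpenSSH capabilities are installed, whether the sshd service exists and how it is configured to start, whether anything is listening on TCP 22, and the reported OpenSSH version. It assumes an elevated PowerShell 5.1 or later session (required by Get-WindowsCapability -Online) and the default Win32-OpenSSH install path under System32\OpenSSH.

```powershell
# Added example: inventory the Win32-OpenSSH footprint on a Windows Server host so a
# vulnerability-scanner finding can be checked against the real install/enable state.
# Run from an elevated session; Get-WindowsCapability -Online needs administrator rights.

function Get-OpenSshPosture {
    # Optional-feature state for the client and server capabilities ('Installed' / 'NotPresent').
    # A scanner typically flags the host as soon as the Server capability is Installed,
    # regardless of whether sshd is ever started.
    $caps = Get-WindowsCapability -Online -Name 'OpenSSH*' |
        Select-Object Name, State

    # The sshd service is registered only when the Server capability is installed.
    # StartType tells you whether it is Disabled, Manual or Automatic.
    $svc = Get-Service -Name sshd -ErrorAction SilentlyContinue

    # Version string: ssh -V writes to stderr, so merge the streams before capturing.
    # Path assumption: default Win32-OpenSSH location.
    $ver = $null
    $sshExe = Join-Path $env:SystemRoot 'System32\OpenSSH\ssh.exe'
    if (Test-Path $sshExe) {
        $ver = (& $sshExe -V 2>&1 | Out-String).Trim()
    }

    # Is anything actually accepting SSH connections right now?
    $listening = [bool](Get-NetTCPConnection -LocalPort 22 -State Listen -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Capabilities  = $caps
        SshdPresent   = [bool]$svc
        SshdStatus    = if ($svc) { $svc.Status }    else { 'n/a' }
        SshdStartType = if ($svc) { $svc.StartType } else { 'n/a' }
        Listening22   = $listening
        Version       = $ver
    }
}

$posture = Get-OpenSshPosture
$posture.Capabilities | Format-Table -AutoSize
$posture | Select-Object SshdPresent, SshdStatus, SshdStartType, Listening22, Version | Format-List
```

Compare the reported version string with the vendor advisory for the specific build in use before deciding whether the finding is a true positive; a host where the Server capability is Installed but sshd is Disabled and nothing listens on 22 has no exposed service, which is the evidence a compliance exception normally needs.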

4 Replies

@xTheMan42 MS Windows Server vNEXT (2025) is a preview product, of course it will be out of compliance in many ways. Feature should update through Windows Update or later builds, but who knows when.

@gabrielgbs97

I don't disagree, but the goal is to identify these issues and get them remediated before GA.

Have to weigh the benefits versus possible exploitation. OpenSSH and associated encryption tools would be better to have on a system than telnet.exe, for example. Both are sometimes needed.

Still, is there a statement from Microsoft that its OpenSSH build is affected? I thought it was related to glibc, and Qualys said that macOS/Windows exploitation was uncertain and required further analysis.