SSHamble: New Open-Source Tool for Exploiting SSH Protocol Flaws

Security researchers have uncovered multiple critical vulnerabilities in SSH (Secure Shell) implementations across the internet, with new findings from DEFCON 33 revealing that millions of servers remain exposed to remote code execution attacks and authentication bypasses.

Major SSH Vulnerabilities Threaten Enterprise Infrastructure

The most severe discovery involves an Erlang OTP SSH remote code execution vulnerability (CVE-2023-48795) that allows attackers to execute arbitrary code before encryption even begins.

According to researchers from Ruhr University Bochum, the vulnerability exploits a state machine bug that accepts malicious messages after version negotiation.

“The exploit is trivially simple – a one-liner can achieve direct remote evaluation of Erlang code,” noted security researcher Fabian Bäumer.

The vulnerability particularly impacts Cisco NETCONF ConfD systems, which are widely deployed in enterprise networking infrastructure.

Other critical vulnerabilities include the RegreSSHion bug (CVE-2024-6387) affecting OpenSSH, which enables unauthenticated remote root code execution through signal re-entrance exploitation.

The MOVEit Transfer vulnerability (CVE-2024-5806) demonstrates how third-party SSH libraries can introduce authentication bypass flaws, allowing attackers to use UNC paths for unauthorized access.

Recent discoveries also include a Go SSH authentication bypass (CVE-2024-45337) where buggy applications incorrectly validate public keys, and Cisco Unified CM hardcoded root passwords (CVE-2025-20309) affecting specific version ranges.

Internet-Scale SSH Exposure

New research using the SSHamble security tool has scanned approximately 22 million IPv4 addresses running SSH on port 22, with 15.4 million reaching authentication state and 48,000 resulting in successful sessions.

Despite improvements in filtering out tarpits, researchers identified three persistent common issues: hardcoded/reused host keys, authentication bypasses, and pre-authentication port forwarding vulnerabilities.

The adoption of OpenSSH 9.8’s PerSourcePenalties feature remains critically low, with fewer than 500,000 servers out of 20 million exposed OpenSSH instances running version 9.8 or newer.

This security feature implements default rate limiting that significantly hampers exploitation attempts.
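A defender can measure the same adoption gap on their own estate from SSH identification strings they have already collected. The sketch below is an added example, not part of the original article or of SSHamble; the hostnames and banners are constructed, and it assumes the portable OpenSSH banner format. A banner only shows the advertised version, so confirm the effective setting on the host itself.

```python
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments"
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
# Portable OpenSSH advertises itself as OpenSSH_<major>.<minor>[p<n>]
OPENSSH_RE = re.compile(r"^OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)")

# The article states PerSourcePenalties arrived with OpenSSH 9.8.
PENALTIES_MIN = (9, 8)

def classify_banner(banner):
    """Return (status, version) for one identification string.

    status: 'has-penalties', 'too-old', 'not-openssh' or 'malformed'.
    Non-OpenSSH servers and unrecognised banner formats are left for
    manual review rather than guessed at.
    """
    m = BANNER_RE.match(banner.strip())
    if not m:
        return ("malformed", None)
    o = OPENSSH_RE.match(m.group("software"))
    if not o:
        return ("not-openssh", None)
    # Compare as integer tuples: a string compare would rank 10.0 below 9.8.
    version = (int(o.group("major")), int(o.group("minor")))
    status = "has-penalties" if version >= PENALTIES_MIN else "too-old"
    return (status, version)

def summarize(inventory):
    """Group hosts by status. inventory maps host name -> banner string."""
    groups = {}
    for host, banner in inventory.items():
        groups.setdefault(classify_banner(banner)[0], []).append(host)
    return {status: sorted(hosts) for status, hosts in groups.items()}

# Constructed sample inventory (made-up hosts and banners).
SAMPLE = {
    "bastion-01": "SSH-2.0-OpenSSH_9.8p1 Debian-1",
    "build-02": "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10",
    "git-03": "SSH-2.0-Go",
    "legacy-04": "SSH-1.99-OpenSSH_7.4",
    "db-05": "SSH-2.0-OpenSSH_10.0",
    "tarpit-06": "garbage\x00data",
}

if __name__ == "__main__":
    for status, hosts in sorted(summarize(SAMPLE).items()):
        print(f"{status:14} {', '.join(hosts)}")
```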

Analysis shows that while total SSH exposure has decreased from 27 million to 22 million addresses since 2024, the proportion of valid SSH servers has increased, suggesting better filtering of honeypots and tarpits but persistent real vulnerabilities.

Enhanced Security Tools Combat SSH Threat Landscape

SSHamble 0.2.x comes with enhanced capabilities, including automatic BadKeys.info blocklist lookups, expanded authentication bypass detection methods, and experimental blind execution vulnerability checks.

The tool now supports over 30 built-in security tests, ranging from auth-none and skip-auth methods to vuln-tcp-forward and vuln-exec-skip-auth checks.

$ sshamble scan -o results.json 192.168.0.0/24 \
    --users root,admin,jenkins \
    --password-file passwords.txt \
    -p 22,2222 \
    --interact first

Integration with Nuclei templates allows security teams to incorporate SSH vulnerability detection into existing scanning workflows, making enterprise-scale assessments more accessible.

The post SSHamble: New Open-Source Tool for Exploiting SSH Protocol Flaws appeared first on Cyber Security News.
