Critical Open SSH Vulnerabilities Patch Prioritization
Query
// Critical OpenSSH Vulnerabilities – Patch Prioritization
// The following KQL identified all your internet facing OpenSSH servers vulnerable to CVE-2025-26466 and CVE-2025-26465. You should get your IT infra engineers to prioritize patching these servers to version 9.9p2 that is released on 18th Feb 2025. Let's Go ! 🛡️
// https://www.openwall.com/lists/oss-security/2025/02/18/1
// https://www.openssh.com/releasenotes.html
let InternetFacingEP =
DeviceInfo
| where IsInternetFacing == true and isnotempty(PublicIP)
| distinct DeviceId;
let OpenSSHFixedVersion = dynamic(["9.9p2"]); // https://www.openssh.com/releasenotes.html
DeviceTvmSoftwareInventory
| where SoftwareName has "openssh"
| where not (SoftwareVersion has_any(OpenSSHFixedVersion))
| where DeviceId has_any(InternetFacingEP)Explanation
This KQL query is designed to identify internet-facing servers running OpenSSH that are vulnerable to specific security vulnerabilities (CVE-2025-26466 and CVE-2025-26465). Here's a simple breakdown of what the query does:
-
Identify Internet-Facing Devices:
- It first filters the
DeviceInfotable to find devices that are accessible from the internet (i.e., they have a public IP address). - It collects the unique identifiers (
DeviceId) of these internet-facing devices.
- It first filters the
-
Check OpenSSH Version:
- It then looks into the
DeviceTvmSoftwareInventorytable to find devices that have OpenSSH installed. - It filters out devices that have not yet been updated to the secure version 9.9p2 of OpenSSH, which was released on February 18, 2025.
- It then looks into the
-
Output Vulnerable Devices:
- The query outputs a list of devices that are both internet-facing and running a vulnerable version of OpenSSH, indicating that these devices need to be prioritized for patching.
The goal is to help IT infrastructure engineers quickly identify and prioritize the patching of vulnerable OpenSSH servers to enhance security.
Details

Steven Lim
Released: February 18, 2025
Tables
DeviceInfoDeviceTvmSoftwareInventory
Keywords
DeviceInfoDeviceIdPublicIPSoftwareNameSoftwareVersionDeviceTvmSoftwareInventory
Operators
let|whereandisnotemptydistinctdynamichasnothas_any