Query Details

Critical OpenSSH Vulnerabilities Patch Prioritization

Query

// Critical OpenSSH Vulnerabilities – Patch Prioritization

// The following KQL identifies all your internet-facing OpenSSH servers vulnerable to CVE-2025-26466 and CVE-2025-26465. Get your IT infra engineers to prioritize patching these servers to version 9.9p2, released on 18 Feb 2025. Let's Go ! 🛡️

// https://www.openwall.com/lists/oss-security/2025/02/18/1
// https://www.openssh.com/releasenotes.html

// Devices that Defender marks as internet facing and that also report a public IP
let InternetFacingEP =
DeviceInfo
| where IsInternetFacing == true and isnotempty(PublicIP)
| distinct DeviceId;
let OpenSSHFixedVersion = dynamic(["9.9p2"]); // https://www.openssh.com/releasenotes.html
DeviceTvmSoftwareInventory
| where SoftwareName has "openssh"
// Keep installs whose version string is not the fixed release.
// Caveat: this string test also keeps releases newer than 9.9p2 and distro builds that backport the fix, so review the SoftwareVersion column.
| where not (SoftwareVersion has_any(OpenSSHFixedVersion))
// DeviceId is an exact identifier, so match it with in() against the internet-facing set
| where DeviceId in (InternetFacingEP)

Explanation

This KQL query is designed to identify internet-facing servers running OpenSSH that are vulnerable to specific security vulnerabilities (CVE-2025-26466 and CVE-2025-26465). Here's a simple breakdown of what the query does:

  1. Identify Internet-Facing Devices:
    • It first filters the DeviceInfo table to find devices that are accessible from the internet (i.e., Defender flags them as internet facing and they report a public IP address).
    • It collects the unique identifiers (DeviceId) of these internet-facing devices.
  2. Check OpenSSH Version:
    • It then looks into the DeviceTvmSoftwareInventory table to find devices that have OpenSSH installed.
    • It keeps only devices whose OpenSSH has not yet been updated to the fixed version 9.9p2, which was released on February 18, 2025, and discards the rest.
  3. Output Vulnerable Devices:
    • The query outputs a list of devices that are both internet-facing and running a vulnerable version of OpenSSH, indicating that these devices need to be prioritized for patching.

The goal is to help IT infrastructure engineers quickly identify and prioritize the patching of vulnerable OpenSSH servers to enhance security.
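The string comparison in the query above treats every version other than "9.9p2" as unpatched, so any later OpenSSH release would also be reported. The variant below is an added example, not the author's query: it parses the upstream version string into numeric parts and flags only releases below 9.9p2, then groups the result per device. It assumes the standard Defender advanced-hunting columns used on this page (DeviceId, DeviceName, OSPlatform, SoftwareName, SoftwareVersion, IsInternetFacing, PublicIP) and that SoftwareVersion starts with an upstream "major.minor" string such as "9.9p1"; the regexes, the Major/Minor/Patch/IsBelowFix names and the summarize layout are choices made here.

```kql
// Added example: version-aware variant of the patch-prioritization query.
let InternetFacingEP =
    DeviceInfo
    | where IsInternetFacing == true and isnotempty(PublicIP)
    | distinct DeviceId;
DeviceTvmSoftwareInventory
| where SoftwareName has "openssh"
| where DeviceId in (InternetFacingEP)
// Pull major, minor and portable patch level out of strings like "9.9p1" or "8.9p1-3ubuntu0.10".
// Patch is null for non-portable builds that have no "pN" suffix.
| extend Major = toint(extract(@"^(\d+)\.", 1, SoftwareVersion)),
         Minor = toint(extract(@"^\d+\.(\d+)", 1, SoftwareVersion)),
         Patch = toint(extract(@"^\d+\.\d+p(\d+)", 1, SoftwareVersion))
// Drop rows whose version string does not parse rather than guessing at them.
| where isnotnull(Major) and isnotnull(Minor)
// Fixed in 9.9p2: anything ordered below (9, 9, 2) still needs the update.
| extend IsBelowFix = Major < 9
                      or (Major == 9 and Minor < 9)
                      or (Major == 9 and Minor == 9 and coalesce(Patch, 0) < 2)
| where IsBelowFix
// One row per device, listing every unpatched OpenSSH version seen on it.
| summarize UnpatchedVersions = make_set(SoftwareVersion) by DeviceId, DeviceName, OSPlatform
| order by DeviceName asc
```

Distribution packages can backport the fix without raising the upstream version (for example a "-3ubuntu0.N" suffix), so a device listed here with a vendor-patched build should be confirmed against the distribution's advisory before it is treated as exposed.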

Details


Steven Lim

Released: February 18, 2025

Tables

DeviceInfo, DeviceTvmSoftwareInventory

Keywords

DeviceInfo, DeviceId, PublicIP, SoftwareName, SoftwareVersion, DeviceTvmSoftwareInventory

Operators

let, |, where, and, isnotempty, distinct, dynamic, has, not, has_any
