CVE-2024-6387

HIGHNVD 8.18.1
EchelonGraph scoreMEDIUM confidence

Score 8.1 from GitHub Security Advisory (severity: HIGH) published 2024-07-01. NVD baseline CVSS 8.1; sources differ by 0.0.

Triggered by: GitHub Security Advisory CVSS
Sources: epss, ghsa, nvd
Weaponized
8.1
EchelonGraph verdictPatch this weekExploitation is likely or a public exploit exists.
  • 958 internet-exposed hosts are running an affected version right now
  • High exploitation likelihood — EPSS 100%
CISA-KEV: Not listedEPSS: 100%CVSS: 8.1Exploit: NoneExposed: 958

A fix is available — apply it.

A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.

Live · internet exposure

958 internet-exposed hosts are running an affected version of CVE-2024-6387 right now.

across 60 countries (United States, Germany, China, France, Singapore)top: openssh
See the live KEV-Exposure radar →Found passively from public internet-scan data — aggregate, host-redacted.

EchelonGraph is the only CVE feed that fuses live vulnerability intelligence with its own live internet-exposure radar — so you see not just that a CVE is exploited, but how much of the internet is exposed to it right now.

CVSS v3
8.1
EG Score
8.1(medium)
EPSS
99.9%
KEV
Not listed

Published

July 1, 2024

Last Modified

May 12, 2026

Advisory Details (10)

Auto-updated May 12, 2026
🔬 Proof of concept available. Patch available. Sources: redhat.
generic🟡 PoC Available

blog | The public blog of Santander Cyber Security Research

https://santandersecurityresearch.github.io/blog/sshing_the_masses.html
redhat Patch Available

2294604 – (CVE-2024-6387, regreSSHion) CVE-2024-6387 openssh: regreSSHion - race condition in SSH allows RCE/DoS

Affected: Red Hat Enterprise Linux 9

https://bugzilla.redhat.com/show_bug.cgi?id=2294604
redhat Patch Available

cve-details

https://access.redhat.com/security/cve/CVE-2024-6387
redhat Patch Available

Affected: Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.

https://access.redhat.com/errata/RHSA-2024:4389
redhat Patch Available

Affected: Red Hat Enterprise Linux 9.2 Extended Update Support.

https://access.redhat.com/errata/RHSA-2024:4340
redhat Patch Available

Affected: Red Hat Enterprise Linux 9.

https://access.redhat.com/errata/RHSA-2024:4312

Patch Availability(8)

Vendor / EcosystemFixed in / PatchReleasedSource
ubuntussh-askpass-gnome (1:9.6p1-3ubuntu13.3) @ noble2026-05-22ubuntu
redhatrhcos-415.92.202407091355-02024-07-18redhat
redhatrhcos-413.92.202407091321-02024-07-17redhat
redhatrhcos-414.92.202407091253-02024-07-17redhat
redhatrhcos-416.94.202407081958-02024-07-16redhat
redhatopenssh-0:8.7p1-12.el9_0.12024-07-08redhat
redhatopenssh-0:8.7p1-30.el9_2.42024-07-05redhat
redhatopenssh-0:8.7p1-38.el9_4.12024-07-03redhat

Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.

Weakness Classification(2)

MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.

Additional Vendor Advisories

(2)

Vendors that published advisories for this CVE beyond the curated set above. Broader coverage but minimal per-row detail — click through for the original advisory.

Data Freshness Timeline

(refreshed 3× in last 7d / 8× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-11 03:52 UTCOSV refresh
  2. 2026-07-06 16:26 UTCEPSS rescore
  3. 2026-07-06 16:26 UTCEPSS rescore
  4. 2026-06-22 11:02 UTCOSV refresh
  5. 2026-06-16 17:52 UTCEPSS rescore
  6. 2026-06-15 17:48 UTCEPSS rescore
  7. 2026-06-12 23:11 UTCEPSS rescore
  8. 2026-06-12 23:11 UTCEPSS rescore
  9. 2026-06-11 13:59 UTCEPSS rescore
  10. 2026-06-11 13:59 UTCEPSS rescore
  11. 2026-06-10 22:18 UTCEPSS rescore
  12. 2026-06-10 22:18 UTCEPSS rescore
  13. 2026-06-10 13:21 UTCEPSS rescore
  14. 2026-06-08 14:16 UTCEPSS rescore
  15. 2026-06-08 14:16 UTCEPSS rescore
  16. 2026-06-07 15:24 UTCEPSS rescore
  17. 2026-06-07 15:24 UTCEPSS rescore
  18. 2026-06-06 13:46 UTCEPSS rescore
  19. 2026-06-06 13:46 UTCEPSS rescore
  20. 2026-06-05 22:46 UTCEPSS rescore
  21. 2026-06-05 22:46 UTCEPSS rescore
  22. 2026-06-05 06:09 UTCEPSS rescore
  23. 2026-06-05 06:09 UTCEPSS rescore
  24. 2026-06-04 15:39 UTCOSV refresh
  25. 2026-06-02 20:12 UTCEPSS rescore
Show 29 more
  1. 2026-06-02 20:12 UTCEPSS rescore
  2. 2026-06-01 13:51 UTCEPSS rescore
  3. 2026-06-01 13:51 UTCEPSS rescore
  4. 2026-06-01 13:51 UTCEPSS rescore
  5. 2026-05-31 22:30 UTCEPSS rescore
  6. 2026-05-31 22:30 UTCEPSS rescore
  7. 2026-05-31 00:16 UTCEPSS rescore
  8. 2026-05-31 00:16 UTCEPSS rescore
  9. 2026-05-29 13:43 UTCEPSS rescore
  10. 2026-05-28 13:44 UTCEPSS rescore
  11. 2026-05-28 13:44 UTCEPSS rescore
  12. 2026-05-28 13:44 UTCEPSS rescore
  13. 2026-05-27 13:40 UTCEPSS rescore
  14. 2026-05-27 13:40 UTCEPSS rescore
  15. 2026-05-22 21:16 UTCEPSS rescore
  16. 2026-05-22 21:16 UTCEPSS rescore
  17. 2026-05-22 21:16 UTCEPSS rescore
  18. 2026-05-22 21:16 UTCEPSS rescore
  19. 2026-05-22 00:36 UTCEG score recompute
  20. 2026-05-22 00:36 UTCVendor advisory
  21. 2026-05-22 00:36 UTCGHSA enrichment
  22. 2026-05-21 22:42 UTCEPSS rescore
  23. 2026-05-20 22:37 UTCEPSS rescore
  24. 2026-05-20 22:37 UTCEPSS rescore
  25. 2026-05-20 22:37 UTCEPSS rescore
  26. 2026-05-20 22:37 UTCEPSS rescore
  27. 2026-05-20 22:37 UTCEPSS rescore
  28. 2026-05-18 21:30 UTCEPSS rescore
  29. 2026-05-18 21:30 UTCEPSS rescore

Publicly available exploits

(10 references)

Working exploit code is in the public domain (9 GitHub PoCs) (1 Exploit-DB entry). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.

  • Exploit-DBEDB-52269
    First seen Apr 22, 2025

    OpenSSH server (sshd) 9.8p1 - Race Condition

    Open source ↗
  • GitHub PoCfilipi86/CVE-2024-6387-Vulnerability-Checker
    First seen Jul 9, 2024

    This Python script checks for the CVE-2024-6387 vulnerability in OpenSSH servers. It supports multiple IP addresses, URLs, CIDR ranges, and ports. The script can also read addresses from a file.

    Open source ↗
  • GitHub PoCKarmakstylez/CVE-2024-6387
    First seen Jul 8, 2024

    Remote Unauthenticated Code Execution Vulnerability in OpenSSH server (CVE-2024-6387)

    Open source ↗
  • GitHub PoCzgzhang/cve-2024-6387-poc
    First seen Jul 3, 2024

    Reproduction PoC for the OpenSSH signal-handler race condition (32-bit demo).

    Open source ↗
  • GitHub PoCl0n3m4n/CVE-2024-6387
    First seen Jul 2, 2024

    PoC - Remote Unauthenticated Code Execution Vulnerability in OpenSSH server (Scanner and Exploit)

    Open source ↗
  • GitHub PoCxonoxitron/regreSSHion
    First seen Jul 2, 2024

    CVE-2024-6387 (regreSSHion) Exploit (PoC), a vulnerability in OpenSSH's server (sshd) on glibc-based Linux systems.

    Open source ↗
  • GitHub PoCd0rb/CVE-2024-6387
    First seen Jul 2, 2024

    This Python script exploits a remote code execution vulnerability (CVE-2024-6387) in OpenSSH.

    Open source ↗
  • GitHub PoCxaitax/CVE-2024-6387_Check
    First seen Jul 1, 2024

    CVE-2024-6387_Check is a lightweight, efficient tool designed to identify servers running vulnerable versions of OpenSSH

    Open source ↗
  • GitHub PoCacrono/cve-2024-6387-poc
    First seen Jul 1, 2024

    32-bit PoC for CVE-2024-6387 — mirror of the original 7etsuo/cve-2024-6387-poc

    Open source ↗
  • GitHub PoClflare/cve-2024-6387-poc
    First seen Jul 1, 2024

    MIRROR of the original 32-bit PoC for CVE-2024-6387 "regreSSHion" by 7etsuo/cve-2024-6387-poc

    Open source ↗

Past incidents using this CVE

(1)

This CVE was central to one or more publicly-documented breaches. Each card links to authoritative reporting at the time of the incident.

  • regreSSHion (OpenSSH)Jul 2024

    Signal-handler race condition in OpenSSH sshd allowed unauthenticated RCE as root on glibc-based Linux systems. Qualys disclosed; affected millions of internet-facing sshd instances.

    Source: Qualys

Frequently asked(5)

What is CVE-2024-6387?
CVE-2024-6387 is a high vulnerability published on July 1, 2024. A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.
When was CVE-2024-6387 disclosed?
CVE-2024-6387 was first published in the National Vulnerability Database on July 1, 2024, with the most recent update on May 12, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2024-6387 actively exploited?
CVE-2024-6387 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 99.9% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2024-6387?
CVE-2024-6387 has a CVSS v3 base score of 8.1 (NVD).
How do I remediate CVE-2024-6387?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2024-6387, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2024-6387

Explore →

Is Your Infrastructure Affected by CVE-2024-6387?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.