CVE-2023-48795, known as Terrapin, is a protocol-level integrity flaw in SSH transport and handshake processing that affects OpenSSH before 9.6 and numerous other SSH implementations. The issue arises during SSHv2 extension negotiation: the SSH Binary Packet Protocol handshake can be manipulated through sequence-number desynchronization. An active man-in-the-middle attacker can inject unauthenticated SSH_MSG_IGNORE packets during the handshake, alter the sequence-number state, and then cause one or more early encrypted packets from the server to be omitted without detection. This enables prefix truncation of the extension negotiation message and can silently disable or downgrade negotiated security features. The attack is practically effective against connections using chacha20-poly1305@openssh.com and, with CBC ciphers, against Encrypt-then-MAC modes using *-etm@openssh.com MAC algorithms. Because the weakness is generic to the protocol, it can also expose implementation-specific weaknesses in some products.
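As an added defender-side example (not from this page, OpenSSH, or any vendor), the following Python decodes a server's SSH_MSG_KEXINIT name-lists and applies the exposure check a Terrapin scanner performs: exposed if ChaCha20-Poly1305 or a CBC cipher with an -etm MAC is offered and strict key exchange is not. It assumes the OpenSSH 9.6 pseudo-algorithm kex-strict-s-v00@openssh.com marks the countermeasure, and the KEXINIT payloads fed to it are constructed with the included encoder.

```python
import struct

SSH_MSG_KEXINIT = 20
CHACHA20 = "chacha20-poly1305@openssh.com"
# Strict-KEX pseudo-algorithm a patched OpenSSH (9.6+) server advertises; assumed here
# to be the signal that the Terrapin countermeasure is in place.
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"
FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s",
          "mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def parse_kexinit(payload: bytes) -> dict:
    """Decode the ten name-lists of an SSH_MSG_KEXINIT payload (RFC 4253 7.1):
    byte 20, a 16-byte cookie, then uint32-length-prefixed comma-separated lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, lists = 17, {}
    for field in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated KEXINIT: missing name-list length")
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        raw = payload[pos + 4:pos + 4 + length]
        if len(raw) != length:
            raise ValueError("truncated KEXINIT: short name-list")
        lists[field] = [n for n in raw.decode("ascii").split(",") if n]
        pos += 4 + length
    return lists


def build_kexinit(lists: dict) -> bytes:
    """Encode a KEXINIT payload from name-lists (constructed sample data, zero cookie)."""
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for field in FIELDS:
        raw = ",".join(lists.get(field, [])).encode("ascii")
        body += struct.pack(">I", len(raw)) + raw
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved


def terrapin_exposure(server_lists: dict) -> dict:
    """Classify a server's offered algorithms: exposed if it offers ChaCha20-Poly1305
    or a CBC cipher together with an -etm MAC, and does not support strict KEX."""
    enc = set(server_lists["enc_c2s"]) | set(server_lists["enc_s2c"])
    mac = set(server_lists["mac_c2s"]) | set(server_lists["mac_s2c"])
    chacha = CHACHA20 in enc
    cbc_etm = any("-cbc" in c for c in enc) and any(m.endswith("-etm@openssh.com") for m in mac)
    strict = STRICT_KEX_SERVER in server_lists["kex"]
    return {"chacha20": chacha, "cbc_etm": cbc_etm, "strict_kex": strict,
            "vulnerable": (chacha or cbc_etm) and not strict}
```

A server that only advertises a vulnerable cipher but also advertises strict KEX is reported as not vulnerable, which matches the upgrade path of moving to OpenSSH 9.6 rather than only disabling algorithms.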
No valid public exploits. Mallory filtered out 6 candidates as fakes, detection scripts, or README-only repos.
All candidate exploits were filtered out by Mallory's validation.
18 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A named OpenSSH vulnerability (Terrapin) cited as one of multiple unpatched issues affecting the exposed OpenSSH 8.0 service on the Romanian host.
An OpenSSH Terrapin prefix truncation integrity bypass vulnerability listed among the known CVEs exposed by the compromised Spanish server.
OpenSSH transport-protocol weakness (pre-9.6, with certain extensions) allowing integrity-check bypass and downgrade of security features (Terrapin); Aruba upgraded OpenSSH to mitigate.
The Terrapin SSH man-in-the-middle vulnerability, mentioned as having public proof-of-concept code but assessed by the article as an improbable cause of the Zyxel-related ransomware intrusions.