
TRU wins top honours for OpenSSH vulnerability research at Pwnie Awards

Techday NZ

2 days ago


The Qualys Threat Research Unit (TRU) has received two awards at the Pwnie Awards in recognition of its recent threat research concerning vulnerabilities in OpenSSH and FreeBSD.

Recognition at Pwnie Awards

The TRU was acknowledged for its discovery of major cybersecurity vulnerabilities, earning the titles 'Epic Achievement' and 'Best Remote Code Execution (RCE)' at the event. These accolades commend the team's work in both regression discovery and the responsible disclosure of high-impact security flaws.

The Pwnie Awards are recognised within the cybersecurity research community as a benchmark for outstanding accomplishments related to the identification and resolution of security vulnerabilities. The dual recognition for TRU underscores the significance of the team's recent findings in the wider industry.

Uncovered vulnerabilities

The Epic Achievement award was given for the uncovering of two notable vulnerabilities within OpenSSH:

  • CVE-2024-6387, informally known as 'regreSSHion', identified as the first pre-authentication RCE vulnerability in OpenSSH in almost two decades.
  • CVE-2025-26465, a machine-in-the-middle vulnerability affecting OpenSSH's client, which resulted in FreeBSD systems being vulnerable by default for close to ten years.

TRU was also recognised in the Best RCE category for CVE-2024-6387 ('regreSSHion'). This rare vulnerability involved a signal handler race condition in the OpenSSH server's default configuration, potentially enabling exploitable heap corruption. The identification of this flaw has broad significance due to the wide adoption and longstanding reputation of OpenSSH in secure communications.

Company and leadership commentary

"Qualys has a rich legacy of groundbreaking vulnerability research that sets us apart, delivering genuine expertise in a crowded market," said Sumedh Thakar, president and CEO of Qualys. "I'm proud to see our TRU team recognised for their vital role in discovering critical vulnerabilities in widely used applications, such as OpenSSH. This work strengthens the security community through responsible disclosure and gives customers a critical edge. It provides premium research that helps security teams understand exploit impacts faster and defend more effectively."

The TRU has consistently collaborated with software vendors on the responsible disclosure of vulnerabilities. This commitment to swift and effective resolution contributes not only to the company's user base but also to broader improvements in cybersecurity standards. Over the last five years, TRU has accumulated 14 Pwnie Award nominations, winning four, evidence of its continued impact in the field.

"These high-impact vulnerabilities in a core technology like OpenSSH affect millions of devices worldwide, highlighting the importance of meticulous research and responsible disclosure," said Bharat Jogi, Senior Director, Vulnerability and Threat Research, Qualys TRU. "Our collaboration with open-source maintainers and the security community was key to rapid patches and strengthening security baselines. We're grateful to the Pwnie Award organisers and judges for recognising this work, which reflects not only our team's efforts, but a shared commitment to a safer internet."

Broader implications

The impact of these discoveries is notable given OpenSSH's prevalence as a core security technology. The vulnerabilities exposed by TRU, particularly the regreSSHion flaw, could have affected millions of devices. The subsequent collaboration and rapid patch development involved both open-source maintainers and wider industry stakeholders.

The awards also reinforce the necessity of ongoing research and prompt disclosure in ensuring software remains resilient against emerging threats. By making research findings publicly available and liaising with affected parties, TRU demonstrates a model of effective engagement in the cybersecurity community.
