CyberWatch
Expert Insights
Webinars & Events
Press
Emerging Voices CyberWatch 
|
.
CyberWatch

PuTTY Vulnerable to Private Key Compromise Attack

By

Matthew Fagan and Alexander Marshall, Access Point Consulting

By

Access Point Consulting

Summary

PuTTY, a popular SSH and Telnet client, is currently subject to a vulnerability that can allow an attacker to compromise private keys. This vulnerability, identified as CVE-2024-31497 (CVSSv3: 5.9), affects 521-bit ECSA keys, and allows an attacker to recover a user’s NIST P-521 secret key utilizing a quick attack in roughly 60 signatures. The attacker, after compromising the private key, can log into any service for which that key is used.

Impact Assessment

This vulnerability can only compromise private keys when the key type is 521-bit ECDSA. If your organization does not utilize this key type, it is not subject to this vulnerability.

Affected Software:

  • PuTTy Secure Shell (SSH) (0.68-0.80)
  • FileZilla (3.24.1 - 3.66.5)
  • WinSCP (5.9.5 - 6.3.2)
  • TortoiseGit (2.4.0.2 - 2.15.0)
  • TortoiseSVN (1.10.0 - 1.14.6)

What It Means for You

If you or your organization utilize PuTTY and 521-bit ECDSA keys, changing key types or performing a patch is essential for remediation.

Remediation

  1. Updating to version .81 of PuTTY will remediate this vulnerability.
  2. Updating any version after the following versions will remediate the other affected software, FileZilla 3.67.0, WinSCP 6.3.3, TortoiseGit 2.15.0.1, and TortoiseSVN 1.14.6.

Mitigation

Utilizing another key type other than 521-bit ECDSA keys will mitigate this vulnerability.

Business Implications

Exploitation of this vulnerability can allow an attacker to access/interact with any services that utilize the compromised key and the consequences depend entirely on which services use the compromised key. Denial of service and unauthorized access to services are likely consequences, which can cause business inefficiencies and require an incident response effort.

Access Point Consulting Recommends

  1. Patch: Patching this vulnerability is the easiest way to perform mitigation.
  2. Mitigate: If utilizing the 521-bit ECDSA key, it is possible to mitigate this vulnerability by discontinuing use of that key type.
  3. Generate new keys: If your organization has updated to a non-vulnerable version of PuTTY it is recommended to also generate new keys as it is possible they could already be compromised.

Associated Bulletins

PuTTY SSH client flaw allows recovery of cryptographic private keys (bleepingcomputer.com)

CVE-2024-31497 | Tenable®

NVD - CVE-2024-31497 (nist.gov)

Widely-Used PuTTY SSH Client Found Vulnerable to Key Recovery Attack (thehackernews.com)

Resources

Latest Resources

February 5, 2025

Simple, Cost-Effective Ways for SMBs to Achieve Compliance

For small and medium-sized businesses (SMBs), regulatory and industry compliance can feel like more of a burden than necessary. Many of the most critical compliance measures are also the most straightforward to implement. Below are 5 practical steps any SMB can take to meet regulatory demands without breaking the bank.

Find out more

March 5, 2025

David Habib (Brightspot) | Building a culture of cybersecurity awareness

Cybersecurity awareness is often reduced to check-the-box training, but David Habib, CIO at Brightspot, argues that real security awareness isn’t about formal programs—it’s about making security part of a company’s culture. In this episode, he shares practical insights on how organizations can move beyond stale training sessions to create an engaged and security-conscious workforce.

Find out more

February 24, 2025

Access Point Consulting Announces MSSP Partnership with Fortinet

Access Point Consulting is pleased to announce that it has become a Fortinet Managed Security Services Provider (MSSP) partner. This partnership places Access Point Consulting among a select group of providers in the Mid-Atlantic region that can offer Fortinet security solutions as both a Certified Fortinet Partner and a Fortinet MSSP.

Find out more
Resources

CyberWatch

March 5, 2025

David Habib (Brightspot) | Building a culture of cybersecurity awareness

Cybersecurity awareness is often reduced to check-the-box training, but David Habib, CIO at Brightspot, argues that real security awareness isn’t about formal programs—it’s about making security part of a company’s culture. In this episode, he shares practical insights on how organizations can move beyond stale training sessions to create an engaged and security-conscious workforce.

Find out more
February 26, 2025

Lori Keller (Access Point Consulting) | Project management’s role in cybersecurity

Cybersecurity projects don’t just require technical expertise—they demand structured planning, risk management, and coordination across teams. Lori Keller, a practitioner in cybersecurity project management, joins CyberWatch to discuss how strong project management practices drive security success.

Find out more
February 19, 2025

Adithya Vellal (Petra Security) | Advancing cybersecurity maturity in the cloud

Cybersecurity maturity isn’t just about implementing tools—it’s about developing repeatable processes that align security with business objectives. Adithya Vellal, founder of Petra Security, joins CyberWatch to discuss how organizations can take a structured approach to cybersecurity, reduce risk, and communicate security priorities effectively.

Find out more

Peace of mind starts here, at Access Point Consulting

Meet with an Expert