CyberWatch

PuTTY Vulnerable to Private Key Compromise Attack

By

Matthew Fagan and Alexander Marshall, Access Point Consulting

By

Access Point Consulting

Summary

PuTTY, a popular SSH and Telnet client, is currently subject to a vulnerability that can allow an attacker to compromise private keys. This vulnerability, identified as CVE-2024-31497 (CVSSv3: 5.9), affects 521-bit ECSA keys, and allows an attacker to recover a user’s NIST P-521 secret key utilizing a quick attack in roughly 60 signatures. The attacker, after compromising the private key, can log into any service for which that key is used.

Impact Assessment

This vulnerability can only compromise private keys when the key type is 521-bit ECDSA. If your organization does not utilize this key type, it is not subject to this vulnerability.

Affected Software:

  • PuTTy Secure Shell (SSH) (0.68-0.80)
  • FileZilla (3.24.1 - 3.66.5)
  • WinSCP (5.9.5 - 6.3.2)
  • TortoiseGit (2.4.0.2 - 2.15.0)
  • TortoiseSVN (1.10.0 - 1.14.6)

What It Means for You

If you or your organization utilize PuTTY and 521-bit ECDSA keys, changing key types or performing a patch is essential for remediation.

Remediation

  1. Updating to version .81 of PuTTY will remediate this vulnerability.
  2. Updating any version after the following versions will remediate the other affected software, FileZilla 3.67.0, WinSCP 6.3.3, TortoiseGit 2.15.0.1, and TortoiseSVN 1.14.6.

Mitigation

Utilizing another key type other than 521-bit ECDSA keys will mitigate this vulnerability.

Business Implications

Exploitation of this vulnerability can allow an attacker to access/interact with any services that utilize the compromised key and the consequences depend entirely on which services use the compromised key. Denial of service and unauthorized access to services are likely consequences, which can cause business inefficiencies and require an incident response effort.

Access Point Consulting Recommends

  1. Patch: Patching this vulnerability is the easiest way to perform mitigation.
  2. Mitigate: If utilizing the 521-bit ECDSA key, it is possible to mitigate this vulnerability by discontinuing use of that key type.
  3. Generate new keys: If your organization has updated to a non-vulnerable version of PuTTY it is recommended to also generate new keys as it is possible they could already be compromised.

Associated Bulletins

PuTTY SSH client flaw allows recovery of cryptographic private keys (bleepingcomputer.com)

CVE-2024-31497 | Tenable®

NVD - CVE-2024-31497 (nist.gov)

Widely-Used PuTTY SSH Client Found Vulnerable to Key Recovery Attack (thehackernews.com)

Resources

Latest Resources

Resources

CyberWatch

April 2, 2025

Scott "Monty" Montgomery (Island) | Navigating CMMC compliance for organizations of every size

Scott Montgomery, known as Monty, joined the CyberWatch Expert Series podcast to discuss his extensive background in cybersecurity, particularly in building and designing network security tools for high-assurance environments like the Department of Defense (DoD) and the intelligence community. His experience includes significant tenure at McAfee (now Trellix), which led him to his current role at Island, where he focuses on innovative approaches to cybersecurity compliance.

Find out more
March 19, 2025

Michael Sviben (DomainGuard) | Defending against phishing and building proactive security awareness

Cybersecurity threats evolve rapidly, and one tactic consistently rises above the rest: phishing. In this episode of CyberWatch, Michael Sviben, co-founder of DomainGuard, discusses why phishing remains so effective, how businesses and individuals become targets, and what you can do to stay vigilant.

Find out more
March 5, 2025

David Habib (Brightspot) | Building a culture of cybersecurity awareness

Cybersecurity awareness is often reduced to check-the-box training, but David Habib, CIO at Brightspot, argues that real security awareness isn’t about formal programs—it’s about making security part of a company’s culture. In this episode, he shares practical insights on how organizations can move beyond stale training sessions to create an engaged and security-conscious workforce.

Find out more