CVE-2026-46595 Microsoft Sentinel · KQL

Detect CVE-2026-46595: golang.org/x/crypto/ssh VerifiedPublicKeyCallback Authentication Bypass in Microsoft Sentinel

Detects exploitation of CVE-2026-46595, a critical authentication bypass vulnerability (CVSS 10.0) in golang.org/x/crypto/ssh versions prior to 0.52.0. When VerifiedPublicKeyCallback is used, SSH server implementations fail to enforce permission checks, allowing attackers to authenticate without proper authorization. This is a regression/variant of CVE-2024-45337 and carries a public PoC.

MITRE ATT&CK

Tactic
Initial Access Persistence Lateral Movement

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
union isfuzzy=true
(
  // Detect SSH authentication events where public key auth succeeds anomalously
  CommonSecurityLog
  | where DeviceEventClassID has_any ("sshd", "openssh", "ssh")
  | where Message has_any ("Accepted publickey", "publickey authentication", "keyboard-interactive")
  | where DeviceProduct has_any ("go", "golang", "ssh")
  | extend AuthMethod = extract("auth method: ([\\w-]+)", 1, Message)
  | extend Username = extract("for ([\\w]+) from", 1, Message)
  | extend SourceIP = SourceIP
  | project TimeGenerated, SourceIP, DestinationIP, Username, AuthMethod, Message, Computer
),
(
  // Detect Go SSH server processes with unexpected successful auth
  Syslog
  | where Facility == "auth" or SyslogMessage has "sshd"
  | where SyslogMessage has_any ("Accepted", "publickey", "VerifiedPublicKey")
  | extend Username = extract("for ([\\w]+) from", 1, SyslogMessage)
  | extend SourceIP = extract("from ([\\d\.]+)", 1, SyslogMessage)
  | project TimeGenerated, HostName, SourceIP, Username, SyslogMessage
),
(
  // Detect anomalous SSH lateral movement via process telemetry
  DeviceProcessEvents
  | where FileName in~ ("ssh", "sshd") or ProcessCommandLine has "ssh"
  | where InitiatingProcessFileName has_any ("go", "golang") or FolderPath has "golang"
  | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, RemoteIP
)
| where isnotempty(SourceIP) or isnotempty(RemoteIP)
| summarize Count=count(), FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by SourceIP, Username, Computer, HostName
| where Count >= 1
| extend RiskScore = case(Count > 10, "High", Count > 3, "Medium", "Low")
| sort by LastSeen desc
critical severity medium confidence

Detects successful SSH public key authentication events on systems running Go-based SSH servers potentially vulnerable to CVE-2026-46595. Looks for anomalous authentication patterns across CommonSecurityLog, Syslog, and process telemetry that may indicate VerifiedPublicKeyCallback bypass exploitation.

Data Sources

CommonSecurityLogSyslogDeviceProcessEventsSecurityEvent

Required Tables

CommonSecurityLogSyslogDeviceProcessEvents

False Positives & Tuning

  • Legitimate SSH public key authentication by authorized users on Go-based SSH servers
  • Automated deployment pipelines or CI/CD systems using Go SSH libraries for key-based authentication
  • Monitoring agents or security tools built with golang.org/x/crypto/ssh performing health checks
  • SSH multiplexing or persistent connections from developer workstations

Other platforms for CVE-2026-46595

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1CVE-2026-46595 PoC: VerifiedPublicKeyCallback Auth Bypass Simulation

    Expected signal: SSH authentication log entry showing 'Accepted publickey for testuser' despite the key not being in the authorized_keys list or having required permissions. Process execution events showing 'id', 'hostname', and echo commands as child processes of the SSH daemon.

  2. Test 2Identify Vulnerable golang.org/x/crypto/ssh Deployments via Binary Inspection

    Expected signal: Process execution events for 'go' binary with 'version -m' arguments, file access events on Go binaries in /usr/local/bin, /usr/bin, /opt, and /proc/*/exe paths.

  3. Test 3SSH Brute-Force Simulation Against Go SSH Server to Test Alerting

    Expected signal: Multiple 'Invalid user' or 'Failed publickey' log entries from the lab host IP, followed by potential 'Accepted publickey' entries if testing against a vulnerable server. Network connection events on the SSH port from the test machine.

Last updated: 2026-06-26 Research depth: standard
References (7)

Unlock Pro Content

Get the full detection package for CVE-2026-46595 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0003PersistenceTA0008Lateral Movement

Related Techniques

T1190Exploit Public-Facing ApplicationT1078Valid AccountsT1021.004SSHT1550Use Alternate Authentication Material

Same Tactic: Initial Access

Popular Detections