PatchSiren

PatchSiren cyber security CVE debrief

CVE-2023-28531 Netapp CVE debrief

CVE-2023-28531 is a critical-rated OpenSSH issue in which ssh-add adds smartcard (PKCS#11) keys to ssh-agent without applying the per-hop destination constraints the user requested. Destination constraints (the ssh-add -h option introduced in OpenSSH 8.9) are meant to restrict which hosts a forwarded key may be used to authenticate to; for keys loaded from a smartcard, the constraint was silently dropped, so a compromised intermediate host could use the forwarded key beyond the intended hop. The supplied corpus says the earliest affected version is 8.9, and NVD lists the vulnerable OpenSSH range as 8.9 through 9.2 (fixed in 9.3). Because the issue touches SSH authentication and agent key handling, organizations that rely on constrained agent forwarding should treat this as a high-priority patch item.

Vendor
Netapp
Product
OpenSSH (the stored record's product field repeats the CVE ID; the vulnerability description names OpenSSH, see Evidence notes)
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2023-03-17
Original CVE updated
2026-05-12
Advisory published
2023-03-17
Advisory updated
2026-05-12

Who should care

Administrators and users of OpenSSH 8.9 through 9.2, especially environments that load keys from a PKCS#11 smartcard with ssh-add -s and forward them through jump hosts or bastions with per-hop destination constraints (ssh-add -h). Also review downstream appliances and distributions that ship OpenSSH or carry backported fixes, including the NetApp-related CPEs listed by NVD.

Technical summary

The source description states that ssh-add in OpenSSH before 9.3 adds smartcard keys to ssh-agent without the intended per-hop destination constraints. NVD's version data narrows the affected range to 8.9 inclusive through 9.3 exclusive. The provided CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, which is the critical 9.8 profile shown above. Note that the vector describes a worst case; what the bug actually removes is a defence-in-depth control, and the practical exposure is that a smartcard key forwarded through a compromised or untrusted intermediate host can be used at destinations the -h constraint was supposed to exclude. The corpus also lists several NetApp CPEs alongside OpenSSH, so downstream product exposure should be checked rather than assuming upstream-only impact.

Defensive priority

Urgent. The published severity is Critical (9.8), the issue affects a core SSH trust boundary, and the CVSS vector records no privileges or user interaction required. Patch or upgrade as soon as possible, and do not rely on destination-constrained smartcard keys as a control against forwarding abuse until remediation is verified.

Recommended defensive actions

  • Upgrade OpenSSH to 9.3 or later on all affected systems.
  • Audit hosts and appliances for OpenSSH 8.9 through 9.2. Check the distribution changelog or advisory as well as the version string: a backported fix leaves the version at 9.2 (or lower) while removing the vulnerability, and a package name alone proves nothing.
  • Review every use of ssh-agent with smartcard keys (ssh-add -s) combined with per-hop destination constraints (ssh-add -h), especially on bastions and jump hosts, and treat those constraints as unenforced until the fix is confirmed.
  • Prioritize remediation on internet-reachable SSH infrastructure and administrative endpoints first.
  • Apply vendor-specific advisories for downstream products listed in the source corpus, including NetApp-related advisories and distro notices.

Evidence notes

The supplied corpus names OpenSSH before 9.3 as affected and states the earliest affected version is 8.9. NVD's CPE criteria specify OpenSSH 8.9 inclusive through 9.3 exclusive. The corpus does not provide exploit code or confirm active exploitation, and the CVE is not listed in CISA KEV in the stored evidence. Because the supplied vendor field says Netapp while the primary vulnerability description names OpenSSH, this debrief treats OpenSSH as the primary affected component and notes the NetApp CPE entries only as listed in NVD.

Official resources

Publicly disclosed and recorded in CVE on 2023-03-17; the corpus also references earlier upstream mailing-list context dated 2023-03-15, which matches the OpenSSH 9.3 release timeframe.