Wins for Epic Achievement and Best RCE spotlight Qualys’ industry-leading research into critical OpenSSH vulnerabilities, reinforcing its leadership in global cybersecurity innovation
Qualys, Inc. (NASDAQ: QLYS), a leading provider of disruptive cloud-based IT, security and compliance solutions, today announced its Threat Research Unit (TRU) won two top honors at the Pwnie Awards. The TRU team received awards for “Epic Achievement” and “Best Remote Code Execution (RCE)” at DefCon 2025, underscoring their leadership in cybersecurity research and commitment to responsible vulnerability disclosure.
The Pwnie Awards, a prestigious benchmark in global security research, celebrate extraordinary contributions to identifying and resolving critical vulnerabilities. Winning two awards highlights the exceptional caliber of Qualys’ TRU team and its strategic focus on safeguarding organisations worldwide.
Qualys won Pwnie Awards in the following categories:
Epic Achievement — for uncovering two unprecedented vulnerabilities in OpenSSH:
CVE-2024-6387 (regreSSHion) – The first pre-authentication RCE in OpenSSH in nearly 20 years.
CVE-2025-26465 – A machine-in-the-middle attack against OpenSSH’s client, leaving FreeBSD vulnerable by default for almost a decade.
Best RCE — a vulnerability in OpenSSH:
CVE-2024-6387 (regreSSHion) – A rare signal handler race condition in OpenSSH’s server (default configuration) that leads to exploitable heap corruption, shaking the foundations of one of the most secure and trusted software projects.
“Qualys has a rich legacy of groundbreaking vulnerability research that sets us apart, delivering genuine expertise in a crowded market,” said Sumedh Thakar, president and CEO of Qualys. “I’m proud to see our TRU team recognised for their vital role in discovering critical vulnerabilities in widely used applications, such as OpenSSH. This work strengthens the security community through responsible disclosure and gives customers a critical edge. It provides premium research that helps security teams understand exploit impacts faster and defend more effectively.”
Qualys TRU is globally respected for its dedication to uncovering potentially damaging vulnerabilities in widely utilised software applications. By collaborating with vendors on the responsible disclosure process, the TRU team ensures rapid response and effective resolution, benefiting customers and the broader cybersecurity ecosystem. In the last five years, TRU has been nominated for 14 Pwnie Awards with four award wins, further reinforcing Qualys’ position as a trusted innovator in securing modern digital infrastructure—delivering research that drives both industry advancement and customer value.
“These high-impact vulnerabilities in a core technology like OpenSSH affect millions of devices worldwide, highlighting the importance of meticulous research and responsible disclosure,” said Bharat Jogi, senior director, Vulnerability and Threat Research, Qualys TRU. “Our collaboration with open-source maintainers and the security community was key to rapid patches and strengthening security baselines. We’re grateful to the Pwnie Award organisers and judges for recognising this work, which reflects not only our team’s efforts, but a shared commitment to a safer internet.”
Additional Resources:
Read our blog post, “Two Pwnie Awards, One Crucial Lesson: What Our OpenSSH Research Reveals About Cyber Defense in 2025”
Learn more about Qualys Threat Research Unit
###
About Qualys
Qualys, Inc. (NASDAQ: QLYS) is a leading provider of disruptive cloud-based security, compliance and IT solutions with more than 10,000 subscription customers worldwide, including a majority of the Forbes Global 100 and Fortune 100. Qualys helps organisations streamline and automate their security and compliance solutions onto a single platform for greater agility, better business outcomes, and substantial cost savings.
The Qualys Enterprise TruRisk Platform leverages a single agent to continuously deliver critical security intelligence while enabling enterprises to automate the full spectrum of vulnerability detection, compliance, and protection for IT systems, workloads and web applications across on premises, endpoints, servers, public and private clouds, containers, and mobile devices. Founded in 1999 as one of the first SaaS security companies, Qualys has strategic partnerships and seamlessly integrates its vulnerability management capabilities into security offerings from cloud service providers, including Oracle Cloud Infrastructure, Amazon Web Services, the Google Cloud Platform and Microsoft Azure, along with a number of leading managed service providers and global consulting organisations. For more information, please visit http://www.qualys.com.
Qualys, Qualys VMDR®, Qualys TruRisk and the Qualys logo are proprietary trademarks of Qualys, Inc. All other products or names may be trademarks of their respective companies.