🟡 Medium | Source: Microsoft Security Response Center
A vulnerability in OpenSSH versions prior to 10.4 means that the internal SFTP subsystem only processes the first 9 command-line arguments, silently ignoring any beyond that. This could result in security-relevant arguments — such as those restricting file access or enforcing chroot — being overlooked, potentially weakening the intended security posture of SFTP connections. The issue is particularly relevant in environments where OpenSSH is deployed on Azure virtual machines or services.
Security Architect’s Take: Audit your Azure VM and container deployments to identify any OpenSSH instances running versions prior to 10.4, paying close attention to SFTP configurations that rely on more than 9 command-line arguments. Prioritise patching to OpenSSH 10.4 or later and review your sshd_config SFTP subsystem arguments to confirm all intended security constraints are actually being applied.