IRONSMITHINTEL
HIGH · CVSS 8.1
CVE-2024-31497 | Auth: none — MITM or malicious server sufficient | Reboot: not required | Est. 20 minutes for update plus key rotation time | Manual only

WinSCP < 6.3.3 — Credential Theft

WinSCP bundles a vulnerable version of PuTTY's cryptographic library, exposing users to P-521 private key recovery. Update to WinSCP 6.3.3 and rotate any NIST P-521 SSH keys used with WinSCP.

Published Apr 16, 2024 · Updated May 10, 2026
Why patch: risk explained in plain English
Worst-case scenario if unpatched

A malicious SFTP server or network-positioned attacker can observe ECDSA signatures from WinSCP connections and mathematically recover the user's P-521 private key. The key can then be used to authenticate as that user across all systems where the public key is deployed.

How the attack works

WinSCP uses PuTTY's cryptographic library for ECDSA signature generation. The bundled library shares the same P-521 nonce bias vulnerability as PuTTY (CVE-2024-31497). Any SFTP/SCP connection made using a NIST P-521 key can allow a malicious server or MITM attacker to collect signatures and recover the private key.

Am I affected? Quick check

Probably yes if any of these apply:

System Administrators
Developers
DevOps Teams
File Transfer Administrators
Running WinSCP prior to 6.3.3

Affected OS versions

Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022

Fixed in: WinSCP 6.3.3

Real-world incidents: what we've seen

WinSCP is widely used by system administrators and developers for SFTP file transfers to servers. Many organisations use P-521 keys for administrator accounts because they are considered secure elliptic curve keys. The PuTTY nonce bias vulnerability undermines this — any key used with affected versions of WinSCP, FileZilla, TortoiseGit, or other tools using PuTTY's library must be rotated.

How to patch

Manual remediation steps

20 minutes for update plus key rotation time

Check WinSCP Version

$winscpPaths = @(
  "C:\Program Files\WinSCP\WinSCP.exe",
  "C:\Program Files (x86)\WinSCP\WinSCP.exe",
  "$env:LOCALAPPDATA\Programs\WinSCP\WinSCP.exe"
)
foreach ($path in $winscpPaths) {
  if (Test-Path $path) {
    (Get-Item $path).VersionInfo.FileVersion
  }
}
# Vulnerable if older than 6.3.3

Identify P-521 Keys Used with WinSCP

# Check WinSCP stored sessions for private key references
# WinSCP sessions are stored in the registry:
# Note: sessions that use no key have no PrivateKeyFile value at all, so the
# property comes back $null; comparing with -ne "" alone would list every session.
Get-ChildItem "HKCU:\Software\Martin Prikryl\WinSCP 2\Sessions" |
  ForEach-Object { Get-ItemProperty $_.PSPath } |
  Where-Object { -not [string]::IsNullOrEmpty($_.PrivateKeyFile) } |
  Select-Object PSChildName, PrivateKeyFile

# Also check WinSCP.ini if using INI storage (portable mode):
if (Test-Path "$env:APPDATA\WinSCP.ini") {
  Select-String -Path "$env:APPDATA\WinSCP.ini" -Pattern "PrivateKeyFile"
}
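The session scan above only lists which key files WinSCP references; it does not say whether a key is P-521. The following added example (not part of the advisory) reads the key type from each referenced file and flags ecdsa-sha2-nistp521 keys for rotation. It assumes the registry session store and $env:APPDATA\WinSCP.ini are the only places to look, and that WinSCP percent-encodes characters such as backslash in stored paths.

```powershell
# Added example (not from the advisory): flag WinSCP-referenced key files whose type
# is ecdsa-sha2-nistp521, i.e. the keys CVE-2024-31497 requires rotating.
# Assumes the registry session store and $env:APPDATA\WinSCP.ini are the only places to look.
function Get-WinSCPKeyFiles {
    $paths = @()
    $sessions = "HKCU:\Software\Martin Prikryl\WinSCP 2\Sessions"
    if (Test-Path $sessions) {
        foreach ($s in Get-ChildItem $sessions) {
            $p = (Get-ItemProperty $s.PSPath).PrivateKeyFile
            if (-not [string]::IsNullOrEmpty($p)) { $paths += $p }
        }
    }
    # INI storage: one "PrivateKeyFile=<path>" line per session that uses a key
    $ini = "$env:APPDATA\WinSCP.ini"
    if (Test-Path $ini) {
        foreach ($m in Select-String -Path $ini -Pattern '^PrivateKeyFile=(.+)$') {
            $paths += $m.Matches[0].Groups[1].Value
        }
    }
    # WinSCP stores paths with characters such as backslash percent-encoded (%5C);
    # decoding a plain path is harmless, so always decode.
    return ($paths | ForEach-Object { [uri]::UnescapeDataString($_) } | Select-Object -Unique)
}

function Get-KeyTypeFromFile {
    param([string]$Path)
    # PPK: "PuTTY-User-Key-File-N: <type>"; OpenSSH .pub: "<type> <base64> [comment]"
    $first = Get-Content -Path $Path -TotalCount 1
    if ($first -match '^PuTTY-User-Key-File-\d+:\s*(\S+)') { return $Matches[1] }
    if ($first -like '-----BEGIN*') { return 'openssh-private (check the matching .pub)' }
    if ($first -match '^(\S+)\s+[A-Za-z0-9+/=]+') { return $Matches[1] }
    return 'unknown'
}

foreach ($file in Get-WinSCPKeyFiles) {
    if (-not (Test-Path $file)) { Write-Warning "Referenced key file not found: $file"; continue }
    $type = Get-KeyTypeFromFile -Path $file
    [pscustomobject]@{
        KeyFile = $file
        KeyType = $type
        Rotate  = ($type -eq 'ecdsa-sha2-nistp521')   # $true for the keys this advisory covers
    }
}
```

Any row with Rotate set to $true is a key that must be replaced and treated as compromised, as described under "Rotate P-521 SSH Keys" below.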

Rotate P-521 SSH Keys

# If any P-521 keys were used with affected WinSCP versions:
# 1. Generate a new Ed25519 key with PuTTYgen 0.81 or ssh-keygen:
ssh-keygen -t ed25519 -C "admin@company.com"

# 2. Deploy the new public key to all servers
# 3. Remove old P-521 public keys from authorized_keys
# 4. Treat old private keys as compromised and delete them

Update WinSCP

# Via winget:
winget upgrade WinSCP.WinSCP

# Or download from https://winscp.net/eng/download.php

Verify

(Get-Item "C:\Program Files\WinSCP\WinSCP.exe").VersionInfo.FileVersion
# Must show 6.3.3 or later
PowerShell automation: coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.