Overcoming “diffie-hellman-group1-sha1” vulnerability in the SSH
02-05-2016 12:11 PM - edited 03-05-2019 03:16 AM
Dear Experts,
We currently have a Cisco 3925E router and are using (C3900e-UNIVERSALK9-M), Version 15.1(3)T2, RELEASE SOFTWARE (fc1). In order to pass PCI DSS metrics we need to pass their vulnerability test, and an nmap scan is showing the “diffie-hellman-group1-sha1” vulnerability in the SSH (output below):
nmap -Pn xx.xx.xx.xx --script ssh2-enum-algos -p 22
Starting Nmap 5.51 ( http://nmap.org ) at 2015-12-16 11:05 GMT
Nmap scan report for (xx.xx.xx.xx)
Host is up (0.062s latency).
PORT STATE SERVICE
22/tcp open ssh
| ssh2-enum-algos:
| kex_algorithms (3)
| diffie-hellman-group-exchange-sha1
| diffie-hellman-group14-sha1
| diffie-hellman-group1-sha1
...
Can you please confirm how I can resolve this vulnerability? If I have to upgrade the IOS, then please specify which version I should opt for. Much appreciated.
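One way to check a rescan for the same finding, as an added example that is not part of the original post: it parses the ssh2-enum-algos output quoted above and reports whether diffie-hellman-group1-sha1 is still offered. The WEAK_KEX policy set and the function names are assumptions made for this example.

```python
import re

# Assumption: the policy lists only the algorithm the scan above reported.
WEAK_KEX = {"diffie-hellman-group1-sha1"}

# Section header, e.g. "kex_algorithms (3)" or "kex_algorithms: (3)".
HEADER = re.compile(r"^([a-z_]+):?\s*\((\d+)\)$")

# Script output copied from the post above (host line omitted).
SAMPLE = """\
22/tcp open ssh
| ssh2-enum-algos:
| kex_algorithms (3)
| diffie-hellman-group-exchange-sha1
| diffie-hellman-group14-sha1
| diffie-hellman-group1-sha1
...
"""

def parse_enum_algos(text):
    """Return ({section: [algorithms]}, {section: declared_count})."""
    sections, declared = {}, {}
    current, in_script = None, False
    for raw in text.splitlines():
        line = re.match(r"^\|_?\s*(.*)$", raw.strip())
        if not line:                       # left the script's "|" block
            current, in_script = None, False
            continue
        body = line.group(1).strip()
        if body.startswith("ssh2-enum-algos"):
            in_script = True
            continue
        if not in_script or not body:
            continue
        header = HEADER.match(body)
        if header:
            current = header.group(1)
            sections[current] = []
            declared[current] = int(header.group(2))
        elif current:
            sections[current].append(body)
    return sections, declared

def audit_kex(text, weak=WEAK_KEX):
    """Return (weak algorithms offered, sections whose list looks truncated)."""
    sections, declared = parse_enum_algos(text)
    offered = [a for a in sections.get("kex_algorithms", []) if a in weak]
    truncated = [s for s, n in declared.items() if len(sections[s]) != n]
    return offered, truncated
```

A non-empty second element means the pasted output was cut short, so an empty first element cannot be trusted as a pass.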
06-07-2017 04:04 PM
Hi. Have you found the solution to this?
