https://community.checkpoint.com/t5/General-Topics/CVE-2025-32728-permanent-solution/m-p/259416#M43835 <P>Hi,</P> <P>just stumbled over this statement in&nbsp;<A href="https://support.checkpoint.com/results/sk/sk183394" target="_blank">https://support.checkpoint.com/results/sk/sk183394</A>&nbsp; :</P> <P><FONT size="2"><EM>Installation of any Jumbo Hotfix Accumulator Take or upgrade to a higher version will restore the default Gaia OS configuration (will implicitly enable the parameter "<CODE>AllowAgentForwarding</CODE>" again).</EM></FONT></P> <P><FONT size="2"><EM><STRONG>Therefore, you must perform this procedure again.</STRONG></EM></FONT></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Since this a requires a lot of effort if you have a huge CP install base.</P> <P>Will this somehow make it into a clish config parameter and survives upgrades?</P> <P>Thanks</P> <P>Regards</P> <P>&nbsp;</P> Wed, 08 Oct 2025 11:21:52 GMT S_E_ 2025-10-08T11:21:52Z https://community.checkpoint.com/t5/General-Topics/CVE-2025-32728-permanent-solution/m-p/259416#M43835 <P>Hi,</P> <P>just stumbled over this statement in&nbsp;<A href="https://support.checkpoint.com/results/sk/sk183394" target="_blank">https://support.checkpoint.com/results/sk/sk183394</A>&nbsp; :</P> <P><FONT size="2"><EM>Installation of any Jumbo Hotfix Accumulator Take or upgrade to a higher version will restore the default Gaia OS configuration (will implicitly enable the parameter "<CODE>AllowAgentForwarding</CODE>" again).</EM></FONT></P> <P><FONT size="2"><EM><STRONG>Therefore, you must perform this procedure again.</STRONG></EM></FONT></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Since this a requires a lot of effort if you have a huge CP install base.</P> <P>Will this somehow make it into a clish config parameter and survives upgrades?</P> <P>Thanks</P> <P>Regards</P> <P>&nbsp;</P> Wed, 08 Oct 2025 11:21:52 GMT https://community.checkpoint.com/t5/General-Topics/CVE-2025-32728-permanent-solution/m-p/259416#M43835 S_E_ 2025-10-08T11:21:52Z https://community.checkpoint.com/t5/General-Topics/CVE-2025-32728-permanent-solution/m-p/259420#M43836 <P>Excellent point there&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/5469">@S_E_</a>&nbsp;</P> <P>I just checked my cluster and single gw lab and all of them show below. Cluster is R81.20 and cp-gw is R82 (all latest jumbo)</P> <P>Andy</P> <P>[Expert@CP-GW:0]# sshd -T -C addr=localhost | grep -i "AllowAgentForwarding"<BR />allowagentforwarding yes<BR />[Expert@CP-GW:0]#</P> Wed, 08 Oct 2025 11:55:11 GMT https://community.checkpoint.com/t5/General-Topics/CVE-2025-32728-permanent-solution/m-p/259420#M43836 the_rock 2025-10-08T11:55:11Z https://community.checkpoint.com/t5/General-Topics/CVE-2025-32728-permanent-solution/m-p/259435#M43837 <P>While providing clish for said parameter is an RFE, I’m curious why we don’t fix the default sshd_config here, which seems simple enough.<BR />Let me ask.&nbsp;</P> Wed, 08 Oct 2025 13:20:02 GMT https://community.checkpoint.com/t5/General-Topics/CVE-2025-32728-permanent-solution/m-p/259435#M43837 PhoneBoy 2025-10-08T13:20:02Z https://community.checkpoint.com/t5/General-Topics/CVE-2025-32728-permanent-solution/m-p/259474#M43838 <P>Looks like we plan to release a fix integrated into the jumbo for this: PMTR-117744<BR />It isn’t in the jumbo hotfix yet.</P> Wed, 08 Oct 2025 16:44:11 GMT https://community.checkpoint.com/t5/General-Topics/CVE-2025-32728-permanent-solution/m-p/259474#M43838 PhoneBoy 2025-10-08T16:44:11Z https://community.checkpoint.com/t5/General-Topics/CVE-2025-32728-permanent-solution/m-p/259476#M43839 <P>Yep. My company's vulnerability management team has been flagging this issue and wasting a lot of time having us "fix" it one cluster at a time only for it to be undone in our next round of jumbos. We pushed for CFG to put it in a jumbo directly.</P> <P>I still can't believe how much time we wasted on CVE-2023-48795 ("Terrapin"), which isn't even a vulnerability in the first place.</P> Wed, 08 Oct 2025 17:14:43 GMT https://community.checkpoint.com/t5/General-Topics/CVE-2025-32728-permanent-solution/m-p/259476#M43839 Bob_Zimmerman 2025-10-08T17:14:43Z https://community.checkpoint.com/t5/General-Topics/CVE-2025-32728-permanent-solution/m-p/259477#M43840 <P>Good news!</P> Wed, 08 Oct 2025 17:20:29 GMT https://community.checkpoint.com/t5/General-Topics/CVE-2025-32728-permanent-solution/m-p/259477#M43840 the_rock 2025-10-08T17:20:29Z https://community.checkpoint.com/t5/General-Topics/CVE-2025-32728-permanent-solution/m-p/259513#M43841 <P>Sounds good. Thanks.&nbsp;</P> Thu, 09 Oct 2025 05:40:52 GMT https://community.checkpoint.com/t5/General-Topics/CVE-2025-32728-permanent-solution/m-p/259513#M43841 S_E_ 2025-10-09T05:40:52Z