In Oct 2018, a critical flaw that permitted an attacker to bypass authentication in specific versions of libssh between 0.6 and 0.8. This vulnerability reference is CVE-2018-10933.
During the authentication phase the server accepts an SSH2_MSG_USERAUTH_SUCCESS message in place of the expected SSH2_MSG_USERAUTH_REQUEST message. Upon receipt of this message the server successfully authenticates the user and therefore the attacker could successfully authenticate without any credentials.
Vectra's Security Research and Engineering teams have investigated all aspects of the Cognito suite of products and determined that Cognito is not affected by this issue. libssh is not used in any portion of the Cognito software.
Please reach out to firstname.lastname@example.org if you have any further questions.