@stefano Several years ago I encountered something similar. Got a notification from the security company that their internal scans had identified an insecure version of OpenSSH on the network. After a bit of poking, my team identified the host in question. It was the security company's OWN APPLIANCE.

We promptly turned the device off and stopped paying them.