Introduction
Two security vulnerabilities have been identified in the OpenSSH suite. One allows an active man-in-the-middle (MitM) attack against the client under a specific, non-default configuration; the other allows a pre-authentication denial-of-service (DoS) attack against both client and server. Both affect a wide range of OpenSSH releases and should be patched promptly.
Identified Vulnerabilities
The vulnerabilities, disclosed by the Qualys Threat Research Unit (TRU), are classified as follows:
CVE-2025-26465 (CVSS score: 6.8) – This flaw affects OpenSSH client versions 6.8p1 through 9.9p1 (inclusive). A logic error in the client's host key verification makes it susceptible to an active MitM attack when the VerifyHostKeyDNS option is enabled. An attacker positioned between the client and the server can then impersonate the legitimate server while the client is establishing the connection. The bug has been present since the affected code was introduced in December 2014.

CVE-2025-26466 (CVSS score: 5.9) – Present in both the OpenSSH client and server, this vulnerability affects versions 9.5p1 through 9.9p1 (inclusive). It allows an unauthenticated attacker to mount a DoS attack before authentication completes, consuming excessive memory and CPU on the target. The bug has been present since August 2023.
Potential Risks and Implications
Security experts emphasize the severe risks associated with these vulnerabilities. According to Saeed Abbasi, manager of product at Qualys TRU, an attacker leveraging CVE-2025-26465 could manipulate an SSH connection by having the client accept the attacker’s key instead of the legitimate server’s key. Such an exploit would compromise the integrity of the SSH session, potentially leading to interception or tampering before the user detects the breach.
A successful MitM attack could allow an attacker to hijack SSH sessions and gain unauthorized access to sensitive data. Note, however, that the VerifyHostKeyDNS option that exposes this flaw (it makes the client check host keys against SSHFP records in DNS) is disabled by default in OpenSSH. FreeBSD nonetheless shipped it enabled by default from September 2013 until March 2023, so clients on FreeBSD systems from that period, or on any system where an administrator turned the option on, were exposed.
CVE-2025-26466, by contrast, affects availability. Because the attack works before authentication, anyone who can reach the SSH port can repeat it, and sustained exploitation can keep administrators and legitimate users from connecting to the affected server.
Remediation and Patches
OpenSSH maintainers have released OpenSSH 9.9p2, which addresses both vulnerabilities. Users and system administrators are strongly advised to upgrade to this version (or to apply their distribution's backported fix). Until a client can be upgraded, leaving VerifyHostKeyDNS at its default of "no" removes the precondition for CVE-2025-26465.
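The two checks a practitioner would actually run on a client follow from the configuration note above and the remediation advice: is the installed build inside an affected range, and is VerifyHostKeyDNS effectively on? The script below is an added example, not code from the article or from the OpenSSH project. It parses the output of the real `ssh -V` and `ssh -G <host>` flags against the inclusive version ranges stated in the advisory; the function names and the sample `ssh -G` text are this example's own, and the version comparison assumes the usual "major.minor[pN]" numbering.

```shell
#!/bin/sh
# Added example (not from the article or OpenSSH): audit an SSH client for
# CVE-2025-26465 (client 6.8p1..9.9p1 with VerifyHostKeyDNS on) and
# CVE-2025-26466 (client/server 9.5p1..9.9p1), using `ssh -V` and `ssh -G`.

# Turn "9.9p1", "OpenSSH_9.9p1", "9.2p1 Debian-2, OpenSSL ..." or "10.0" into
# one comparable integer: major*10000 + minor*100 + portable patch level.
# 9.9p1 -> 90901, 9.9p2 -> 90902, 6.8p1 -> 60801, 10.0 -> 100000.
version_key() {
    v=${1#OpenSSH_}
    v=${v%%[ ,]*}             # drop vendor suffix and ", OpenSSL ..."
    major=${v%%.*}
    rest=${v#*.}
    case "$rest" in
        *p*) minor=${rest%%p*}; patch=${rest#*p} ;;
        *)   minor=$rest;       patch=0 ;;
    esac
    echo $(( major * 10000 + minor * 100 + patch ))
}

# Inclusive ranges from the advisory. Exit status 0 means "affected".
affected_by_26465() {   # client, 6.8p1 .. 9.9p1
    k=$(version_key "$1")
    [ "$k" -ge 60801 ] && [ "$k" -le 90901 ]
}
affected_by_26466() {   # client and server, 9.5p1 .. 9.9p1
    k=$(version_key "$1")
    [ "$k" -ge 90501 ] && [ "$k" -le 90901 ]
}

# Given the text of `ssh -G host` (keywords are printed in lowercase), report
# whether VerifyHostKeyDNS is anything other than "no". "no" is the default and
# the only value that keeps the client from consulting SSHFP records.
hostkeydns_enabled() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "verifyhostkeydns" { v = tolower($2) }
        END { if (v == "" || v == "no") exit 1; exit 0 }'
}

# Combine the checks for one client. $1 is the version string, $2 the `ssh -G`
# text; prints a verdict per CVE and returns 0 only when nothing is exposed.
client_verdict() {
    ver=$1; cfg=$2; status=0
    if affected_by_26465 "$ver" && hostkeydns_enabled "$cfg"; then
        echo "CVE-2025-26465: EXPOSED (client $ver with VerifyHostKeyDNS on)"; status=1
    elif affected_by_26465 "$ver"; then
        echo "CVE-2025-26465: vulnerable build, but VerifyHostKeyDNS is off"
    else
        echo "CVE-2025-26465: not affected"
    fi
    if affected_by_26466 "$ver"; then
        echo "CVE-2025-26466: EXPOSED (pre-auth DoS, $ver)"; status=1
    else
        echo "CVE-2025-26466: not affected"
    fi
    return $status
}

# Run against the local client (needs ssh on PATH); $1 is the host whose
# effective client configuration should be inspected.
audit_local() {
    ver=$(ssh -V 2>&1 | sed -n 's/^OpenSSH_\([^ ,]*\).*/\1/p')
    cfg=$(ssh -G "${1:-localhost}")
    client_verdict "$ver" "$cfg"
}

# Constructed sample `ssh -G` output (not captured from a real host), with the
# option on and off respectively.
SAMPLE_CFG_ON='user alice
hostname example.test
verifyhostkeydns yes
port 22'
SAMPLE_CFG_OFF='user alice
hostname example.test
verifyhostkeydns no
port 22'

if [ "${1:-}" = "--run" ]; then
    audit_local "${2:-localhost}"
fi
```

Invoke it as `sh audit.sh --run somehost` on the client you want to check; a non-zero exit means at least one CVE is exposed. The version key deliberately ignores distribution suffixes such as "Debian-2", so on distributions that backport fixes without bumping the upstream version you still need to confirm the package changelog.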
Historical Context
These vulnerabilities follow another critical OpenSSH flaw, dubbed regreSSHion (CVE-2024-6387, CVSS score: 8.1), which Qualys disclosed in July 2024. That vulnerability could have enabled unauthenticated remote code execution as root on glibc-based Linux systems, underscoring the need for constant vigilance and timely updates.
Conclusion
The discovery of these OpenSSH vulnerabilities highlights the value of proactive security measures in network management. Organizations and users relying on OpenSSH should update promptly. Keeping configurations secure, leaving non-default options such as VerifyHostKeyDNS off unless they are needed, and tracking upstream and vendor patches remain essential to protecting systems from emerging threats.