Full Report
Two newly uncovered security flaws in the open-source OpenSSH suite tracked as CVE-2025-26465 and CVE-2025-26466 could enable adversaries to launch machine-in-the-middle/man-in-the-middle (MitM) or denial-of-service (DoS) attacks. With the growing number of weaponized CVEs, proactive detection of vulnerability exploitation is more critical than ever. In just the first two months of 2025, 6,127 new vulnerabilities have […] The post CVE-2025-26465 & CVE-2025-26466 Vulnerabilities Expose Systems to Man-in-the-Middle and DoS Attacks appeared first on SOC Prime.
Analysis Summary
# Vulnerability: OpenSSH MitM and DoS Flaws (CVE-2025-26465 & CVE-2025-26466)
## CVE Details
- CVE ID: CVE-2025-26465 and CVE-2025-26466
- CVSS Score: 6.8 for CVE-2025-26465; no score is stated for CVE-2025-26466 (assumed Medium/High based on impact)
- CWE: Not explicitly specified in the summary; CVE-2025-26465 relates to host authentication bypass and CVE-2025-26466 to resource exhaustion.
## Affected Systems
- Products: OpenSSH Suite (Client and Server components)
- Versions:
  - CVE-2025-26465: Versions 6.8p1 through 9.9p1
  - CVE-2025-26466: Versions 9.5p1 through 9.9p1
- Configurations:
  - CVE-2025-26465 is primarily relevant when `VerifyHostKeyDNS` is enabled on the client side. This setting was enabled by default on FreeBSD between September 2013 and March 2023.
## Vulnerability Description
Two separate flaws exist within the OpenSSH suite:
1. **CVE-2025-26465 (MitM):** Allows an adversary to execute a successful Man-in-the-Middle (MitM) attack against the SSH client if the `VerifyHostKeyDNS` option is active. The client may mistakenly accept an attacker's key as legitimate, allowing interception or tampering of the SSH session without user awareness.
2. **CVE-2025-26466 (DoS):** Affects both the client and server components and allows for a pre-authentication Denial of Service (DoS) attack. Repeated exploitation can disrupt server availability.
## Exploitation
- Status: No real-world exploitation is reported; the flaws were disclosed as security research findings.
- Complexity: Not explicitly stated; a MitM typically implies Medium complexity, while a pre-authentication DoS is typically Low to Medium.
- Attack Vector: Network (implied for both, since each is triggered over the SSH protocol).
## Impact
- Confidentiality: High (for CVE-2025-26465 due to key interception)
- Integrity: High (for CVE-2025-26465 due to session tampering)
- Availability: Medium/High (for CVE-2025-26466 due to DoS)
## Remediation
### Patches
- Update to **OpenSSH version 9.9p2**, which contains fixes for both CVE-2025-26465 and CVE-2025-26466.
### Workarounds
- No explicit workarounds are listed. For CVE-2025-26465, disabling the `VerifyHostKeyDNS` option on affected clients removes the condition the MitM attack depends on, but it is a mitigation, not a substitute for patching.
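As an added example (not code from the advisory or from OpenSSH), the following Python screens a host against the version ranges above and checks whether a client configuration enables `VerifyHostKeyDNS`. It assumes the version is taken from `ssh -V` output or a server banner, and it ignores `Host`/`Match` scoping when reading the config (a simplification; `ssh -G <host>` shows the effective value).

```python
import re
from typing import Optional

# Affected ranges from the advisory, inclusive (major, minor, patchlevel); fixed in 9.9p2.
AFFECTED_RANGES = {
    "CVE-2025-26465": ((6, 8, 1), (9, 9, 1)),
    "CVE-2025-26466": ((9, 5, 1), (9, 9, 1)),
}
FIXED_VERSION = (9, 9, 2)
_VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")

def parse_openssh_version(banner: str) -> Optional[tuple]:
    """Extract (major, minor, patchlevel) from 'ssh -V' output or an SSH banner."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))

def affected_cves(version: tuple) -> list:
    """Return the CVE IDs whose inclusive version range contains `version`."""
    return [cve for cve, (lo, hi) in AFFECTED_RANGES.items() if lo <= version <= hi]

def verify_host_key_dns_enabled(ssh_config: str) -> bool:
    """True if the first VerifyHostKeyDNS directive enables the feature ('yes' or 'ask').
    Keywords are case-insensitive and the first value obtained wins. Host/Match
    scoping is ignored here (simplifying assumption); confirm the effective value
    with 'ssh -G <host>'."""
    for raw in ssh_config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if parts[0].lower() == "verifyhostkeydns" and len(parts) == 2:
            return parts[1].strip().lower() in ("yes", "ask")
    return False

def assess(banner: str, ssh_config: str) -> dict:
    """Version screen plus the client-side condition that makes CVE-2025-26465 relevant."""
    version = parse_openssh_version(banner)
    cves = affected_cves(version) if version else []
    return {
        "version": version,
        "affected": cves,
        # Caveat: distributions may backport fixes without bumping the version
        # string, so a range match means "verify", not "confirmed vulnerable".
        "mitm_condition_met": "CVE-2025-26465" in cves and verify_host_key_dns_enabled(ssh_config),
        "update_target": FIXED_VERSION,
    }
```

A client at 9.4p1 is flagged for CVE-2025-26465 only, while 9.9p2 clears both checks.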
## Detection
- Indicators of Compromise (IoCs) specific to these CVEs are not provided in the summary.
- Detection should focus on SSH connection initiation: repeated pre-authentication connections that never complete authentication (possible DoS attempts against CVE-2025-26466), and, on clients that use `VerifyHostKeyDNS`, host key changes or unexpected host key exchanges that could indicate a MitM attempt against CVE-2025-26465.
## References
- Vendor Advisory (OpenSSH Release Notes): hxxps://www.openssh.com/releasenotes.html
- Qualys Research: hxxps://blog.qualys.com/vulnerabilities-threat-research/2025/02/18/qualys-tru-discovers-two-vulnerabilities-in-openssh-cve-2025-26465-cve-2025-26466