Full Report
Review this Cybersecurity Threat Advisory to learn how to mitigate your risk from two critical OpenSSH vulnerabilities.
Analysis Summary
# Vulnerability: OpenSSH MitM and DoS Vulnerabilities (CVE-2025-26465 & CVE-2025-26466)
## CVE Details
- CVE ID: CVE-2025-26465, CVE-2025-26466
- CVSS Score: Not stated in the source coverage; severity inferred from impact (high, given the MitM and DoS outcomes).
- CWE: Not explicitly detailed in the text.
## Affected Systems
- Products: OpenSSH Client and Server
- Versions: Multiple versions of OpenSSH prior to 9.9p2.
- Configurations:
  - CVE-2025-26465 affects only client configurations where the `VerifyHostKeyDNS` option is enabled.
  - CVE-2025-26466 is exploitable regardless of the `VerifyHostKeyDNS` setting.
## Vulnerability Description
Two vulnerabilities exist within OpenSSH.
**CVE-2025-26465** (client-side): Allows a Man-in-the-Middle (MitM) attack when the `VerifyHostKeyDNS` option is enabled. An attacker can trick the client into accepting the wrong host key, allowing the session to be intercepted or manipulated.
**CVE-2025-26466** (client and server): Can be exploited for Denial-of-Service (DoS) attacks through asymmetric resource consumption, where the target spends far more CPU and memory than the attacker. Exploitation requires no user interaction, does not depend on an SSHFP record being present, and does not require authentication.
## Exploitation
- Status: PoC available (the referenced coverage reports that exploit approaches have been published).
- Complexity: Medium (CVE-2025-26465 requires a specific client configuration; the DoS is highly accessible).
- Attack Vector: Network (implied, since MitM and DoS attacks are carried out over the network).
## Impact
- Confidentiality: High (MitM allows interception or manipulation of transferred data).
- Integrity: High (MitM allows tampering with the session).
- Availability: Medium (DoS attacks can be launched by consuming resources).
## Remediation
### Patches
- Update OpenSSH to version **9.9p2** or later.
### Workarounds
- Use data encryption to limit the immediate impact of intercepted data.
- Implied workaround for CVE-2025-26465: if updating immediately is not possible, ensure `VerifyHostKeyDNS` is disabled on clients. This does not address CVE-2025-26466, which is exploitable regardless of that setting.
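As an added check that is not part of the advisory or of OpenSSH itself, the following POSIX shell script audits a client for both remediation points: whether the installed version is at least 9.9p2, and whether `VerifyHostKeyDNS` is effectively off. The host name passed to `ssh -G` is a placeholder, and treating `ask` as "enabled" is an assumption.

```shell
#!/bin/sh
# Added example, not part of the advisory or of OpenSSH: audit a client for the
# two remediation points above, version >= 9.9p2 and VerifyHostKeyDNS off.

# Extract "MAJOR.MINORpPATCH" from an `ssh -V` banner such as
# "OpenSSH_9.6p1 Ubuntu-3ubuntu13.5, OpenSSL 3.0.13 30 Jan 2024".
openssh_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*p*[0-9]*\).*/\1/p'
}

# Return 0 when VERSION (e.g. "9.6p1", "9.9") is at or above the fixed 9.9p2.
openssh_version_ok() {
    case "$1" in *.*) ;; *) return 2 ;; esac   # not a parseable version
    major=${1%%.*}
    rest=${1#*.}
    case "$rest" in
        *p*) minor=${rest%%p*}; patch=${rest#*p} ;;
        *)   minor=$rest;       patch=0 ;;
    esac
    [ "$((major * 10000 + minor * 100 + ${patch:-0}))" -ge "$((9 * 10000 + 9 * 100 + 2))" ]
}

# Given `ssh -G` output (keywords are printed lower-cased), return 0 only when the
# effective VerifyHostKeyDNS value is "no". Assumption: "ask" counts as enabled
# because SSHFP records are still looked up; a missing line counts as unknown.
verifyhostkeydns_disabled() {
    val=$(printf '%s\n' "$1" | awk '$1 == "verifyhostkeydns" { print $2; exit }')
    [ "$val" = "no" ]
}

# Stand-alone run against the local client, when one is installed.
if command -v ssh >/dev/null 2>&1; then
    ver=$(openssh_version_from_banner "$(ssh -V 2>&1)")   # banner goes to stderr
    if openssh_version_ok "$ver"; then
        echo "OpenSSH client $ver: at or above 9.9p2"
    else
        echo "OpenSSH client ${ver:-unknown}: below 9.9p2, update"
    fi
    # -G prints the effective client configuration for a host without connecting;
    # the host name is a placeholder.
    if verifyhostkeydns_disabled "$(ssh -G example.invalid 2>/dev/null || true)"; then
        echo "VerifyHostKeyDNS: no"
    else
        echo "VerifyHostKeyDNS: enabled or unknown, disable until patched"
    fi
fi
```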
## Detection
- Detection methods are not explicitly detailed in the source, but indicators could include:
  - Unexpected host key mismatches or authentication failures on connections expected to use DNS-based host key verification.
  - Abnormal resource consumption (CPU/memory spikes) on SSH servers.
- Suggested mitigations also include keeping malware-detection software up to date and adopting redundancy.
## References
- Vendor advisories: referenced via the linked articles.
- Relevant links (defanged):
  - hxxps://www.msn.com/en-us/money/other/fressh-bugs-undiscovered-for-years-threaten-openssh-security/ar-AA1zi6qF?ocid=BingNewsVerp
  - hxxps://www.securityweek.com/openssh-patches-vulnerabilities-allowing-mitm-dos-attacks/
  - hxxps://www.databreachtoday.com/exploit-approaches-published-for-2-new-openssh-bugs-a-27544
  - hxxps://smartermsp.com/cybersecurity-threat-advisory-new-openshh-vulnerabilities/