Full Report
Microsoft is now testing a fix for a longstanding known issue that is breaking SSH connections on some Windows 11 22H2 and 23H2 systems. [...]
Analysis Summary
This summary focuses on the primary issue described in the source text, the Windows 11 SSH bug, and also notes the related OpenSSH vulnerabilities that the source mentions.
# Vulnerability: Windows 11 SSH Connection Failure Due to ACL Issue / OpenSSH MitM and DoS Flaws
## CVE Details
- CVE ID: Not explicitly specified for the Windows 11 bug itself. (The text only mentions Microsoft testing a fix.)
- CVSS Score: Not specified.
- CWE: Not specified for the Windows 11 issue. (Related OpenSSH CVEs are mentioned below.)
## Affected Systems
- Products: Windows 11 (the source names OS builds 22621.4391 and 22631.4391 (preview) in connection with the fix being tested).
- Versions: Windows 11 22H2 and 23H2, as stated in the report above; the bug applies to systems on those versions that use the built-in OpenSSH server.
- Configurations: Systems using the built-in OpenSSH server (`sshd.exe`).
## Vulnerability Description
A bug in Windows 11 is causing the SSH service (`sshd.exe`) to fail without detailed logging, requiring manual intervention to restart the process. The root cause appears related to incorrect Access Control List (ACL) permissions on specific directories required by the SSH service.
*(Note: The article also mentions two related OpenSSH vulnerabilities: CVE-2025-26465 (MitM flaw) and CVE-2025-26466 (DoS bug).)*
## Exploitation
- Status: **Not exploited** (the Windows 11 bug is a functional failure, not a security vulnerability leading to code execution; it is security-relevant only in that the workaround changes directory ACLs).
- Complexity: **N/A** (for the Windows 11 functional bug).
- Attack Vector: **N/A** (the bug is a service failure caused by misconfigured permissions).
**For the related OpenSSH CVEs:**
- **CVE-2025-26465 (MitM):** Exploitation allows an attacker to hijack SSH sessions, steal credentials, inject commands, and exfiltrate data when `VerifyHostKeyDNS` is enabled on the client.
- **CVE-2025-26466 (DoS):** Denial of service against affected OpenSSH installations.
## Impact
- Confidentiality: **Potentially high** (if the Windows 11 service failure leads to an insecure fallback configuration, or if the related OpenSSH MitM flaw is successfully exploited).
- Integrity: **Medium/High** (the OpenSSH MitM flaw permits unauthorized command injection into hijacked sessions).
- Availability: **Medium** (the Windows 11 SSH service stops functioning, disrupting remote access until it is manually restarted).
## Remediation
### Patches
- Microsoft is **testing a fix** for the Windows 11 SSH connection bug, expected in future OS builds.
- OpenSSH project has released security updates addressing CVE-2025-26465 and CVE-2025-26466.
### Workarounds (For Windows 11 SSH Failure)
Affected users must manually update ACL permissions on the following directories using an Administrator PowerShell session:
1. `C:\ProgramData\ssh`
2. `C:\ProgramData\ssh\logs`
Permissions must be set to grant **Full Control** to the `SYSTEM` account and the `Administrators` group, and **Read** access to `Authenticated Users`. Microsoft provided a PowerShell script that applies these changes.
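The following is an added example, not Microsoft's published script, that applies the permission set described above to the two directories the source names. It assumes the ACEs should propagate to child files and folders (the source does not state the inheritance flags Microsoft used) and that the directories already exist or may be created. Run it from an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example: apply the documented workaround ACLs to the OpenSSH data directories.
# Not Microsoft's script; inheritance to child objects is an assumption.

$directories = @('C:\ProgramData\ssh', 'C:\ProgramData\ssh\logs')

# Well-known SIDs avoid problems with localised group names.
$system    = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'    # NT AUTHORITY\SYSTEM
$admins    = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544' # BUILTIN\Administrators
$authUsers = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'    # Authenticated Users

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$allow     = [System.Security.AccessControl.AccessControlType]::Allow

function Set-SshDirectoryAcl {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }

    $acl = Get-Acl -LiteralPath $Path

    # Stop inheriting from C:\ProgramData and discard the inherited ACEs, then
    # remove any explicit ACEs so that only the three rules below remain.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($existing in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($existing)
    }

    $rules = @(
        @{ Sid = $system;    Rights = [System.Security.AccessControl.FileSystemRights]::FullControl },
        @{ Sid = $admins;    Rights = [System.Security.AccessControl.FileSystemRights]::FullControl },
        @{ Sid = $authUsers; Rights = [System.Security.AccessControl.FileSystemRights]::Read }
    )
    foreach ($entry in $rules) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $entry.Sid, $entry.Rights, $inherit, $propagate, $allow)
        $acl.AddAccessRule($rule)
    }

    Set-Acl -LiteralPath $Path -AclObject $acl
}

foreach ($dir in $directories) { Set-SshDirectoryAcl -Path $dir }

# Verification: show the explicit ACEs that now apply to each directory.
foreach ($dir in $directories) {
    Write-Host "`n$dir"
    (Get-Acl -LiteralPath $dir).Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize
}
```

After running it, restart the service (`Restart-Service sshd`) and confirm that the host private key files under `C:\ProgramData\ssh` (`ssh_host_*_key`) still carry their own restrictive ACLs, since inheriting ACEs propagate to any child object that has not been protected and sshd rejects private keys whose permissions are too open.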
## Detection
- **Indicators (Windows 11 bug; these are failure symptoms, not compromise indicators):** SSH connections failing unexpectedly; the `sshd.exe` service stopping without a clear error in the logs.
- **Detection Methods (Windows 11 Bug):** Monitoring service health and reviewing system event logs for service crashes or unexpected stops related to `sshd.exe`.
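As an added example of the detection method described above (not from the source article), the following PowerShell function reports the state of the OpenSSH server service, counts Service Control Manager stop events for it, surfaces errors from the OpenSSH operational log, and checks whether the `C:\ProgramData\ssh` ACL still grants `SYSTEM` full control. The service name `sshd`, the 24-hour lookback window and the use of SCM event IDs 7034 (service terminated unexpectedly) and 7036 (service state change) are assumptions, not values taken from the page.

```powershell
# Added example: health check for the Windows OpenSSH server (sshd).
# Assumed defaults: service name 'sshd', 24-hour lookback, SCM event IDs 7034 and 7036.

function Get-SshdHealthReport {
    param(
        [string]$ServiceName   = 'sshd',
        [int]$LookbackHours    = 24,
        [string]$SshDataPath   = 'C:\ProgramData\ssh'
    )

    $since   = (Get-Date).AddHours(-$LookbackHours)
    $service = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $process = Get-Process -Name $ServiceName -ErrorAction SilentlyContinue

    # Service Control Manager events in the System log that mention this service.
    $scmEvents = @(Get-WinEvent -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'Service Control Manager'
            Id           = 7034, 7036
            StartTime    = $since
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match "(?i)\b$ServiceName\b|OpenSSH SSH Server" })

    $unexpectedStops = @($scmEvents | Where-Object { $_.Id -eq 7034 }).Count
    $stopTransitions = @($scmEvents | Where-Object { $_.Id -eq 7036 -and $_.Message -match 'stopped' }).Count

    # OpenSSH's own operational channel, if logging to it is enabled.
    $sshErrors = @(Get-WinEvent -FilterHashtable @{
            LogName   = 'OpenSSH/Operational'
            StartTime = $since
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.Level -le 3 })   # 1=Critical, 2=Error, 3=Warning

    # Does SYSTEM still hold FullControl on the ssh data directory?
    $systemHasFullControl = $false
    $acl = Get-Acl -LiteralPath $SshDataPath -ErrorAction SilentlyContinue
    if ($acl) {
        foreach ($ace in $acl.Access) {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            if ($sid -eq 'S-1-5-18' -and
                $ace.AccessControlType -eq 'Allow' -and
                ($ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::FullControl) -eq
                [System.Security.AccessControl.FileSystemRights]::FullControl) {
                $systemHasFullControl = $true
            }
        }
    }

    [pscustomobject]@{
        Service              = $ServiceName
        ServiceStatus        = if ($service) { $service.Status.ToString() } else { 'NotInstalled' }
        StartType            = if ($service) { $service.StartType.ToString() } else { 'n/a' }
        ProcessRunning       = [bool]$process
        UnexpectedStops      = $unexpectedStops
        StopTransitions      = $stopTransitions
        OpenSshErrorEvents   = $sshErrors.Count
        SystemHasFullControl = $systemHasFullControl
        # Flag the pattern described in the source: service expected to run but not running.
        Suspicious           = ($service -and $service.StartType -eq 'Automatic' -and $service.Status -ne 'Running')
    }
}

Get-SshdHealthReport | Format-List
```

A `Suspicious` value of `True` together with a non-zero `StopTransitions` count and `SystemHasFullControl` equal to `False` matches the failure pattern the source describes and is the case in which the ACL workaround applies; if the service is stopped but the ACL looks correct, inspect the `OpenSSH/Operational` events before changing permissions.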
## References
- Vendor Advisory (Microsoft update testing): hxxps://www.bleepingcomputer.com/news/microsoft/microsoft-testing-fix-for-windows-11-bug-breaking-ssh-connections/
- OpenSSH Flaw Details: hxxps://www.bleepingcomputer.com/news/security/new-openssh-flaws-expose-ssh-servers-to-mitm-and-dos-attacks/