Full Report
Two security vulnerabilities have been discovered in the OpenSSH secure networking utility suite that, if successfully exploited, could result in an active machine-in-the-middle (MitM) and a denial-of-service (DoS) attack, respectively, under certain conditions. The vulnerabilities, detailed by the Qualys Threat Research Unit (TRU), are listed below - CVE-2025-26465 (CVSS score: 6.8) - The
Analysis Summary
# Vulnerability: OpenSSH Logic Flaws Allowing MitM and Denial-of-Service Attacks
## CVE Details
- CVE ID: CVE-2025-26465 (MitM) and CVE-2025-26466 (DoS). Note: the summarised article listed CVE-2025-26465 twice with different scores and impacts; the second entry is CVE-2025-26466, as confirmed by the Qualys advisory title and URL cited below.
- CVSS Score: 6.8 (Medium) for CVE-2025-26465; 5.9 (Medium) for CVE-2025-26466
- CWE: Not explicitly mentioned in the summary.
## Affected Systems
- Products: OpenSSH client and server
- Versions:
- **CVE-2025-26465 (MitM):** Versions 6.8p1 to 9.9p1 (inclusive)
- **CVE-2025-26466 (DoS):** Versions 9.5p1 to 9.9p1 (inclusive)
- Configurations:
- **CVE-2025-26465:** Requires the `VerifyHostKeyDNS` option to be enabled (set to `yes` or `ask`) on the client side. Upstream OpenSSH defaults it to `no`; FreeBSD shipped it enabled by default from September 2013 until March 2023, so long-lived FreeBSD client configurations are the main population at risk.
- **CVE-2025-26466:** Affects both client and server.
## Vulnerability Description
Two flaws were identified in OpenSSH by Qualys TRU:
1. **CVE-2025-26465 (MitM):** A logic error in the OpenSSH client's host-key verification path when `VerifyHostKeyDNS` is enabled: an error encountered while checking the presented host key is mishandled and the verification can complete as if it had succeeded. An attacker positioned on the network path can therefore impersonate the legitimate server and present their own host key, and the client accepts it instead of the genuine key, with no warning or prompt.
2. **CVE-2025-26466 (DoS):** A pre-authentication, asymmetric resource-consumption flaw affecting both client and server. A remote peer can trigger it repeatedly before any authentication takes place, driving up memory and CPU consumption on the target until it can no longer service legitimate connections.
## Exploitation
- Status: Not reported as exploited in the wild. The Qualys advisory describes both flaws in technical detail; the summarised text references no public proof-of-concept.
- Complexity:
  - MitM (CVE-2025-26465): High. The attacker must be able to intercept the client's connection (active on-path position) and the client must have `VerifyHostKeyDNS` enabled; no user interaction beyond initiating the SSH connection is needed.
  - DoS (CVE-2025-26466): Low. No authentication or special position is required; any peer that can reach the server (or a malicious server the client connects to) can trigger it repeatedly.
- Attack Vector:
  - MitM: Network (on-path attacker).
  - DoS: Network (unauthenticated remote peer).
## Impact
- Confidentiality: High (Potential session interception/tampering via MitM)
- Integrity: High (Potential session hijacking/tampering via MitM)
- Availability: Medium (DoS attack leads to service disruption)
## Remediation
### Patches
- OpenSSH maintainers addressed both vulnerabilities in **OpenSSH version 9.9p2**.
### Workarounds
- For **CVE-2025-26465 (MitM)**: Ensure `VerifyHostKeyDNS` is set to `no` in client configurations (the upstream default). Check both the system-wide `ssh_config` and per-user `~/.ssh/config`, and pay particular attention to FreeBSD hosts installed before March 2023, where it was enabled by default. Disabling it removes the MitM exposure on unpatched clients; the client still relies on `known_hosts` for host-key verification.
- For **CVE-2025-26466 (DoS)**: No configuration disables the flaw, but the Qualys advisory notes that the server-side impact is limited by the existing `LoginGraceTime`, `MaxStartups` and `PerSourcePenalties` (OpenSSH 9.8p1 and later) mechanisms; confirm they are not relaxed from their defaults until the patch is deployed.
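The following POSIX shell script is an added example for auditing a client against the remediation steps above; it is not code from Qualys or the OpenSSH project. It assumes the upstream `OpenSSH_X.YpZ` version-string format printed by `ssh -V` and applies the affected ranges from this summary (6.8p1 to 9.9p1 for CVE-2025-26465, 9.5p1 to 9.9p1 for CVE-2025-26466, fixed in 9.9p2). The function names and the sample inputs are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the advisory or of OpenSSH. Audits one SSH client
# for CVE-2025-26465 and CVE-2025-26466 using its version string and its
# ssh_config text. Caveat: distributions often backport fixes without changing
# the version number, so treat a version-based hit as "check the package
# changelog", not as proof of exposure.

# Turn "9.9p1" into a sortable integer (9*10000 + 9*100 + 1 = 90901).
version_key() {
    ver="$1"
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%p*}
    patch=${rest#*p}
    [ "$patch" = "$rest" ] && patch=0      # no "pN" suffix present
    echo $(( major * 10000 + minor * 100 + patch ))
}

# Extract "X.YpZ" from an `ssh -V` line such as
# "OpenSSH_9.2p1 Debian-2+deb12u4, OpenSSL 3.0.15 3 Sep 2024".
parse_ssh_version() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*p[0-9][0-9]*\).*/\1/p'
}

# Print the CVEs whose affected range contains the given upstream version.
affected_cves() {
    k=$(version_key "$1")
    out=""
    if [ "$k" -ge "$(version_key 6.8p1)" ] && [ "$k" -le "$(version_key 9.9p1)" ]; then
        out="CVE-2025-26465"
    fi
    if [ "$k" -ge "$(version_key 9.5p1)" ] && [ "$k" -le "$(version_key 9.9p1)" ]; then
        out="${out:+$out }CVE-2025-26466"
    fi
    echo "$out"
}

# Effective VerifyHostKeyDNS value from ssh_config text on stdin. ssh uses the
# first obtained value for a keyword, so the first non-comment match wins.
# Host/Match scoping is ignored here; `ssh -G <host>` is authoritative.
verify_hostkey_dns_setting() {
    val=$(tr 'A-Z' 'a-z' |
          sed -n 's/^[[:space:]]*verifyhostkeydns[[:space:]=]*\([a-z]*\).*/\1/p' |
          head -n 1)
    echo "${val:-no}"                       # upstream default is "no"
}

# One-line verdict: the MitM bug only matters with VerifyHostKeyDNS yes/ask,
# the DoS bug needs no configuration at all.
audit_client() {
    ver=$(parse_ssh_version "$1")
    if [ -z "$ver" ]; then
        echo "unrecognised version string: $1"
        return 0
    fi
    dns=$(printf '%s\n' "$2" | verify_hostkey_dns_setting)
    mitm=not-affected
    dos=not-affected
    for cve in $(affected_cves "$ver"); do
        case $cve in
            CVE-2025-26465)
                if [ "$dns" = yes ] || [ "$dns" = ask ]; then
                    mitm=EXPOSED
                else
                    mitm=affected-but-mitigated
                fi ;;
            CVE-2025-26466)
                dos=AFFECTED ;;
        esac
    done
    echo "OpenSSH $ver VerifyHostKeyDNS=$dns CVE-2025-26465=$mitm CVE-2025-26466=$dos"
}

# Constructed sample inputs (not captured from a real host): what `ssh -V`
# prints and a fragment of ~/.ssh/config with the weak setting.
sample_version='OpenSSH_9.9p1, OpenSSL 3.0.13 30 Jan 2024'
sample_config='Host *
    VerifyHostKeyDNS yes'
audit_client "$sample_version" "$sample_config"
# On a live system: audit_client "$(ssh -V 2>&1)" "$(cat /etc/ssh/ssh_config ~/.ssh/config 2>/dev/null)"
```

The version check is deliberately conservative: it flags any upstream version inside the affected ranges and leaves it to the operator to confirm against the distribution's changelog. For the configuration side, prefer `ssh -G <host> | grep -i verifyhostkeydns` when checking a specific destination, since that resolves `Host` and `Match` blocks the way the client does.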
## Detection
- Detection methods are not detailed in the provided text.
- Indicators of Compromise (IoC): The summarised text gives none. Practical checks derived from the description: for the MitM flaw, audit `ssh_config` and `~/.ssh/config` for `VerifyHostKeyDNS yes` or `ask` on unpatched clients, and treat an unexpected host-key change for a known server (a `known_hosts` entry that no longer matches) as a signal worth investigating; for the DoS flaw, watch for sustained CPU or memory growth in `sshd` correlated with many short-lived, unauthenticated connections from the same source.
## References
- Vendor Advisories: OpenSSH release notes (`https://www.openssh.com/releasenotes.html`)
- Relevant links:
- Vulnerability details from Qualys TRU: `https://blog.qualys.com/vulnerabilities-threat-research/2025/02/18/qualys-tru-discovers-two-vulnerabilities-in-openssh-cve-2025-26465-cve-2025-26466`
- Qualys advisory file: `https://www.qualys.com/2025/02/18/openssh-mitm-dos.txt`