Two critical OpenSSH vulnerabilities discovered! Qualys TRU finds client and server flaws (CVE-2025-26465 & CVE-2025-26466) enabling MITM and DoS. Upgrade to 9.9p2 now to protect your systems.
Qualys Threat Research Unit (TRU) has discovered two security weaknesses in OpenSSH, a widely used tool across various operating systems for secure remote login, file transfers, and other critical functions.
The first vulnerability, identified as CVE-2025-26465, exposes the OpenSSH client to machine-in-the-middle attacks. This flaw “allows an active machine-in-the-middle attack on the OpenSSH client when the VerifyHostKeyDNS option is enabled” and set or ‘yes’ or ‘ask,’ the blog post read.
Further probing revealed that this vulnerability exists regardless of the VerifyHostKeyDNS setting and does not require any user interaction or specific DNS records. It was introduced in OpenSSH version 6.8p1 and affects versions up to 9.9p1.
Moreover, this flaw allows an attacker to impersonate a legitimate server, potentially compromising the integrity of the SSH connection and enabling data interception or manipulation. This can lead to compromised SSH sessions, allowing hackers to view or manipulate sensitive data, move across critical servers, and exfiltrate valuable information. It is worth noting that while VerifyHostKeyDNS is typically disabled, it was enabled by default on FreeBSD systems for nearly a decade, increasing the potential impact of this flaw.
The second vulnerability, tracked as CVE-2025-26466, affects both the OpenSSH client and server. This flaw allows a pre-authentication denial-of-service attack, consuming excessive memory and CPU resources. This can lead to system outages and prevent legitimate users, including administrators, from accessing critical servers. Repeated exploitation can lead to prolonged outages and server management issues, potentially affecting an enterprise’s operations and maintenance tasks.
This vulnerability was introduced more recently, in OpenSSH version 9.5p1, and also affects versions up to 9.9p1. Fortunately, several existing OpenSSH server configurations, such as LoginGraceTime, MaxStartups, and PerSourcePenalties, can mitigate this denial-of-service attack.
The Qualys TRU responsibly disclosed these vulnerabilities to the OpenSSH developers, and a fix is available in OpenSSH version 9.9p2. Users and administrators must immediately upgrade to this latest version to protect their systems from these newly identified threats. Any delay could leave systems vulnerable to data breaches, unauthorized access, and denial-of-service attacks, potentially disrupting operations and leading to dangerous consequences.
It must be noted that OpenSSH has faced security challenges in the past, such as Hackread.com reporting the regreSSHion vulnerability (CVE-2024-6387) also discovered by Qualys in 2024. This flaw could have allowed unauthenticated remote code execution with root privileges on Linux systems using glibc, emphasizing the need for thorough testing and potential regressions in security-sensitive software.
These flaws in OpenSSH highlight that even widely trusted and well-maintained software like OpenSSH can be susceptible to vulnerabilities, making regular software updates, monitoring for suspicious activity, and implementing security best practices essential to protect systems.