Headline
Critical OpenSSH Vulnerabilities Expose Users to MITM and DoS Attacks
Two critical OpenSSH vulnerabilities discovered! Qualys TRU finds client and server flaws (CVE-2025-26465 & CVE-2025-26466) enabling MITM and…
Two critical OpenSSH vulnerabilities discovered! Qualys TRU finds client and server flaws (CVE-2025-26465 & CVE-2025-26466) enabling MITM and DoS. Upgrade to 9.9p2 now to protect your systems.
Qualys Threat Research Unit (TRU) has discovered two security weaknesses in OpenSSH, a widely used tool across various operating systems for secure remote login, file transfers, and other critical functions.
The first vulnerability, identified as CVE-2025-26465, exposes the OpenSSH client to machine-in-the-middle attacks. This flaw “allows an active machine-in-the-middle attack on the OpenSSH client when the VerifyHostKeyDNS option is enabled” and set or ‘yes’ or ‘ask,’ the blog post read.
Further probing revealed that this vulnerability exists regardless of the VerifyHostKeyDNS setting and does not require any user interaction or specific DNS records. It was introduced in OpenSSH version 6.8p1 and affects versions up to 9.9p1.
Moreover, this flaw allows an attacker to impersonate a legitimate server, potentially compromising the integrity of the SSH connection and enabling data interception or manipulation. This can lead to compromised SSH sessions, allowing hackers to view or manipulate sensitive data, move across critical servers, and exfiltrate valuable information. It is worth noting that while VerifyHostKeyDNS is typically disabled, it was enabled by default on FreeBSD systems for nearly a decade, increasing the potential impact of this flaw.
The second vulnerability, tracked as CVE-2025-26466, affects both the OpenSSH client and server. This flaw allows a pre-authentication denial-of-service attack, consuming excessive memory and CPU resources. This can lead to system outages and prevent legitimate users, including administrators, from accessing critical servers. Repeated exploitation can lead to prolonged outages and server management issues, potentially affecting an enterprise’s operations and maintenance tasks.
This vulnerability was introduced more recently, in OpenSSH version 9.5p1, and also affects versions up to 9.9p1. Fortunately, several existing OpenSSH server configurations, such as LoginGraceTime, MaxStartups, and PerSourcePenalties, can mitigate this denial-of-service attack.
The Qualys TRU responsibly disclosed these vulnerabilities to the OpenSSH developers, and a fix is available in OpenSSH version 9.9p2. Users and administrators must immediately upgrade to this latest version to protect their systems from these newly identified threats. Any delay could leave systems vulnerable to data breaches, unauthorized access, and denial-of-service attacks, potentially disrupting operations and leading to dangerous consequences.
It must be noted that OpenSSH has faced security challenges in the past, such as Hackread.com reporting the regreSSHion vulnerability (CVE-2024-6387) also discovered by Qualys in 2024. This flaw could have allowed unauthenticated remote code execution with root privileges on Linux systems using glibc, emphasizing the need for thorough testing and potential regressions in security-sensitive software.
These flaws in OpenSSH highlight that even widely trusted and well-maintained software like OpenSSH can be susceptible to vulnerabilities, making regular software updates, monitoring for suspicious activity, and implementing security best practices essential to protect systems.
Related news
The maintainers of the FreeBSD Project have released security updates to address a high-severity flaw in OpenSSH that attackers could potentially exploit to execute arbitrary code remotely with elevated privileges. The vulnerability, tracked as CVE-2024-7589, carries a CVSS score of 7.4 out of a maximum of 10.0, indicating high severity. "A signal handler in sshd(8) may call a logging function
Quay.io is Red Hat’s hosted container registry service that serves enterprise users, open source community projects, and Red Hat customers worldwide. One of the most used features of Quay.io, besides storing and serving container images, is the comprehensive security vulnerability reporting for any uploaded image. Because Red Hat is committed to making open source software more accessible, this functionality is also available on the free tier, provided by the Clair static vulnerability analyzer project.Clair allows users to analyze millions of container images and billions of layers, and pr
Select versions of the OpenSSH secure networking suite are susceptible to a new vulnerability that can trigger remote code execution (RCE). The vulnerability, tracked as CVE-2024-6409 (CVSS score: 7.0), is distinct from CVE-2024-6387 (aka RegreSSHion) and relates to a case of code execution in the privsep child process due to a race condition in signal handling. It only impacts versions 8.7p1
Red Hat Security Advisory 2024-4312-03 - An update for openssh is now available for Red Hat Enterprise Linux 9. Issues addressed include a code execution vulnerability.
Gentoo Linux Security Advisory 202407-9 - A vulnerability has been discovered in OpenSSH, which can lead to remote code execution with root privileges. Versions greater than or equal to 9.7_p1-r6 are affected.
Ubuntu Security Notice 6859-1 - It was discovered that OpenSSH incorrectly handled signal management. A remote attacker could use this issue to bypass authentication and remotely access systems without proper credentials.
Debian Linux Security Advisory 5724-1 - The Qualys Threat Research Unit (TRU) discovered that OpenSSH, an implementation of the SSH protocol suite, is prone to a signal handler race condition. If a client does not authenticate within LoginGraceTime seconds (120 by default), then sshd's SIGALRM handler is called asynchronously and calls various functions that are not async-signal-safe. A remote unauthenticated attacker can take advantage of this flaw to execute arbitrary code with root privileges. This flaw affects sshd in its default configuration.
Qualys has discovered a a signal handler race condition vulnerability in OpenSSH's server, sshd. If a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd's SIGALRM handler is called asynchronously, but this signal handler calls various functions that are not async-signal-safe - for example, syslog(). This race condition affects sshd in its default configuration.
OpenSSH maintainers have released security updates to contain a critical security flaw that could result in unauthenticated remote code execution with root privileges in glibc-based Linux systems. The vulnerability has been assigned the CVE identifier CVE-2024-6387. It resides in the OpenSSH server component, also known as sshd, which is designed to listen for connections from any of the client