Two newly discovered vulnerabilities in OpenSSH threaten the security of users worldwide. Researchers at Qualys have identified the bugs, which allow attackers to perform machine-in-the-middle (MitM) attacks and pre-authentication denial-of-service (DoS) attacks on the OpenSSH client and server.
The vulnerabilities are severe, with a severity score of 6.8 for one and 5.9 for the other. Patches have already been released, and experts warn that users should update at their earliest convenience.
One vulnerability, CVE-2025-26465, can only be exploited when the VerifyHostKeyDNS option is set to “yes” or “ask”. However, it’s worth noting that this was enabled by default on FreeBSD between September 2013 and March 2023. If an attacker exploits this bug, they could intercept or manipulate data transferred over what users expect to be a secure channel.
The other vulnerability, CVE-2025-26466, affects both the OpenSSH client and server and can cause prolonged outages through asymmetric consumption of memory and CPU. The bug was introduced in August 2023, shortly before version 9.5p1 was released.
Given the severity of these vulnerabilities, experts stress that prompt patching is crucial to protect against potential damage. Saeed Abbasi from Qualys’ Threat Research Unit notes that SSH sessions can be a prime target for attackers aiming to intercept credentials or hijack sessions.
The good news is that OpenSSH has released version 9.9p2, which patches both CVE-2025-26465 and CVE-2025-26466. The project thanks Qualys for the report and the open-source community for their continued support.
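As an added example (not code from the article or from the OpenSSH project), the script below turns the two conditions described above into a quick check for a fleet: it parses an `ssh -V` banner and the effective client configuration printed by `ssh -G <host>`, and flags a host for CVE-2025-26465 when it is older than 9.9p2 with VerifyHostKeyDNS set to yes or ask, and for CVE-2025-26466 when it runs 9.5p1 up to 9.9p1. The sample banner and configuration are constructed, and the `ssh -G` line format ("verifyhostkeydns ask") is an assumption about upstream OpenSSH output.

```python
import re
from typing import Dict, Optional, Tuple

# Version boundaries taken from the article: 9.9p2 fixes both issues and the
# DoS bug dates from just before the 9.5p1 release. Assumed here: anything
# below 9.9p2 is treated as unpatched (conservative; see note on backports).
FIXED = (9, 9, 2)
DOS_INTRODUCED = (9, 5, 1)

_VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_openssh_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Turn 'OpenSSH_9.9p1, OpenSSL 3.0.13 ...' into (9, 9, 1); None if absent."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def verify_host_key_dns(ssh_g_output: str) -> str:
    """Read the effective VerifyHostKeyDNS value from `ssh -G <host>` output.

    `ssh -G` prints each effective option as a lowercase 'key value' line, so
    the result reflects ~/.ssh/config, /etc/ssh/ssh_config and the default.
    """
    for line in ssh_g_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "verifyhostkeydns":
            return parts[1].lower()
    return "no"  # upstream default when the option is not printed


def assess(banner: str, ssh_g_output: str) -> Dict[str, bool]:
    """Report which of the two issues a host's version and config expose it to."""
    ver = parse_openssh_version(banner)
    if ver is None:
        raise ValueError(f"no OpenSSH version in banner: {banner!r}")
    unpatched = ver < FIXED
    # CVE-2025-26465 needs VerifyHostKeyDNS=yes/ask on an unpatched client.
    mitm = unpatched and verify_host_key_dns(ssh_g_output) in ("yes", "ask")
    # CVE-2025-26466 affects 9.5p1 up to, but not including, 9.9p2.
    dos = unpatched and ver >= DOS_INTRODUCED
    return {"mitm_cve_2025_26465": mitm, "dos_cve_2025_26466": dos}


if __name__ == "__main__":
    # Constructed sample data resembling `ssh -V` and `ssh -G bastion` output.
    sample_banner = "OpenSSH_9.9p1, OpenSSL 3.0.13 30 Jan 2024"
    sample_config = "user alice\nhostname bastion\nverifyhostkeydns ask\n"
    print(assess(sample_banner, sample_config))
```

Distributions often backport fixes without bumping the upstream version, so a version-only verdict can be a false positive; confirm against the vendor's package changelog before treating a host as exposed.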
Users running affected OpenSSH versions are advised to update their systems as soon as possible to prevent potential breaches and reputational damage.
Source: https://www.theregister.com/2025/02/18/openssh_vulnerabilities_mitm_dos