Introduction
This document addresses two critical vulnerabilities identified in the OpenSSH networking utility, designated as CVE-2025-26465 and CVE-2025-26466 [3] [4] [5] [8]. These vulnerabilities pose significant security risks, enabling machine-in-the-middle (MitM) and denial-of-service (DoS) attacks that threaten both client and server components.
Description
Two vulnerabilities have been identified in the OpenSSH networking utility [8], tracked as CVE-2025-26465 and CVE-2025-26466 [3] [4] [5] [7] [8], which can be exploited for machine-in-the-middle (MitM) and denial-of-service (DoS) attacks [5], posing significant risks to both client and server components.
CVE-2025-26465 is a MitM vulnerability affecting OpenSSH clients running versions 6.8p1 through 9.9p1 when the VerifyHostKeyDNS option is enabled [4]; the option must be set to “yes” or “ask” for the attack to succeed, and the default setting is “no.” This flaw allows attackers to intercept SSH connections and inject malicious keys, enabling them to impersonate legitimate SSH servers and hijack sessions without requiring user interaction. Additionally, this vulnerability can lead to out-of-memory errors during SSH key verification, further compromising the security of the connection. Although the VerifyHostKeyDNS feature is disabled by default [8], it was enabled in some environments [8], such as FreeBSD [8], from 2013 to 2023 [2], leaving those systems exposed since the flaw was introduced in March 2015. The existence of this vulnerability underscores the critical need for regular configuration audits to align with modern security standards, as it can lead to credential theft and data manipulation, resulting in potential data breaches and unauthorized access to sensitive information [1].
CVE-2025-26466 affects OpenSSH versions 9.5p1 through 9.9p1 and introduces a pre-authentication DoS attack caused by excessive memory consumption from uncontrolled resource allocation during key exchange. Attackers can flood unauthenticated sessions with repeated SSH2_MSG_PING packets, causing OpenSSH to buffer excessive responses and leading to uncontrolled memory allocation [2], which can lock out legitimate users and administrators [1], severely impacting operational continuity [1]. This issue arises from improper handling of resources during SSH key exchange [8], resulting in unlimited memory allocation that is not freed until the end of the initial key exchange [7]. The vulnerability was introduced in August 2023 [5] [6], shortly before OpenSSH 9.5p1 [6], and can facilitate MitM attacks by bypassing checks of the real server’s host key [7]. While server-side mitigations such as LoginGraceTime [8], MaxStartups [3] [5] [8], and PerSourcePenalties can help reduce the impact, client-side protections are lacking [4], necessitating immediate patching [4].
To address these vulnerabilities [1] [2] [3] [4] [5] [7] [8], OpenSSH version 9.9p2 has been released [8], which includes fixes for both the MitM and DoS flaws [8], along with additional bug resolutions to enhance performance and security [8]. Organizations are strongly encouraged to update promptly [8], disable VerifyHostKeyDNS unless necessary [2] [3], and set StrictHostKeyChecking and UserKnownHostsFile for improved key validation [3]. Additionally, enforcing strict connection rate limits and monitoring SSH traffic can help detect and prevent potential DoS attacks [2]. Server defenses should also be configured to apply PerSourcePenalties to manage abusive IPs, thereby improving the overall security of the SSH infrastructure and supporting compliance with regulations such as GDPR, HIPAA [4], and PCI-DSS [4]. Monitoring SSH logs for unexpected host key changes or unusual resource consumption can also help detect potential exploitation attempts [3].
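The following audit helper is an added example written for this summary; it is not code from the OpenSSH project or from any of the cited articles. It does two things the paragraphs above ask for: it maps a reported OpenSSH version onto the affected ranges given in the text (6.8p1 through 9.9p1 for CVE-2025-26465, 9.5p1 through 9.9p1 for CVE-2025-26466, fixed in 9.9p2), and it checks a client ssh_config and a server sshd_config against the recommended settings (VerifyHostKeyDNS, StrictHostKeyChecking, UserKnownHostsFile, LoginGraceTime, MaxStartups, PerSourcePenalties). The sample configurations are constructed, and the 60-second LoginGraceTime ceiling is an assumed threshold, since the advisory gives no number.

```python
"""Audit helper for CVE-2025-26465 / CVE-2025-26466 mitigations.

Added example, not OpenSSH project code. Affected ranges are taken from
the advisory text; sample configs below are constructed.
"""
import re

# Inclusive affected ranges as (major, minor, portable-patch).
AFFECTED = {
    "CVE-2025-26465": ((6, 8, 1), (9, 9, 1)),  # client MitM; needs VerifyHostKeyDNS yes/ask
    "CVE-2025-26466": ((9, 5, 1), (9, 9, 1)),  # pre-auth DoS via SSH2_MSG_PING flood
}
FIXED_IN = (9, 9, 2)
GRACE_MAX = 60  # assumed ceiling for LoginGraceTime; the advisory gives no number


def parse_version(banner):
    """Turn 'OpenSSH_9.9p1' or a full 'SSH-2.0-OpenSSH_9.9p1' banner into a tuple.
    OpenBSD-native builds carry no 'pN' suffix; treat them as p1."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?", banner)
    if not m:
        raise ValueError(f"no OpenSSH version in {banner!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 1))


def affected_cves(banner):
    """CVE ids from the advisory whose range contains the banner's version."""
    v = parse_version(banner)
    return sorted(cve for cve, (lo, hi) in AFFECTED.items() if lo <= v <= hi)


def parse_config(text):
    """Parse 'Key value' / 'Key=value' lines into a dict of lowercased keys.
    First occurrence wins (OpenSSH semantics). Only global scope is kept:
    settings under 'Host *' / 'Match all' count, other blocks are skipped."""
    settings, in_scope = {}, True
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^(\w+)(?:\s*=\s*|\s+)(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key in ("host", "match"):
            in_scope = value.lower() in ("*", "all")
            continue
        if in_scope and key not in settings:
            settings[key] = value
    return settings


def parse_seconds(value):
    """sshd time format: plain seconds or a number with s/m/h/d/w suffix."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
    m = re.fullmatch(r"(\d+)([smhdw]?)", value.lower())
    if not m:
        raise ValueError(f"bad time value {value!r}")
    return int(m.group(1)) * units.get(m.group(2), 1)


def audit_client(text):
    """Findings for an ssh_config against the client-side recommendations."""
    cfg, findings = parse_config(text), []
    vhkd = cfg.get("verifyhostkeydns", "no").lower()  # OpenSSH default: no
    if vhkd in ("yes", "ask"):
        findings.append(f"VerifyHostKeyDNS is {vhkd}; set it to no (CVE-2025-26465 precondition)")
    shkc = cfg.get("stricthostkeychecking", "ask").lower()  # OpenSSH default: ask
    if shkc != "yes":
        findings.append(f"StrictHostKeyChecking is {shkc}; set it to yes")
    if "userknownhostsfile" not in cfg:
        findings.append("UserKnownHostsFile not set explicitly; pin the known_hosts path")
    return findings


def audit_server(text):
    """Findings for an sshd_config against the server-side mitigations."""
    cfg, findings = parse_config(text), []
    grace = parse_seconds(cfg.get("logingracetime", "120"))  # OpenSSH default: 120
    if grace == 0 or grace > GRACE_MAX:
        findings.append(f"LoginGraceTime is {grace}s (0 = unlimited); cap it at {GRACE_MAX}s")
    starts = cfg.get("maxstartups", "10:30:100")  # OpenSSH default
    if not re.fullmatch(r"\d+:\d+:\d+", starts):
        findings.append(f"MaxStartups '{starts}' lacks the start:rate:full random-early-drop form")
    if cfg.get("persourcepenalties", "yes").lower() == "no":
        findings.append("PerSourcePenalties is disabled; re-enable it (OpenSSH 9.8 and later)")
    return findings


# Constructed samples: the weak setting beside the corrected one.
WEAK_CLIENT = "Host *\n    VerifyHostKeyDNS yes\n    StrictHostKeyChecking no\n"
HARDENED_CLIENT = ("Host *\n    VerifyHostKeyDNS no\n    StrictHostKeyChecking yes\n"
                   "    UserKnownHostsFile ~/.ssh/known_hosts\n")
WEAK_SERVER = "LoginGraceTime 0\nMaxStartups 10\nPerSourcePenalties no\n"
HARDENED_SERVER = "LoginGraceTime 30\nMaxStartups 10:30:100\nPerSourcePenalties yes\n"

if __name__ == "__main__":
    for banner in ("SSH-2.0-OpenSSH_9.9p1", "OpenSSH_9.4p1", "OpenSSH_9.9p2"):
        print(banner, "->", affected_cves(banner) or "not affected")
    for label, fn, cfg in (("weak client", audit_client, WEAK_CLIENT),
                           ("hardened client", audit_client, HARDENED_CLIENT),
                           ("weak server", audit_server, WEAK_SERVER),
                           ("hardened server", audit_server, HARDENED_SERVER)):
        print(f"{label}: {fn(cfg) or 'no findings'}")
```

Run it against a real `ssh -V` banner and the contents of /etc/ssh/ssh_config and /etc/ssh/sshd_config; a non-empty findings list is the configuration audit the text calls for, and an affected-version hit with a clean config still means the 9.9p2 update is due, since CVE-2025-26466 has no client-side setting to turn off.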
Conclusion
The vulnerabilities CVE-2025-26465 and CVE-2025-26466 in OpenSSH present serious security challenges that necessitate immediate attention. Mitigating these risks involves updating to OpenSSH version 9.9p2, disabling unnecessary features, and implementing robust security measures. Organizations must remain vigilant, conducting regular audits and monitoring to prevent exploitation and ensure compliance with relevant security standards and regulations.
References
[1] https://securityonline.info/openssh-flaws-cve-2025-26465-cve-2025-26466-expose-clients-and-servers-to-attacks/
[2] https://blog.netizen.net/2025/02/18/openssh-security-updates-what-soc-teams-need-to-know/
[3] https://cyberinsider.com/openssh-vulnerabilities-exposed-millions-to-multi-year-risks/
[4] https://cybersecuritynews.com/openssh-vulnerabilities-mitm-dos/
[5] https://www.techradar.com/pro/security/openssh-vulnerabilities-could-pose-huge-threat-to-businesses-everywhere
[6] https://ubuntu.com/security/CVE-2025-26466
[7] https://www.csoonline.com/article/3827268/openssh-fixes-two-flaws-that-enable-a-man-in-the-middle-attack-and-denial-of-service.html
[8] https://www.infosecurity-magazine.com/news/openssh-flaws-expose-systems/