The Qualys Threat Research Unit (TRU) has uncovered two significant vulnerabilities in OpenSSH, a widely used open-source implementation of the Secure Shell (SSH) protocol.
These flaws, tracked as CVE-2025-26465 and CVE-2025-26466, pose substantial security risks to enterprise infrastructure and encrypted communications.
Details of the Vulnerabilities
CVE-2025-26465: The researchers said the OpenSSH client is vulnerable to an active machine-in-the-middle (MITM) attack if the VerifyHostKeyDNS option is enabled (it is disabled by default): when a vulnerable client connects to a server, an active machine-in-the-middle can impersonate the server, fully bypassing the client's checks of the server's identity.
The issue was introduced in December 2014, just before OpenSSH 6.8p1; the VerifyHostKeyDNS option was enabled by default on FreeBSD between September 2013 and March 2023.
“This attack against the OpenSSH client succeeds whether VerifyHostKeyDNS is ‘yes’ or ‘ask’ (it is ‘no’ by default), without user interaction, and whether the impersonated server actually has an SSHFP resource record or not (an SSH fingerprint stored in DNS),” they explained.
CVE-2025-26466: This vulnerability impacts both OpenSSH client and server, allowing a pre-authentication denial-of-service (DoS) attack that results in asymmetric resource consumption of memory and CPU.
Introduced in August 2023, just before OpenSSH 9.5p1, this flaw can cause prolonged service disruptions. “On the server side, this attack can be easily mitigated by mechanisms that are already built in OpenSSH: LoginGraceTime, MaxStartups, and more recently (OpenSSH 9.8p1 and newer) PerSourcePenalties,” Qualys explained.
Affected Versions
- CVE-2025-26465: OpenSSH versions 6.8p1 through 9.9p1
- CVE-2025-26466: OpenSSH versions 9.5p1 through 9.9p1
- Patched Version: OpenSSH 9.9p2 addresses both vulnerabilities, and researchers urge users to update immediately.
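The following script is an added example, not code from Qualys, the OpenSSH project or this article. It ties together the three technical points above: it classifies an OpenSSH version string against the affected ranges listed, flags a client whose effective configuration has VerifyHostKeyDNS set to yes or ask (the two settings under which the MITM bypass works), and emits an sshd_config drop-in built from the server-side limits Qualys names (LoginGraceTime, MaxStartups and, for 9.8p1 and newer, PerSourcePenalties). The hostname `example.invalid`, the sshd_config values, and the assumption that sshd comes from the same package as ssh are all the example's own choices, not values from the advisory.

```shell
#!/bin/sh
# Added example (not Qualys, OpenSSH or article code): version triage,
# client-config check and server mitigation drop-in for the two CVEs.

# Turn "9.9p1" (or a full `ssh -V` line such as "OpenSSH_9.9p1, OpenSSL ...")
# into an integer key MMmmpp for range comparison: 9.9p1 -> 90901.
version_key() {
    v=${1#OpenSSH_}              # drop the OpenSSH_ prefix if present
    v=${v%%,*}                   # drop the ", OpenSSL ..." tail
    v=${v%% *}                   # drop a distro suffix such as " Ubuntu-3..."
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%p*}
    patch=${rest#*p}
    [ "$patch" = "$rest" ] && patch=0   # no portable "pN" suffix present
    echo $((major * 10000 + minor * 100 + patch))
}

# Print the CVE(s) covering a version, or "not affected". Exit status is 0
# when at least one applies, so the function can be used directly in an `if`.
# Ranges are the ones given in the article's "Affected Versions" list.
affected_cves() {
    k=$(version_key "$1")
    found=""
    if [ "$k" -ge 60801 ] && [ "$k" -le 90901 ]; then
        found="CVE-2025-26465"                   # 6.8p1 .. 9.9p1 (client MITM)
    fi
    if [ "$k" -ge 90501 ] && [ "$k" -le 90901 ]; then
        found="${found:+$found }CVE-2025-26466"  # 9.5p1 .. 9.9p1 (pre-auth DoS)
    fi
    if [ -n "$found" ]; then
        echo "$found"
        return 0
    fi
    echo "not affected"
    return 1
}

# $1 is the text printed by `ssh -G <host>`, which shows the effective client
# configuration without connecting. True when VerifyHostKeyDNS is yes or ask.
dns_hostkey_enabled() {
    printf '%s\n' "$1" | grep -Eqi '^verifyhostkeydns (yes|ask)$'
}

# Print an sshd_config drop-in with the built-in limits Qualys lists as
# server-side mitigations for the DoS. PerSourcePenalties exists only from
# 9.8p1, so it is emitted only for servers at least that new. The values are
# assumed starting points (sshd_config(5) defaults), not advisory values.
server_mitigations() {
    k=$(version_key "$1")
    echo "LoginGraceTime 30"          # cap time a connection may sit pre-auth
    echo "MaxStartups 10:30:100"      # throttle concurrent unauthenticated conns
    if [ "$k" -ge 90801 ]; then
        echo "PerSourcePenalties noauth:1 grace-exceeded:10 max:600"
    fi
}

# When run directly: report on the local ssh binary and its effective config.
# example.invalid is a placeholder host; -G never opens a connection.
if command -v ssh >/dev/null 2>&1; then
    client=$(ssh -V 2>&1)
    echo "client $client: $(affected_cves "$client")"
    if dns_hostkey_enabled "$(ssh -G example.invalid 2>/dev/null)"; then
        echo "WARNING: VerifyHostKeyDNS is enabled; set it to no until 9.9p2 is installed"
    fi
    echo "suggested sshd_config drop-in (assumes sshd from the same package as ssh):"
    server_mitigations "$client"
fi
```

One caveat for fleet-wide use: the version check is a first pass only. Distributions often backport fixes without changing the upstream version string, so a 9.6p1 reported here as affected may already be patched by the vendor; confirm against the distribution's security advisory before treating a host as vulnerable.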
Potential Impact
If exploited, CVE-2025-26465 could allow malicious actors to intercept SSH sessions, compromising sensitive data, credentials, and internal communications. Malefactors could manipulate data in transit, potentially resulting in data breaches, compliance violations, and lateral movement across critical enterprise networks.
CVE-2025-26466, on the other hand, could be used to launch a prolonged DDoS attack, preventing administrators from accessing and managing their servers, which would disrupt critical operations, delay maintenance, and lock out sanctioned users, impacting business continuity.
Recommended Actions
Security teams should take immediate steps to mitigate the risks posed by these vulnerabilities:
- Upgrade to version 9.9p2 as soon as possible to address both issues.
- Identify affected assets using Qualys CyberSecurity Asset Management (CSAM) to detect vulnerable OpenSSH instances, including internet-facing assets.
- Enhance security posture with Qualys Vulnerability Management, Detection, and Response (VMDR) to monitor and address security gaps.
- Apply automated patches using Qualys Patch Management to ensure swift remediation.
- Secure containerized environments with Qualys TotalCloud Container Security to detect and remediate vulnerabilities in containerized OpenSSH deployments.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.