
OpenSSH Vulnerabilities: MitM and DoS Threats Identified and Mitigated

Recent discoveries have highlighted two significant vulnerabilities in the OpenSSH secure networking utility suite, which could lead to active machine-in-the-middle (MitM) and denial-of-service (DoS) attacks. These vulnerabilities, identified by the Qualys Threat Research Unit, affect specific versions of OpenSSH and have been assigned CVE identifiers CVE-2025-26465 and CVE-2025-26466. The MitM vulnerability, with a CVSS score of 6.8, affects OpenSSH client versions 6.8p1 to 9.9p1 when the VerifyHostKeyDNS option is enabled. This flaw allows attackers to impersonate legitimate servers, potentially compromising SSH sessions and accessing sensitive data. The DoS vulnerability, with a CVSS score of 5.9, impacts both client and server versions 9.5p1 to 9.9p1, leading to resource exhaustion and service disruption.

The MitM vulnerability is particularly concerning for systems where the VerifyHostKeyDNS option was enabled by default, such as FreeBSD systems from September 2013 to March 2023. This configuration could expose these systems to unauthorized access and data interception. Meanwhile, the DoS vulnerability can disrupt server management and lock out legitimate users, affecting routine operations.

Both vulnerabilities have been addressed in the latest OpenSSH version 9.9p2, released by the maintainers. This update follows a previous disclosure by Qualys of another critical OpenSSH flaw, CVE-2024-6387, which posed a risk of unauthenticated remote code execution on glibc-based Linux systems.



Threats and Vulnerabilities


The first vulnerability, CVE-2025-26465, is a logic error in the OpenSSH client that can be exploited for a MitM attack if the VerifyHostKeyDNS option is enabled. This flaw allows an attacker to impersonate a legitimate server during an SSH connection attempt, potentially intercepting or tampering with the session. The vulnerability affects OpenSSH versions from 6.8p1 to 9.9p1 and poses a significant risk to data integrity and confidentiality.

The second vulnerability, CVE-2025-26466, affects both the OpenSSH client and server, leading to a pre-authentication DoS attack. This issue causes excessive memory and CPU consumption, impacting versions 9.5p1 to 9.9p1. Repeated exploitation can result in service unavailability, preventing administrators from managing servers and disrupting normal operations.


Client Impact


Clients using affected versions of OpenSSH may experience operational disruptions due to these vulnerabilities. The MitM vulnerability could lead to unauthorized access and data breaches, compromising sensitive information and damaging reputations. The DoS vulnerability may cause service outages, affecting business continuity and potentially leading to financial losses.

From a compliance perspective, these vulnerabilities could result in regulatory challenges if exploited, as unauthorized access or data breaches may violate data protection laws and industry standards. Organizations should assess their exposure and take immediate action to mitigate these risks.



Mitigations



To address these vulnerabilities, clients should consider the following actions:

  1. Upgrade to OpenSSH version 9.9p2 or later to mitigate both vulnerabilities.
  2. Disable the VerifyHostKeyDNS option if not required, especially on systems where it was previously enabled by default.
  3. Implement network monitoring to detect unusual SSH traffic patterns indicative of MitM or DoS attacks.
  4. Regularly review and update SSH configurations to align with security best practices.
  5. Educate users on recognizing potential phishing attempts that could lead to MitM attacks.

By taking these steps, organizations can reduce their risk exposure and enhance their security posture against these specific threats.
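A quick triage for steps 1 and 2, written for this page as an added example (not code from Qualys or the OpenSSH project): it compares an `ssh -V` banner with the version ranges given above and reads VerifyHostKeyDNS from `ssh -G` output. The function names `ver_num` and `assess`, the sample banners and the host `example.org` are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: triage one client against the version ranges stated on this page.
# A version banner only approximates exposure: distro packages may backport fixes.

# "OpenSSH_9.6p1 Ubuntu-..., OpenSSL ..." -> 90601 (major*10000 + minor*100 + p-level)
ver_num() {
    v=${1#*OpenSSH_}
    v=${v%%[!0-9.p]*}                     # keep only the "9.6p1" token
    case $v in [0-9]*.[0-9]*) ;; *) return 1 ;; esac
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%p*}
    case $rest in *p*) patch=${rest#*p} ;; *) patch=0 ;; esac
    echo $(( major * 10000 + minor * 100 + patch ))
}

# $1 = banner from `ssh -V`, $2 = effective config from `ssh -G <host>`
assess() {
    n=$(ver_num "$1") || { echo "unknown-version"; return 0; }
    dns=$(printf '%s\n' "$2" | awk 'tolower($1) == "verifyhostkeydns" { print tolower($2) }')
    hits=""
    # CVE-2025-26465: client 6.8p1..9.9p1, only with VerifyHostKeyDNS enabled.
    # Assumption: any value other than no/false counts as enabled.
    if [ "$n" -ge 60801 ] && [ "$n" -le 90901 ]; then
        case ${dns:-no} in no|false) ;; *) hits="CVE-2025-26465" ;; esac
    fi
    # CVE-2025-26466: client and server 9.5p1..9.9p1, regardless of that option.
    if [ "$n" -ge 90501 ] && [ "$n" -le 90901 ]; then
        hits="${hits:+$hits }CVE-2025-26466"
    fi
    echo "${hits:-not-in-affected-range}"
}

# Constructed samples (not captured from a real host).
assess "OpenSSH_8.9p1 Ubuntu-3, OpenSSL 3.0.2" "verifyhostkeydns true"
assess "OpenSSH_9.6p1, OpenSSL 3.0.13"         "verifyhostkeydns false"
assess "OpenSSH_9.9p2, OpenSSL 3.3.2"          "verifyhostkeydns ask"

# Live check, when an ssh client is installed ("example.org" is a placeholder host).
if command -v ssh >/dev/null 2>&1; then
    assess "$(ssh -V 2>&1)" "$(ssh -G example.org 2>/dev/null)"
fi
```

Because `ssh -G` applies `Host` and `Match` blocks, run the live check against the host names users actually connect to, since VerifyHostKeyDNS can be enabled for some hosts only.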


1898 & Co Response


1898 & Co is actively addressing the current threat landscape by offering tailored security assessments and upgrade services for clients using OpenSSH. Our team is focused on helping organizations implement the latest security patches and configurations to mitigate identified vulnerabilities.

We are collaborating with industry partners to share threat intelligence and develop comprehensive strategies for protecting critical infrastructure from emerging threats. Our ongoing research efforts ensure that we remain at the forefront of cybersecurity developments, providing clients with timely insights and solutions.

Our case studies demonstrate successful mitigation of similar vulnerabilities, highlighting our expertise in securing network utilities like OpenSSH. Clients can rely on our extensive experience to navigate complex security challenges and maintain robust defenses against evolving cyber threats.

