Two security vulnerabilities have been identified in the OpenSSH secure networking utility suite, potentially exposing systems to severe risks. The flaws, discovered by Qualys Threat Research Unit (TRU), impact versions 6.8p1 to 9.9p1 of OpenSSH and can result in an active man-in-the-middle (MitM) attack and a denial-of-service (DoS) condition under specific circumstances. These vulnerabilities, CVE-2025-26465 and CVE-2025-26466, have been detailed as a logic error in the OpenSSH client and a pre-authentication DoS issue affecting both the client and server. The vulnerabilities were introduced between 2014 and 2023, with the first flaw allowing attackers to impersonate legitimate servers and the second one consuming excessive system resources.
The active MitM vulnerability (CVE-2025-26465) occurs when the “VerifyHostKeyDNS” option is enabled.
This flaw allows malicious actors to impersonate a legitimate server, leading the client to accept their key instead of the real server’s key.This could compromise the integrity of the SSH connection, enabling attackers to potentially intercept, tamper with, or hijack SSH sessions, posing a significant security threat. Interestingly, this option was enabled by default on FreeBSD from 2013 to 2023, increasing the risk for machines running that operating system, though it is disabled by default in more recent OpenSSH versions.
The second vulnerability (CVE-2025-26466) relates to a pre-authentication DoS condition found in OpenSSH client and server versions 9.5p1 to 9.9p1. This flaw causes excessive memory and CPU consumption when exploited, which can result in servers becoming unresponsive and locked out of management access. If exploited repeatedly, this could severely impact routine server operations, hindering legitimate users from accessing or managing the servers. The flaw poses a substantial availability risk, making it challenging for administrators to maintain the server environment effectively.
In response to these vulnerabilities, OpenSSH has released version 9.9p2, which addresses both security issues. The patch eliminates the MitM risk by addressing the logic error in the client and resolves the DoS vulnerability, preventing the server from being overwhelmed by resource consumption. The disclosure of these vulnerabilities follows a previous issue discovered by Qualys in 2024 (CVE-2024-6387), which could have led to unauthenticated remote code execution in glibc-based Linux systems. These vulnerabilities highlight the ongoing need for timely patching and careful security monitoring within the OpenSSH ecosystem.
