Critical OpenSSH Vulnerabilities: Patch Immediately to Prevent Attacks

Two major security vulnerabilities have been located in the OpenSSH secure networking utility. These vulnerabilities can enable an active MitM attack depending on certain conditions. Apart from this, they can also enable a Denial of Service or DoS attack. 

Additional details about the vulnerabilities have been provided by the Qualys Threat Research Unit (TRU). CVE-2025-26465 (Severity: 6.8) is a logic error that exists in the OpenSSH client from version 6.8p1 through 9.9p1 (inclusive). 

Hence, when using the VerifyHostKeyDNS option, this flaw allows the client to be subject to an attack under the control of the adversary whereby the adversary can masquerade as the legitimate server while the server is attempting to connect.

The OpenSSH client and server are vulnerable to an attack that is a pre-authentication denial of service on all versions from 9.5p1 to 9.9p1 (inclusive). This can lead to excessive usage of memory and CPU. 

Saeed Abbasi, the product manager at Qualys TRU explained, “This vulnerability allows an attacker to conduct a man-in-the-middle attack under CVE-2025-26465, whereby the client trusts the attacker’s key instead of the legitimate server’s key.” 

He further added, “This violates SSH connection integrity and thus provides a window for the attacker to intercept or alter the session before the realization of the victim.” In other words, if someone tries to make these flaws work, they might find that they can control SSH sessions and get access to sensitive information. 

The default setting on OpenSSH is to leave the VerifyHostKeyDNS option turned off, but this was on by default in FreeBSD from September 2013 through March 2023. It could have placed systems running that Unix-like OS at risk.On the other hand, repeated exploitation of CVE-2025-26466 may result in availability problems and restrict administrators from being able to manage perpetrators. This will interfere with normal operations by locking out legitimate users.