
The Qualys Threat Research Unit (TRU) has disclosed two newly identified vulnerabilities in OpenSSH, affecting both clients and servers. These flaws, tracked as CVE-2025-26465 and CVE-2025-26466, could enable attackers to execute machine-in-the-middle (MITM) attacks and denial-of-service (DoS) exploits, respectively.
The more concerning of the two, CVE-2025-26465, exposes OpenSSH clients to MITM attacks. As Qualys explains in their report, this vulnerability “allows an active machine-in-the-middle attack on the OpenSSH client when the VerifyHostKeyDNS option is enabled.” While this option is disabled by default, its use, particularly in certain configurations like those historically used in FreeBSD, broadens the potential attack surface. Strikingly, the Qualys report emphasizes that this attack “succeeds regardless of whether the VerifyHostKeyDNS option is set to ‘yes’ or ‘ask’… requires no user interaction, and does not depend on the existence of an SSHFP resource record (an SSH fingerprint) in DNS.” A compromise that needs no user interaction poses a significant risk to organizations relying on SSH for secure communication. Imagine an attacker intercepting an SSH session, gaining access to sensitive data, or even pivoting to other critical systems within the network.
The second vulnerability, CVE-2025-26466, presents a different but equally disruptive threat: a pre-authentication denial-of-service attack. This flaw, affecting both client and server, allows attackers to exhaust system resources. Qualys notes that it enables “a pre-authentication denial-of-service attack–an asymmetric resource consumption of both memory and CPU.” This type of attack can cripple SSH servers, effectively locking out legitimate users and administrators. In a world where remote access is paramount, such an outage can bring critical operations to a standstill. While OpenSSH does offer some mitigation strategies, such as LoginGraceTime, MaxStartups, and PerSourcePenalties, administrators must ensure these are properly configured to minimize the risk.
The affected versions paint a picture of widespread vulnerability. CVE-2025-26465 affects OpenSSH versions from 6.8p1 through 9.9p1, a flaw introduced back in December 2014. CVE-2025-26466, a more recent issue, impacts versions 9.5p1 through 9.9p1, having been introduced in August 2023. This means a large number of systems, potentially spanning nearly a decade of releases, are susceptible.
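As an added triage helper (not code from the Qualys report or the OpenSSH project), the POSIX shell functions below map the `ssh -V` banner and an ssh_config file onto the two CVEs using the version ranges and the VerifyHostKeyDNS condition quoted above; the banner, config contents and the `assess_openssh` function name are constructed for this example.

```shell
# Added triage helper (not OpenSSH or Qualys code). Version ranges and the
# VerifyHostKeyDNS condition come from the advisory; sample inputs are constructed.

# "OpenSSH_9.9p1, OpenSSL 3.0.2 ..." -> "9.9p1" (the banner `ssh -V` prints on stderr)
parse_ssh_version() {
  printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*p[0-9][0-9]*\).*/\1/p'
}
# "9.9p1" -> 9009 (major*1000 + minor) so release ranges compare as integers
version_key() {
  v=${1%%p*}
  echo $(( ${v%%.*} * 1000 + ${v#*.} ))
}
# CVE-2025-26465 (client MITM): 6.8p1 through 9.9p1
cve_2025_26465_affected() {
  k=$(version_key "$1"); [ "$k" -ge 6008 ] && [ "$k" -le 9009 ]
}
# CVE-2025-26466 (pre-auth DoS, client and server): 9.5p1 through 9.9p1
cve_2025_26466_affected() {
  k=$(version_key "$1"); [ "$k" -ge 9005 ] && [ "$k" -le 9009 ]
}
# True when an ssh_config enables VerifyHostKeyDNS: "yes" and "ask" both count,
# commented lines do not, and "Key value" and "Key=value" forms are both accepted
verify_host_key_dns_enabled() {
  grep -Eiq '^[[:space:]]*VerifyHostKeyDNS([[:space:]]+|[[:space:]]*=[[:space:]]*)(yes|ask)([[:space:]]|$)' "$1"
}
# Prints one line per applicable CVE; returns 0 only when the version is unaffected
assess_openssh() {
  ver=$(parse_ssh_version "$1")
  [ -n "$ver" ] || { echo "unrecognised banner: $1"; return 2; }
  hits=0
  if cve_2025_26465_affected "$ver"; then
    hits=$((hits + 1))
    if verify_host_key_dns_enabled "$2"; then
      echo "CVE-2025-26465: $ver with VerifyHostKeyDNS enabled, exposed to client MITM"
    else
      echo "CVE-2025-26465: $ver affected; VerifyHostKeyDNS off (default), patch anyway"
    fi
  fi
  if cve_2025_26466_affected "$ver"; then
    hits=$((hits + 1))
    echo "CVE-2025-26466: $ver affected by pre-auth DoS; review LoginGraceTime, MaxStartups, PerSourcePenalties"
  fi
  [ "$hits" -eq 0 ]
}
# Constructed demo: fabricated banner and config, not taken from a real host
SAMPLE_CFG=$(mktemp)
printf 'Host *\n    VerifyHostKeyDNS yes\n' > "$SAMPLE_CFG"
assess_openssh "OpenSSH_9.6p1 Ubuntu-3ubuntu13, OpenSSL 3.0.13 30 Jan 2024" "$SAMPLE_CFG" || true
rm -f "$SAMPLE_CFG"
```

On a real host, feed it `ssh -V 2>&1` and the effective client config (`ssh -G host` also reports the resolved `verifyhostkeydns` value) rather than a single file.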
The potential impact of these vulnerabilities is substantial. A successful MITM attack via CVE-2025-26465 could lead to data breaches, credential theft, and lateral movement within a network. As Qualys points out, “SSH sessions can be a prime target for attackers aiming to intercept credentials or hijack sessions.” Compromised SSH access can be a gateway to sensitive data, violating compliance regulations and causing significant reputational damage. The DoS vulnerability, CVE-2025-26466, threatens operational continuity. By exploiting this flaw, attackers can disrupt critical services and prevent administrators from managing essential systems.
Qualys has responsibly disclosed these vulnerabilities, working closely with the OpenSSH developers to coordinate the announcement. Technical details of the vulnerabilities can be found in their report.
Administrators should immediately assess their systems for vulnerable OpenSSH versions and apply the necessary updates to mitigate these risks.