
A critical vulnerability tracked as CVE-2025-30095 has been discovered in VyOS, a popular open-source network operating system. The flaw, reported by Morgan Jones of Viasat, stems from private SSH key reuse in the Dropbear-based console server, potentially enabling active man-in-the-middle (MITM) attacks.
“SSH sessions associated with the console server [were] vulnerable to active man-in-the-middle attacks,” the update notes. “This issue did not affect system SSH connections — only SSH connections to console server ports.”
The issue lies in how Dropbear, a lightweight SSH daemon, was configured and integrated into VyOS and other Debian-based systems using live-build. During image creation, the Dropbear host keys were pre-generated and embedded into the image. As a result, all systems deployed from the same image shared identical SSH keys for the console server.
This means if an attacker knows which VyOS image a target is using (e.g., from public repositories), they can extract the embedded keys and:
- Intercept the SSH key exchange
- Impersonate the server
- Decrypt or manipulate traffic in real time
“Every system deployed from the same image used the same private key,” the update warns. “An attacker capable of intercepting and modifying traffic could impersonate the server.”
Only the console server service is affected—not the primary VyOS SSH daemon, which uses OpenSSH by default and is better protected during image creation. A typical vulnerable configuration looks like this:
The vulnerability affects VyOS versions 1.3 through 1.5, or any system that uses Dropbear + live-build without a safeguard to remove embedded SSH keys before packing the image. The problem is not unique to VyOS—it could affect any Debian-based system that uses Dropbear with live-build.
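Because every device built from the same image presents the same console-server host key, the condition is easy to spot from the outside: scan the console-server port of each device, fingerprint the keys, and look for one fingerprint shared by many hosts. The script below is an added example written for this article, not VyOS project code. It assumes the input is in the known_hosts style that `ssh-keyscan -p <port>` produces (`[host]:port keytype base64-blob`); the host addresses, port and key blobs in it are constructed for illustration and are not real keys.

```python
"""Fleet audit for shared SSH host keys (added example, not VyOS code).

Given host-key records collected from several devices, compute each key's
OpenSSH-style SHA256 fingerprint and report fingerprints that appear on more
than one host. Devices deployed from an image with baked-in Dropbear host keys
show up as a single fingerprint shared by many hosts.
"""
import base64
import hashlib
from collections import defaultdict

# Constructed sample data. The base64 blobs are built from the standard
# ssh-ed25519 blob header plus made-up bytes; they are not real keys and the
# hosts/port are placeholders. Three devices share one key, one device does not.
_ED25519_HEADER = "AAAAC3NzaC1lZDI1NTE5AAAAI"
_SHARED_KEY = _ED25519_HEADER + "SharedImageKey" + "0123456789abcdefghijklmnopqrs"
_UNIQUE_KEY = _ED25519_HEADER + "UniqueHostKey0" + "0123456789abcdefghijklmnopqrs"
SAMPLE_SCAN = "\n".join([
    "# constructed output in the shape of: ssh-keyscan -p 2200 <host>",
    f"[10.0.0.11]:2200 ssh-ed25519 {_SHARED_KEY}",
    f"[10.0.0.12]:2200 ssh-ed25519 {_SHARED_KEY}",
    f"[10.0.0.13]:2200 ssh-ed25519 {_SHARED_KEY}",
    f"[10.0.0.14]:2200 ssh-ed25519 {_UNIQUE_KEY}",
    "",
])


def fingerprint(key_b64: str) -> str:
    """Return the OpenSSH-style 'SHA256:<base64 digest>' fingerprint of a key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_scan(text: str) -> list[tuple[str, str, str]]:
    """Parse known_hosts-style lines into (host, keytype, key_b64) tuples.

    Blank lines, comments and malformed lines are skipped rather than aborting
    the audit, so one odd device in a scan does not hide the others.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        records.append((parts[0], parts[1], parts[2]))
    return records


def find_shared_keys(text: str, min_hosts: int = 2) -> dict[tuple[str, str], list[str]]:
    """Group hosts by (keytype, fingerprint); keep groups with >= min_hosts hosts."""
    by_fp: dict[tuple[str, str], list[str]] = defaultdict(list)
    for host, keytype, key_b64 in parse_scan(text):
        by_fp[(keytype, fingerprint(key_b64))].append(host)
    return {fp: hosts for fp, hosts in by_fp.items() if len(hosts) >= min_hosts}


def report(text: str) -> list[str]:
    """Render one line per shared fingerprint, listing the affected hosts."""
    lines = []
    for (keytype, fp), hosts in sorted(find_shared_keys(text).items()):
        lines.append(f"{keytype} {fp} shared by {len(hosts)} hosts: {', '.join(hosts)}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_SCAN) or ["no shared host keys found"]:
        print(line)
```

Run it against a real scan by feeding the concatenated `ssh-keyscan` output for each device's console-server port to `report()`. A fingerprint shared by more than one device is the signature of the image-embedded key described above; a fleet in which every console-server port shows a distinct fingerprint has keys that were generated per device.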
VyOS has now:
- Added its own custom safeguard to remove Dropbear keys before image packaging.
- Updated its configuration scripts to generate fresh keys at first boot if none exist.
For users on affected systems, the fix is straightforward:
Then reload the service or reboot the system.
Upgrade to the latest rolling release of VyOS 1.4 or 1.5, where the safeguards are in place.