CVE-2025-26465:
OpenSSH contains a vulnerability (CVE-2025-26465) that enables a machine-in-the-middle attack when VerifyHostKeyDNS is enabled. The flaw arises from mishandling certain error codes during host-key verification, and an attacker can exploit it after exhausting the client's memory resources. The issue affects OpenSSH versions up to 9.9p1; Red Hat advisories provide patched packages. The CVSSv3.1 base score is 6.8 (Medium), requiring network access and user interaction.
Score: 6.8 (Medium)
- Published Date: Feb 18, 2025
- CISA KEV Date: No data
- Industries Affected: 20
Threat Predictions
- EPSS Score: 74.0
- EPSS Percentile: 99%
Exploitability
- Score: 1.6
- Attack Vector: NETWORK
- Attack Complexity: HIGH
- Privileges Required: NONE
- User Interaction: REQUIRED
- Scope: UNCHANGED
Impact
- Score: 5.2
- Confidentiality Impact: HIGH
- Integrity Impact: HIGH
- Availability Impact: NONE
Overview
OpenSSH is vulnerable when VerifyHostKeyDNS is enabled: a remote attacker can impersonate a trusted server over the network and carry out a machine-in-the-middle attack. The root cause is the mishandling of error codes during host-key verification, which becomes exploitable once the attacker has depleted the client's memory resources. The vulnerability affects OpenSSH versions 6.8p1 through 9.9p1 and is addressed by vendor security updates. Red Hat has published advisories RHSA-2025:3837 and RHSA-2025:6993 with patches for affected Red Hat systems.
Remediation
- Apply vendor-supplied patches: Upgrade OpenSSH to a version containing the fix as provided in the Red Hat advisories RHSA-2025:3837 and RHSA-2025:6993. For Red Hat Enterprise Linux 9 and related variants, install the updated openssh package from the vendor updates and advisories.
- Deploy updates across affected systems: Ensure all deployed OpenSSH versions within the affected scope are updated to the patched release, then restart SSH services (e.g., systemctl restart sshd) and verify the version installed.
- Validate the patch: Confirm the OpenSSH version is updated to a patched release (as per RHSA advisories) and that VerifyHostKeyDNS usage remains as per your security policy.
- If a patch cannot be applied promptly: There is no robust, vendor-validated workaround. Monitor vendor communications and consider network-level exposure controls and incident response readiness while patches are being applied.
- Plan and test: Use a staged rollout to test connectivity and verify that host-key verification via DNS remains secure after patching. Ensure all affected hosts are included in the patching window.
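As an added example (not code from the advisory, OpenSSH or Red Hat), a POSIX shell check that applies the validation step above to a client: it classifies the `ssh -V` version string against the 6.8p1 to 9.9p1 range this page lists and reads the effective VerifyHostKeyDNS setting from `ssh -G`. The function names and sample strings are constructed; on Red Hat and other distributions that backport the fix without changing the version string, the package's advisory status (the RHSA package), not this string, decides whether a client is patched.

```shell
#!/bin/sh
# Added example (not from the advisory or from OpenSSH): flag a client whose
# upstream version falls in the range this page lists as affected (portable
# 6.8p1 through 9.9p1) and that has VerifyHostKeyDNS in effect. Caveat: Red Hat,
# Debian and Ubuntu backport fixes without bumping this string; trust the RHSA there.

# openssh_version_affected "$(ssh -V 2>&1)" -> prints affected|not-affected|unknown
# Strings without a portable "pN" suffix are "unknown": the page's range is portable-only.
openssh_version_affected() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\)p\([0-9][0-9]*\).*/\1 \2 \3/p')
    if [ -z "$ver" ]; then echo unknown; return 2; fi
    set -- $ver                                  # major minor patch
    key=$(( $1 * 10000 + $2 * 100 + $3 ))        # 9.9p1 -> 90901
    if [ "$key" -ge 60801 ] && [ "$key" -le 90901 ]; then echo affected; return 0; fi
    echo not-affected; return 1
}

# verifyhostkeydns_enabled "$(ssh -G host)" -> exit 0 when the option is on.
# ssh -G prints the effective client config as lowercase "keyword value" lines;
# "no" is the upstream default, while "yes" and "ask" both query DNS SSHFP records.
verifyhostkeydns_enabled() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "verifyhostkeydns" { v = tolower($2) }
        END { if (v == "yes" || v == "ask") exit 0; exit 1 }'
}

# The MITM this page describes needs both conditions; prints one of
# exposed | not-exposed | unknown-version.
cve_2025_26465_exposure() {
    case "$(openssh_version_affected "$1")" in
        unknown)      echo unknown-version; return 2 ;;
        not-affected) echo not-exposed; return 1 ;;
    esac
    if verifyhostkeydns_enabled "$2"; then echo exposed; return 0; fi
    echo not-exposed; return 1
}

# Constructed sample inputs (not captured from a real host):
SAMPLE_V='OpenSSH_9.9p1, OpenSSL 3.0.7 1 Nov 2022'
SAMPLE_G='hostname example.test
verifyhostkeydns yes
stricthostkeychecking ask'
echo "sample client: $(cve_2025_26465_exposure "$SAMPLE_V" "$SAMPLE_G")"
# Live check of the local client when one is installed (ssh -G does not connect).
if command -v ssh >/dev/null 2>&1; then
    echo "local client:  $(cve_2025_26465_exposure "$(ssh -V 2>&1)" "$(ssh -G localhost 2>/dev/null)")"
fi
```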
References
- RHSA-2025:3837 (Red Hat advisory): https://access.redhat.com/errata/RHSA-2025:3837
- RHSA-2025:6993 (Red Hat advisory): https://access.redhat.com/errata/RHSA-2025:6993
- CVE-2025-26465 (CVE record): https://www.cve.org/CVERecord?id=CVE-2025-26465
- Red Hat CVE page: https://access.redhat.com/security/cve/CVE-2025-26465
- OpenSSH release notes (9.9p2): https://www.openssh.com/releasenotes.html#9.9p2
- Debian security tracker: https://security-tracker.debian.org/tracker/CVE-2025-26465
- Debian LTS announcement: https://lists.debian.org/debian-lts-announce/2025/02/msg00020.html
- Ubuntu security advisory: https://ubuntu.com/security/CVE-2025-26465
- The Register coverage: https://www.theregister.com/2025/02/18/openssh_vulnerabilities_mitm_dos/
- OpenSSH source repository: https://anongit.mindrot.org/openssh.git
- Qualys Threat Research blog: https://blog.qualys.com/vulnerabilities-threat-research/2025/02/18/qualys-tru-discovers-two-vulnerabilities-in-openssh-cve-2025-26465-cve-2025-26466
- oss-security mailing list threads: https://www.openwall.com/lists/oss-security/2025/02/18/1 and https://www.openwall.com/lists/oss-security/2025/02/18/4
- Red Hat Bugzilla (RHBZ): https://bugzilla.redhat.com/show_bug.cgi?id=2344780
- Vicarius vsociety posts (detection/mitigation): https://www.vicarius.io/vsociety/posts/cve-2025-26465-detect-vulnerable-openssh and https://www.vicarius.io/vsociety/posts/cve-2025-26465-mitigate-vulnerable-openssh
- OpenSSH release notes: https://www.openssh.com/releasenotes.html