Researchers have identified two significant security vulnerabilities in OpenSSH, a widely used secure networking utility suite. If exploited successfully, these vulnerabilities could allow attackers to carry out a machine-in-the-middle (MitM) attack and a denial-of-service (DoS) attack under specific conditions.
The vulnerabilities, which were detailed by the Qualys Threat Research Unit (TRU), are outlined below:
- CVE-2025-26465 – A logic error exists in OpenSSH client versions 6.8p1 to 9.9p1 (inclusive), making it vulnerable to an active MitM attack if the VerifyHostKeyDNS option is enabled. This could allow a malicious attacker to impersonate a legitimate server when a client attempts to connect (Introduced in December 2014).
- CVE-2025-26466 – OpenSSH client and server versions 9.5p1 to 9.9p1 (inclusive) are vulnerable to a pre-authentication DoS attack, causing memory and CPU consumption (Introduced in August 2023).
According to Saeed Abbasi, manager of product at Qualys TRU, “If an attacker can perform a man-in-the-middle attack via CVE-2025-26465, the client may accept the attacker’s key instead of the legitimate server’s key.” He further explained that this would compromise the integrity of the SSH connection, allowing potential interception or tampering with the session before the user even realizes it.
Successful exploitation of these vulnerabilities could allow malicious actors to compromise and hijack SSH sessions, gaining unauthorized access to sensitive data. It is essential to note that the VerifyHostKeyDNS option is disabled by default.
On the other hand, repeated exploitation of CVE-2025-26466 could result in availability issues, preventing administrators from managing servers and locking legitimate users out, effectively crippling routine operations.
OpenSSH maintainers have addressed both vulnerabilities in OpenSSH 9.9p2, released today.
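To turn the affected version ranges and the VerifyHostKeyDNS condition above into a quick check of a host, here is an added Python audit helper (example code, not from Qualys or the OpenSSH project). It assumes the version string comes from `ssh -V` output and, conservatively, that any VerifyHostKeyDNS value other than `no` counts as enabled.

```python
import re

# Affected versions from the advisory, inclusive (major, minor, portable-patch) tuples.
AFFECTED = {
    "CVE-2025-26465": ((6, 8, 1), (9, 9, 1)),  # client only, and only with VerifyHostKeyDNS on
    "CVE-2025-26466": ((9, 5, 1), (9, 9, 1)),  # client and server, pre-auth DoS
}
FIXED_IN = (9, 9, 2)

def parse_openssh_version(banner):
    """Extract a comparable (major, minor, p) tuple from 'OpenSSH_9.9p1, OpenSSL ...' ('ssh -V' output)."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?", banner)
    if not m:
        raise ValueError(f"no OpenSSH version found in {banner!r}")
    major, minor, p = m.groups()
    return (int(major), int(minor), int(p or 0))

def verify_host_key_dns_enabled(ssh_config_text):
    """True if any uncommented VerifyHostKeyDNS directive is set to something other than 'no'.
    Assumption: anything but 'no' is treated as enabled (the article only says 'enabled')."""
    for raw in ssh_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # ssh_config allows 'Key value' or 'Key=value'
        if len(parts) == 2 and parts[0].lower() == "verifyhostkeydns":
            if parts[1].strip().lower() != "no":
                return True
    return False

def audit(banner, ssh_config_text="", role="client"):
    """Return the CVE ids that apply, given the version, the host's role and its ssh_config."""
    version = parse_openssh_version(banner)
    if version >= FIXED_IN:                        # 9.9p2 and later carry both fixes
        return []
    findings = []
    lo, hi = AFFECTED["CVE-2025-26466"]
    if lo <= version <= hi:
        findings.append("CVE-2025-26466")
    lo, hi = AFFECTED["CVE-2025-26465"]
    if role == "client" and lo <= version <= hi and verify_host_key_dns_enabled(ssh_config_text):
        findings.append("CVE-2025-26465")
    return findings

if __name__ == "__main__":
    # Constructed sample input: an 'ssh -V' line and a ~/.ssh/config that turns the option on.
    sample_banner = "OpenSSH_9.9p1, OpenSSL 3.0.13 30 Jan 2024"
    sample_config = "Host *\n    VerifyHostKeyDNS yes\n"
    print(audit(sample_banner, sample_config))  # prints ['CVE-2025-26466', 'CVE-2025-26465']
```

On a real host, feed it the output of `ssh -V` (which prints to stderr) and the contents of `/etc/ssh/ssh_config` plus `~/.ssh/config`; run with `role="server"` for sshd hosts, where only the DoS issue applies.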
This disclosure comes over seven months after Qualys shed light on another OpenSSH flaw dubbed regreSSHion (CVE-2024-6387), which could have resulted in unauthenticated remote code execution with root privileges in glibc-based Linux systems.