Proof-of-Concept Exploits Released for Two New OpenSSH Vulnerabilities

Rapid Patching Recommended: Vulnerabilities Create Potential for Man-in-the-Middle Attacks and Denial of Service

Recent vulnerabilities identified in multiple versions of OpenSSH, a widely used tool for secure remote server management and file transfer, have raised alarms, placing millions of servers at risk. These flaws can allow attackers to execute man-in-the-middle (MITM) attacks or orchestrate denial-of-service (DoS) incidents, posing significant threats to organizations reliant on this software.

OpenSSH serves as a critical component of various operating systems, including Windows 10 and 11, macOS, and numerous Linux distributions. The OpenSSH project has released a patch, OpenSSH 9.9p2, addressing these vulnerabilities after their discovery by the Qualys Security Advisory team. The urgency for companies to apply this patch is underscored by the possibility of exploitation, as Shodan, an Internet of Things search engine, has reported approximately 33 million servers publicly exposed to the internet that utilize OpenSSH.

One of the identified vulnerabilities, tracked as CVE-2025-26465, affects OpenSSH versions from 6.8p1 (released in March 2018) to 9.9p1. This flaw allows an attacker positioned on the network path to impersonate a server, potentially compromising the confidentiality and integrity of data exchanged between vulnerable clients and the impersonated server. Qualys has indicated that the risk is greatest when the client's VerifyHostKeyDNS option is enabled, which lets malicious actors exploit user connections without requiring direct user interaction.

In contrast, the denial of service vulnerability, designated as CVE-2025-26466, was introduced in OpenSSH version 9.5p1, released in October 2023. It remains a threat in subsequent versions up to 9.9p1. Attackers may leverage SSH2_MSG_PING packets to engage in pre-authentication DoS attacks, consuming excessive system resources and causing critical access disruptions. Such attacks could prevent administrators from managing their servers effectively, leading to significant operational downtime.

Organizations that have not yet applied the recent patch are urged to do so promptly. OpenSSH's built-in rate-limiting settings, such as LoginGraceTime and MaxStartups, may serve to limit the impact of potential DoS attacks. However, persistently exploited vulnerabilities could lead to severe interruptions, locking out legitimate users from critical systems and affecting overall business continuity.
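A defender's first pass over the three points above (affected version ranges, the client-side VerifyHostKeyDNS setting, and the server-side LoginGraceTime/MaxStartups knobs) can be scripted. The script below is an added example, not code from the article, from Qualys, or from the OpenSSH project: the version ranges are the ones the article states, the sample banner and configuration texts are constructed for the stand-alone run, and the tightened values in the sshd_config fragment are hypothetical choices, not recommendations from the advisory.

```shell
#!/bin/sh
# Added example (not from the article or the OpenSSH project): triage helpers
# for CVE-2025-26465 and CVE-2025-26466. They turn an "ssh -V" banner into a
# comparable integer, check it against the ranges the article names, and
# inspect client/server configuration for the options the article discusses.

# Map "9.9p1" (or a full "OpenSSH_9.9p1, OpenSSL ..." banner) to an integer
# so version ranges can be compared with -ge/-le.
version_key() {
    v=${1#OpenSSH_}            # drop the banner prefix if present
    v=${v%%[ ,]*}              # keep only the first token
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%p*}
    patch=${rest#*p}
    [ "$patch" = "$rest" ] && patch=0   # no "pN" portable-release suffix
    echo $((major * 1000000 + minor * 10000 + patch))
}

# Ranges as stated in the article. Distributions backport fixes without
# changing the upstream version string, so treat a hit as "check the package
# changelog", not as proof of exposure.
affected_cve_2025_26465() {           # client-side MITM, 6.8p1 .. 9.9p1
    k=$(version_key "$1")
    [ "$k" -ge "$(version_key 6.8p1)" ] && [ "$k" -le "$(version_key 9.9p1)" ]
}
affected_cve_2025_26466() {           # pre-auth DoS, 9.5p1 .. 9.9p1
    k=$(version_key "$1")
    [ "$k" -ge "$(version_key 9.5p1)" ] && [ "$k" -le "$(version_key 9.9p1)" ]
}

# $1 is the effective client configuration as printed by "ssh -G <host>".
# OpenSSH defaults VerifyHostKeyDNS to "no"; "yes" or "ask" enables it.
verify_host_key_dns_enabled() {
    printf '%s\n' "$1" | grep -Eqi '^verifyhostkeydns[[:space:]]+(yes|ask)'
}

# $1 is sshd_config text. Returns 0 when both rate-limiting options the article
# names are explicitly set, 1 otherwise. OpenSSH's shipped defaults are
# LoginGraceTime 120 and MaxStartups 10:30:100; tightening them is the mitigation.
dos_mitigations_set() {
    printf '%s\n' "$1" | grep -Eqi '^[[:space:]]*LoginGraceTime[[:space:]]' &&
    printf '%s\n' "$1" | grep -Eqi '^[[:space:]]*MaxStartups[[:space:]]'
}

# sshd_config fragment with tightened values (hypothetical numbers, chosen
# for illustration; tune to the host's expected connection rate).
hardened_fragment() {
    cat <<'EOF'
LoginGraceTime 30
MaxStartups 10:50:60
EOF
}

# Constructed sample inputs so the script runs offline.
SAMPLE_BANNER="OpenSSH_9.9p1, OpenSSL 3.3.2 3 Sep 2024"
SAMPLE_CLIENT_CFG="hostname example.invalid
verifyhostkeydns yes
port 22"
SAMPLE_SERVER_CFG="Port 22
PermitRootLogin no"

if affected_cve_2025_26465 "$SAMPLE_BANNER"; then
    echo "client version in CVE-2025-26465 range: $SAMPLE_BANNER"
fi
if affected_cve_2025_26466 "$SAMPLE_BANNER"; then
    echo "server version in CVE-2025-26466 range: $SAMPLE_BANNER"
fi
if verify_host_key_dns_enabled "$SAMPLE_CLIENT_CFG"; then
    echo "VerifyHostKeyDNS is enabled on the client; set it to no until patched"
fi
if ! dos_mitigations_set "$SAMPLE_SERVER_CFG"; then
    echo "sshd_config leaves LoginGraceTime/MaxStartups at defaults; example fragment:"
    hardened_fragment
fi
```

On a real host, feed `ssh -V 2>&1` to the version checks and `ssh -G some-host` to the client check; the version test is only a screen, because a vendor package may carry the fix at a version string that still falls inside the range.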

Qualys reported these vulnerabilities to OpenSSH on January 31, following which security advisories and patches were disseminated to major operating system distributions. In alignment with the patch release, Qualys also published proof-of-concept exploit code for each vulnerability, emphasizing the importance of immediate system upgrades.

In terms of adversary tactics, these attacks map to the MITRE ATT&CK tactics of Initial Access and Execution. In the MITM case specifically, once the integrity of the SSH session is breached an attacker can read or alter the traffic, which supports Lateral Movement and Collection techniques. For businesses, it is crucial to stay informed and to implement security measures that address such vulnerabilities proactively, so that operational infrastructure remains protected.
