The Qualys Threat Research Unit (TRU) has disclosed two vulnerabilities in OpenSSH, the SSH implementation most systems rely on for remote administration and secure networking. One allows a man-in-the-middle (MitM) attack against SSH clients; the other allows a pre-authentication denial-of-service (DoS) attack against clients and servers. Together they threaten both the integrity and the availability of affected systems.
The two issues are tracked as CVE-2025-26465 and CVE-2025-26466. The first, CVE-2025-26465 (CVSS 6.8), affects the OpenSSH client in versions 6.8p1 through 9.9p1. It is a logic error in the host key verification path that is reachable only when the VerifyHostKeyDNS option is enabled; a client with that option on can be made to accept an attacker's host key, letting the attacker impersonate a legitimate server. The flaw was introduced in December 2014 and, although its severity rating is medium, it undermines the one check that protects an SSH connection from impersonation, so any client that has the option enabled should be treated as exposed until patched.
In parallel, CVE-2025-26466 (CVSS 5.9) affects both the OpenSSH client and server in versions 9.5p1 through 9.9p1. Introduced in August 2023, it allows an unauthenticated attacker to drive memory and CPU consumption on the target before authentication completes, which on a server can keep administrators from logging in. Because the attack can be repeated at will, it can keep essential services unavailable, lock out legitimate users and disrupt operational routines. On the server side, the existing sshd_config rate limits (LoginGraceTime, MaxStartups and, from 9.8, PerSourcePenalties) bound how much a single source can consume, but they reduce the impact rather than remove the bug.
As Saeed Abbasi, a product manager at Qualys TRU, notes, a successful MitM exploit of CVE-2025-26465 could severely compromise the integrity of SSH sessions, enabling adversaries to intercept and even manipulate data before victims realize they have been compromised. VerifyHostKeyDNS is off by default in upstream OpenSSH, so the exposure is concentrated in clients that have it enabled in ssh_config and in platforms that shipped it enabled by default; FreeBSD did so from September 2013 until March 2023, so clients built from FreeBSD releases in that window are a particular concern.
Both vulnerabilities are fixed in OpenSSH 9.9p2, and affected users should update promptly; distributions often backport the fix without changing the version banner, so check your vendor's advisory rather than relying on the version string alone. The disclosure comes seven months after Qualys reported another significant OpenSSH vulnerability, regreSSHion (CVE-2024-6387), which allowed unauthenticated remote code execution as root on glibc-based Linux systems.
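A quick triage check for the two advisories, written here as an added example rather than anything from the article, Qualys or the OpenSSH project: it parses the banner that `ssh -V` prints (assumed to start with `OpenSSH_X.YpZ`, as the portable releases do) against the affected ranges above, and parses the effective client configuration that `ssh -G <host>` prints (assumed to contain a lowercase `verifyhostkeydns yes|no|ask` line) to decide whether the client is actually exposed to the MitM bug. The sample banners and configuration at the bottom are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the article or from OpenSSH/Qualys. Flags OpenSSH
# builds whose banner falls in the ranges given in the two advisories.
# Distributions backport fixes without bumping the banner, so "affected"
# here means "check the vendor advisory", not "confirmed vulnerable".

# Turn a banner such as "OpenSSH_9.9p1 Ubuntu-3ubuntu0.10, OpenSSL ..." into a
# sortable integer MMmmpp (9.9p1 -> 90901, 6.8p1 -> 60801). A banner without
# a pN suffix (OpenBSD style "OpenSSH_9.9, LibreSSL ...") gets patch 0.
# Returns 1 and prints nothing if the banner cannot be parsed.
openssh_version_num() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9.p]*\).*/\1/p' | tr '.p' '  ')
    set -- $ver
    [ $# -ge 2 ] || return 1
    printf '%d\n' $(( $1 * 10000 + $2 * 100 + ${3:-0} ))
}

# Affected ranges from the advisories: CVE-2025-26465 (client) 6.8p1..9.9p1,
# CVE-2025-26466 (client and server) 9.5p1..9.9p1; both fixed in 9.9p2.
# Usage: affected_cves "<banner>"  -> prints matching CVE ids or "none".
affected_cves() {
    n=$(openssh_version_num "$1") || { echo "unparseable"; return 1; }
    out=""
    [ "$n" -ge 60801 ] && [ "$n" -le 90901 ] && out="CVE-2025-26465"
    [ "$n" -ge 90501 ] && [ "$n" -le 90901 ] && out="${out:+$out }CVE-2025-26466"
    printf '%s\n' "${out:-none}"
}

# Given the output of `ssh -G <host>` (one "keyword value" line per option),
# succeed if VerifyHostKeyDNS is "yes" or "ask": both perform the DNS-based
# host key check in which the logic error lives. Only "no" is safe.
verifyhostkeydns_enabled() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "verifyhostkeydns" { found = 1; v = tolower($2) }
        END { exit !(found && v != "no") }'
}

# A client is exposed to the MitM bug only when both conditions hold:
# an affected build AND the option enabled. Returns 0 if exposed.
mitm_exposed() {
    case " $(affected_cves "$1") " in
        *" CVE-2025-26465 "*) verifyhostkeydns_enabled "$2" ;;
        *) return 1 ;;
    esac
}

# Constructed sample inputs (not real scan data).
SAMPLE_BANNER_OLD='OpenSSH_9.9p1, OpenSSL 3.0.13 30 Jan 2024'
SAMPLE_BANNER_FIXED='OpenSSH_9.9p2, OpenSSL 3.0.13 30 Jan 2024'
SAMPLE_CONFIG_DNS='user root
hostname example.invalid
verifyhostkeydns ask
port 22'

if [ "${1:-}" = "--demo" ]; then
    for b in "$SAMPLE_BANNER_OLD" "$SAMPLE_BANNER_FIXED"; do
        printf '%-45s -> %s\n' "$b" "$(affected_cves "$b")"
    done
    if mitm_exposed "$SAMPLE_BANNER_OLD" "$SAMPLE_CONFIG_DNS"; then
        echo "9.9p1 client with VerifyHostKeyDNS=ask: exposed to CVE-2025-26465"
    fi
elif [ "${1:-}" = "--live" ]; then
    # Check the local ssh binary and its effective config for a host
    # (default: localhost). `ssh -V` writes the banner to stderr.
    banner=$(ssh -V 2>&1)
    printf '%s -> %s\n' "$banner" "$(affected_cves "$banner")"
    if mitm_exposed "$banner" "$(ssh -G "${2:-localhost}")"; then
        echo "local client is exposed to CVE-2025-26465 (disable VerifyHostKeyDNS or upgrade)"
    fi
fi
```

Run it with `--demo` to see the constructed cases, or with `--live [host]` to test the local client. The `--live` result for the server side is only partial: the same banner check applies to `sshd`, but whether a server is affected by CVE-2025-26466 still comes down to the vendor's backport status.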
In MITRE ATT&CK terms, the host key bypass supports Initial Access (TA0001) and Adversary-in-the-Middle (T1557), while the resource-exhaustion DoS falls under the Impact tactic (TA0040). Vulnerabilities of this kind in a component as widely deployed as OpenSSH are a reminder that organizations need to reassess their exposure continuously as new advisories appear, not only at scheduled review points.
Organizations should track vendor advisories for these CVEs, deploy the 9.9p2 fix or the backported patch across both clients and servers, and confirm that VerifyHostKeyDNS is not enabled on clients that cannot be updated immediately. Keeping SSH software current is the main defense against the next vulnerability of this kind as well.