
Two vulnerabilities have been disclosed in OpenSSH that, under certain conditions, enable Man-in-the-Middle (MitM) attacks and Denial-of-Service (DoS) conditions. Both were found by the Qualys Threat Research Unit.
The first vulnerability, CVE-2025-26465, is a logic error in the OpenSSH client's host key verification, affecting versions 6.8p1 through 9.9p1. It is exploitable only when the VerifyHostKeyDNS option is enabled (set to "yes" or "ask"). In that case an attacker positioned between client and server can present a host key of their own and have the client accept it, impersonating a trusted host, and Qualys notes that this works whether or not the real host publishes an SSHFP record in DNS. The bug was introduced in December 2014, so it has been present for roughly a decade.
The second vulnerability, CVE-2025-26466, affects both the OpenSSH client and server from version 9.5p1 through 9.9p1. It allows an unauthenticated peer to drive up memory and CPU consumption before any authentication takes place, producing a denial of service. Qualys' write-up ties it to the handling of SSH2_MSG_PING packets received before key exchange completes: each one queues a response, and that queue was not bounded. The code was introduced in August 2023.
Exploiting CVE-2025-26465 lets an attacker sit in the middle of an SSH session, reading and modifying traffic and potentially capturing credentials or data forwarded over it. The important mitigating factor is that VerifyHostKeyDNS is disabled by default: a client is exposed only if the option was turned on explicitly or by a distribution default (FreeBSD shipped it enabled from 2013 until 2023). A client's effective setting for a given destination can be confirmed with `ssh -G <host> | grep verifyhostkeydns`.
CVE-2025-26466, by contrast, requires no special configuration. Repeated exploitation can exhaust a server's memory and CPU and leave it unreachable, which is a serious operational problem for organizations that depend on SSH for remote access and administration. The client side is exposed only when connecting to a malicious server. Until a server is patched, its exposure can be bounded with the existing rate-limiting settings in sshd_config: LoginGraceTime, MaxStartups and, from 9.8p1 onward, PerSourcePenalties.
Both vulnerabilities are fixed in OpenSSH 9.9p2, released on February 18, 2025. The OpenSSH developers advise updating promptly. Note that Linux and BSD distributions commonly backport fixes without changing the upstream version string, so a version banner alone does not establish whether a host is patched; check the vendor's advisory or package changelog as well.
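The following shell script is an added example for this article, not code from OpenSSH or from Qualys. It turns the version ranges and configuration conditions described above into a small audit helper: it classifies an OpenSSH version string against the affected ranges for CVE-2025-26465 and CVE-2025-26466, reads the client's effective configuration (the output of `ssh -G`) to see whether VerifyHostKeyDNS is "yes" or "ask", and reads the server's effective configuration (the output of `sshd -T`) to report the LoginGraceTime, MaxStartups and PerSourcePenalties settings that bound the DoS. The sample configuration lines fed to it are constructed for illustration, and the version check is indicative only because distributions backport fixes without bumping the version.

```shell
#!/bin/sh
# Added example, not OpenSSH or Qualys code. Version matching is indicative only:
# distributions backport fixes without bumping the upstream version string, so
# confirm against the vendor advisory before trusting a "vulnerable" verdict.

# Reduce "OpenSSH_9.9p1, OpenSSL 3.0.13 ..." to one comparable integer
# (major*10000 + minor*100 + patchlevel); prints nothing and fails on no match.
openssh_version_num() {
    parts=$(printf '%s\n' "$1" | sed -n \
        's/^.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\)\(p\([0-9][0-9]*\)\)\{0,1\}.*$/\1 \2 \4/p')
    [ -n "$parts" ] || return 1
    set -- $parts
    echo $(( $1 * 10000 + $2 * 100 + ${3:-0} ))
}

# CVE-2025-26465 (client, VerifyHostKeyDNS): 6.8p1 through 9.9p1, fixed in 9.9p2.
affected_26465() {
    n=$(openssh_version_num "$1") || return 2
    [ "$n" -ge 60801 ] && [ "$n" -le 90901 ]
}

# CVE-2025-26466 (client and server, pre-auth DoS): 9.5p1 through 9.9p1, fixed in 9.9p2.
affected_26466() {
    n=$(openssh_version_num "$1") || return 2
    [ "$n" -ge 90501 ] && [ "$n" -le 90901 ]
}

# Given the output of `ssh -G <host>` (the client's effective configuration for
# that destination), succeed when VerifyHostKeyDNS is "yes" or "ask", the two
# settings under which CVE-2025-26465 is reachable.
verifyhostkeydns_enabled() {
    printf '%s\n' "$1" | awk '
        $1 == "verifyhostkeydns" { v = $2 }
        END { if (v == "yes" || v == "ask") exit 0; exit 1 }'
}

# Given the output of `sshd -T` (the server's effective configuration), report the
# knobs that bound what an unauthenticated peer can consume while CVE-2025-26466
# is unpatched: LoginGraceTime, MaxStartups and (9.8p1 and later) PerSourcePenalties.
sshd_dos_limits() {
    printf '%s\n' "$1" | awk '
        $1 == "logingracetime"     { g = $2 }
        $1 == "maxstartups"        { s = $2 }
        $1 == "persourcepenalties" { sub(/^[^ \t]+[ \t]+/, ""); p = $0 }
        END { printf "logingracetime=%s maxstartups=%s persourcepenalties=%s\n", g, s, p }'
}

# Run against the local client when one is installed. `sshd -T` usually needs
# root, so feed its output to sshd_dos_limits yourself on the server.
if command -v ssh >/dev/null 2>&1; then
    banner=$(ssh -V 2>&1)            # ssh -V writes its version line to stderr
    echo "client: $banner"
    if affected_26465 "$banner"; then
        echo "  version in CVE-2025-26465 range; VerifyHostKeyDNS decides exposure"
        cfg=$(ssh -G localhost 2>/dev/null) || cfg=""
        if verifyhostkeydns_enabled "$cfg"; then
            echo "  VerifyHostKeyDNS is enabled: set it to 'no' or upgrade to 9.9p2"
        else
            echo "  VerifyHostKeyDNS is off (the default): not exposed to CVE-2025-26465"
        fi
    fi
    if affected_26466 "$banner"; then
        echo "  version in CVE-2025-26466 range: upgrade to 9.9p2 or a vendor-patched build"
    fi
fi
```

On a server, `sshd -T | sh -c '. ./audit.sh; sshd_dos_limits "$(cat)"'` (with the script saved as audit.sh) prints the three limits in one line; a LoginGraceTime of 120 seconds with the default MaxStartups of 10:30:100 caps how many pre-authentication connections an attacker can hold open at once, which is what makes the DoS expensive to sustain until the upgrade lands.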
This is not the first serious flaw found in OpenSSH recently. Seven months earlier, in July 2024, Qualys disclosed regreSSHion (CVE-2024-6387), a signal handler race condition in sshd that allowed unauthenticated remote code execution as root on glibc-based Linux systems.
Given these recurring discoveries, organizations are urged to maintain vigilance, apply timely security updates, and adopt robust security configurations to mitigate future threats.