
OpenSSH Fixes MITM and Denial-of-Service Vulnerabilities, One Lurking for a Decade 


StratosAlly


OpenSSH, a widely used secure networking utility suite, disclosed two vulnerabilities this February. When exploited, the flaws, identified as CVE-2025-26465 and CVE-2025-26466, could allow an active machine-in-the-middle attack and a denial-of-service attack respectively. Researchers at the Qualys Threat Research Unit (TRU) uncovered both vulnerabilities and demonstrated their exploitability to OpenSSH.

Disclosed Vulnerabilities:  

CVE-2025-26465 had remained undetected for over a decade: it was introduced in December 2014 with the release of OpenSSH 6.8p1. It allows an active machine-in-the-middle attack on the OpenSSH client when the VerifyHostKeyDNS option is enabled. By default, VerifyHostKeyDNS is disabled in OpenSSH, but from September 2013 to March 2023 it was enabled by default in FreeBSD, increasing the risk for users who had not manually disabled it.

This vulnerability allows an attacker to impersonate a legitimate server during an SSH connection and trick the client into accepting a rogue host key. This impacts confidentiality and integrity, enabling potential session compromise and hijacking of SSH sessions.

The DoS vulnerability, tracked as CVE-2025-26466, affects both the OpenSSH client and server. It was introduced in August 2023 in OpenSSH 9.5p1. Attackers can exploit it during the pre-authentication phase to mount a highly asymmetric resource-consumption attack, depleting both memory and CPU on the targeted system. The issue stems from unrestricted memory allocation during the key exchange, leading to excessive resource usage, server instability and, if exploited repeatedly, potential downtime that prevents administrators from accessing and managing affected systems.


OpenSSH has addressed both vulnerabilities in version 9.9p2. Administrators are advised to upgrade to the latest OpenSSH release as soon as possible and to disable VerifyHostKeyDNS unless it is genuinely needed. They should also enforce strict connection rate limits and monitor SSH traffic for abnormal patterns so that potential attacks are caught early.
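As an added example (not code from the article, Qualys or the OpenSSH project), the following POSIX shell script turns the two checks above into an audit: it maps an `ssh -V` banner onto the version ranges the article gives (6.8p1 and 9.5p1 introduced, 9.9p2 fixed) and inspects the effective client configuration from `ssh -G` for VerifyHostKeyDNS. The sample banners in the comments are constructed; the live audit at the end only runs when an `ssh` binary is installed.

```shell
#!/bin/sh
# Added example (not from the article or the OpenSSH project): a client-side
# exposure check for CVE-2025-26465 / CVE-2025-26466 using the version bounds
# the article gives (introduced in 6.8p1 and 9.5p1, both fixed in 9.9p2).
# Caveat: distributions backport fixes without changing the upstream version
# string, so "affected" here means "confirm against your vendor advisory".
# Constructed banner "OpenSSH_9.6p1 Ubuntu-3ubuntu13.5, OpenSSL ..." -> "9 6 1".
parse_openssh_version() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\)p\{0,1\}\([0-9]*\).*/\1 \2 \3/p'
}

# Map a banner to a sortable integer: major*1000000 + minor*1000 + patch (patch defaults to 0).
version_key() {
    set -- $(parse_openssh_version "$1")
    [ $# -ge 2 ] || return 1
    echo $(( $1 * 1000000 + $2 * 1000 + ${3:-0} ))
}

# Print the CVEs whose [introduced, fixed) range contains the banner's version.
affected_cves() {
    key=$(version_key "$1") || { echo "unparseable banner"; return 1; }
    fixed=$(version_key OpenSSH_9.9p2)
    out=""
    if [ "$key" -ge "$(version_key OpenSSH_6.8p1)" ] && [ "$key" -lt "$fixed" ]; then
        out="CVE-2025-26465"               # MITM via VerifyHostKeyDNS (client)
    fi
    if [ "$key" -ge "$(version_key OpenSSH_9.5p1)" ] && [ "$key" -lt "$fixed" ]; then
        out="${out:+$out }CVE-2025-26466"  # pre-auth DoS (client and server)
    fi
    printf '%s\n' "$out"
}

# Given "ssh -G <host>" output (effective config, lower-cased keywords), succeed
# when VerifyHostKeyDNS is anything other than "no" (the MITM precondition).
verifyhostkeydns_enabled() {
    val=$(printf '%s\n' "$1" | awk 'tolower($1)=="verifyhostkeydns" {print tolower($2); exit}')
    [ -n "$val" ] && [ "$val" != "no" ]
}

# Live audit of the local client; only runs when an ssh binary is present.
audit_local_client() {
    banner=$(ssh -V 2>&1)
    echo "installed: $banner"
    echo "affected by: $(affected_cves "$banner")"
    if verifyhostkeydns_enabled "$(ssh -G localhost 2>/dev/null)"; then
        echo "VerifyHostKeyDNS is enabled: disable it unless required"
    fi
}
command -v ssh >/dev/null 2>&1 && audit_local_client
```

Run it on each client host after patching; an empty "affected by" line together with no VerifyHostKeyDNS warning means both conditions from the advisory are cleared.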
