Critical OpenSSH Vulnerabilities Allow MiTM & DoS Attacks

The Qualys Threat Research Unit (TRU) has disclosed two newly identified vulnerabilities in OpenSSH, impacting both clients and servers. These vulnerabilities, tracked as CVE-2025-26465 and CVE-2025-26466, could allow attackers to execute machine-in-the-middle (MITM) attacks and denial-of-service (DoS) exploits, respectively.

OpenSSH is a suite of secure networking utilities based on the Secure Shell protocol, which provides a secure channel over an unsecured network in a client–server architecture.

CVE-2025-26465: Machine-in-the-Middle (MITM) Attack Vulnerability

This vulnerability poses a significant threat to OpenSSH clients by enabling MITM attacks. According to Qualys, it “allows an active machine-in-the-middle attack on the OpenSSH client when the VerifyHostKeyDNS option is enabled.”

  • Configuration Risks: Although this option is disabled by default, it is often enabled in certain environments, such as historical FreeBSD configurations, expanding the attack surface.
  • Attack Mechanism: The attack can succeed regardless of whether the VerifyHostKeyDNS option is set to ‘yes’ or ‘ask,’ requires no user interaction, and is independent of the presence of an SSHFP resource record in DNS.
  • Potential Impact: This vulnerability could allow attackers to intercept SSH sessions, access sensitive data, or pivot to other critical systems within a network.

CVE-2025-26466: Pre-Authentication Denial-of-Service (DoS) Vulnerability

This vulnerability affects both OpenSSH clients and servers, enabling a pre-authentication DoS attack by exhausting system resources.

  • Attack Details: Qualys describes it as “a pre-authentication denial-of-service attack–an asymmetric resource consumption of both memory and CPU,” which could cripple SSH servers, locking out legitimate users and administrators.

  • Operational Threat: In remote access-dependent environments, this could lead to significant operational disruptions.
  • Mitigation Strategies: OpenSSH offers several configuration options to minimize risk, including LoginGraceTime, MaxStartups, and PerSourcePenalties. However, these must be properly configured to be effective.

Affected Versions

  • CVE-2025-26465: Impacts OpenSSH versions 6.8p1 through 9.9p1; the flaw was introduced in December 2014.
  • CVE-2025-26466: Affects OpenSSH versions 9.5p1 through 9.9p1; the flaw was introduced in August 2023. Taken together, these ranges mean systems spanning nearly a decade of releases are potentially vulnerable.

Potential Impact on Organizations

  • CVE-2025-26465: A successful MITM attack could result in data breaches, credential theft, and lateral movement within networks. This could compromise sensitive data, violate compliance regulations, and damage organizational reputation.
  • CVE-2025-26466: By exploiting the DoS vulnerability, attackers could disrupt critical services, preventing administrators from managing essential systems, thus threatening operational continuity.

Responsible Disclosure

Qualys has disclosed these vulnerabilities and collaborated with OpenSSH developers for coordinated disclosure.

Recommendations for Administrators

These newly identified OpenSSH vulnerabilities highlight the critical need for organizations to stay vigilant and proactive in their cybersecurity practices. By promptly updating affected systems and reviewing configuration settings, administrators can significantly reduce the potential impact of these exploits. The OpenSSH team has published version 9.9p2, which addresses both vulnerabilities, so upgrading to that release as soon as possible is recommended.

It is also advisable to disable VerifyHostKeyDNS unless absolutely required and instead use manual key fingerprint verification to maintain secure SSH connections.

To address the DoS issue, administrators should implement strict connection rate limits and closely monitor SSH traffic for unusual activity to detect and prevent potential attacks at an early stage.
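As an added example (not from the article, Qualys or the OpenSSH project), the following Python audits ssh_config text for the VerifyHostKeyDNS setting and sshd_config text for the LoginGraceTime, MaxStartups and PerSourcePenalties options named in the mitigation list; the sample configs are constructed, and the numeric thresholds and the parsing simplifications are assumptions.

```python
import re
from typing import Dict, List

def parse_ssh_config(text: str) -> Dict[str, str]:
    """Map lowercased keyword -> value. OpenSSH keeps the FIRST value it sees
    for a keyword, so later duplicates are ignored. Host/Match blocks are not
    modelled (assumes a flat, global config); '#' comments are stripped."""
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^(\w+)(?:\s*=\s*|\s+)(.+)$", line)
        if m:
            effective.setdefault(m.group(1).lower(), m.group(2).strip())
    return effective

def to_seconds(value: str) -> int:
    """Parse sshd time values such as '120', '30s' or '2m'."""
    if value[-1].isdigit():
        return int(value)
    return int(value[:-1]) * {"s": 1, "m": 60, "h": 3600}[value[-1].lower()]

def audit_client(text: str) -> List[str]:
    """CVE-2025-26465 exposure: VerifyHostKeyDNS 'yes' or 'ask' (default 'no')."""
    cfg = parse_ssh_config(text)
    if cfg.get("verifyhostkeydns", "no").lower() in ("yes", "ask"):
        return ["VerifyHostKeyDNS enabled: disable it and verify fingerprints manually"]
    return []

def audit_server(text: str) -> List[str]:
    """Check LoginGraceTime, MaxStartups, PerSourcePenalties; thresholds are assumed."""
    cfg = parse_ssh_config(text)
    findings = []
    if to_seconds(cfg.get("logingracetime", "120")) > 60:
        findings.append("LoginGraceTime > 60s lets unauthenticated sessions linger")
    if int(cfg.get("maxstartups", "10:30:100").split(":")[0]) > 10:
        findings.append("MaxStartups start value > 10 admits many pre-auth connections")
    if cfg.get("persourcepenalties", "yes").lower() == "no":  # default assumed on
        findings.append("PerSourcePenalties disabled: abusive sources are not throttled")
    return findings

CLIENT_CFG = """# constructed sample ~/.ssh/config
VerifyHostKeyDNS ask
VerifyHostKeyDNS no   # ignored: first value wins
"""
SERVER_CFG = """# constructed sample sshd_config (weak settings)
LoginGraceTime 2m
MaxStartups 50:30:200
PerSourcePenalties no
"""
```

Run `audit_client` and `audit_server` over the real files (or over `sshd -T` output) to list the findings; an empty list means none of the checked settings is in a weak state.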

Read the Qualys Report here

Read the Technical breakdown here

Qualys, Inc. is an American technology firm based in Foster City, California, specializing in cloud security, compliance and related services. Qualys has over 10,300 customers in more than 130 countries.

Harrydeo Bhoge

CISO Security Expert.

5mo

Be mindful of where this vulnerability is. What services and on what platform is it used?

Jasper Waale

Consultant and Adviser,

5mo

Updates are out, but as a general rule, don't have SSH running on public ports; that's what we have Tailscale for.
