OpenSSH, the widely used secure shell protocol, has been found to contain two critical vulnerabilities that could lead to devastating DoS attacks and successful man-in-the-middle (MiTM) attacks. These OpenSSH flaws affect a vast number of systems across various platforms.
Two Critical OpenSSH Flaws Discovered by Qualys
Security researchers at Qualys discovered two significant OpenSSH flaws:
CVE-2025-26465:
A MiTM vulnerability introduced over a decade ago in OpenSSH 6.8p1 (December 2014). This flaw allows attackers to bypass host key verification when the VerifyHostKeyDNS option is enabled, even if set to “ask.” “T
he attack against the OpenSSH client (CVE-2025-26465) succeeds regardless of whether the VerifyHostKeyDNS option is set to “yes” or “ask” (its default is “no”), requires no user interaction, and does not depend on the existence of an SSHFP resource record (an SSH fingerprint) in DNS,” explains Qualys.
Attackers achieve this by exploiting improper error handling, forcing an out-of-memory error during key verification. This allows them to hijack sessions, steal credentials, inject commands, and exfiltrate data. While disabled by default, this option was enabled by default on FreeBSD for a significant period, leaving many systems vulnerable.
CVE-2025-26466:
A pre-authentication denial-of-service (DoS) flaw introduced in OpenSSH 9.5p1 (August 2023). This vulnerability stems from unrestricted memory allocation during the key exchange.
Attackers can send repeated small (16-byte) ping messages, forcing OpenSSH to buffer larger (256-byte) responses without limits. This leads to excessive memory consumption and CPU overload, potentially causing system crashes.
Although the impact might be less severe than the MiTM flaw, its pre-authentication exploitability poses a high risk of service disruption.
Impact of OpenSSH flaws and DoS attacks
The consequences of exploiting these OpenSSH flaws are severe. The MiTM vulnerability allows attackers complete control over SSH sessions, leading to data breaches and compromised systems. DoS attacks, on the other hand, can render SSH servers unavailable, disrupting critical services.
Security Updates and Mitigation Strategies
OpenSSH version 9.9p2 addresses both vulnerabilities. Immediate updates are strongly recommended. Additionally, disabling the VerifyHostKeyDNS option unless absolutely necessary and relying on manual key fingerprint verification are crucial mitigation steps. For DoS attacks, administrators should implement strict connection rate limits and monitor SSH traffic for suspicious activity.
More technical details can be found on Qualys here.
