Two security vulnerabilities have been identified in OpenSSH affecting both the client and server. These flaws, tracked as CVE-2025-26465 and CVE-2025-26466, enable attackers to impersonate servers and cause denial-of-service conditions. Both vulnerabilities have been present for extended periods, with mitigations available.
CVE-2025-26465: MITM Attack on OpenSSH Client
CVE-2025-26465 affects the OpenSSH client and enables a machine-in-the-middle (MITM) attack if the VerifyHostKeyDNS option is enabled. This option is disabled by default but was previously enabled on FreeBSD and other systems.
An attacker positioned between a vulnerable client and the server it connects to can bypass the client’s verification of the server’s identity and impersonate the server. The flaw is exploitable whether VerifyHostKeyDNS is set to “yes” or “ask”; only the default “no” is unaffected. This vulnerability has been present since December 2014.
CVE-2025-26466: Denial-of-Service Attack
CVE-2025-26466 affects both the OpenSSH client and server and allows a denial-of-service (DoS) attack through asymmetric resource consumption: the attack drives up memory and CPU usage during the pre-authentication phase. This vulnerability has been present since August 2023.
While no fix is available for the client-side vulnerability, server-side mitigations can be applied using existing OpenSSH configurations. The parameters LoginGraceTime, MaxStartups, and PerSourcePenalties (introduced in OpenSSH 9.8p1) can help limit the attack’s impact.
Affected Versions
- CVE-2025-26465: This vulnerability affects OpenSSH versions from 6.8p1 to 9.9p1, with the issue dating back to December 2014.
- CVE-2025-26466: OpenSSH versions 9.5p1 through 9.9p1 are impacted by this flaw, which first appeared in August 2023.
Taken together, this means that a significant number of systems across nearly a decade of OpenSSH releases may be exposed to the risk.
Mitigation
- For CVE-2025-26465, users should review their configurations to ensure that the VerifyHostKeyDNS option is set to “no”.
- For CVE-2025-26466, administrators should apply the server-side configuration options named above (LoginGraceTime, MaxStartups, and PerSourcePenalties) to limit the DoS risk.
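Both checks can be scripted. The following is an added example, not code from OpenSSH or from this article: it flags every place a client configuration sets VerifyHostKeyDNS to “yes” or “ask”, and reports which of the three server directives are set in the global section of an sshd_config. The function names and sample configurations are constructed for illustration, and the sample server values are placeholders rather than recommendations.

```python
import re
RISKY = {"yes", "ask"}  # per the article, both values are affected; "no" is not
SERVER_KEYS = ("logingracetime", "maxstartups", "persourcepenalties")
DIRECTIVE = re.compile(r"(\w+)(?:\s*=\s*|\s+)(.*)")  # "Key value" or "Key=value"

def parse(text):
    """Yield (line_number, lowercased keyword, value) for each directive."""
    for number, raw in enumerate(text.splitlines(), 1):
        match = DIRECTIVE.fullmatch(raw.strip())
        if match:  # comments and blank lines never match the pattern
            yield number, match.group(1).lower(), match.group(2).strip().strip('"')

def risky_client_lines(text):
    """Return (line, scope, value) wherever VerifyHostKeyDNS is yes or ask."""
    scope, hits = "(global)", []
    for number, key, value in parse(text):
        if key in ("host", "match"):
            scope = f"{key} {value}"  # remember which block we are inside
        elif key == "verifyhostkeydns" and value.lower() in RISKY:
            hits.append((number, scope, value.lower()))
    return hits

def server_settings(text):
    """Return the global value (or None) of each mitigating sshd directive."""
    found = dict.fromkeys(SERVER_KEYS)
    for _, key, value in parse(text):
        if key == "match":
            break  # global section ends at the first Match block
        if key in found and found[key] is None:
            found[key] = value  # sshd keeps the first value it reads
    return found

# Constructed sample inputs; the server values are placeholders, not recommendations.
SAMPLE_CLIENT = """\
VerifyHostKeyDNS=ask
Host *.example.org
    verifyhostkeydns "yes"
Host *
    VerifyHostKeyDNS no
"""
SAMPLE_SERVER = """\
LoginGraceTime 30
MaxStartups 10:30:60
Match User deploy
    X11Forwarding no
"""

if __name__ == "__main__":
    print(risky_client_lines(SAMPLE_CLIENT), server_settings(SAMPLE_SERVER))
```

The parser does not follow Include directives; `ssh -G <host>` and `sshd -T` print the effective configuration and can be used to confirm what a given host actually applies.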