CVE-2025-26465 and CVE-2025-26466 are two OpenSSH vulnerabilities disclosed on February 18, 2025. The first exposes SSH clients to a man-in-the-middle (MitM) attack; the second exposes SSH servers (and clients) to a pre-authentication denial-of-service (DoS) attack.
1. CVE-2025-26465: MitM (Man-in-the-Middle) attack
Affected OpenSSH versions: 6.8p1 to 9.9p1 (inclusive); fixed in 9.9p2
Disclosed on: February 18, 2025
What is CVE-2025-26465 vulnerability?
A logic error in ssh(1), the OpenSSH client, lets an on-path attacker impersonate any server when the VerifyHostKeyDNS option is enabled: an error raised during host key verification is mishandled and the client proceeds as if the key had been verified. No SSHFP record needs to exist in DNS and no user interaction is required. The option is off by default in OpenSSH but was enabled by default in FreeBSD for roughly ten years (2013 to 2023), so clients configured on FreeBSD in that period, and any host where an administrator turned it on, are exposed.
Severity: HIGH for affected configurations only; a client with VerifyHostKeyDNS at its default of no is not exploitable.
If exploited, the attacker sits between the client and the real server, can capture passwords and anything typed into the session, and can relay the connection to the real host so the user notices nothing.
How to mitigate CVE-2025-26465 (MitM)?
a. Upgrade to OpenSSH 9.9p2 or later (fixes both vulnerabilities):
The OpenSSH maintainers released version 9.9p2 on February 18, 2025 (https://www.openssh.com/releasenotes.html), which addresses both issues. Upgrading to this version or later is the most effective mitigation. Distributions usually backport the fix into their existing package version instead of shipping 9.9p2, so check the vendor advisory rather than relying on the version number alone.
b. Until the client is patched, set VerifyHostKeyDNS no in /etc/ssh/ssh_config or ~/.ssh/config, check that no Host block re-enables it, and confirm the effective value with ssh -G.
2. CVE-2025-26466: DoS attack
Affected OpenSSH versions: 9.5p1 to 9.9p1 (inclusive); fixed in 9.9p2. The SSH2_MSG_PING message the attack abuses was introduced in 9.5p1, so earlier releases are not affected.
Disclosed on: February 18, 2025
What is CVE-2025-26466 ?
sshd(8) was subject to a pre-authentication memory/CPU denial-of-service attack using SSH2_MSG_PING packets; ssh(1) can be hit the same way by a malicious server. On the server side the attack may be mitigated using the existing PerSourcePenalties option (available since OpenSSH 9.8); there is no equivalent knob on the client.
Severity: any vulnerable sshd reachable over the network can be attacked remotely, before authentication; the impact is limited to availability (no code execution or information disclosure).
Impact:
Lets an attacker make the peer consume large amounts of memory and CPU, causing SSH servers (and clients) to slow down or crash.
Exploited remotely without authentication (pre-auth attack).
How to mitigate CVE-2025-26466 (DoS)?
a. Upgrade to OpenSSH 9.9p2 or later (fixes both vulnerabilities), as described under 1.a above; again, check the vendor advisory for backported fixes.
b. Limit unauthenticated connections in sshd_config (MaxStartups, PerSourceMaxStartups, LoginGraceTime, and on OpenSSH 9.8 or later PerSourcePenalties), and restrict which source addresses can reach the SSH port using a firewall (iptables/nftables) or a ban tool such as Fail2Ban. These reduce the blast radius but do not remove the bug; a client that connects to an untrusted server is only protected by upgrading.
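As an added example (not code from the OpenSSH project or from this page), the script below renders an sshd_config drop-in that applies the limits from step b and audits the effective configuration printed by sshd -T against a stated policy. The numeric thresholds and the policy (refuse everything at or below N pending connections, grace time at most M seconds, PerSourcePenalties active) are this example's own choices, and it assumes that sshd -T on 9.8 or later prints "persourcepenalties no" when the option is disabled and that older releases omit the line.

```shell
#!/bin/sh
# Added example, not code from the OpenSSH project or the original page.
# Renders a sshd_config drop-in with connection limits and audits `sshd -T`
# output against this example's policy. Thresholds are illustrative, not defaults.

# Render the drop-in. Arguments: start-throttling count, full-refuse count,
# grace seconds, and "yes" to include PerSourcePenalties. That keyword needs
# OpenSSH 9.8+; older sshd rejects it with "Bad configuration option", so it is
# emitted only on request. sshd_config comments must sit on their own lines.
render_sshd_dos_dropin() {
    start=$1 full=$2 grace=$3 with_penalties=$4
    cat <<EOF
# Refuse a growing fraction of new unauthenticated connections once $start are
# pending, and refuse all of them at $full (see MaxStartups in sshd_config(5))
MaxStartups $start:30:$full
# Same limit counted per client address (OpenSSH 8.4+)
PerSourceMaxStartups 3
# Drop connections that have not authenticated within this many seconds
LoginGraceTime $grace
EOF
    if [ "$with_penalties" = yes ]; then
        cat <<'EOF'
# OpenSSH 9.8+: temporarily refuse addresses whose connections crash sshd,
# repeatedly fail auth, disconnect without authenticating, or exceed the grace
# time. The 9.9p2 release notes name this option as the CVE-2025-26466 mitigation.
PerSourcePenalties crash:90 authfail:5 noauth:1 grace-exceeded:20 max:600
EOF
    fi
}

# Audit `sshd -T` output (one lowercase "keyword value" per line) against the
# policy: MaxStartups full-refuse count <= $2, LoginGraceTime 1..$3 seconds
# (0 disables the limit), PerSourcePenalties present and not "no".
# Prints the failing keywords; exit status 0 when everything passes.
sshd_dos_audit() {
    cfg=$1 max_full=$2 max_grace=$3 findings=""
    full=$(printf '%s\n' "$cfg" | sed -n 's/^maxstartups [0-9]*:[0-9]*:\([0-9]*\)$/\1/p')
    grace=$(printf '%s\n' "$cfg" | sed -n 's/^logingracetime \([0-9]*\)$/\1/p')
    pen=$(printf '%s\n' "$cfg" | sed -n 's/^persourcepenalties \(.*\)$/\1/p')
    if [ -z "$full" ] || [ "$full" -gt "$max_full" ]; then
        findings="$findings maxstartups"
    fi
    if [ -z "$grace" ] || [ "$grace" -eq 0 ] || [ "$grace" -gt "$max_grace" ]; then
        findings="$findings logingracetime"
    fi
    # Assumption: 9.8+ prints "persourcepenalties no" when disabled; older sshd omits it
    if [ -z "$pen" ] || [ "$pen" = no ]; then
        findings="$findings persourcepenalties"
    fi
    printf '%s\n' "${findings# }"
    [ -z "$findings" ]
}

# Constructed sample of `sshd -T` output with stock-looking values (not captured
# from a real host), audited against the policy full<=60, grace<=30.
sample_sshd_t='port 22
logingracetime 120
maxstartups 10:30:100
persourcepenalties no'
echo "sample audit findings: $(sshd_dos_audit "$sample_sshd_t" 60 30 || true)"

# The drop-in to install as /etc/ssh/sshd_config.d/10-dos-limits.conf on a
# sshd that uses Include (check with sshd -t afterwards).
render_sshd_dos_dropin 10 60 30 yes

# Audit the live server when run as root on a host with sshd installed.
if [ "$(id -u)" -eq 0 ] && command -v sshd >/dev/null 2>&1; then
    live=$(sshd -T 2>/dev/null) || live=""
    echo "live audit findings: $(sshd_dos_audit "$live" 60 30 || true)"
fi
```

The audit deliberately reads the effective configuration from sshd -T rather than grepping sshd_config, because Match blocks and Include files change what sshd actually enforces.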
=====================
How to check whether VerifyHostKeyDNS is enabled on OpenSSH clients?
VerifyHostKeyDNS is a client option (ssh_config), not a server option (sshd_config), so the check is done on every machine that runs ssh(1). The value can come from three places, in this order of precedence: the command line, the user file, the global file.
1. User-specific configuration:
Open ~/.ssh/config and look for the VerifyHostKeyDNS setting.
If set to yes (or ask), it is enabled.
If absent or set to no, it is disabled.
grep -i verifyhostkeydns ~/.ssh/config
2. Global configuration:
Open /etc/ssh/ssh_config (and, if it uses Include, the files under /etc/ssh/ssh_config.d/) and check for the VerifyHostKeyDNS setting.
As with the user-specific file, its value determines whether the option is enabled or disabled.
grep -ri verifyhostkeydns /etc/ssh/ssh_config /etc/ssh/ssh_config.d/ 2>/dev/null
3. Effective configuration:
ssh -G prints the configuration ssh would actually use for a given destination after all files and Host/Match blocks have been applied, without making a connection. This is the authoritative check, since the option may be set inside a Host block that a plain grep does not attribute to the right host.
ssh -G example.com | grep -i verifyhostkeydns
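The procedure above, as an added example that is not part of the original page or of the OpenSSH project: a POSIX sh script that classifies an OpenSSH version banner (from ssh -V, or the "SSH-2.0-OpenSSH_..." line a server sends) against the upstream affected ranges of both CVEs, and reads the effective VerifyHostKeyDNS value out of ssh -G output. The version ranges are the ones stated on this page; everything else (function names, the constructed banners and config text used for testing) is the example's own. Because distributions backport fixes without changing the version string, a "vulnerable" verdict from the banner alone must be confirmed against the vendor advisory.

```shell
#!/bin/sh
# Added example, not code from the OpenSSH project or from the original page.
# Classifies an OpenSSH version banner against the upstream affected ranges of
# CVE-2025-26465 (6.8p1 .. 9.9p1) and CVE-2025-26466 (9.5p1 .. 9.9p1), both fixed
# in 9.9p2, and reads the effective VerifyHostKeyDNS value out of ssh_config text.
# Caveat: vendors backport fixes under the old version string; confirm any
# "vulnerable" verdict with the distribution advisory before acting on it.

# Print "MAJOR MINOR PORTABLE" from any text containing OpenSSH_X.Y[pZ], e.g. the
# output of `ssh -V` or the "SSH-2.0-OpenSSH_9.6p1 ..." banner a server sends.
# PORTABLE is 0 when there is no pN suffix (a non-portable OpenBSD build).
parse_openssh_version() {
    ver=${1#*OpenSSH_}
    [ "$ver" != "$1" ] || return 1              # marker not present
    ver=${ver%%[!0-9.p]*}                       # cut at first char outside [0-9.p]
    major=${ver%%.*}
    [ "$major" != "$ver" ] || return 1          # no ".MINOR" part
    rest=${ver#*.}
    minor=${rest%%p*}
    if [ "$rest" = "$minor" ]; then patch=0; else patch=${rest#*p}; fi
    for field in "$major" "$minor" "$patch"; do
        case $field in ''|*[!0-9]*) return 1 ;; esac
    done
    printf '%s %s %s\n' "$major" "$minor" "$patch"
}

# True when MAJOR.MINOR pPORTABLE is 9.9p2 or newer (the release carrying both fixes).
fixed_upstream() {
    [ "$1" -gt 9 ] && return 0
    [ "$1" -eq 9 ] && [ "$2" -gt 9 ] && return 0
    [ "$1" -eq 9 ] && [ "$2" -eq 9 ] && [ "$3" -ge 2 ] && return 0
    return 1
}

# Print the CVE IDs whose affected range contains the version found in $1.
# Exit status: 0 = at least one listed, 1 = none, 2 = no OpenSSH banner in $1.
openssh_cve_status() {
    parsed=$(parse_openssh_version "$1") || return 2
    set -- $parsed                              # MAJOR MINOR PORTABLE
    num=$(($1 * 100 + $2))                      # 6.8 -> 608, 9.5 -> 905, 9.9 -> 909
    hits=""
    if ! fixed_upstream "$1" "$2" "$3"; then
        [ "$num" -ge 608 ] && hits="$hits CVE-2025-26465"   # bug present since 6.8p1
        [ "$num" -ge 905 ] && hits="$hits CVE-2025-26466"   # SSH2_MSG_PING added in 9.5p1
    fi
    printf '%s\n' "${hits# }"
    [ -n "$hits" ]
}

# Given `ssh -G <host>` output (or any ssh_config text) in $1, succeed when the
# effective value is yes or ask (both are attackable); fail when no or absent.
# Commented-out lines do not count; indented lines inside Host blocks do.
verifyhostkeydns_enabled() {
    printf '%s\n' "$1" | grep -i '^[[:space:]]*verifyhostkeydns[[:space:]]' \
                       | grep -Eiq '(yes|ask)[[:space:]]*$'
}

# Live check of this machine's client (skipped when ssh is not installed).
if command -v ssh >/dev/null 2>&1; then
    banner=$(ssh -V 2>&1)                       # ssh -V writes its banner to stderr
    cves=$(openssh_cve_status "$banner") && rc=0 || rc=$?
    case $rc in
        0) echo "$banner: in the upstream range of $cves (confirm backports with your vendor)" ;;
        1) echo "$banner: outside the affected ranges" ;;
        *) echo "$banner: not an OpenSSH banner" ;;
    esac
    # Effective client configuration for one destination, after every config file
    # and Host/Match block has been applied; ssh -G makes no connection.
    if verifyhostkeydns_enabled "$(ssh -G example.com 2>/dev/null)"; then
        echo "VerifyHostKeyDNS is enabled for example.com: exposed to CVE-2025-26465 until patched"
    else
        echo "VerifyHostKeyDNS is off for example.com"
    fi
fi
```

Run it on each client you manage; to check a server's version the same classifier accepts the banner line that appears when you connect to port 22 with nc and read the first line.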
=====================
For more information, refer to the OpenSSH 9.9p2 release notes and the advisory from the Qualys Security Advisory Team, who discovered and reported both bugs.
References:
OpenSSH release notes: https://www.openssh.com/releasenotes.html
Ubuntu: https://ubuntu.com/security/CVE-2025-26465 and https://ubuntu.com/security/CVE-2025-26466
Debian: https://security-tracker.debian.org/tracker/source-package/openssh
RHEL: https://access.redhat.com/security/cve/cve-2025-26465 and https://access.redhat.com/security/cve/cve-2025-26466
SUSE: https://www.suse.com/security/cve/CVE-2025-26465.html and https://www.suse.com/security/cve/CVE-2025-26466.html