OpenSSH Vulnerabilities Expose Systems to MitM and DoS Attacks

Credited by Freepik

VTA-004507 – OpenSSH Vulnerabilities Expose Systems to MitM and DoS Attacks

A new set of OpenSSH vulnerabilities, CVE-2025-26465 and CVE-2025-26466, have been discovered, potentially allowing attackers to execute man-in-the-middle (MitM) and denial-of-service (DoS) attacks. These flaws impact OpenSSH clients and servers, making it possible for adversaries to intercept SSH connections or cause service disruptions. These flaws are particularly concerning for systems relying on SSH for secure remote access and automation.

CVE-2025-26465 affects OpenSSH clients that have VerifyHostKeyDNS enabled, which could allow an attacker to impersonate a legitimate SSH server by poisoning DNS responses. This could lead to credential theft or unauthorized access. CVE-2025-26466, on the other hand, is a resource exhaustion vulnerability that can cause excessive CPU and memory usage, resulting in a DoS condition. These issues underscore the need for strict SSH security configurations and timely updates.

To mitigate these risks, users should immediately update to OpenSSH 9.9p2, which contains patches for both vulnerabilities. Additionally, administrators should review their SSH configurations and disable VerifyHostKeyDNS if not explicitly required. Monitoring SSH traffic for anomalies and implementing strict access controls can further reduce the attack surface.

Severity:
Medium

Attack Surface:
Endpoint, Remote Access Service

Tactics:
Credential Access, Impact

Techniques:
T1557 – Adversary-in-the-Middle
T1499 – Endpoint Denial of Service

Indicator of Compromise:
1. https://otx.alienvault.com/pulse/67b4e5682629fc2b2c97d0b3

References:
1. https://blog.qualys.com/vulnerabilities-threat-research/2025/02/18/qualys-tru-discovers-two-vulnerabilities-in-openssh-cve-2025-26465-cve-2025-26466

SuperPRO’s Threat Countermeasures Procedures: 
1. Update OpenSSH immediately to version 9.9p2 or later to patch the vulnerabilities.
2. Disable VerifyHostKeyDNS in SSH configurations unless explicitly required.
3. Enforce strict SSH access controls, such as allowing only trusted IPs and using key-based authentication.
4. Monitor SSH traffic for anomalies, such as unexpected connections or high resource usage.
5. Enable logging and alerting to detect and respond to potential exploitation attempts.
6. Implement network segmentation to limit SSH access to only necessary systems.
7. Use Multi-Factor Authentication (MFA) for additional security on SSH access where possible.

Contributed by: Tasneem