Researchers from Qualys have uncovered two significant vulnerabilities in OpenSSH, a widely utilized tool for remote server management. These vulnerabilities can be exploited to launch man-in-the-middle attacks and cause Denial of Service (DoS) conditions.
The first vulnerability, identified as CVE-2025-26465, compromises the server key verification process in OpenSSH clients when the VerifyHostKeyDNS option is enabled. This flaw allows attackers to impersonate servers and intercept sensitive communications, putting user credentials at serious risk and enabling session hijacking. The second vulnerability, CVE-2025-26466, can lead to resource exhaustion on the CPU.
According to Qualys researchers, "SSH sessions can be a prime target for attackers aiming to intercept credentials or hijack sessions." Should attackers gain access through these vulnerabilities, they could manipulate critical data and move laterally across multiple servers, leading to reputational damage and compliance violations.
The man-in-the-middle vulnerability was introduced into the code in December 2014 and affects all OpenSSH versions from 6.8p1 to 9.9p1. The second vulnerability affects versions from 9.5p1 to 9.9p1. Users are strongly advised to upgrade to OpenSSH 9.9p2 as soon as it is available in their respective distributions.
OpenSSH, maintained by the OpenBSD Project, is known for its robust security standards. However, the recent flaws highlight the risks present in its functionalities. The SSH protocol, while secure, relies on accurate server identity verification through public keys. When a client connects to a server for the first time, it is prompted to trust the server’s key, establishing a record in the known_hosts file.
For automated tasks, however, this trust mechanism can be circumvented using the VerifyHostKeyDNS feature. This allows clients to trust a server’s key through DNS records without human intervention, but it can lead to vulnerabilities if not correctly implemented. The Qualys researchers identified a logic error in the function responsible for validating server keys, which mishandles error values.
Furthermore, the second vulnerability is required to exploit the first in a real-world context, because it allows memory to be allocated that is never released. By manipulating pre-authentication processes to allocate excessive memory before serving a rogue server key, attackers can bypass checks and potentially intercept sensitive data.
For details regarding the vulnerabilities, see the Qualys report.
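The exposure criteria above (affected version ranges, plus VerifyHostKeyDNS for the man-in-the-middle flaw) can be checked per client with a short script. This is an added example, not code from Qualys or OpenSSH; it assumes you feed it the text of `ssh -V` and `ssh -G <host>`, treats `yes`, `true` and `ask` as "enabled", and the function names and sample strings are constructed for illustration.

```python
import re

# Inclusive version ranges as stated in the article; 9.9p2 is the fixed release.
MITM_RANGE = ((6, 8, 1), (9, 9, 1))  # CVE-2025-26465
DOS_RANGE = ((9, 5, 1), (9, 9, 1))   # CVE-2025-26466


def parse_version(banner):
    """Return (major, minor, patch) from `ssh -V` text such as 'OpenSSH_9.6p1 ...'."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?", banner)
    if not m:
        raise ValueError("no OpenSSH version found in %r" % banner)
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def verifyhostkeydns(ssh_g_output):
    """Return the effective VerifyHostKeyDNS value from `ssh -G <host>` output."""
    for line in ssh_g_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "verifyhostkeydns":
            return parts[1].strip().lower()
    return "no"  # the option is off by default


def assess(banner, ssh_g_output):
    """Classify one client against the two CVEs using the article's criteria."""
    ver = parse_version(banner)
    dns = verifyhostkeydns(ssh_g_output)
    return {
        "version": ver,
        "verifyhostkeydns": dns,
        # The MitM flaw needs an affected version AND the option enabled.
        # "true" is accepted as a synonym of "yes"; "ask" also consults DNS.
        "cve_2025_26465": MITM_RANGE[0] <= ver <= MITM_RANGE[1]
                          and dns in ("yes", "true", "ask"),
        "cve_2025_26466": DOS_RANGE[0] <= ver <= DOS_RANGE[1],
    }


if __name__ == "__main__":
    # Constructed sample inputs, not captured from a real host.
    samples = [
        ("OpenSSH_9.6p1 Ubuntu-3ubuntu13.5, OpenSSL 3.0.13", "verifyhostkeydns true\n"),
        ("OpenSSH_8.4p1 Debian-5, OpenSSL 1.1.1n", "hostname example\nport 22\n"),
        ("OpenSSH_9.9p2, OpenSSL 3.4.0", "verifyhostkeydns ask\n"),
    ]
    for banner, cfg in samples:
        print(assess(banner, cfg))
```

Distribution packages often backport fixes without changing the upstream version string, so treat a version match as a prompt to check the vendor's advisory rather than as proof of exposure.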