
Qualys TRU Discovers Two New Vulnerabilities in OpenSSH (CVE-2025-26465 & CVE-2025-26466)

CVE numbers = CVE-2025-26465 and CVE-2025-26466

The Qualys Threat Research Unit (TRU) has discovered two vulnerabilities in OpenSSH. The first, identified as CVE-2025-26465, enables an active machine-in-the-middle attack on the OpenSSH client when the VerifyHostKeyDNS option is turned on. The second, CVE-2025-26466, impacts both the OpenSSH client and server, allowing a pre-authentication denial-of-service attack.

The attack on the OpenSSH client (CVE-2025-26465) succeeds whether the VerifyHostKeyDNS option is set to “yes” or “ask” (the default is “no”). It requires no user interaction and works regardless of whether an SSHFP resource record exists in DNS. VerifyHostKeyDNS is a configuration option in the OpenSSH client that allows the SSH client to verify a server’s host key using DNS records, specifically SSHFP records. This vulnerability was introduced in December 2014, just before the release of OpenSSH 6.8p1. While VerifyHostKeyDNS is disabled by default, it was enabled by default on FreeBSD from September 2013 to March 2023.

The OpenSSH client and server are also vulnerable (CVE-2025-26466) to a pre-authentication denial-of-service (DoS) attack that causes excessive memory and CPU consumption. This issue was introduced in August 2023, shortly before the release of OpenSSH 9.5p1. On the server side, mitigation is possible using existing OpenSSH mechanisms, such as LoginGraceTime, MaxStartups, and the more recent PerSourcePenalties.

Resolution = OpenSSH version 9.9p2 addresses the vulnerabilities mentioned above. Visit https://www.openssh.com/ for the latest updates.
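The exposure conditions described above can be checked per host. The following is an added example, not code from Qualys or the OpenSSH project: it takes the text printed by `ssh -V` and by `ssh -G <host>` or `sshd -T`, and reports which of the two CVEs apply. The function names and the sample inputs are assumptions made for illustration.

```python
import re

# Upstream version bounds taken from the article: (major, minor, portable p-level).
FIXED = (9, 9, 2)             # 9.9p2 addresses both CVEs
MITM_INTRODUCED = (6, 8, 1)   # CVE-2025-26465: introduced just before 6.8p1
DOS_INTRODUCED = (9, 5, 1)    # CVE-2025-26466: introduced just before 9.5p1


def parse_version(banner):
    """Extract (major, minor, p-level) from `ssh -V` style output."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?", banner)
    if not m:
        raise ValueError(f"no OpenSSH version in {banner!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def effective_options(dump):
    """Parse `ssh -G <host>` / `sshd -T` output: one 'keyword value' per line."""
    opts = {}
    for line in dump.splitlines():
        key, _, value = line.strip().partition(" ")
        if key:
            opts.setdefault(key.lower(), value.strip().lower())
    return opts


def assess(banner, dump):
    """Return findings for one host, judged by upstream version number only."""
    version, opts, findings = parse_version(banner), effective_options(dump), []
    if MITM_INTRODUCED <= version < FIXED:
        # "yes" and "ask" are both affected; "true" is accepted as "yes".
        if opts.get("verifyhostkeydns", "no") in ("yes", "true", "ask"):
            findings.append("CVE-2025-26465: VerifyHostKeyDNS enabled on unpatched client")
    if DOS_INTRODUCED <= version < FIXED:
        findings.append("CVE-2025-26466: pre-auth DoS, upgrade to 9.9p2")
        # LoginGraceTime 0 means no time limit, which removes one mitigation.
        if opts.get("logingracetime") == "0":
            findings.append("LoginGraceTime is 0 (unlimited) on affected server")
    return findings


# Constructed sample inputs, not captured from a real host.
CLIENT_BANNER = "OpenSSH_9.6p1, OpenSSL 3.0.13 30 Jan 2024"
CLIENT_DUMP = "host example.test\nverifyhostkeydns ask\nport 22\n"

if __name__ == "__main__":
    for finding in assess(CLIENT_BANNER, CLIENT_DUMP):
        print(finding)
```

Distribution packages often backport fixes without changing the upstream version number, so a finding from the version check should be confirmed against the vendor's advisory for the installed package.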

Jason Davies

I am one of the editors here at www.systemtek.co.uk. I am a UK-based technology professional, with an interest in computer security and telecoms.
