
How can I protect myself from attacks carried out through dangerous vulnerabilities identified in OpenSSH?
Cybersecurity researchers have identified two serious vulnerabilities in OpenSSH, the widely used implementation of the SSH protocol for secure network communication. These vulnerabilities, discovered by specialists at the Qualys Threat Research Unit (TRU), have been registered as CVE-2025-26465 and CVE-2025-26466.
These flaws allow attackers to target both clients and servers, intercept SSH sessions (Man-in-the-Middle, MiTM), and execute Denial of Service (DoS) attacks without requiring authentication.
Since OpenSSH is an essential part of corporate infrastructure, these vulnerabilities pose a significant threat to data integrity, system stability, and compliance with security regulations such as GDPR, HIPAA, and PCI-DSS.
CVE-2025-26465: Man-in-the-Middle (MiTM) Attack
This vulnerability affects OpenSSH clients running versions 6.8p1 to 9.9p1 and occurs when the VerifyHostKeyDNS option is enabled.
Key Risks:
- Although this option is disabled by default, it was historically enabled in FreeBSD and some other configurations, expanding the attack surface.
- The vulnerability allows attackers to impersonate legitimate servers, bypassing host key verification even when DNS SSHFP records are absent.
- The attack is silent and requires no user interaction, which lets an attacker intercept SSH sessions, steal credentials, alter data, and gain unauthorized access to internal networks.
How Long Has This Vulnerability Existed?
This flaw has been present in OpenSSH since December 2014, meaning it has remained undetected for 11 years. This highlights the critical need for regular security audits and configuration reviews.
CVE-2025-26466: Pre-Authentication DoS Attack
This vulnerability affects OpenSSH versions 9.5p1 to 9.9p1.
Key Risks:
- Attackers can overload server resources: the attack is asymmetric, costing the attacker little while consuming disproportionate CPU and memory on the server, rendering the system unusable.
- By flooding the system with SSH2_MSG_PING packets, attackers can exhaust server memory and processing power, leading to a denial of service (DoS).
- Administrators may be completely locked out of the server, potentially disrupting critical infrastructure.
Are There Any Protective Measures?
While server-side defenses like LoginGraceTime and PerSourcePenalties exist, there are no built-in client-side protections.
As a result, updating OpenSSH immediately is the only effective solution.
How Can These Vulnerabilities Be Mitigated?
✅ Upgrade OpenSSH to version 9.9p2, which addresses both vulnerabilities.
✅ Disable VerifyHostKeyDNS (if enabled) and enforce strict host key verification using known_hosts.
✅ Enhance server security settings:
- Reduce LoginGraceTime to minimize the time an unauthenticated connection may stay open.
- Limit simultaneous connections using MaxStartups.
- Enable PerSourcePenalties to automatically block suspicious IP addresses.
✅ Monitor network activity and analyze abnormal SSH connection patterns.
✅ Regularly update SSH keys and remove unused ones to improve security.
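As an added example (not code from the article or the OpenSSH project), the following POSIX shell script turns the version ranges and the VerifyHostKeyDNS check above into a small audit: it classifies an `ssh -V` banner against the affected ranges and flags a client config that enables DNS host-key lookups. The sample config it inspects is constructed, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the article or the OpenSSH project: a small
# audit script for the two CVEs described above. It classifies an OpenSSH
# version string against the ranges the article gives (CVE-2025-26465:
# clients 6.8p1..9.9p1; CVE-2025-26466: 9.5p1..9.9p1; both fixed in 9.9p2)
# and checks a client config for an effective "VerifyHostKeyDNS yes|ask" line.

# version_key: turn "9.9p1" or the "OpenSSH_9.9p1, OpenSSL ..." banner that
# `ssh -V` prints into a comparable integer (major*10000 + minor*100 + patch).
# A version without a "pN" suffix (OpenBSD-native build) is treated as patch 0.
version_key() {
    set -- $(printf '%s\n' "$1" | sed -n \
        's/^\(OpenSSH_\)\{0,1\}\([0-9][0-9]*\)\.\([0-9][0-9]*\)\(p\([0-9][0-9]*\)\)\{0,1\}.*/\2 \3 \5/p')
    if [ -z "$2" ]; then return 1; fi
    echo $(( $1 * 10000 + $2 * 100 + ${3:-0} ))
}

# affected_cves: print the CVE ids from the article that apply to a version,
# "none" for 9.9p2 and later (or releases before 6.8p1), "unparsable" otherwise.
affected_cves() {
    k=$(version_key "$1") || { echo unparsable; return 1; }
    out=""
    if [ "$k" -ge 60801 ] && [ "$k" -le 90901 ]; then out="CVE-2025-26465"; fi
    if [ "$k" -ge 90501 ] && [ "$k" -le 90901 ]; then out="${out:+$out }CVE-2025-26466"; fi
    echo "${out:-none}"
}

# dns_hostkeys_enabled FILE: succeed when the file turns VerifyHostKeyDNS on.
# Accepts both separators ssh_config(5) allows ("Key value" and "Key=value")
# but does not evaluate Host/Match scoping, so treat a hit as "review this file".
dns_hostkeys_enabled() {
    grep -iE '^[[:space:]]*VerifyHostKeyDNS([[:space:]]*=[[:space:]]*|[[:space:]]+)(yes|ask)([[:space:]]|$)' \
        "$1" >/dev/null 2>&1
}

# Constructed sample client config (not a real file) to show the check firing.
SAMPLE_CFG=$(mktemp)
printf '%s\n' 'Host *' '    VerifyHostKeyDNS yes' '    StrictHostKeyChecking ask' >"$SAMPLE_CFG"
if dns_hostkeys_enabled "$SAMPLE_CFG"; then
    echo "sample config: VerifyHostKeyDNS is on; disable it and rely on known_hosts"
fi
rm -f "$SAMPLE_CFG"

# Classify the locally installed client, if any (ssh -V writes to stderr).
if command -v ssh >/dev/null 2>&1; then
    echo "local client $(ssh -V 2>&1 | cut -d, -f1): $(affected_cves "$(ssh -V 2>&1)")"
fi
```

Run it on each host whose OpenSSH client or server you manage; a result other than `none` means the 9.9p2 upgrade above is still outstanding.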
The CVE-2025-26465 and CVE-2025-26466 vulnerabilities pose a severe risk to OpenSSH security. A MiTM attack could result in data theft, while a DoS attack could render servers inaccessible.
Cybercriminals could exploit these vulnerabilities for ransomware attacks or to infiltrate corporate networks.
Therefore, all OpenSSH users and server administrators must take immediate security measures and apply the necessary updates.
🛡 Do not neglect cybersecurity! Secure your SSH servers, review configurations, and implement continuous monitoring.