OpenSSH has released security updates to address two newly discovered vulnerabilities, including a machine-in-the-middle (MiTM) attack and a pre-authentication denial-of-service (DoS) flaw. One of these vulnerabilities, CVE-2025-26465, had been present in OpenSSH for over a decade, exposing countless systems to potential exploitation.
Two Critical Vulnerabilities in OpenSSH
The MiTM vulnerability (CVE-2025-26465) affects OpenSSH clients when the VerifyHostKeyDNS option is enabled. This flaw allows attackers to intercept SSH connections and inject malicious keys, effectively hijacking sessions. An attacker can exploit improper error handling to trick a client into accepting a rogue server’s key by triggering an out-of-memory error during verification. Once compromised, the attacker can steal credentials, inject commands, and exfiltrate sensitive data.
Although VerifyHostKeyDNS is disabled by default in OpenSSH, FreeBSD had it enabled by default from 2013 until 2023, leaving many systems unknowingly exposed.
The second vulnerability, CVE-2025-26466, is a pre-authentication DoS flaw introduced in OpenSSH 9.5p1 (August 2023). The flaw allows attackers to send repeated small ping messages that force OpenSSH to buffer excessive responses, leading to uncontrolled memory allocation and potential system crashes. While not as severe as the MiTM flaw, this vulnerability still poses a high risk of service disruption, particularly for high-availability systems.
OpenSSH Issues Security Fixes
To mitigate these risks, OpenSSH has released version 9.9p2, which patches both vulnerabilities. Users and administrators are strongly urged to update their OpenSSH installations immediately to prevent potential exploitation.
As an additional security measure, administrators should disable VerifyHostKeyDNS unless absolutely necessary and instead rely on manual SSH key fingerprint verification to ensure secure connections. For the DoS flaw, enforcing connection rate limits and monitoring SSH traffic for unusual patterns can help detect and prevent potential attacks before they cause serious disruption.
Given OpenSSH’s widespread use across enterprise and cloud environments, delaying these updates leaves critical systems vulnerable to attacks that could compromise authentication, steal credentials, or disrupt operations.
What SOC Teams Need to Know
Here’s what SOC analysts and incident responders should focus on:
- Prioritize Immediate Patching: OpenSSH 9.9p2 contains fixes for both CVE-2025-26465 and CVE-2025-26466. Ensure all affected systems are updated as soon as possible, particularly high-value assets and internet-facing SSH servers.
- Audit SSH Configurations: Check for instances where
VerifyHostKeyDNSis enabled. Since this setting can be exploited for MiTM attacks, disabling it across all systems is a necessary security measure unless there is a strict operational requirement. - Monitor for Exploitation Attempts: Deploy network monitoring rules to detect large SSH keys with excessive certificate extensions, which could indicate an attempt to exploit the MiTM flaw. Additionally, look for excessive SSH connection requests or unusually high memory usage on OpenSSH servers that could suggest an active DoS attack.
- Apply Rate Limiting and Anomaly Detection: Implement SSH connection rate limits to mitigate potential DoS exploitation. Monitor logs for signs of resource exhaustion or unexpected service crashes that may indicate CVE-2025-26466 exploitation attempts.
- Enhance Logging and Alerting: Ensure SSH authentication logs (
/var/log/auth.logor/var/log/secure) are being forwarded to SIEM solutions for centralized monitoring. Set up alerts for anomalous SSH activity, such as repeated authentication failures, unexpected key exchanges, or changes to host keys. - Verify Key Integrity and Trust Models: Organizations relying on SSH for secure remote access should enforce strict key verification policies, such as manually validating SSH key fingerprints before accepting them, rather than relying on DNS-based verification.
- Coordinate Incident Response Plans: If exploitation is detected, SOC teams should be prepared to isolate compromised hosts, rotate affected credentials, and conduct forensic analysis to determine if an attacker has gained persistence.
With OpenSSH being a critical component in enterprise, cloud, and DevOps environments, SOC teams must take a proactive stance to prevent exploitation and ensure SSH connections remain secure.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
https://www.netizen.net/contact
