Critical OpenSSH Vulnerabilities Expose Systems to MitM and DoS Attacks

OpenSSH is a Secure Remote Administration Tool for the Linux and Unix-based systems. It has been identified with two high threats exposing the server and client-side to MitM and Denial of Service attacks, namely CVE-2025-26465 and CVE-2025-26466, which were discovered by security researchers working for Qualys. Unsurprisingly, they did this research a little early and patched OpenSSH version 9.9p2.

Both can allow attackers to impersonate legitimate SSH servers, seize sessions, steal credentials, and crash the operating systems. The organizations that leverage OpenSSH for remote management have promptly responded to patch their systems and follow security best practices.

CVE-2025-26465 – Man-in-the-Middle (MitM) Attack

This vulnerability impacts the OpenSSH client connected to the VerifyHostKeyDNS function. This function is enabled to verify SSH server keys against DNS records automatically.

The flaw was introduced in OpenSSH version 6.8p1 introduced in December 2014, completely unaffected for more than 10 years and affected all variants from 6.8p1 to 9.9p1. This allows an attacker to impersonate a legitimate SSH server and redirect the client session without user interaction.

This flaw results from an incorrectness in the logic of handling allocations. When this field is enabled, the SSH client should verify the server’s key before continuing to connect.

Also Read: What Is SSH (Secure Shell)? How does the SSH Protocol work? [Guide]

However, because of the flaw, an adversary can force out-of-memory errors and trick the client into accepting the key of a rogue server. Further, since SSH’s host verification is bypassed, the adroit intruder can eavesdrop on credential exchanges, alter session data, and exfiltrate sensitive information.

Although it is disabled by default in OpenSSH, between 2013 and 2023, it was enabled by default on FreeBSD and could potentially affect countless systems. System administrators who enable it, either by manual means or because they are enabled by default from their distribution, are particularly in danger and should disable it unless absolutely indispensable.

CVE-2025-26466 – Denial-of-Service (DoS) Attack

The second vulnerability, CVE-2025-26466, is a pre-authentication denial-of-service (DoS) flaw that applies to both OpenSSH clients and servers.

In this case, unrestricted memory allocation is claimed to have occurred during part of the SSH-linking handshake; it has since become a known issue and affected versions 9.5p1 through 9.9p1. An attacker could induce depletion of system resources, leading to crashes and service disruptions.

Also Read: Passwordless SSH: The Future of Secure Remote Access and Automation

An adversary utilizing this vulnerability can send an SSH2_MSG_PING packet to OpenSSH with a very small payload (2 bytes), thereby forcing OpenSSH to send back a relatively gigantic reply, of some 256 bytes per request.

These replies get allocated space with no temporal restrictions, which means that a malicious actor could simply inundate the system with successive messages, hence consuming memory and CPU at an indefensibly high rate of speed, leading to service outages.

Because this type of attack occurs prior to user authentication, it requires little more than ready access to any publicly accessible SSH servers for attackers to mount.

Also Read: Man in the Middle (MITM) Attacks – How do you Detect and Prevent it?

Although exploiting this flaw may not cause immediate outbreaks similar to a MiTM attack, they pose a grave threat to systems administrators. Besides impacting service availability, repeated outbreak projects can lock operations users out, deny an administrator of the management state, and disrupt activities in time-critical environments.

Ana Lu_, an application server-side mitigation such as LoginGraceTime and MaxStartups could limit the effect, but the same would run real-time risk regarding the OpenSSH managing their businesses.

Potential Consequences of Exploitation

Upon successful exploitation of the aforementioned CVE-2025-26465 MitM activities, there would arise credential theft, session hijacking, and unauthorized command execution, allowing an attacker free rein to characterize himself as a defender, using covert means to penetrate systems.

Worse yet, this will breach some SSH sessions and compromise sensitive data as well as espionage and ransomware attacks. Regulatory compliance like GDPR, HIPAA, and PCI-DSS may force affected organizations to face severe penalties, and the loss of sensitive data may be disastrous.

The other one, CVE-2025-26466, would cause downtime, disruption, and financial disruption from possibly short to long outages due to Denial of Service. As SSH is used for most cloud, DevOps, and IT infrastructure management, an attacker would kick the organization’s hammer down, rendering it incapable of maintaining, updating, or restoring any critical service. Thus, a really high risk is posed to the public-facing SSH server, especially within an enterprise environment.

Mitigation and Security Recommendations

The open-SSH version should be quickly upgraded to 9.9p2 to address both vulnerabilities and reduce the vulnerability window to further exploitation. However, attention should be paid to patching all other SSH clients and servers across mission-critical or public-facing systems.

For one, VerifyHostKeyDNS should be disabled unless there is an absolute need for its activation. The safest approach, however, continues to remain to do manual key verification, noting that automatic DNS-based ones have fallen prey to unknown attacks.

Also, administrators should conduct audits on their SSH configurations to check the status of this feature and ensure any trust buildings they do not necessitate are cleared.

To minimize the risk of such vulnerabilities, the administrators should enforce certain rate limitations of connections using LoginGraceTime and MaxStartups parameters. In summary, they would need to limit the number of unauthenticated connections so potential attackers would be hard-pressed to overwhelm the system with requests.

Besides that, monitoring the SSH traffic for downright unusual patterns with the help of IDSs could aide in spotting potential exploits earlier, thus halting further attacks. .

Prevent Man-in-the-Middle and DoS Attacks with SiteLock Security

The uncovering of CVE-2025-26465 and CVE-2025-26466 actuates how significant preemptive cybersecurity must be with OpenSSH for remote administration. Though OpenSSH 9.9p2 restricts any dangers therein, patching is just not enough.

Businesses must embrace all-encompassing security arrangements to comply with their framework against cyber threats.

With Certera’s SiteLock security, you get advanced threat protection that goes beyond basic SSH security updates. SiteLock consistently monitors, detects, and prevents malicious attacks so your servers stay protected from MitM attacks, DoS attempts, malware injections, and other cybersecurity threats.