Qualys researchers have discovered two critical vulnerabilities in OpenSSH that open servers to man-in-the-middle and DoS attacks.
Qualys reports two vulnerabilities in the open-source server program OpenSSH. One allows a man-in-the-middle (MitM) attack in which authentication is completely bypassed. The other vulnerability can cause both the client and server to crash through a denial-of-service (DoS) attack with asymmetric consumption of memory and CPU.
According to Qualys, these are two critical vulnerabilities and OpenSSH should be patched as soon as possible.
MitM or DoS
The first vulnerability (CVE-2025-26465) affects the OpenSSH client when the VerifyHostKeyDNS option is enabled. By default, this option is off, but on some systems it is enabled. If an attacker sits between a client and the server it connects to, the attacker can impersonate the legitimate server, and the client never correctly verifies the server’s identity. The attack works when VerifyHostKeyDNS is set to yes or ask, and requires no further interaction.
The cause is a flaw in the error handling of the code that verifies the server’s identity. By manipulating the client’s memory consumption, an attacker can trigger a specific error condition that skips the verification step entirely.
CVE-2025-26466 allows both the OpenSSH client and server to be bogged down by a DoS attack based on asymmetric memory consumption. An attacker can send a large number of SSH2_MSG_PING packets, causing the victim to buffer a huge number of responses without sending them immediately. This leads to unbounded memory allocation and subsequent CPU-intensive processing once the buffered responses are handled.
Clients have no built-in protection against this attack. Moreover, the attack can also be used to enable the MitM attack mentioned earlier.
Déjà vu
This article reads like déjà vu to those who remember last summer’s OpenSSH vulnerability. Back then, too, it was Qualys that sounded the alarm. Because of the hundreds of thousands of installations and millions of instances that rely on OpenSSH, vulnerabilities in the program can quickly create a large number of victims.
To complete the comparison, just like last summer, these are vulnerabilities that had gone undetected in OpenSSH’s code for years. The VerifyHostKeyDNS vulnerability is said to have existed for at least a decade. The DoS vulnerability arose more recently, in August 2023.
OpenSSH has since rolled out a security update. Administrators are advised to update their systems as soon as possible and carefully check VerifyHostKeyDNS settings, as well as DoS mitigation configurations.
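As an added example (not from the article, Qualys, or the OpenSSH project), a small POSIX shell audit that reads the effective client configuration with `ssh -G`, as the advice above suggests, and flags host aliases where VerifyHostKeyDNS resolves to yes or ask, the only settings the MitM issue applies to. The host alias and the sample `ssh -G` lines are constructed; `ssh -G` itself is a real OpenSSH client flag that prints the effective options in lowercase.

```shell
#!/bin/sh
# Added example, not code from the article or from OpenSSH.
# Audits the *effective* client value of VerifyHostKeyDNS, because a
# global ssh_config, a per-user ~/.ssh/config or a Match block may
# override the default of "no" for particular hosts.

# Returns 0 if the effective value is "no", 1 if it is "yes" or "ask"
# (exposed to the MitM issue), 2 if the option is not present in the input.
classify_verifyhostkeydns() {
    # $1: text in `ssh -G` format, one "keyword value" pair per line
    value=$(printf '%s\n' "$1" | awk '$1 == "verifyhostkeydns" { print $2; exit }')
    case "$value" in
        no)      return 0 ;;
        yes|ask) return 1 ;;
        *)       return 2 ;;
    esac
}

# Audits one host alias using the real client; assumes `ssh` is in PATH.
audit_host() {
    host=$1
    cfg=$(ssh -G "$host" 2>/dev/null) || { echo "$host: ssh -G failed"; return 2; }
    rc=0
    classify_verifyhostkeydns "$cfg" || rc=$?
    case "$rc" in
        0) echo "$host: VerifyHostKeyDNS=no (not affected by the MitM issue)" ;;
        1) echo "$host: VerifyHostKeyDNS is yes/ask -> patch the client or set it to no" ;;
        *) echo "$host: could not determine VerifyHostKeyDNS" ;;
    esac
    return "$rc"
}

# Constructed samples in `ssh -G` output format (hypothetical host alias),
# so the classifier can be exercised offline without an ssh binary.
SAMPLE_EXPOSED='hostname bastion.example.internal
port 22
verifyhostkeydns ask
stricthostkeychecking ask'

SAMPLE_SAFE='hostname bastion.example.internal
port 22
verifyhostkeydns no
stricthostkeychecking ask'
```

Run `audit_host <alias>` for each alias in `~/.ssh/config` to see the value the client will actually use for that host.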