Researchers can disclose two brand-new vulnerabilities in OpenSSH now that patches have been released.
Qualys discovered the bugs in January, per its disclosure timeline. These vulnerabilities allow miscreants to perform machine-in-the-middle (MitM) attacks on the OpenSSH client and pre-authentication denial-of-service (DoS) attacks.
Patches for CVE-2025-26465 and CVE-2025-26466 were released this morning. Although their respective severity scores (6.8 and 5.9) don't necessarily scream "patch me right away" – it certainly doesn't seem as bad as last year's regreSSHion issue – they're both likely to raise some degree of concern given the tool's prominence.
OpenSSH is the open source implementation of the SSH protocol, which underpins many of the encrypted remote connections across Windows, Linux, and macOS, as well as secure file transfers. High-profile organizations using the client include Facebook, Morgan Stanley, NetApp, Netflix, and Uber.
The MitM bug (CVE-2025-26465) is only exploitable when the VerifyHostKeyDNS option is set to "yes" or "ask." The default is now "no," but between September 2013 and March 2023, it was enabled by default on FreeBSD. The potential damage may raise eyebrows among admins who rely on the tool for day-to-day troubleshooting.
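Because exposure to CVE-2025-26465 hinges on the effective VerifyHostKeyDNS value, which a host-specific block can override, a quick config audit is useful. The following is an added example, not code from the article or from OpenSSH: it resolves the setting the way ssh_config does (first matching Host block wins, default "no"), and checks an OpenSSH version banner against 9.9p2. The sample config is constructed; only Host blocks are modelled (Match and Include are assumed out of scope), and distro backports mean a version below 9.9p2 is a prompt to check the vendor advisory, not proof of exposure.

```python
import fnmatch
import re

# Constructed sample ssh_config (not from the article): a host-specific block
# re-enables the risky setting for one host while the catch-all leaves it off.
SAMPLE_SSH_CONFIG = """\
Host bastion.example.internal
    VerifyHostKeyDNS yes

Host *
    VerifyHostKeyDNS no
"""

def host_matches(patterns: str, hostname: str) -> bool:
    """ssh_config Host patterns: '*' and '?' wildcards; a matching '!pattern'
    rejects the whole block regardless of other patterns."""
    matched = False
    for pat in patterns.split():
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, pat):
            matched = True
    return matched

def effective_verify_host_key_dns(config_text: str, hostname: str) -> str:
    """Return the VerifyHostKeyDNS value ssh would use for hostname.
    ssh uses the first obtained value per keyword, so the first in-scope
    occurrence wins. Assumption: only Host blocks are handled."""
    in_scope = True  # lines before any Host block apply to every host
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"(\S+?)(?:\s*=\s*|\s+)(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            in_scope = host_matches(value, hostname)
        elif key == "verifyhostkeydns" and in_scope:
            return value.lower()
    return "no"  # OpenSSH default

def is_patched_version(banner: str) -> bool:
    """True if an 'OpenSSH_X.YpZ' version string is at least 9.9p2."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?", banner)
    if not m:
        raise ValueError(f"not an OpenSSH version string: {banner!r}")
    major, minor, portable = (int(g) if g else 0 for g in m.groups())
    return (major, minor, portable) >= (9, 9, 2)

def needs_attention(config_text: str, hostname: str, banner: str) -> bool:
    """Flag a host whose client would use 'yes'/'ask' on an unpatched build."""
    exposed = effective_verify_host_key_dns(config_text, hostname) in ("yes", "ask")
    return exposed and not is_patched_version(banner)
```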
If an attacker exploits the vulnerability, they could intercept or manipulate data transferred over what users expect to be a secure, encrypted channel.
The vulnerability allows an attacker to impersonate the server to which a vulnerable OpenSSH client usually connects by bypassing server identity checks, leading to MitM.
Saeed Abbasi, product manager at Qualys's Threat Research Unit, said: "SSH sessions can be a prime target for attackers aiming to intercept credentials or hijack sessions. If compromised, hackers could view or manipulate sensitive data, move across multiple critical servers laterally, and exfiltrate valuable information such as database credentials.
"Such breaches can lead to reputational damage, violate compliance mandates e.g. GDPR, HIPAA, PCI-DSS, and potentially disrupt critical operations by forcing system downtime to contain the threat."
The DoS vulnerability (CVE-2025-26466) affects both the OpenSSH client and server, and could lead to prolonged outages preventing admins from performing maintenance on key servers, Abbasi added. It's caused by an asymmetric resource consumption of both memory and CPU.
Qualys's technical advisory additionally notes that the MitM bug was introduced to OpenSSH over a decade ago in December 2014, shortly before version 6.8p1 was released. The DoS bug was introduced in August 2023, not long before version 9.5p1.
OpenSSH today released version 9.9p2, which addresses both vulnerabilities and thanked Qualys for the report.
"Both vulnerabilities were discovered and demonstrated to be exploitable by the Qualys Security Advisory team. We thank them for their detailed review of OpenSSH," they said in the patch's release notes.
"Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project."
Qualys's technical advisory also includes a proof-of-concept (PoC) exploit for both vulnerabilities. Typically, these PoCs aren't released until a few weeks after the patches, to allow admins time to apply them. Severe or not, the fact that the PoC was made available at the same time as the patch suggests admins should update at the earliest available opportunity. ®