OpenSSH vulnerable to man-in-the-middle and DoS attacks

Attacks can completely bypass ID checks

Researchers have identified weaknesses in OpenSSH enabling attackers to impersonate servers and deny service.

Researchers from Qualys have released a security advisory related to two vulnerabilities in the OpenSSH client and server. Mitigations are available for both.

The first flaw, CVE-2025-26465, in a man-in-the-middle type attack while the second, CVE-2025-26466, is a denial-of-service attack.

The OpenSSH client is vulnerable to CVE-2025-26465 - which the researchers call a “machine-in-the-middle attack” - if the VerifyHostKeyDNS option is enabled (it is disabled by default):

"When a vulnerable client connects to a server, an active machine-in-the-middle can impersonate the server by completely bypassing the client's checks of the server's identity.”

The attack succeeds whether the VerifyHostKeyDNS option is set to “yes” or “ask,” instead of “no.” While it is “no” by default, it was enabled by default on FreeBSD and other projects in the past, and those running OpenSSH are urged to check their configurations immediately.

The flaw has been present in OpenSSH since December 2014.

CVE-2025-26466 is an attack against the OpenSSH client and server, present since August 2023. It is a pre-authentication denial-of-service attack: an asymmetric resource consumption of both memory and CPU

Although no fix is available on the client side, the attack can be “easily” mitigated on the server side using existing mechanisms: LoginGraceTime, MaxStartups and, in OpenSSH 9.8p1 and newer, PerSourcePenalties.