According to the Qualys Threat Research Unit (TRU), the MiTM vulnerability tracked as CVE-2025-26465 was introduced in December 2014, just before the release of OpenSSH 6.8p1. In other words, it was discovered more than a decade later.
The bug affects OpenSSH clients with the VerifyHostKeyDNS option enabled and allows cybercriminals to deliver MiTM attacks.
“The attack against the OpenSSH client (CVE-2025-26465) succeeds regardless of whether the VerifyHostKeyDNS option is set to “yes” or “ask” (its default is “no”), requires no user interaction, and does not depend on the existence of an SSHFP resource record (an SSH fingerprint) in DNS,” – Qualys TRU.
If VerifyHostKeyDNS is enabled, incorrect error handling allows an attacker to trigger an Out of Memory error during verification; as a result, the client may accept a malicious key instead of the legitimate server’s key.
After intercepting an SSH connection and providing a SSH key with excessive certificate extensions, an attacker can exhaust the client’s memory, circumvent host verification, and hijack the session with the purpose to steal credentials, inject commands, or exfiltrate data.
Even though in OpenSSH the VerifyHostKeyDNS option is disabled by default, in FreeBSD, it was enabled by default from September 2013 and until March 2023.
The second vulnerability, CVE-2025-26466, enabling a pre-authentication denial-of-service attack first appeared in the OpenSSH version 9.5p1 released in August 2023. The issue occurs due to unlimited memory allocation during key exchange, which results in uncontrolled resource consumption.
To exploit this vulnerability, an unauthorized attacker can repeatedly send small (16 bytes) ping messages, thus, forcing OpenSSH to buffer 256-byte responses.
During the key exchange, these responses are stored indefinitely, which causes excessive memory consumption and CPU overload, which can result in a system crash.
The OpenSSH developers have already released version 9.9p2 where both vulnerabilities are fixed and strongly advise all users to upgrade as soon as possible. It is also recommended to disable VerifyHostKeyDNS if this feature isn’t essential.
2025.02.23 — New JavaScript obfuscation technique uses invisible Unicode characters
According to Juniper Threat Labs , a new JavaScript obfuscation technique that uses invisible Unicode characters was used in a phishing attack targeting Political Action…
Full article →
2025.02.08 — Hackers exploit RCE vulnerability in Microsoft Outlook
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned Federal Civilian Executive Branch (FCEB) Agencies that they have to secure their systems from ongoing…
Full article →
2025.04.16 — Android devices will restart every three days to protect user data
Google introduces a new security feature for Android devices: locked and unused devices will be automatically restarted after three days of inactivity to return their memory to an…
Full article →
2025.01.27 — YouTube plays hour-long ads to users with ad blockers
Users complain that YouTube plays very long unskippable ads. Sometimes such ads are longer than the video the person is watching. The issue was raised…
Full article →
2025.02.14 — 12,000 Kerio Control firewalls remain vulnerable to RCE
Security experts report that more than 12,000 GFI Kerio Control firewall instances remain vulnerable to the critical RCE vulnerability CVE-2024-52875, which was fixed…
Full article →
2025.01.25 — 18,000 script kiddies have been infected with backdoor via XWorm RAT builder
According to CloudSEK analysts, malefactors attack novice hackers using a fake malware builder. Script kiddies' systems become infected with a backdoor that steals data and subsequently…
Full article →
2025.03.10 — Nearly a million Windows computers impacted by a malvertising campaign
According to Microsoft, nearly 1 million Windows devices fell victim to a sophisticated malvertising campaign in recent months. Cybercriminals were able to steal credentials, cryptocurrency, and sensitive…
Full article →
2025.01.22 — Fake Homebrew Infects macOS and Linux Machines with infostealer
Attackers use Google ads to disguise themselves as the Homebrew website and distribute malware targeting Mac and Linux systems and stealing logon credentials, browser data, and cryptocurrency wallets.…
Full article →
2025.04.04 — Privilege escalation vulnerability in Google Cloud resulting in sensitive data leaks finally patched
Tenable Research revealed details of a recently patched privilege escalation vulnerability in Google Cloud Platform (GCP) Cloud Run enabling an attacker to gain access to container images…
Full article →
2025.04.07 — Critical RCE vulnerability discovered in Apache Parquet
All versions of Apache Parquet up to and including 1.15.0 are affected by a critical remote code execution (RCE) vulnerability whose CVSS score is 10 out…
Full article →