According to the Qualys Threat Research Unit (TRU), the MiTM vulnerability tracked as CVE-2025-26465 was introduced in December 2014, just before the release of OpenSSH 6.8p1. In other words, it was discovered more than a decade later.
The bug affects OpenSSH clients with the VerifyHostKeyDNS option enabled and allows cybercriminals to deliver MiTM attacks.
“The attack against the OpenSSH client (CVE-2025-26465) succeeds regardless of whether the VerifyHostKeyDNS option is set to “yes” or “ask” (its default is “no”), requires no user interaction, and does not depend on the existence of an SSHFP resource record (an SSH fingerprint) in DNS,” – Qualys TRU.
If VerifyHostKeyDNS is enabled, incorrect error handling allows an attacker to trigger an Out of Memory error during verification; as a result, the client may accept a malicious key instead of the legitimate server’s key.
After intercepting an SSH connection and providing a SSH key with excessive certificate extensions, an attacker can exhaust the client’s memory, circumvent host verification, and hijack the session with the purpose to steal credentials, inject commands, or exfiltrate data.
Even though in OpenSSH the VerifyHostKeyDNS option is disabled by default, in FreeBSD, it was enabled by default from September 2013 and until March 2023.
The second vulnerability, CVE-2025-26466, enabling a pre-authentication denial-of-service attack first appeared in the OpenSSH version 9.5p1 released in August 2023. The issue occurs due to unlimited memory allocation during key exchange, which results in uncontrolled resource consumption.
To exploit this vulnerability, an unauthorized attacker can repeatedly send small (16 bytes) ping messages, thus, forcing OpenSSH to buffer 256-byte responses.
During the key exchange, these responses are stored indefinitely, which causes excessive memory consumption and CPU overload, which can result in a system crash.
The OpenSSH developers have already released version 9.9p2 where both vulnerabilities are fixed and strongly advise all users to upgrade as soon as possible. It is also recommended to disable VerifyHostKeyDNS if this feature isn’t essential.
2025.01.30 — Hackers use vulnerabilities in SimpleHelp RMM to attack corporate networks
Experts believe that recently patched vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM) were used by attackers to gain initial access to corporate networks. A number…
Full article →
2025.04.08 — Website of Everest ransomware group hacked and defaced
Last weekend, the darknet website of the Everest ransomware group was hacked and went offline. The attackers replaced its content with a sarcastic message: "Don't do crime…
Full article →
2025.02.25 — More than 100,000 users downloaded SpyLend malware from Google Play Store
According to Cyfirma, a malicious Android app called SpyLend was available on the official Google Play Store for some time and has been downloaded from there…
Full article →
2025.04.29 — FBI Offers 10 million USD for information on Salt Typhoon members
The FBI offers up to 10 million USD for information about members of the Chinese hacker group Salt Typhoon and last year's attack that had…
Full article →
2025.04.01 — Hackers abuse MU plugins to inject malicious payloads to WordPress
According to Sucuri, hackers store malicious code in the MU-plugins (Must-Use Plugins) directory in WordPress and execute it while remaining undetected. The technique was first discovered…
Full article →
2025.03.10 — Nearly a million Windows computers impacted by a malvertising campaign
According to Microsoft, nearly 1 million Windows devices fell victim to a sophisticated malvertising campaign in recent months. Cybercriminals were able to steal credentials, cryptocurrency, and sensitive…
Full article →
2025.01.23 — Fake Telegram CAPTCHA forces users to run malicious PowerShell scripts
Hackers used the news of Ross Ulbricht pardoning to lure users to a rogue Telegram channel where they are tricked into running malicious PowerShell code. This…
Full article →
2025.03.16 — Researchers force DeepSeek to write malware
According to Tenable, the AI chatbot DeepSeek R1 from China can be used to write malware (e.g. keyloggers and ransomware). DeepSeek was released in January 2025 and caused a stir…
Full article →
2025.02.28 — Qualcomm extends support for Android devices to 8 years
Qualcomm Technologies announced its collaboration with Google with the purpose to provide extended support for OEM devices running on company's flagship chipsets. This partnership will…
Full article →
2025.01.28 — J-magic backdoor attacked Juniper Networks devices using 'magic packets'
A massive backdoor attack targeting Juniper routers often used as VPN gateways has been uncovered. The devices were attacked by the J-magic malware that…
Full article →