Newly-discovered vulnerabilities in OpenSSH open the door to MiTM and DoS attacks


Date: 20/02/2025

OpenSSH fixed two vulnerabilities that could result in MiTM and denial of service (DoS) attacks. Interestingly, one of these bugs appeared in the code more than 10 years ago.

According to the Qualys Threat Research Unit (TRU), the MiTM vulnerability tracked as CVE-2025-26465 was introduced in December 2014, just before the release of OpenSSH 6.8p1. In other words, it was discovered more than a decade later.

The bug affects OpenSSH clients with the VerifyHostKeyDNS option enabled and allows cybercriminals to carry out MiTM attacks.

“The attack against the OpenSSH client (CVE-2025-26465) succeeds regardless of whether the VerifyHostKeyDNS option is set to “yes” or “ask” (its default is “no”), requires no user interaction, and does not depend on the existence of an SSHFP resource record (an SSH fingerprint) in DNS,” – Qualys TRU.

If VerifyHostKeyDNS is enabled, incorrect error handling allows an attacker to trigger an Out of Memory error during verification; as a result, the client may accept a malicious key instead of the legitimate server’s key.

After intercepting an SSH connection and presenting an SSH key with excessive certificate extensions, an attacker can exhaust the client’s memory, circumvent host verification, and hijack the session to steal credentials, inject commands, or exfiltrate data.

Even though the VerifyHostKeyDNS option is disabled by default in OpenSSH, in FreeBSD it was enabled by default from September 2013 until March 2023.

The second vulnerability, CVE-2025-26466, enables a pre-authentication denial-of-service attack and first appeared in OpenSSH version 9.5p1, released in August 2023. The issue is caused by unlimited memory allocation during key exchange, which results in uncontrolled resource consumption.

To exploit this vulnerability, an unauthenticated attacker can repeatedly send small (16-byte) ping messages, forcing OpenSSH to buffer 256-byte responses.

During the key exchange, these responses are stored indefinitely, causing excessive memory consumption and CPU overload that can result in a system crash.

The OpenSSH developers have already released version 9.9p2, which fixes both vulnerabilities, and strongly advise all users to upgrade as soon as possible. It is also recommended to disable VerifyHostKeyDNS if this feature isn’t essential.
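
To check a client against both recommendations, the following added example (not code from OpenSSH or Qualys) classifies an `ssh -V` banner and the `ssh -G` configuration dump using the version ranges given in this article. The function names and sample banners are constructed for illustration, and the check assumes upstream version numbers, so distribution packages with backported fixes will still be flagged.

```sh
#!/bin/sh
# Added example: version ranges are taken from the article above.
# Assumption: upstream version numbers only; distro backports are not detected.

# "ssh -V" banner -> sortable integer (major*10000 + minor*100 + patch).
ssh_version_num() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_[^0-9]*\([0-9]*\)\.\([0-9]*\)p\{0,1\}\([0-9]*\).*/\1 \2 \3/p' |
        awk '{ printf "%d\n", $1 * 10000 + $2 * 100 + $3 }'
}

# Effective VerifyHostKeyDNS value from "ssh -G <host>" output.
vhkd_value() {
    printf '%s\n' "$1" |
        awk 'tolower($1) == "verifyhostkeydns" { print tolower($2); exit }'
}

# assess BANNER SSH_G_OUTPUT -> "ok", "unknown", or the CVE ids that apply.
assess() {
    ver=$(ssh_version_num "$1")
    vhkd=$(vhkd_value "$2")
    [ -n "$ver" ] || { echo "unknown"; return 0; }
    out=""
    # CVE-2025-26465: 6.8p1 up to (not including) 9.9p2, option "yes" or "ask"
    # (the -G dump may report "yes" as "true", so both spellings are accepted).
    if [ "$ver" -ge 60801 ] && [ "$ver" -lt 90902 ]; then
        case "$vhkd" in
            yes|true|ask) out="CVE-2025-26465" ;;
        esac
    fi
    # CVE-2025-26466: 9.5p1 up to (not including) 9.9p2, any configuration.
    if [ "$ver" -ge 90501 ] && [ "$ver" -lt 90902 ]; then
        out="${out:+$out }CVE-2025-26466"
    fi
    echo "${out:-ok}"
}

# Constructed sample inputs (not captured from real hosts).
assess 'OpenSSH_9.6p1 Ubuntu-3ubuntu13.5, OpenSSL 3.0.13' 'verifyhostkeydns ask'
assess 'OpenSSH_8.9p1, OpenSSL 3.0.2' 'verifyhostkeydns false'
assess 'OpenSSH_9.9p2, OpenSSL 3.0.15' 'verifyhostkeydns true'

# Live use against the local client and one destination (hypothetical host):
#   assess "$(ssh -V 2>&1)" "$(ssh -G host.example)"
```

Because `Host` and `Match` blocks can enable the option for individual destinations, run the `ssh -G` check per destination rather than once per machine.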
