According to the Qualys Threat Research Unit (TRU), the MiTM vulnerability tracked as CVE-2025-26465 was introduced in December 2014, just before the release of OpenSSH 6.8p1. In other words, it was discovered more than a decade later.
The bug affects OpenSSH clients with the VerifyHostKeyDNS option enabled and allows cybercriminals to deliver MiTM attacks.
“The attack against the OpenSSH client (CVE-2025-26465) succeeds regardless of whether the VerifyHostKeyDNS option is set to “yes” or “ask” (its default is “no”), requires no user interaction, and does not depend on the existence of an SSHFP resource record (an SSH fingerprint) in DNS,” – Qualys TRU.
If VerifyHostKeyDNS is enabled, incorrect error handling allows an attacker to trigger an Out of Memory error during verification; as a result, the client may accept a malicious key instead of the legitimate server’s key.
After intercepting an SSH connection and providing a SSH key with excessive certificate extensions, an attacker can exhaust the client’s memory, circumvent host verification, and hijack the session with the purpose to steal credentials, inject commands, or exfiltrate data.
Even though in OpenSSH the VerifyHostKeyDNS option is disabled by default, in FreeBSD, it was enabled by default from September 2013 and until March 2023.
The second vulnerability, CVE-2025-26466, enabling a pre-authentication denial-of-service attack first appeared in the OpenSSH version 9.5p1 released in August 2023. The issue occurs due to unlimited memory allocation during key exchange, which results in uncontrolled resource consumption.
To exploit this vulnerability, an unauthorized attacker can repeatedly send small (16 bytes) ping messages, thus, forcing OpenSSH to buffer 256-byte responses.
During the key exchange, these responses are stored indefinitely, which causes excessive memory consumption and CPU overload, which can result in a system crash.
The OpenSSH developers have already released version 9.9p2 where both vulnerabilities are fixed and strongly advise all users to upgrade as soon as possible. It is also recommended to disable VerifyHostKeyDNS if this feature isn’t essential.
2025.02.17 — Dutch police seize 127 servers belonging to Zservers hosting provider
Following the introduction of international sanctions against Zservers, Russian 'bulletproof' hosting services provider, the Dutch National Police (Politie) shut down and seized 127 servers belonging to Zservers/XHost.…
Full article →
2025.02.01 — Critical RCE vulnerability fixed in Cacti
A critical vulnerability has been discovered in the open-source Cacti framework: it enables an authenticated attacker to remotely execute arbitrary code. Vulnerability's ID is CVE-2025-22604; its…
Full article →
2025.02.18 — Chrome Enhanced Protection mode is now powered by AI
The Enhanced Protection mode in Google Chrome has been updated. Now it uses AI to protect users from dangerous sites, downloads, and extensions in real time.…
Full article →
2025.03.05 — Polish Space Agency disconnects its network due to hacker attack
Last weekend, the Polish Space Agency (POLSA) had to disconnect all of its systems from the Internet to localize an attack targeting its IT infrastructure. After discovering the intrusion,…
Full article →
2025.03.26 — Cloudflare to block all unencrypted traffic to its APIs
According to Cloudflare, effective immediately, only secure HTTPS connections to api.cloudflare.com will be accepted; while all HTTP ports are to be closed. The purpose of this decision…
Full article →
2025.03.24 — Alexa to stop processing data locally. All voice requests will be sent to Amazon Cloud
Amazon announced that the privacy option allowing users of Echo speakers to avoid sending their voice recordings to the company's cloud will no longer be supported. Effective March…
Full article →
2025.03.28 — Zero-day vulnerability in Windows results in NTLM hash leaks
Security experts reported a new zero-day vulnerability in Windows that enables remote attackers to steal NTLM credentials by tricking victims into viewing malicious files in Windows…
Full article →
2025.02.23 — New JavaScript obfuscation technique uses invisible Unicode characters
According to Juniper Threat Labs , a new JavaScript obfuscation technique that uses invisible Unicode characters was used in a phishing attack targeting Political Action…
Full article →
2025.04.22 — Scammers pose as FBI IC3 specialists, offer 'assistance' to fraud victims
According to the FBI, scammers impersonating employees of the FBI Internet Fraud Complaint Center (IC3) contact fraud victims offering them 'assistance' in getting their money…
Full article →
2025.01.25 — 18,000 script kiddies have been infected with backdoor via XWorm RAT builder
According to CloudSEK analysts, malefactors attack novice hackers using a fake malware builder. Script kiddies' systems become infected with a backdoor that steals data and subsequently…
Full article →