Critical OpenSSH Vulnerabilities Could Enable Traffic Interception and Service Disruption



The Qualys Threat Research Unit (TRU) revealed two security flaws in OpenSSH that could enable attackers to intercept network traffic and disrupt services. The vulnerabilities affect multiple versions of the widely used secure networking tool.

The first vulnerability (CVE-2025-26465) allows attackers to perform man-in-the-middle attacks by impersonating legitimate servers when clients attempt connections. This flaw exists in OpenSSH versions 6.8p1 through 9.9p1 and requires the VerifyHostKeyDNS option to be enabled. While this setting is disabled by default in most implementations, FreeBSD systems used an enabled configuration between September 2013 and March 2023.

The second vulnerability (CVE-2025-26466) enables denial-of-service attacks against both OpenSSH clients and servers running versions 9.5p1 through 9.9p1. Attackers can exploit memory handling issues to cause system crashes and prevent administrators from managing servers.

"If compromised, hackers could view or manipulate sensitive data, move across multiple critical servers laterally, and exfiltrate valuable information such as database credentials," explained Saeed Abbasi, manager of product at Qualys TRU.

OpenSSH maintainers have released version 9.9p2 to patch both vulnerabilities. Users can also reduce risk by disabling VerifyHostKeyDNS on clients and by configuring LoginGraceTime, MaxStartups and PerSourcePenalties on servers.
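As an added illustration of those mitigations (this script is not from the article or from the OpenSSH project), the POSIX shell audit below reads an ssh_config or sshd_config file and reports whether the client setting VerifyHostKeyDNS is enabled and whether the server settings LoginGraceTime, MaxStartups and PerSourcePenalties are present and sensibly set. It assumes the standard "Keyword value" layout with '#' comments and first-occurrence-wins resolution; the numeric thresholds and the sample configuration files are this example's own constructed choices, not OpenSSH defaults.

```shell
#!/bin/sh
# Added example, not from the article or from OpenSSH: audit an ssh_config or
# sshd_config file for the settings the article names as mitigations.
# Assumptions: "Keyword value" layout separated by whitespace, '#' comments,
# case-insensitive keywords, first occurrence wins (as OpenSSH resolves them).
# Thresholds below are this example's own choices, not OpenSSH's defaults.

# get_opt FILE KEYWORD: print the lowercased value of the first match, or nothing.
get_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }            # skip comments and blank lines
        tolower($1) == key   { print tolower($2); exit }
    ' "$1"
}

# to_seconds VALUE: accept "30", "30s", "2m", "1h"; print seconds, or nothing
# when the value is not a time specification.
to_seconds() {
    n="${1%[smh]}"                               # strip one optional unit suffix
    case "$n" in
        ''|*[!0-9]*) return 0 ;;                 # not a number: print nothing
    esac
    case "$1" in
        *m) printf '%s\n' "$(( n * 60 ))" ;;
        *h) printf '%s\n' "$(( n * 3600 ))" ;;
        *)  printf '%s\n' "$n" ;;                # plain seconds or "Ns"
    esac
}

# audit_ssh_config client|server FILE: print findings; return 0 when none.
audit_ssh_config() {
    mode="$1"; f="$2"; rc=0
    case "$mode" in
    client)
        # CVE-2025-26465 needs VerifyHostKeyDNS enabled; unset means the default "no".
        v="$(get_opt "$f" VerifyHostKeyDNS)"
        case "$v" in
            yes|ask) echo "FINDING: VerifyHostKeyDNS $v (set it to no)"; rc=1 ;;
        esac ;;
    server)
        # Unauthenticated connections should be cut off quickly; 0 disables the limit.
        g="$(get_opt "$f" LoginGraceTime)"
        s="$(to_seconds "$g")"
        if [ -z "$s" ]; then
            echo "FINDING: LoginGraceTime '${g:-unset}' missing or unparseable (set e.g. 30)"; rc=1
        elif [ "$s" -eq 0 ] || [ "$s" -gt 60 ]; then
            echo "FINDING: LoginGraceTime $g is unlimited or above 60s"; rc=1
        fi
        # This example wants the start:rate:full form so random early drop applies.
        m="$(get_opt "$f" MaxStartups)"
        case "$m" in
            '')    echo "FINDING: MaxStartups unset (set start:rate:full, e.g. 10:30:60)"; rc=1 ;;
            *:*:*) ;;
            *)     echo "FINDING: MaxStartups $m lacks the start:rate:full form"; rc=1 ;;
        esac
        # PerSourcePenalties (OpenSSH 9.8 and later) takes yes, no, or a keyword list.
        p="$(get_opt "$f" PerSourcePenalties)"
        case "$p" in
            '') echo "FINDING: PerSourcePenalties unset (needs OpenSSH 9.8 or later)"; rc=1 ;;
            no) echo "FINDING: PerSourcePenalties no"; rc=1 ;;
        esac ;;
    *)
        echo "usage: audit_ssh_config client|server FILE" >&2; return 2 ;;
    esac
    return "$rc"
}

# Constructed sample files (not any real host's configuration).
weak_client="$(mktemp)"; hard_server="$(mktemp)"
cat >"$weak_client" <<'EOF'
# mirrors the enabled client setting the article attributes to FreeBSD
VerifyHostKeyDNS yes
EOF
cat >"$hard_server" <<'EOF'
LoginGraceTime 30
MaxStartups 10:30:60
PerSourcePenalties yes
EOF
audit_ssh_config client "$weak_client" || echo "client config: not hardened"
audit_ssh_config server "$hard_server" && echo "server config: hardened"
rm -f "$weak_client" "$hard_server"
```

Run it against a real file with `audit_ssh_config server /etc/ssh/sshd_config`; because OpenSSH honours the first occurrence of a keyword, the parser stops at the first match instead of the last, and a clean exit status makes the check usable from a configuration-management test.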

The discovery follows Qualys TRU's previous finding of the regreSSHion vulnerability in July 2024, which potentially affected over 14 million internet-exposed OpenSSH servers.

OpenSSH remains a critical component for secure communications across Unix-like operating systems including Linux and macOS. The widespread deployment of OpenSSH makes these vulnerabilities particularly concerning for system administrators and security professionals.