Security researchers at Qualys have disclosed two vulnerabilities in OpenSSH, the widely used implementation of the SSH protocol that ships with Linux and BSD systems. One flaw lets an attacker impersonate a server to a vulnerable client (a man-in-the-middle attack); the other lets an unauthenticated attacker exhaust memory and CPU on clients and servers (denial of service).
The first vulnerability (CVE-2025-26465) affects OpenSSH clients from version 6.8p1 through 9.9p1. When the VerifyHostKeyDNS option is enabled, a man-in-the-middle attacker can impersonate a legitimate server and intercept the SSH session; the attack works whether or not the target host actually publishes SSHFP records in DNS. The option is off by default in OpenSSH itself, but FreeBSD shipped it enabled by default between September 2013 and March 2023, so clients configured in that window may still have it turned on.
The second flaw (CVE-2025-26466) affects both clients and servers running OpenSSH 9.5p1 through 9.9p1. The keepalive ping messages introduced in 9.5p1 can be queued without bound, so an attacker can drive memory and CPU consumption on the peer before authentication takes place; no credentials are needed, which makes it a remote, pre-authentication denial of service.
"If an attacker exploits the man-in-the-middle vulnerability, they could intercept credentials, manipulate sensitive data, and move laterally across critical servers," explained Saeed Abbasi from Qualys. In the proof of concept, the attacker sitting between client and server floods the client with ping messages during the key exchange until its memory allocations start to fail, then presents a host key of its own choosing; a logic error in the way the client's VerifyHostKeyDNS code path handles that allocation failure lets the attacker's key pass verification, so the client proceeds with a session to the impostor.
Both vulnerabilities are fixed in OpenSSH 9.9p2, and administrators should upgrade as soon as their distribution ships the update (distributions that backport fixes may keep an older version string, so check the package changelog rather than the banner alone). Until then, setting VerifyHostKeyDNS to no on clients removes the man-in-the-middle precondition entirely. For the denial of service, tightening sshd settings such as LoginGraceTime, MaxStartups and, on 9.8p1 and later, PerSourcePenalties bounds how many unauthenticated connections can hold resources at once; this limits the impact of an attack but does not prevent it, so it is a stopgap rather than a fix.
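The following triage script is an added example and is not code from the article, from Qualys or from the OpenSSH project. It encodes the affected version ranges given above, checks whether a client's effective configuration enables VerifyHostKeyDNS, and reports the pre-authentication limits in an sshd_config. The function names are invented for this example; `ssh -V`, `ssh -G` and `sshd -T` are real OpenSSH commands, and the OpenSSH defaults quoted in the comments (LoginGraceTime 120 seconds, MaxStartups 10:30:100) are the documented ones.

```shell
#!/bin/sh
# Added example: triage helpers for CVE-2025-26465 and CVE-2025-26466.
# Function names are hypothetical; the version ranges come from the advisory.

# Turn an OpenSSH version string into an integer (major*10000 + minor*100 + patch)
# so that ranges can be compared numerically. Accepts the `ssh -V` banner
# ("OpenSSH_9.9p1, OpenSSL ...") or a bare "9.9p1". Prints nothing and returns 1
# when the string is not a recognisable OpenSSH portable version.
ssh_version_number() {
    triplet=$(printf '%s\n' "$1" | sed -n \
        's/^OpenSSH_//; s/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)p\([0-9][0-9]*\).*$/\1 \2 \3/p')
    [ -n "$triplet" ] || return 1
    set -- $triplet
    echo $(( $1 * 10000 + $2 * 100 + $3 ))
}

# $1 version string, $2 low bound, $3 high bound (both as integers from above).
# Returns 2 when the version cannot be parsed, so "unknown" is not mistaken for "safe".
version_in_range() {
    n=$(ssh_version_number "$1") || return 2
    [ "$n" -ge "$2" ] && [ "$n" -le "$3" ]
}

# CVE-2025-26465: clients 6.8p1 .. 9.9p1 (MITM when VerifyHostKeyDNS is enabled).
affected_by_cve_2025_26465() { version_in_range "$1" 60801 90901; }
# CVE-2025-26466: clients and servers 9.5p1 .. 9.9p1 (pre-auth DoS).
affected_by_cve_2025_26466() { version_in_range "$1" 90501 90901; }

# Read ssh_config text on stdin and return 0 if VerifyHostKeyDNS is enabled.
# Works on a raw config file (keywords are case-insensitive, "Key value" or
# "Key=value", first obtained value wins) and on the effective configuration
# printed by `ssh -G host`. Anything other than "no" is treated as enabled,
# which is the conservative reading.
client_config_enables_vhkd() {
    value=$(grep -i '^[[:space:]]*VerifyHostKeyDNS[[:space:]=]' | head -n 1 \
        | sed 's/^[[:space:]]*//; s/^[^[:space:]=]*[[:space:]=]*//' \
        | tr 'A-Z' 'a-z' | tr -d '[:space:]')
    [ -n "$value" ] && [ "$value" != "no" ]
}

# Read sshd_config text on stdin (or `sshd -T` output) and report the two
# pre-auth limits the article mentions. sshd uses the first obtained value for
# each keyword; when a keyword is absent the OpenSSH default is shown.
sshd_preauth_limits() {
    sed 's/^[[:space:]]*//' | awk -F'[[:space:]=]+' '
        tolower($1) == "logingracetime" && g == "" { g = $2 }
        tolower($1) == "maxstartups"    && m == "" { m = $2 }
        END { printf "LoginGraceTime=%s MaxStartups=%s\n",
                     (g == "" ? "120 (default)" : g), (m == "" ? "10:30:100 (default)" : m) }'
}

# Check the local client against both CVEs. $1 is the destination whose
# effective configuration should be examined; `ssh -G` resolves it without connecting.
triage_client() {
    v=$(ssh -V 2>&1)   # ssh prints its version banner on stderr
    if affected_by_cve_2025_26465 "$v"; then
        if ssh -G "$1" | client_config_enables_vhkd; then
            echo "VULNERABLE to CVE-2025-26465: $v with VerifyHostKeyDNS enabled for $1"
        else
            echo "CVE-2025-26465: $v is in the affected range but VerifyHostKeyDNS is off; upgrade to 9.9p2 anyway"
        fi
    fi
    if affected_by_cve_2025_26466 "$v"; then
        echo "CVE-2025-26466 (pre-auth DoS): $v; upgrade to 9.9p2 and bound LoginGraceTime/MaxStartups meanwhile"
    fi
}

# Usage: sh triage.sh bastion.example.com   (hostname is a placeholder)
if [ "$#" -gt 0 ]; then
    triage_client "$1"
fi
```

Run `sshd -T | sshd_preauth_limits` (as root) on servers to see the effective limits rather than grepping the file, since Match blocks and include files can change what sshd actually applies. The version check is only as good as the banner: distributions that backport the 9.9p2 fix into an older package keep the old version string, so treat a match here as a prompt to check the package changelog, not as proof of exposure.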
This disclosure follows another major OpenSSH vulnerability found by Qualys in July 2024, the regreSSHion flaw (CVE-2024-6387), which affected millions of internet-exposed servers. Given OpenSSH's central role in remote system administration, prompt patching remains the only complete remedy.