SecurityWeek

OpenSSH Patches Vulnerabilities Allowing MitM, DoS Attacks

The latest OpenSSH update patches two vulnerabilities, including one that enabled MitM attacks with no user interaction.

On Tuesday, the developers of OpenSSH, the popular open source implementation of the Secure Shell (SSH) protocol, rolled out patches for two vulnerabilities, one exploitable without user interaction and the other without authentication.

OpenSSH provides encrypted remote login, command execution and file transfer over a client-server architecture, and ships with most modern operating systems on both desktop and mobile devices.

The first of the newly addressed vulnerabilities, tracked as CVE-2025-26465, impacts the OpenSSH client only when the VerifyHostKeyDNS option is enabled, and can be exploited by a man-in-the-middle (MitM) attacker to impersonate a server.

The VerifyHostKeyDNS configuration option allows the SSH client to verify a server’s host key using SSHFP records in the DNS.

According to Qualys, which identified and reported CVE-2025-26465, the flaw can be exploited whether VerifyHostKeyDNS is set to "yes" or to "ask", without user interaction, and even if no SSHFP resource record exists for the server. In other words, simply having the option turned on is enough; the DNS records it was meant to consult never need to be present.

The security defect was introduced in OpenSSH in December 2014, shortly before the 6.8p1 release. VerifyHostKeyDNS is disabled by default in OpenSSH itself, but FreeBSD shipped it enabled by default between September 2013 and March 2023, so clients built from that era's FreeBSD defaults were exposed without any local configuration change.

“If an attacker can perform a man-in-the-middle attack via CVE-2025-26465, the client may accept the attacker’s key instead of the legitimate server’s key. This would break the integrity of the SSH connection, enabling potential interception or tampering with the session before the user even realizes it,” Qualys says.
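Whether a given client is exposed therefore comes down to the effective value of VerifyHostKeyDNS for the hosts it connects to, and ssh_config resolves that value by a rule that is easy to get wrong: the first value obtained for a keyword wins, and a Host block only contributes values for hosts matching its patterns. The following is an added example, not code from the article, from Qualys or from the OpenSSH project: a POSIX shell and awk function that resolves the effective VerifyHostKeyDNS setting for a host name from ssh_config text. It assumes only plain Host blocks with `*` and `?` globs (no Match blocks, no `!` negation), and both constructed sample configs are inline so it runs offline.

```shell
#!/bin/sh
# Added example (not code from the article or from OpenSSH): resolve the effective
# VerifyHostKeyDNS value for a host from ssh_config text. OpenSSH rule: the FIRST
# obtained value for a keyword wins, and a Host block applies only to hosts that
# match one of its patterns. Assumptions: only "Host" blocks with '*'/'?' globs
# are handled (no Match blocks, no '!' negation); "keyword value" and
# "keyword=value" spellings are both accepted.

# Constructed sample: a user-level config with per-host overrides.
SAMPLE_CONFIG='# ~/.ssh/config (constructed sample)
Host bastion.example.net
    VerifyHostKeyDNS ask

Host *.corp.example.com
    User deploy
    verifyhostkeydns=yes

Host *
    ForwardAgent no
'

# Constructed sample: the same config preceded by a global setting. Because the
# first obtained value wins, the later per-host "yes" never takes effect.
SAMPLE_CONFIG_GLOBAL_FIRST="VerifyHostKeyDNS no
$SAMPLE_CONFIG"

# effective_vhkd <config-text> <hostname>  -> prints yes | ask | no
# "no" is the compiled-in OpenSSH default when no directive applies.
effective_vhkd() {
    printf '%s\n' "$1" | awk -v host="$2" '
        # Turn an ssh Host glob into an anchored ERE.
        function matches(pat,    re) {
            re = pat
            gsub(/\./, "\\\\.", re)    # literal dots
            gsub(/\*/, ".*", re)       # * -> any run of characters
            gsub(/\?/, ".", re)        # ? -> any single character
            return host ~ ("^" re "$")
        }
        BEGIN { active = 1 }          # directives before any Host block apply everywhere
        /^[ \t]*#/ { next }           # comment lines
        NF == 0 { next }              # blank lines
        {
            sub(/^[ \t]+/, "")
            split($0, f, /[ \t=]+/)
            key = tolower(f[1])
            if (key == "host") {
                active = 0
                for (i = 2; i in f; i++) if (matches(f[i])) active = 1
                next
            }
            if (active && key == "verifyhostkeydns" && found == "")
                found = tolower(f[2])
        }
        END { print (found == "" ? "no" : found) }'
}

# Stand-alone demo.
for h in bastion.example.net build01.corp.example.com github.com; do
    printf '%-28s VerifyHostKeyDNS=%s\n' "$h" "$(effective_vhkd "$SAMPLE_CONFIG" "$h")"
done
printf '%-28s VerifyHostKeyDNS=%s (global "no" listed first wins)\n' \
    build01.corp.example.com \
    "$(effective_vhkd "$SAMPLE_CONFIG_GLOBAL_FIRST" build01.corp.example.com)"
```

On a real system, `ssh -G hostname | grep -i verifyhostkeydns` prints the value the installed client actually resolves (including /etc/ssh/ssh_config and the compiled-in default), and is the authoritative check; the function above is useful for auditing config files at rest, for example across a fleet's dotfiles, where running the client is not an option. The second constructed config shows the trap: a single global "VerifyHostKeyDNS no" placed before any Host block overrides every later per-host setting, and the reverse ordering is just as silent when a global "yes" is listed first.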

Tracked as CVE-2025-26466, the second bug resolved in OpenSSH on Tuesday impacts both the client and the server, and can be exploited before authentication to cause a denial-of-service (DoS) condition through asymmetric consumption of memory and CPU resources: the attacker spends far less than the peer it is exhausting. The bug was introduced in August 2023, shortly before the 9.5p1 release.


According to Qualys, an attacker could repeatedly exploit CVE-2025-26466 to cause prolonged outages, preventing both administrators and end-users from using OpenSSH.

“An enterprise facing this vulnerability could see critical servers become unreachable, interrupting routine operations, and stalling essential maintenance tasks,” Qualys notes.

OpenSSH version 9.9p2 was released on Tuesday with fixes for both vulnerabilities. Users are advised to update their instances as soon as possible. Where an immediate upgrade is not possible, setting VerifyHostKeyDNS to "no" on clients removes exposure to CVE-2025-26465, and on servers the existing LoginGraceTime, MaxStartups and PerSourcePenalties (OpenSSH 9.8 and later) settings in sshd_config limit how much damage a single source can do with CVE-2025-26466.
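A fleet-wide check starts from the version banner each host reports. Below is an added example, not code from the article, from Qualys or from OpenSSH, that parses an `ssh -V` or `sshd -V` banner into a comparable number and reports the status for each CVE. The affected ranges it encodes (6.8p1 through 9.9p1 for CVE-2025-26465, 9.5p1 through 9.9p1 for CVE-2025-26466) are those given in the Qualys advisory and are an assumption of the script rather than something the article states; the banners it runs over are constructed.

```shell
#!/bin/sh
# Added example (not code from the article, Qualys or OpenSSH): triage an
# "ssh -V" / "sshd -V" banner against the two CVEs. Affected ranges are those
# the Qualys advisory gives (an assumption of this script, not stated in the
# article): CVE-2025-26465 6.8p1..9.9p1, CVE-2025-26466 9.5p1..9.9p1.
# Caveat: distributions backport fixes without changing the upstream version
# string, so read "affected" as "check the distro changelog", not as proof.

# version_key "<banner>" -> prints major*10000 + minor*100 + portable patch,
# e.g. OpenSSH_9.9p1 -> 90901. Exit status 1 if no OpenSSH version is found.
version_key() {
    printf '%s\n' "$1" | awk '
        match($0, /OpenSSH_[0-9]+\.[0-9]+(p[0-9]+)?/) {
            v = substr($0, RSTART + 8, RLENGTH - 8)   # strip "OpenSSH_"
            n = split(v, a, /[.p]/)
            patch = (n >= 3) ? a[3] : 0                # non-portable builds have no pN
            printf "%d\n", a[1] * 10000 + a[2] * 100 + patch
            found = 1
            exit
        }
        END { if (!found) exit 1 }'
}

# in_range <key> <lo> <hi> -> exit 0 when lo <= key <= hi
in_range() { [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]; }

# cve_status <banner> <26465|26466> -> prints affected | not-affected | unknown
cve_status() {
    key=$(version_key "$1") || { echo unknown; return 0; }
    case $2 in
        26465) lo=60801 ;;   # 6.8p1
        26466) lo=90501 ;;   # 9.5p1
        *) echo unknown; return 0 ;;
    esac
    # Both ranges end at 9.9p1; 9.9p2 is the first fixed release.
    if in_range "$key" "$lo" 90901; then echo affected; else echo not-affected; fi
}

# Stand-alone demo over constructed banners (real ones come from `ssh -V 2>&1`).
for banner in \
    'OpenSSH_9.9p1, OpenSSL 3.0.13 30 Jan 2024' \
    'OpenSSH_9.9p2, OpenSSL 3.0.13 30 Jan 2024' \
    'OpenSSH_9.4p1, OpenSSL 3.1.1 30 May 2023' \
    'OpenSSH_9.9, LibreSSL 4.0.0' \
    'dropbear v2024.85'
do
    printf '%-45s 26465:%-13s 26466:%s\n' "$banner" \
        "$(cve_status "$banner" 26465)" "$(cve_status "$banner" 26466)"
done
```

The 9.4p1 row illustrates why the two CVEs need separate ranges: a client from mid-2023 is exposed to the host-key flaw (if VerifyHostKeyDNS is on) but predates the DoS bug entirely. A banner from a distribution package such as Debian or Ubuntu will usually report the pre-fix upstream version even after the vendor has backported the patch, so pair this check with the package changelog or the vendor's CVE tracker before filing anything as unpatched.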


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
