CVE-2025-14821
Published: 07 April 2026
Summary
CVE-2025-14821 is a high-severity Uncontrolled Search Path Element (CWE-427) vulnerability in libssh (inferred from references). Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557). The CVE ranks at the 1.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires timely identification, reporting, and correction of the libssh flaw, directly preventing exploitation via patched versions that block automatic loading from the untrusted C:\etc directory.
Establishes and enforces secure configuration settings for libssh to eliminate the insecure default behavior of loading SSH configs from writable C:\etc on Windows.
Restricts logical access for changes to system configurations, preventing unprivileged local users from creating or modifying SSH files in the vulnerable C:\etc directory.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables local config poisoning for SSH MITM attacks and security downgrades via an untrusted search path.
NVD Description
A flaw was found in libssh. This vulnerability allows local man-in-the-middle attacks, security downgrades of SSH (Secure Shell) connections, and manipulation of trusted host information, posing a significant risk to the confidentiality, integrity, and availability of SSH communications via an insecure default configuration on Windows systems where the library automatically loads configuration files from the C:\etc directory, which can be created and modified by unprivileged local users.
Deeper analysis
CVE-2025-14821 is a vulnerability in the libssh library that stems from an insecure default configuration on Windows systems, where the library automatically loads SSH configuration files from the C:\etc directory. This directory can be created and modified by unprivileged local users, which makes it a CWE-427 (Uncontrolled Search Path Element) weakness. The flaw allows local man-in-the-middle attacks, security downgrades of SSH connections, and manipulation of trusted host information, posing risks to the confidentiality, integrity, and availability of SSH communications. It carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-04-07.
A local attacker with low privileges can exploit this vulnerability by creating or modifying configuration files in C:\etc to intercept SSH sessions, force downgrades to weaker security protocols, or alter trusted host data. Successful exploitation enables full compromise of SSH connection security, potentially leading to unauthorized access, data interception, or session hijacking on affected Windows systems using vulnerable libssh versions.
Red Hat advisories, including RHSA-2026:7067 and the CVE details at access.redhat.com, along with libssh's security releases for versions 0.12.0 and 0.11.4 documented at libssh.org, recommend updating to patched versions of libssh. These releases address the configuration loading issue, preventing automatic ingestion of untrusted files from C:\etc on Windows. Security practitioners should verify deployments, apply patches promptly, and review SSH configurations to mitigate local privilege abuse risks.
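To support the "verify deployments" step above, the following PowerShell audit is an added example, not code from libssh, Red Hat, or this advisory. It reports which principals outside a trusted list can write to C:\etc, or can create it if it is absent, and lists any files already there. The function name `Test-UntrustedConfigDir` and the trusted-SID list are assumptions to adapt to local policy; only the path C:\etc comes from the page.

```powershell
# Added audit example. 'C:\etc' is the path named in the advisory; the function
# name and the trusted-SID list are assumptions, not part of libssh.
function Test-UntrustedConfigDir {
    param([string]$Path = 'C:\etc')

    $trusted = @(
        'S-1-5-18'       # NT AUTHORITY\SYSTEM
        'S-1-5-32-544'   # BUILTIN\Administrators
    )
    # Rights that let a principal plant, replace, or re-permission files.
    $writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $sidType = [System.Security.Principal.SecurityIdentifier]

    # If the directory is absent, the question is who may create it,
    # so the parent's ACL is inspected instead.
    $exists = Test-Path -LiteralPath $Path -PathType Container
    $target = if ($exists) { $Path } else { Split-Path -Path $Path -Parent }

    $acl = Get-Acl -LiteralPath $target
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.PropagationFlags -band $inheritOnly) { continue }   # does not apply to $target itself
        if (-not ($ace.FileSystemRights -band $writeMask)) { continue }
        $sid = $ace.IdentityReference.Value
        if ($trusted -contains $sid) { continue }
        # Resolve the SID to a readable name where possible.
        $name = try { $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid }
        [pscustomobject]@{
            Checked   = $target
            DirExists = $exists
            Principal = $name
            Rights    = $ace.FileSystemRights
        }
    }
}

# Report write-capable principals, then inventory files already present.
Test-UntrustedConfigDir | Format-Table -AutoSize
if (Test-Path -LiteralPath 'C:\etc' -PathType Container) {
    Get-ChildItem -LiteralPath 'C:\etc' -Recurse -File -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, LastWriteTime,
            @{ Name = 'Owner'; Expression = { (Get-Acl -LiteralPath $_.FullName).Owner } }
}
```

Any row in the first table names a principal outside the trusted list that can write into the directory or create it; any file in the second listing that is not owned by an administrative account deserves review.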
Details
- CWE(s)