Cyber Resilience

CVE-2025-14821

High

Published: 07 April 2026

Modified: 25 April 2026
KEV Added
Patch
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (2.0th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-14821 is a high-severity Uncontrolled Search Path Element (CWE-427) vulnerability in libssh (inferred from references). Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557). Its exploit likelihood ranks at the 2.0th percentile (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-14821 is a vulnerability in the libssh library that stems from an insecure default configuration on Windows systems, where the library automatically loads SSH configuration files from the C:\etc directory. Unprivileged local users can create and modify this directory, which makes it an uncontrolled search path element (CWE-427). The flaw allows local man-in-the-middle attacks, security downgrades of SSH connections, and manipulation of trusted host information, posing risks to the confidentiality, integrity, and availability of SSH communications. It carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-04-07.

A local attacker with low privileges can exploit this vulnerability by creating or modifying configuration files in C:\etc to intercept SSH sessions, force downgrades to weaker security protocols, or alter trusted host data. Successful exploitation enables full compromise of SSH connection security, potentially leading to unauthorized access, data interception, or session hijacking on affected Windows systems using vulnerable libssh versions.

Red Hat advisories, including RHSA-2026:7067 and the CVE details at access.redhat.com, along with libssh's security releases for versions 0.12.0 and 0.11.4 documented at libssh.org, recommend updating to patched versions of libssh. These releases address the configuration loading issue, preventing automatic ingestion of untrusted files from C:\etc on Windows. Security practitioners should verify deployments, apply patches promptly, and review SSH configurations to mitigate local privilege abuse risks.
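As a way to verify a Windows host while patching is scheduled, the following PowerShell audit reports which principals outside a trusted set can write to C:\etc, or can create it under C:\ when it does not exist. It is an added example, not code from libssh or the advisories; the helper name `Get-UntrustedWriter` and the trusted SID list are assumptions to adapt locally.

```powershell
# Added example: audit the C:\etc search path named in the advisory.
$TrustedSids = @(                 # assumption: adjust to local policy
    'S-1-5-18',                   # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',               # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)
# Write-type rights, plus the GENERIC_WRITE and GENERIC_ALL bits that
# inheritable ACEs can carry as raw values.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x40000000 -bor 0x10000000
$InheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-UntrustedWriter {    # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$LiteralPath,
        [switch]$SelfOnly         # ignore inherit-only ACEs, which do not apply to the object itself
    )
    $acl = Get-Acl -LiteralPath $LiteralPath
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($TrustedSids -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        if ($SelfOnly -and (([int]$ace.PropagationFlags -band $InheritOnly) -ne 0)) { continue }
        $name = $ace.IdentityReference.Value   # keep the raw SID if it cannot be resolved
        try { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{
            Path = $LiteralPath; Principal = $name
            Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited
        }
    }
}

$Target = 'C:\etc'
if (Test-Path -LiteralPath $Target -PathType Container) {
    $owner = (Get-Acl -LiteralPath $Target).Owner
    Write-Output "$Target exists (owner: $owner); principals with write-type access:"
    Get-UntrustedWriter -LiteralPath $Target
    # Files already present beneath it deserve review regardless of the current ACL.
    Get-ChildItem -LiteralPath $Target -Recurse -File -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, LastWriteTime, @{ n = 'Owner'; e = { (Get-Acl -LiteralPath $_.FullName).Owner } }
} else {
    Write-Output "$Target is absent; principals able to create it under C:\ are:"
    Get-UntrustedWriter -LiteralPath 'C:\' -SelfOnly
}
```

Any row returned names a principal outside the trusted set that can write to the location libssh reads from by default on unpatched versions.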

Vulnerability details

A flaw was found in libssh. This vulnerability allows local man-in-the-middle attacks, security downgrades of SSH (Secure Shell) connections, and manipulation of trusted host information, posing a significant risk to the confidentiality, integrity, and availability of SSH communications via an insecure default configuration on Windows systems where the library automatically loads configuration files from the C:\etc directory, which can be created and modified by unprivileged local users.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1557 Adversary-in-the-Middle Credential Access
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.
Why these techniques?

Vulnerability enables local config poisoning for SSH MITM attacks and security downgrades via untrusted search path.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-9493 (Shared CWE-427)
CVE-2024-9495 (Shared CWE-427)
CVE-2026-24502 (Shared CWE-427)
CVE-2024-57963 (Shared CWE-427)
CVE-2026-23741 (Shared CWE-427)
CVE-2025-33229 (Shared CWE-427)
CVE-2025-21127 (Shared CWE-427)
CVE-2026-22619 (Shared CWE-427)
CVE-2025-48503 (Shared CWE-427)
CVE-2026-34054 (Shared CWE-427)

Affected Assets

libssh
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Requires timely identification, reporting, and correction of the libssh flaw, directly preventing exploitation via patched versions that block automatic loading from the untrusted C:\etc directory.

prevent

Establishes and enforces secure configuration settings for libssh to eliminate the insecure default behavior of loading SSH configs from writable C:\etc on Windows.

prevent

Restricts logical access for changes to system configurations, preventing unprivileged local users from creating or modifying SSH files in the vulnerable C:\etc directory.
