CVE-2025-14942
Published: 06 January 2026
Summary
CVE-2025-14942 is a critical-severity Improper Authentication (CWE-287) vulnerability in Wolfssh Wolfssh. Its CVSS base score is 9.4 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unsecured Credentials (T1552); ranked at the 26.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and IA-5 (Authenticator Management).
Deeper analysis
CVE-2025-14942 is a critical vulnerability in the key exchange state machine of wolfSSH, an open-source SSH implementation. Attackers can manipulate the state machine to leak a client's password in plaintext, trick the client into sending a bogus signature, or cause the client to skip user authentication entirely. This flaw affects wolfSSH client applications in versions 1.4.21 and earlier; the same defect exists in server applications, though no specific server-side attacks are known.
The vulnerability is exploitable remotely over the network with low complexity, requiring no privileges or user interaction (CVSSv3.1 score of 9.8: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). An unauthenticated attacker impersonating a server can target connecting wolfSSH clients, achieving password disclosure, authentication bypass, or integrity violations through invalid signatures. This enables full compromise of client sessions, potentially leading to unauthorized access on the target system.
Mitigation requires updating wolfSSH client and server applications or applying the fix from the referenced pull request at https://github.com/wolfSSL/wolfssh/pull/855. Affected users should also rotate credentials due to potential plaintext leakage. The issue, reported by Aina Toky Rasoamanana of Valeo and Olivier Levillain of Telecom SudParis, is tied to CWE-287 (Improper Authentication).
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-0990
Vulnerability details
wolfSSH’s key exchange state machine can be manipulated to leak the client’s password in the clear, trick the client to send a bogus signature, or trick the client into skipping user authentication. This affects client applications with wolfSSH version 1.4.21…
more
and earlier. Users of wolfSSH must update or apply the fix patch and it’s recommended to update credentials used. This fix is also recommended for wolfSSH server applications. While there aren’t any specific attacks on server applications, the same defect is present. Thanks to Aina Toky Rasoamanana of Valeo and Olivier Levillain of Telecom SudParis for the report.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vuln directly causes plaintext password disclosure (T1552 Unsecured Credentials) and allows skipping authentication (T1078 Valid Accounts) via malicious server impersonation during SSH key exchange.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires timely identification, reporting, and remediation of flaws such as the wolfSSH key exchange state machine vulnerability through patching or updates.
Ensures cryptographic key establishment processes are robust, mitigating manipulation of the SSH key exchange state machine that leads to password leaks or authentication bypass.
Mandates management and rotation of authenticators like passwords, directly addressing the plaintext leakage risk from this vulnerability.