CVE-2025-14942

Critical

Published: 06 January 2026

Modified: 12 January 2026
CVSS v4 score: 9.4
CVSS v4 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Red
EPSS score: 0.0035 (26.7th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-14942 is a critical-severity Improper Authentication (CWE-287) vulnerability in wolfSSH. Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unsecured Credentials (T1552). The CVE ranks at the 26.7th percentile by exploit likelihood, below the median, and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2025-14942 is a critical vulnerability in the key exchange state machine of wolfSSH, an open-source SSH implementation. Attackers can manipulate the state machine to leak a client's password in plaintext, trick the client into sending a bogus signature, or cause the client to skip user authentication entirely. This flaw affects wolfSSH client applications in versions 1.4.21 and earlier; the same defect exists in server applications, though no specific server-side attacks are known.

The vulnerability is exploitable remotely over the network with low complexity, requiring no privileges or user interaction (CVSSv3.1 score of 9.8: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). An unauthenticated attacker impersonating a server can target connecting wolfSSH clients, achieving password disclosure, authentication bypass, or integrity violations through invalid signatures. This enables full compromise of client sessions, potentially leading to unauthorized access on the target system.

Mitigation requires updating wolfSSH client and server applications or applying the fix from the referenced pull request at https://github.com/wolfSSL/wolfssh/pull/855. Affected users should also rotate credentials due to potential plaintext leakage. The issue, reported by Aina Toky Rasoamanana of Valeo and Olivier Levillain of Telecom SudParis, is tied to CWE-287 (Improper Authentication).

Vulnerability details

wolfSSH’s key exchange state machine can be manipulated to leak the client’s password in the clear, trick the client to send a bogus signature, or trick the client into skipping user authentication. This affects client applications with wolfSSH version 1.4.21 and earlier. Users of wolfSSH must update or apply the fix patch and it’s recommended to update credentials used. This fix is also recommended for wolfSSH server applications. While there aren’t any specific attacks on server applications, the same defect is present. Thanks to Aina Toky Rasoamanana of Valeo and Olivier Levillain of Telecom SudParis for the report.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1552 Unsecured Credentials (Credential Access): Adversaries may search compromised systems to find and obtain insecurely stored credentials.
T1078 Valid Accounts (Stealth): Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

Why these techniques?

The vulnerability directly causes plaintext password disclosure (T1552 Unsecured Credentials) and allows skipping authentication (T1078 Valid Accounts) via malicious server impersonation during SSH key exchange.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-15382 (Same product: Wolfssh Wolfssh)
CVE-2024-12919 (Shared CWE-287)
CVE-2026-3655 (Shared CWE-287)
CVE-2026-0953 (Shared CWE-287)
CVE-2026-5722 (Shared CWE-287)
CVE-2026-30949 (Shared CWE-287)
CVE-2026-23906 (Shared CWE-287)
CVE-2025-67822 (Shared CWE-287)
CVE-2025-1475 (Shared CWE-287)
CVE-2025-22146 (Shared CWE-287)

Affected Assets

wolfssh / wolfssh: ≤ 1.4.22

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent: Directly requires timely identification, reporting, and remediation of flaws such as the wolfSSH key exchange state machine vulnerability through patching or updates.

prevent: Ensures cryptographic key establishment processes are robust, mitigating manipulation of the SSH key exchange state machine that leads to password leaks or authentication bypass.

prevent, recover: Mandates management and rotation of authenticators like passwords, directly addressing the plaintext leakage risk from this vulnerability.
