CVE-2025-26465
Published: 18 February 2025
Summary
CVE-2025-26465 is a medium-severity Detection of Error Condition Without Action (CWE-390) vulnerability in OpenBSD OpenSSH. Its CVSS base score is 6.8 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557). The CVE ranks in the top 1.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Timely flaw remediation (SI-2) directly patches the OpenSSH vulnerability, preventing MitM exploitation; Red Hat errata such as RHSA-2025:16823 carry the fix.
Configuration settings (CM-6) enforce disabling the VerifyHostKeyDNS option in OpenSSH clients, removing the condition under which the error-code mishandling can be reached.
Remote access controls require cryptographic mechanisms and host verification for SSH, limiting MitM impersonation risk even where the flaw is present.
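As an added example (not part of this advisory page), a POSIX shell check for the CM-6 mitigation above: it reads the effective client configuration as printed by `ssh -G <host>` and flags VerifyHostKeyDNS set to yes or ask. The function names and the sample configuration lines are constructed here.

```shell
#!/bin/sh
# Added example: audit the effective OpenSSH client setting for VerifyHostKeyDNS.
# `ssh -G <host>` prints the resolved configuration as "keyword value" lines
# with lowercase keywords; VerifyHostKeyDNS is shown as yes, no or ask.
# Mixed-case keywords as written in ssh_config are accepted as well.

# check_verifyhostkeydns CONFIG_TEXT
#   returns 0 when VerifyHostKeyDNS is "no" (mitigation in place),
#           1 when it is "yes" or "ask" (the precondition for CVE-2025-26465),
#           2 when the keyword is missing or has an unexpected value.
check_verifyhostkeydns() {
    value=$(printf '%s\n' "$1" |
        awk 'tolower($1) == "verifyhostkeydns" { print tolower($2); exit }')
    case "$value" in
        no)      return 0 ;;
        yes|ask) return 1 ;;
        *)       return 2 ;;
    esac
}

# audit_host HOST: run the live check against the real client configuration.
# (Hypothetical wrapper; needs the ssh binary and is not exercised offline.)
audit_host() {
    cfg=$(ssh -G "$1" 2>/dev/null) || { echo "ssh -G failed for $1" >&2; return 2; }
    check_verifyhostkeydns "$cfg"
    rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "$1: VerifyHostKeyDNS no (CM-6 mitigation in place)"
    else
        echo "$1: VerifyHostKeyDNS not disabled; set 'VerifyHostKeyDNS no' in ssh_config" >&2
    fi
    return "$rc"
}

# Constructed sample outputs standing in for `ssh -G` on two hosts.
SAFE_CFG='host bastion.example.internal
hostname bastion.example.internal
verifyhostkeydns no
stricthostkeychecking ask'

VULN_CFG='host legacy.example.internal
hostname legacy.example.internal
VerifyHostKeyDNS yes
stricthostkeychecking ask'
```

Run `audit_host <host>` from a shell that has the OpenSSH client installed to check a real host entry.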
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables a machine-in-the-middle attack allowing impersonation of legitimate SSH servers by bypassing host key verification in OpenSSH clients when VerifyHostKeyDNS is enabled.
NVD Description
A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server. This issue occurs due to how OpenSSH mishandles error codes in specific conditions when verifying the host key. For an attack to be considered successful, the attacker needs to manage to exhaust the client's memory resource first, turning the attack complexity high.
Deeper analysis
CVE-2025-26465 is a vulnerability in OpenSSH that arises when the VerifyHostKeyDNS option is enabled. It stems from OpenSSH's mishandling of error codes under specific conditions during host key verification, allowing a malicious machine to impersonate a legitimate server in a machine-in-the-middle (MitM) attack. The issue is classified under CWE-390 (Detection of Error Condition Without Action) and carries a CVSS v3.1 base score of 6.8 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N).
A remote attacker with network access can exploit this vulnerability by positioning themselves on the network path between the client and server. Exploitation requires user interaction, such as initiating an SSH connection, and has high attack complexity, since the client's memory resources must be exhausted beforehand. Successful exploitation lets the attacker impersonate the legitimate server, compromising the confidentiality and integrity of the SSH session.
Red Hat has issued multiple security errata addressing this vulnerability, including RHSA-2025:16823, RHSA-2025:3837, RHSA-2025:6993, and RHSA-2025:8385, with additional details available on their CVE page at https://access.redhat.com/security/cve/CVE-2025-26465. These advisories provide patches and mitigation guidance for affected systems.
Details
- CWE(s)