
Two vulnerabilities in OpenSSH, the widely used remote login tool, were disclosed this week, and one of them has been present in the code for more than ten years. The older flaw lets an attacker positioned between client and server impersonate the server, intercept credentials and hijack sessions, opening the way to sensitive data exfiltration and further attacks; the newer one allows a pre-authentication denial of service.
Qualys Threat Research Unit (TRU) disclosed both flaws on Tuesday, the same day the fixed OpenSSH version 9.9p2 was released.
The first flaw enables a man-in-the-middle attack: a malicious machine can impersonate a legitimate server, and the client may accept the attacker’s key in place of the real server’s host key.
“This would break the integrity of the SSH connection, enabling potential interception or tampering with the session before the user even realizes it,” the report warns.
“If compromised, hackers could view or manipulate sensitive data, move across multiple critical servers laterally, and exfiltrate valuable information such as database credentials.”
This flaw (CVE-2025-26465) was introduced in December 2014 and affects every OpenSSH client version from 6.8p1 through 9.9p1, but only when the VerifyHostKeyDNS option is enabled (set to yes or ask). The option is off by default in OpenSSH itself; FreeBSD, however, shipped it enabled by default from September 2013 until March 2023, so clients built on that base during that window are the most likely to be exposed.
According to the National Vulnerability Database, the issue occurs because OpenSSH mishandles error codes in specific conditions while verifying the host key with VerifyHostKeyDNS enabled.
“For an attack to be considered successful, the attacker needs to manage to exhaust the client's memory resource first, turning the attack complexity high,” the description reads.
The second vulnerability (CVE-2025-26466) exposes both the OpenSSH client and the server to a pre-authentication denial-of-service (DoS) attack: before any authentication takes place, a remote peer can drive memory and CPU consumption far out of proportion to its own effort. Qualys traces it to the handling of SSH2_MSG_PING packets, each of which is answered with a queued SSH2_MSG_PONG reply, with nothing bounding how many replies pile up before authentication. On a server this can cause prolonged outages of the remote administration service and lock legitimate administrators out, although the existing LoginGraceTime, MaxStartups and PerSourcePenalties settings limit how far a single attacker can push an sshd. This asymmetric resource-consumption flaw was introduced in August 2023 with OpenSSH 9.5p1 and affects versions 9.5p1 through 9.9p1.
“An enterprise facing this vulnerability could see critical servers become unreachable, interrupting routine operations and stalling essential maintenance tasks,” Qualys researchers warn.
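The two findings above reduce to two questions for a fleet: is the installed OpenSSH inside the affected ranges, and (for the MitM) does the client actually have VerifyHostKeyDNS turned on? The script below is an added example, not code from the article, Qualys or the OpenSSH project. It parses the banner that `ssh -V 2>&1` prints and the resolved client configuration that `ssh -G <host>` prints, using version ranges taken from the text; the function names, the sample banner and the sample config are this example's own constructions.

```shell
#!/bin/sh
# Added example (not from the article, Qualys or OpenSSH): classify an
# `ssh -V` banner against the version ranges given for CVE-2025-26465 and
# CVE-2025-26466, and check the VerifyHostKeyDNS client setting that the
# MitM depends on. All function names below are this example's own.

# Turn "OpenSSH_9.9p1, OpenSSL 3.0.13 ..." into an integer
# major*10000 + minor*100 + portable patch level, e.g. 90901.
# Assumption: a banner without a pN suffix (OpenBSD-native build) is
# treated as p1, which is how the ranges below are stated.
openssh_version_number() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    patch=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_[0-9][0-9]*\.[0-9][0-9]*p\([0-9][0-9]*\).*/\1/p')
    set -- $ver
    echo $(( $1 * 10000 + $2 * 100 + ${patch:-1} ))
}

# CVE-2025-26465 (client-side MitM): 6.8p1 through 9.9p1.
# Exit status 0 = version in range, 1 = outside, 2 = banner not parsed.
affected_cve_2025_26465() {
    n=$(openssh_version_number "$1") || return 2
    if [ "$n" -ge 60801 ] && [ "$n" -le 90901 ]; then return 0; else return 1; fi
}

# CVE-2025-26466 (pre-auth DoS, client and server): 9.5p1 through 9.9p1.
affected_cve_2025_26466() {
    n=$(openssh_version_number "$1") || return 2
    if [ "$n" -ge 90501 ] && [ "$n" -le 90901 ]; then return 0; else return 1; fi
}

# The MitM is only reachable when VerifyHostKeyDNS is yes or ask.
# Accepts the output of `ssh -G <host>` (lowercase keys, resolved for that
# host) or raw ssh_config text. Exit status 0 = enabled.
verify_host_key_dns_enabled() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' \
        | grep -Eq '^[[:space:]]*verifyhostkeydns[[:space:]=]+(yes|ask)[[:space:]]*$'
}

# Constructed sample inputs (not captured from a real host): what
# `ssh -V 2>&1` and `ssh -G bastion.example.internal` might print on an
# unpatched client that has VerifyHostKeyDNS switched on.
SAMPLE_BANNER='OpenSSH_9.9p1, OpenSSL 3.0.13 30 Jan 2024'
SAMPLE_SSH_G='hostname bastion.example.internal
user alice
verifyhostkeydns yes
stricthostkeychecking ask'

# Print one line per CVE for a banner and the resolved client config.
report() {
    banner=$1
    cfg=$2
    openssh_version_number "$banner" >/dev/null || { echo "unrecognised banner: $banner"; return 1; }
    if affected_cve_2025_26465 "$banner"; then
        if verify_host_key_dns_enabled "$cfg"; then
            echo "CVE-2025-26465: version in 6.8p1..9.9p1 and VerifyHostKeyDNS is yes/ask: exposed"
        else
            echo "CVE-2025-26465: version in 6.8p1..9.9p1, but VerifyHostKeyDNS is off: not reachable"
        fi
    else
        echo "CVE-2025-26465: version outside 6.8p1..9.9p1"
    fi
    if affected_cve_2025_26466 "$banner"; then
        echo "CVE-2025-26466: version in 9.5p1..9.9p1: pre-auth DoS applies to client and server"
    else
        echo "CVE-2025-26466: version outside 9.5p1..9.9p1"
    fi
}

report "$SAMPLE_BANNER" "$SAMPLE_SSH_G"
```

On a live machine, feed it `report "$(ssh -V 2>&1)" "$(ssh -G some-host)"` once per target host, because `ssh -G` resolves Host and Match blocks and VerifyHostKeyDNS can differ between them. Two caveats: a version-only check cannot see distribution backports (an Ubuntu banner such as `OpenSSH_9.6p1 Ubuntu-...` may already carry the fix under the old version number, so confirm against the vendor's advisory), and for the DoS on servers it is worth reading `sshd -T` for LoginGraceTime, MaxStartups and PerSourcePenalties, the knobs Qualys names as limiting the blast radius until 9.9p2 is deployed.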
OpenSSH is a widely used critical service for securely connecting to other computers over a network and transferring encrypted data over insecure networks. It replaced clear-text protocols such as Telnet and FTP by providing secure remote login, file transfers, port forwarding, and tunneling.
The OpenBSD Project, the volunteer-driven group that maintains OpenSSH alongside its operating system, acknowledged the issues and released version 9.9p2 on Tuesday to address both.
Qualys strongly recommends that all users upgrade to the latest OpenSSH release. The researchers have publicly released proof-of-concept code for the attack along with the technical details of how both vulnerabilities work.