Vulnerability DatabaseCVE-2025-26465
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2025-26465
February 18, 2025
In OpenSSH versions 6.8p1 to 9.9p1, a logic error in ssh(1) allowed an on-path attacker to impersonate any server when the VerifyHostKeyDNS option is enabled. This option is disabled by default.
Related ResourcesĀ (27)
http://seclists.org/fulldisclosure/2025/Feb/18
http://seclists.org/fulldisclosure/2025/May/7
https://access.redhat.com/errata/RHSA-2025:6993
https://www.theregister.com/2025/02/18/openssh_vulnerabilities_mitm_dos/
https://access.redhat.com/errata/RHSA-2025:16823
https://blog.qualys.com/vulnerabilities-threat-research/2025/02/18/qualys-tru-discovers-two-vulnerabilities-in-openssh-cve-2025-26465-cve-2025-26466
https://security.netapp.com/advisory/ntap-20250228-0003/
https://security.alpinelinux.org/vuln/CVE-2025-26465
https://bugzilla.suse.com/show_bug.cgi?id=1237040
https://www.openssh.com/security.html
https://www.vicarius.io/vsociety/posts/cve-2025-26465-detect-vulnerable-openssh
https://access.redhat.com/security/cve/CVE-2025-26465
https://ubuntu.com/security/CVE-2025-26465
https://www.vicarius.io/vsociety/posts/cve-2025-26465-mitigate-vulnerable-openssh
https://www.openwall.com/lists/oss-security/2025/02/18/1
https://www.openssh.com/releasenotes.html#9.9p2
https://lists.debian.org/debian-lts-announce/2025/02/msg00020.html
https://lists.mindrot.org/pipermail/openssh-unix-announce/2025-February/000161.html
https://security-tracker.debian.org/tracker/CVE-2025-26465
https://access.redhat.com/solutions/7109879
https://www.openwall.com/lists/oss-security/2025/02/18/4
https://access.redhat.com/errata/RHSA-2025:3837
http://seclists.org/fulldisclosure/2025/May/8
https://ftp.openbsd.org/pub/OpenBSD/patches/7.6/common/008_ssh.patch.sig
https://bugzilla.redhat.com/show_bug.cgi?id=2344780
https://seclists.org/oss-sec/2025/q1/144
https://access.redhat.com/errata/RHSA-2025:8385
Do you need more information?
Contact Us
CVSS v4
Base Score:
7.6
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
PASSIVE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.8
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
NONE
Weakness Type (CWE)
Detection of Error Condition Without Action
CWE-390
EPSS
Base Score:
59.97