CVE-2023-25136

MEDIUM IN THE WILD

OpenSSH 9.1 - Unauthenticated Double Free in KEX Algorithms Handling

Title source: llm

Exploitation Summary

CVE-2023-25136 has been observed exploited in the wild (reported by InTheWild.io). EIP tracks 11 public exploits from researchers including Christbowel, adhikara13, jfrog.

AI-analyzed exploit summary: The repository contains a scanner for CVE-2023-25136, which targets OpenSSH 9.1's pre-authentication double-free vulnerability. The scripts check for vulnerability by attempting to connect to SSH servers but do not include functional exploit code for arbitrary code execution.

Description

OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be leveraged, by an unauthenticated remote attacker in the default configuration, to jump to any location in the sshd address space. One third-party report states "remote code execution is theoretically possible."

Root cause: the first free happens in compat_kex_proposal() in compat.c. When the client's version banner matches a bug-compatibility pattern that sets SSH_OLD_DHGEX but not SSH_BUG_CURVE25519PAD, the 9.1 code filters the diffie-hellman-group-exchange methods out of the list it was handed and then frees that list, which is sshd's own options.kex_algorithms; sshd frees the same pointer again later. The version banner is the first thing a client sends, so no authentication is involved. Because sshd services each connection in a forked child, the crash that the DoS proofs of concept below produce kills only that child, not the listening daemon. 9.2 fixes the function so that it always returns a newly allocated list and never frees its input.
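The following is an added illustration, not OpenSSH's code and not any of the proofs of concept listed on this page: a reduced C model of the ownership pattern in compat_kex_proposal() before and after the fix. The compat flag names are OpenSSH's, but their values, the small denylist helper and the free-tracking are assumptions made so that the double free can be reported instead of triggered; the FuTTYSH_9.1p1 client banner mentioned in the comments is the one the Qualys post under References used.

```c
/* Added illustration, NOT OpenSSH's source: a reduced model of compat_kex_proposal()
 * in OpenSSH 9.1 and after the 9.2 fix. Flag names follow OpenSSH's; values are assumed. */
#include <stdlib.h>
#include <string.h>

#define SSH_BUG_CURVE25519PAD 0x1u
#define SSH_OLD_DHGEX         0x2u
#define CURVE_DENY "curve25519-sha256@libssh.org"
#define DHGEX_DENY "diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1"
struct ssh { unsigned compat; };   /* stand-in for sshd's per-connection state */
/* One caller-owned pointer is watched and frees of it counted, so the double
 * free is reported rather than performed. */
static const void *watched;
static int watched_frees;

static void tracked_free(void *p)
{
    if (p != NULL && p == watched) watched_frees++;
    free(p);
}

/* Is the n-byte name a whole entry of the comma-separated list "deny"? */
static int denied(const char *name, size_t n, const char *deny)
{
    for (const char *d = deny; ; d = strchr(d, ',') + 1) {
        size_t m = strcspn(d, ",");
        if (m == n && memcmp(d, name, n) == 0) return 1;
        if (d[m] == '\0') return 0;
    }
}

/* Return a NEW list without the denied names (match_filter_denylist()'s job). */
char *filter_denylist(const char *list, const char *deny)
{
    char *out = calloc(strlen(list) + 1, 1);
    size_t n;
    if (out == NULL) abort();      /* OpenSSH would fatal() here */
    for (const char *p = list; ; p += n + 1) {
        n = strcspn(p, ",");
        if (!denied(p, n, deny)) {
            if (out[0] != '\0') strcat(out, ",");
            strncat(out, p, n);
        }
        if (p[n] == '\0') return out;
    }
}

static char *xstrdup(const char *s) { return filter_denylist(s, ""); } /* plain copy */
/* 9.1-style: with only SSH_OLD_DHGEX set, "cp" still aliases the caller's list
 * (sshd's options.kex_algorithms), which is freed here and again by sshd later. */
char *compat_kex_proposal_91(struct ssh *ssh, char *p)
{
    char *cp;
    if ((ssh->compat & (SSH_BUG_CURVE25519PAD | SSH_OLD_DHGEX)) == 0)
        return xstrdup(p);         /* 9.1 made this path hand back a fresh copy */
    if (ssh->compat & SSH_BUG_CURVE25519PAD)
        p = filter_denylist(p, CURVE_DENY);   /* p is a fresh allocation now */
    if (ssh->compat & SSH_OLD_DHGEX) {
        cp = p;                    /* the caller's buffer unless replaced above */
        p = filter_denylist(p, DHGEX_DENY);
        tracked_free(cp);          /* first free of options.kex_algorithms */
    }
    return p;
}

/* 9.2-style: const input, every path returns a new allocation, and the only
 * pointer ever freed is this function's own intermediate copy. */
char *compat_kex_proposal_92(struct ssh *ssh, const char *p)
{
    char *cp = NULL, *cp2;
    if ((ssh->compat & (SSH_BUG_CURVE25519PAD | SSH_OLD_DHGEX)) == 0)
        return xstrdup(p);
    if (ssh->compat & SSH_BUG_CURVE25519PAD)
        cp = filter_denylist(p, CURVE_DENY);
    if (ssh->compat & SSH_OLD_DHGEX) {
        cp2 = filter_denylist(cp ? cp : p, DHGEX_DENY);
        tracked_free(cp);          /* NULL or our own copy, never the caller's */
        cp = cp2;
    }
    return cp;
}

/* Run one variant on a caller-owned list and return how many times the callee
 * freed it: 1 means sshd's own later free(options.kex_algorithms) would be the
 * second free (skipped here so the demo does not abort). The Qualys post's
 * banner "SSH-2.0-FuTTYSH_9.1p1" selects exactly SSH_OLD_DHGEX. */
int callee_frees_of_callers_list(int fixed, unsigned compat)
{
    struct ssh ssh = { compat };
    char *kex = xstrdup("curve25519-sha256@libssh.org,"
                        "diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256");
    watched = kex; watched_frees = 0;
    char *proposal = fixed ? compat_kex_proposal_92(&ssh, kex)
                           : compat_kex_proposal_91(&ssh, kex);
    free(proposal);                /* the myproposal[] entry, fresh in every case */
    if (watched_frees == 0) free(kex);
    return watched_frees;
}
```

callee_frees_of_callers_list(0, SSH_OLD_DHGEX) returns 1 while the fixed variant and every other flag combination return 0; that is the whole bug in one number. With SSH_BUG_CURVE25519PAD also set, the first filter has already replaced the pointer with a fresh allocation before it is freed, which is why the trigger needs a banner that selects SSH_OLD_DHGEX alone. The working proofs of concept listed below reach the same state against a live 9.1 sshd by presenting such a banner, at which point the real second free aborts that connection's child process.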

Exploits (11)

nomisec SCANNER 106 stars
by Christbowel · poc
https://github.com/Christbowel/CVE-2023-25136

The repository contains a scanner for CVE-2023-25136, which targets OpenSSH 9.1's pre-authentication double-free vulnerability. The scripts check for vulnerability by attempting to connect to SSH servers but do not include functional exploit code for arbitrary code execution.

Classification
Scanner 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: OpenSSH 9.1
No auth needed
Prerequisites: List of target IP addresses · Network access to target SSH servers
devstral-2 · analyzed Feb 18, 2026
nomisec SCANNER 47 stars
by adhikara13 · poc
https://github.com/adhikara13/CVE-2023-25136

The repository contains a Python script that checks for the presence of CVE-2023-25136 (OpenSSH Pre-Auth Double Free) by attempting to establish an SSH connection with a specific client ID. It does not exploit the vulnerability but scans for its presence.

Classification
Scanner 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: OpenSSH (versions affected by CVE-2023-25136)
No auth needed
Prerequisites: Network access to target SSH service · Python 3.x with Paramiko and termcolor libraries
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 42 stars
by jfrog · poc
https://github.com/jfrog/jfrog-CVE-2023-25136-OpenSSH_Double-Free

This repository contains a functional Python-based Proof-of-Concept (PoC) for CVE-2023-25136, a double-free vulnerability in OpenSSH 9.1p1. The PoC uses the `paramiko` library to trigger the vulnerability, causing a denial-of-service (DoS) condition by forcing an abort crash.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: OpenSSH 9.1p1
No auth needed
Prerequisites: Python 3.6+ · paramiko library · vulnerable OpenSSH server
devstral-2 · analyzed Feb 18, 2026
nomisec SUSPICIOUS 8 stars
by nhakobyan685 · poc
https://github.com/nhakobyan685/CVE-2023-25136

The repository claims to exploit CVE-2023-25136 (OpenSSH 9.1 double-free vulnerability) but provides no functional exploit code. The 'exploit.py' script only attempts a basic SSH connection without triggering the vulnerability, while 'scan.py' is a simple SSH scanner. The README lacks technical details and relies on screenshots and generic descriptions.

Classification
Suspicious 90%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: OpenSSH 9.1
No auth needed
Prerequisites: Target running OpenSSH 9.1
devstral-2 · analyzed Feb 18, 2026
nomisec SCANNER 5 stars
by H4K6 · poc
https://github.com/H4K6/CVE-2023-25136

The repository contains two Python scripts that attempt to detect CVE-2023-25136 in OpenSSH 9.1 by sending a crafted SSH version string and checking for vulnerability. However, the scripts do not include actual exploit code for achieving remote code execution.

Classification
Scanner 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Theoretical
Target: OpenSSH 9.1
No auth needed
Prerequisites: Target IP address or list of IPs · Network access to the target
devstral-2 · analyzed Feb 18, 2026
nomisec WRITEUP 3 stars
by malvika-thakur · poc
https://github.com/malvika-thakur/CVE-2023-25136

This repository provides a detailed technical analysis of CVE-2023-25136, a pre-authentication double-free vulnerability in OpenSSH. It includes a walkthrough of the vulnerability, root cause analysis, and a Python-based Proof-of-Concept (PoC) using Paramiko to trigger the crash.

Classification
Writeup 95%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: OpenSSH 9.1p1
No auth needed
Prerequisites: Vulnerable OpenSSH server (9.1p1) · Network access to the target
devstral-2 · analyzed Feb 18, 2026
nomisec SCANNER 3 stars
by axylisdead · poc
https://github.com/axylisdead/CVE-2023-25136_POC

The repository contains a Python script that checks for the presence of CVE-2023-25136, a pre-authentication double-free vulnerability in OpenSSH, by attempting to establish an SSH connection with a specific client version string. It does not exploit the vulnerability but scans for its presence. Note that it treats OpenSSH 9.1 to 9.2 as affected, while only 9.1 is (9.2 is the release that contains the fix), so a 9.2 hit is a false positive.

Classification
Scanner 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: OpenSSH 9.1 to 9.2 as scanned (only 9.1 is actually affected)
No auth needed
Prerequisites: Network access to the target SSH service · OpenSSH version 9.1 to 9.2 running on the target (only 9.1 is affected; 9.2 contains the fix)
devstral-2 · analyzed Feb 18, 2026
nomisec SCANNER 3 stars
by ticofookfook · poc
https://github.com/ticofookfook/CVE-2023-25136

The repository contains a scanner for CVE-2023-25136, which checks for vulnerable OpenSSH servers by verifying the SSH banner and attempting a connection. It does not exploit the vulnerability but identifies potentially vulnerable targets.

Classification
Scanner 90%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: OpenSSH 9.1p1
No auth needed
Prerequisites: List of target domains or IPs · Network access to target SSH ports
devstral-2 · analyzed Feb 18, 2026
nomisec SCANNER 1 stars
by mrmtwoj · poc
https://github.com/mrmtwoj/CVE-2023-25136

This repository provides a Python-based tool that scans for OpenSSH versions 9.0 and 9.1, which it treats as potentially vulnerable to CVE-2023-25136 (only 9.1 is affected; the bug was introduced in 9.1, so a 9.0 hit is a false positive). It does not exploit the vulnerability but checks the SSH version via an SSH connection.

Classification
Scanner 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: OpenSSH versions 9.0 and 9.1 as scanned (only 9.1 is affected)
Auth required
Prerequisites: Valid SSH credentials or access to the target server · Network connectivity to the target server
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 1 stars
by Business1sg00d · poc
https://github.com/Business1sg00d/CVE-2023-25136

The repository contains a Python script that attaches to an sshd process to debug and exploit a double-free vulnerability (CVE-2023-25136) in OpenSSH 9.1p1. The script uses GDB to set breakpoints and inspect memory, targeting the `kex_assemble_names` function where the vulnerability occurs.

Classification
Working Poc 80%
Attack Type
Dos
Complexity
Moderate
Reliability
Theoretical
Target: OpenSSH 9.1p1
No auth needed
Prerequisites: sshd process running · debugging permissions (e.g., root or ptrace capabilities)
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC
by Lane0218 · poc
https://github.com/Lane0218/CVE-2023-25136-PoC

This repository provides a functional PoC for CVE-2023-25136, an OpenSSH 9.1p1 pre-authentication double free vulnerability. It includes a Dockerized environment to reproduce the DoS effect and a Python script to trigger the vulnerability.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: OpenSSH 9.1p1
No auth needed
Prerequisites: Docker · Python 3 · paramiko library
devstral-2 · analyzed Feb 19, 2026
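Most of the scanners listed above decide from the server's identification line alone. As an added example, not code from any of those repositories, here is that check in C with the affected range corrected to what the advisory supports (9.1 only) and with a real version parse instead of a substring test; the sample banners are constructed for the demo, and the verdict is deliberately only "candidate" because distributions backport fixes without changing the advertised version.

```c
/* Added example, not code from any repository listed above: classify a server
 * identification line the way the banner-based scanners do, with the affected
 * range corrected to OpenSSH 9.1 only (9.0 predates the bug, 9.2 carries the fix). */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

enum banner_verdict { NOT_OPENSSH, NOT_AFFECTED, CANDIDATE };

/* Parse "SSH-2.0-OpenSSH_9.1p1 Debian-2"-style lines (RFC 4253: protoversion,
 * softwareversion, optional comment). Returns 0 unless it is an OpenSSH banner. */
int parse_openssh_version(const char *banner, int *major, int *minor)
{
    const char *p, *q;
    if (strncmp(banner, "SSH-2.0-", 8) != 0 && strncmp(banner, "SSH-1.99-", 9) != 0)
        return 0;
    p = strchr(banner + 4, '-') + 1;                /* start of softwareversion */
    if (strncmp(p, "OpenSSH_", 8) != 0)
        return 0;
    p += 8;
    *major = (int)strtol(p, (char **)&q, 10);
    if (q == p || *q != '.')
        return 0;
    p = q + 1;
    *minor = (int)strtol(p, (char **)&q, 10);       /* stops at the 'p' of 9.1p1 */
    return q != p;
}

/* A match is only a candidate: distributions backport fixes without changing the
 * advertised version, so confirm against the package changelog before reporting. */
enum banner_verdict classify_banner(const char *banner)
{
    int major, minor;
    if (!parse_openssh_version(banner, &major, &minor))
        return NOT_OPENSSH;
    return (major == 9 && minor == 1) ? CANDIDATE : NOT_AFFECTED;
}

/* Constructed sample banners (not captured from real hosts) covering the cases
 * that trip naive substring checks: a portable build with a distro suffix, the
 * bare OpenBSD form, the neighbouring releases, a made-up 9.12 that contains
 * "9.1" as a substring, and a non-OpenSSH server. */
static const char *const SAMPLE_BANNERS[] = {
    "SSH-2.0-OpenSSH_9.1p1 Debian-2",
    "SSH-2.0-OpenSSH_9.1",
    "SSH-2.0-OpenSSH_9.0p1 Ubuntu-1",
    "SSH-2.0-OpenSSH_9.2p1",
    "SSH-2.0-OpenS SH_9.12",
    "SSH-2.0-dropbear_2022.83",
};
#define SAMPLE_COUNT (sizeof SAMPLE_BANNERS / sizeof SAMPLE_BANNERS[0])

size_t count_candidates(const char *const *banners, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (classify_banner(banners[i]) == CANDIDATE)
            hits++;
    return hits;
}
```

Over the sample set only the two 9.1 banners come back as candidates; 9.0, 9.2 and the made-up 9.12 are rejected, which a substring test for "9.1" would get wrong. A live scanner would send its own identification line, read the server's first line, and feed it to classify_banner(); a candidate still needs the package version or changelog checked before it is reported as vulnerable.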

References (16)

Core References
Exploit, Mailing List, Third Party Advisory
https://www.openwall.com/lists/oss-security/2023/02/02/2
Exploit, Issue Tracking, Third Party Advisory
https://bugzilla.mindrot.org/show_bug.cgi?id=3522
Issue Tracking, Third Party Advisory
https://news.ycombinator.com/item?id=34711565
Mailing List, Third Party Advisory mailing-list
http://www.openwall.com/lists/oss-security/2023/02/13/1
Mailing List, Third Party Advisory mailing-list
http://www.openwall.com/lists/oss-security/2023/02/22/1
Mailing List, Third Party Advisory mailing-list
http://www.openwall.com/lists/oss-security/2023/02/22/2
Mailing List, Third Party Advisory mailing-list
http://www.openwall.com/lists/oss-security/2023/02/23/3
Mailing List, Third Party Advisory mailing-list
http://www.openwall.com/lists/oss-security/2023/03/06/1
Mailing List, Third Party Advisory mailing-list
http://www.openwall.com/lists/oss-security/2023/03/09/2
Third Party Advisory vendor-advisory
https://security.gentoo.org/glsa/202307-01

Scores

CVSS v3 6.5
EPSS 0.8995
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

InTheWild.io 2023-03-24
CWE
CWE-415
Status published
Products (7)
fedoraproject/fedora 37
fedoraproject/fedora 38
netapp/500f_firmware
netapp/a250_firmware
netapp/c250_firmware
netapp/ontap_select_deploy_administration_utility
openbsd/openssh 9.1
Published Feb 03, 2023
Tracked Since Feb 18, 2026