CVE-2025-26465

MEDIUM

OpenSSH 6.9-9.7 - Machine-in-the-Middle Attack via VerifyHostKeyDNS Error Handling

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-26465. PoCs published by rxerium, dolutech.


Description

A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legitimate server. The issue arises from how OpenSSH mishandles error codes under specific conditions when verifying the host key. For the attack to succeed, the attacker must first exhaust the client's memory resources, which makes the attack complexity high.

Exploits (2)

nomisec SCANNER 7 stars
by rxerium · poc
https://github.com/rxerium/CVE-2025-26465

This repository provides a Nuclei template for detecting vulnerable OpenSSH client versions (6.8p1 to 9.9p1) affected by CVE-2025-26465, a MitM vulnerability when VerifyHostKeyDNS is enabled. It matches against SSH banner strings to identify at-risk hosts.

Classification: Scanner 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: OpenSSH client versions 6.8p1 to 9.9p1
No auth needed
Prerequisites: Nuclei installed · Network access to target host
devstral-2 · analyzed Feb 16, 2026

nomisec WRITEUP 1 star
by dolutech · poc
https://github.com/dolutech/patch-manual-CVE-2025-26465-e-CVE-2025-26466

This repository provides a mitigation script for OpenSSH vulnerabilities CVE-2025-26465 and CVE-2025-26466, focusing on disabling VerifyHostKeyDNS and adjusting MaxStartups to prevent DoS attacks.

Classification: Writeup 90%
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: OpenSSH
Auth required
Prerequisites: Access to modify SSH configuration files · Root or sudo privileges
devstral-2 · analyzed Feb 16, 2026

References (26)

Core References
Mailing List, Third Party Advisory
https://seclists.org/oss-sec/2025/q1/144
Vendor Advisory
https://access.redhat.com/errata/RHSA-2025:16823
Vendor Advisory
https://access.redhat.com/errata/RHSA-2025:3837
Vendor Advisory
https://access.redhat.com/errata/RHSA-2025:6993
Vendor Advisory
https://access.redhat.com/errata/RHSA-2025:8385
Third Party Advisory
https://access.redhat.com/security/cve/CVE-2025-26465
Issue Tracking, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2344780

Scores

CVSS v3 6.8
EPSS 0.0700
EPSS Percentile 93.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE: CWE-390
Status: published
Products (17)
debian/debian_linux 11.0
debian/debian_linux 12.0
netapp/active_iq_unified_manager
netapp/ontap 9
openbsd/openssh 6.8 p1
openbsd/openssh 9.9 (2 CPE variants)
openbsd/openssh 6.9 - 9.8
Red Hat/Red Hat Discovery 1.14 sha256:f33991d766b618a128fb99fbe4f9b61c5004f7c6aa73b2b38e28d59e56c64d63
Red Hat/Red Hat Enterprise Linux 10
Red Hat/Red Hat Enterprise Linux 6
... and 7 more
Published Feb 18, 2025
Tracked Since Feb 18, 2026