Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

New OpenSSH Flaws Enable Man-in-the-Middle and DoS Attacks — Patch Now

The Hacker News by The Hacker News
February 18, 2025
Home Cybersecurity
Share on FacebookShare on Twitter


Feb 18, 2025Ravie LakshmananVulnerability / Network Security

Two security vulnerabilities have been discovered in the OpenSSH secure networking utility suite that, if successfully exploited, could result in an active machine-in-the-middle (MitM) and a denial-of-service (DoS) attack, respectively, under certain conditions.

The vulnerabilities, detailed by the Qualys Threat Research Unit (TRU), are listed below –

  • CVE-2025-26465 – The OpenSSH client contains a logic error between versions 6.8p1 to 9.9p1 (inclusive) that makes it vulnerable to an active MitM attack if the VerifyHostKeyDNS option is enabled, allowing a malicious interloper to impersonate a legitimate server when a client attempts to connect to it (Introduced in December 2014)
  • CVE-2025-26466 – The OpenSSH client and server are vulnerable to a pre-authentication DoS attack between versions 9.5p1 to 9.9p1 (inclusive) that causes memory and CPU consumption (Introduced in August 2023)

“If an attacker can perform a man-in-the-middle attack via CVE-2025-26465, the client may accept the attacker’s key instead of the legitimate server’s key,” Saeed Abbasi, manager of product at Qualys TRU, said.

Cybersecurity

“This would break the integrity of the SSH connection, enabling potential interception or tampering with the session before the user even realizes it.”

In other words, a successful exploitation could permit malicious actors to compromise and hijack SSH sessions, and gain unauthorized access to sensitive data. It’s worth noting that the VerifyHostKeyDNS option is disabled by default.

Repeated exploitation of CVE-2025-26466, on the other hand, can result in availability issues, preventing administrators from managing servers and locking legitimate users out, effectively crippling routine operations.

Both the vulnerabilities have been addressed in version OpenSSH 9.9p2 released today by OpenSSH maintainers.

The disclosure comes over seven months after Qualys shed light on another OpenSSH flaw dubbed regreSSHion (CVE-2024-6387) that could have resulted in unauthenticated remote code execution with root privileges in glibc-based Linux systems.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.





Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
The Hacker News

The Hacker News

Next Post
New Charter Technologies Appoints Christopher J. Luise as Chief Operating Officer

New Charter Technologies Appoints Christopher J. Luise as Chief Operating Officer

Recommended.

New Android Malware Surge Hits Devices via Overlays, Virtualization Fraud and NFC Theft

New Android Malware Surge Hits Devices via Overlays, Virtualization Fraud and NFC Theft

June 19, 2025
FIN7, FIN8, and Others Use Ragnar Loader for Persistent Access and Ransomware Operations

FIN7, FIN8, and Others Use Ragnar Loader for Persistent Access and Ransomware Operations

March 7, 2025

Trending.

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

May 4, 2026
AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

May 1, 2026
This Scammer Used an AI-Generated MAGA Girl to Grift ‘Super Dumb’ Men

This Scammer Used an AI-Generated MAGA Girl to Grift ‘Super Dumb’ Men

April 21, 2026
AT&T Vs. Verizon: How The Country’s Biggest Carriers Fared In Q4 2025

AT&T Vs. Verizon: How The Country’s Biggest Carriers Fared In Q4 2025

January 30, 2026
Anthropic’s 5 Huge Hires From OpenAI, Google, Microsoft And xAI In 2026

Anthropic’s 5 Huge Hires From OpenAI, Google, Microsoft And xAI In 2026

July 7, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio