The developers of OpenSSH, the widely used open-source implementation of the Secure Shell (SSH) protocol, released patches this week addressing two vulnerabilities: one that can be exploited without any user interaction, and another that can be exploited without authentication.

OpenSSH is a free and open-source implementation of the SSH protocol, which is widely used among people in IT, cloud computing, and cybersecurity to securely access and manage remote systems over a network. It uses encryption to protect sensitive information like login credentials and file transfers from eavesdropping.

In short, here’s what you need to know about the vulnerabilities:

  • CVE-2025-26465 (CVSS score: 6.8). If you’re using OpenSSH versions 6.8p1 to 9.9p1 and have the VerifyHostKeyDNS option enabled, there’s a risk of a Man-in-the-Middle (MitM) attack. This means an attacker could intercept your connection and pretend to be the server you’re trying to connect to, tricking your client into connecting to a fake server.
  • CVE-2025-26466 (CVSS score: 5.9). This one affects both the OpenSSH client and server in versions 9.5p1 to 9.9p1. It opens the door for a Denial of Service (DoS) attack, which can overload your system’s memory and CPU, causing it to slow down or crash.

Qualys, which discovered both vulnerabilities, explains that the first vulnerability makes a MitM attack successful “regardless of whether the VerifyHostKeyDNS option is set to ‘yes’ or ‘ask’ (its default is ‘no’).” What’s worse, it “requires no user interaction, and does not depend on the existence of an SSHFP resource record (an SSH fingerprint) in DNS.”

Essentially, this vulnerability lets an attacker trick the client into accepting a fake server’s key because of poor error handling. The attacker intercepts the connection and sends an oversized SSH key with extra data, which exhausts the client’s memory. The client then skips verifying the server’s identity, letting the attacker take over the session. From there, they can steal login credentials, inject harmful commands, and exfiltrate sensitive data.

In the second vulnerability, the problem arises during the key exchange, where OpenSSH does not limit how much memory it uses. An attacker can repeatedly send small 16-byte ping messages, and OpenSSH stores a 256-byte response for each one without tracking how much memory it has consumed. The result is excessive memory consumption and CPU overload, which can crash the system.

OpenSSH fixed both vulnerabilities in version 9.9p2. It’s best to upgrade to this version as soon as possible.

You should also make sure to disable VerifyHostKeyDNS unless absolutely necessary and use manual key fingerprint verification for secure SSH connections.

To mitigate the DoS issue, administrators should set strict connection rate limits and monitor SSH traffic for unusual patterns so that an attack can be detected and stopped early.
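As an added example (not code from the article, Qualys, or the OpenSSH project), the POSIX shell script below turns the upgrade and VerifyHostKeyDNS advice above into a check an administrator can run on a client host: it parses the `ssh -V` banner, compares the version against the two affected ranges named in the article (6.8p1 to 9.9p1 and 9.5p1 to 9.9p1), reads the first VerifyHostKeyDNS value from an ssh_config-style file (ssh uses the first value it finds; the default is “no”), and prints a verdict. The function names, the sample banner and the sample config file are all constructed for this example; the config reader is a deliberate simplification that does not evaluate Host or Match blocks.

```shell
#!/bin/sh
# Constructed example: version and config check for the two OpenSSH CVEs
# discussed above. Not part of OpenSSH or the original article.

# version_key "9.9p1" -> "9009001", a plain integer suitable for -ge/-le.
# Patch level ("pN") defaults to 0 when absent.
version_key() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%p*}
    if [ "$rest" = "$minor" ]; then patch=0; else patch=${rest#*p}; fi
    printf '%d%03d%03d\n' "$major" "$minor" "$patch"
}

# banner_version BANNER -> "9.9p1"
# Accepts the text that `ssh -V 2>&1` prints, e.g.
# "OpenSSH_9.9p1, OpenSSL 3.0.13 30 Jan 2024" (also vendor banners such as
# "OpenSSH_9.2p1 Debian-2+deb12u3, OpenSSL ...").
banner_version() {
    v=${1#*OpenSSH_}
    v=${v%%,*}
    v=${v%% *}
    printf '%s\n' "$v"
}

# affected_by VERSION -> space-separated CVE ids whose range contains VERSION
# (empty when the version is outside both ranges, e.g. 9.9p2).
affected_by() {
    k=$(version_key "$1")
    out=""
    # CVE-2025-26465: client, 6.8p1 through 9.9p1 (needs VerifyHostKeyDNS yes/ask)
    if [ "$k" -ge "$(version_key 6.8p1)" ] && [ "$k" -le "$(version_key 9.9p1)" ]; then
        out="CVE-2025-26465"
    fi
    # CVE-2025-26466: client and server, 9.5p1 through 9.9p1 (pre-auth DoS)
    if [ "$k" -ge "$(version_key 9.5p1)" ] && [ "$k" -le "$(version_key 9.9p1)" ]; then
        out="${out:+$out }CVE-2025-26466"
    fi
    printf '%s\n' "$out"
}

# verify_host_key_dns_setting FILE -> first VerifyHostKeyDNS value, lowercased,
# or "no" (the OpenSSH default) when the option is absent.
# Handles both "Key value" and "Key=value" forms; skips "#" comments.
# Assumption/simplification: Host and Match blocks are not evaluated.
verify_host_key_dns_setting() {
    val=$(awk '{ line=$0; gsub(/=/, " ", line); n=split(line, f);
                 if (n >= 2 && tolower(f[1]) == "verifyhostkeydns") { print tolower(f[2]); exit } }' "$1")
    printf '%s\n' "${val:-no}"
}

# client_assessment BANNER CONFIG -> one-line verdict for CVE-2025-26465
client_assessment() {
    v=$(banner_version "$1")
    cves=$(affected_by "$v")
    dns=$(verify_host_key_dns_setting "$2")
    case "$cves" in
        *26465*)
            case "$dns" in
                yes|ask) printf 'OpenSSH %s: exposed to CVE-2025-26465 (VerifyHostKeyDNS=%s); upgrade to 9.9p2 and set VerifyHostKeyDNS no\n' "$v" "$dns" ;;
                *)       printf 'OpenSSH %s: in the CVE-2025-26465 range but VerifyHostKeyDNS=%s; upgrade to 9.9p2\n' "$v" "$dns" ;;
            esac ;;
        *) printf 'OpenSSH %s: outside the CVE-2025-26465 range\n' "$v" ;;
    esac
}

# Stand-alone demo with a constructed banner and a constructed ssh_config.
# On a real host replace the banner with "$(ssh -V 2>&1)" and the file with
# /etc/ssh/ssh_config or ~/.ssh/config.
demo_banner='OpenSSH_9.9p1, OpenSSL 3.0.13 30 Jan 2024'
demo_cfg=$(mktemp)
printf 'Host *\n    VerifyHostKeyDNS ask\n' > "$demo_cfg"
client_assessment "$demo_banner" "$demo_cfg"
rm -f "$demo_cfg"
```

The version comparison deliberately treats a missing patch level as 0, so a banner of `OpenSSH_9.9` is still classified as inside the range; the only version the article names as fixed is 9.9p2, which the check reports as unaffected.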