CVE-2025-26465: openssh¶

Title¶

CVE-2025-26465: OpenSSH: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client

Summary¶

The OpenSSH client is vulnerable to an active machine-in-the-middle attack if the VerifyHostKeyDNS option is enabled (it is disabled by default): when a vulnerable client connects to a server, an active machine-in-the-middle can impersonate the server by completely bypassing the client's checks of the server's identity.

Public disclosure date: February 18, 2025

EL9¶

Fixed in version: 8.7p1-43.el9_5.security.0.11 available February 21, 2025

EL8¶

Affected

Mitigation¶

Ensure VerifyHostKeyDNS is not enabled in SSH client configuration. It is disabled by default.