Source: BankInfoSecurity.com RSS Syndication Author: unknown URL: https://www.bankinfosecurity.com/proof-of-concept-exploits-published-for-2-new-openssh-bugs-a-27544
ONE SENTENCE SUMMARY:
Two new OpenSSH vulnerabilities enable man-in-the-middle attacks and denial of service, prompting urgent patching to mitigate security risks.
MAIN POINTS:
- Two OpenSSH vulnerabilities (CVE-2025-26465, CVE-2025-26466) expose millions of servers to security threats.
- The man-in-the-middle flaw (CVE-2025-26465) allows attackers to impersonate servers and intercept SSH sessions.
- The denial of service flaw (CVE-2025-26466) enables resource exhaustion attacks using SSH2_MSG_PING packets.
- OpenSSH patched both flaws in version 9.9p2, released on February 18, 2025.
- The man-in-the-middle attack requires the VerifyHostKeyDNS option to be enabled, which is disabled by default.
- FreeBSD had VerifyHostKeyDNS enabled by default from September 2013 until March 2023.
- The denial of service attack can be mitigated using built-in OpenSSH mechanisms like LoginGraceTime and MaxStartups.
- The Qualys Security Advisory team discovered the flaws and reported them to OpenSSH on January 31, 2025.
- Proof-of-concept exploit code was published by Qualys on the same day OpenSSH released patches.
- Urgently upgrading to OpenSSH 9.9p2 is recommended to prevent potential exploitation.
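The VerifyHostKeyDNS precondition and the LoginGraceTime/MaxStartups mitigations listed above, as an added defender-side audit script that is not part of the article or of OpenSSH itself; it assumes plain "Keyword value" config lines (Host/Match blocks are not interpreted) and runs against constructed sample configs.

```shell
#!/bin/sh
# Added example (not from the article or OpenSSH): audit the settings named
# above. Assumes plain "Keyword value" lines; Host/Match blocks are not
# interpreted, and the first occurrence wins, as in OpenSSH itself.

# Print the effective value of KEYWORD ($2) in FILE ($1), or "unset".
ssh_option() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[ \t]*(#|$)/     { next }
    tolower($1) == key { print $2; found = 1; exit }
    END                { if (!found) print "unset" }
  ' "$1"
}

# Return 0 if an "ssh -V 2>&1" banner is OpenSSH 9.9p2 or newer, else 1.
openssh_patched() {
  set -- $(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\)p\([0-9]*\).*/\1 \2 \3/p')
  [ $# -eq 3 ] || return 1   # unparseable banner: treat as unpatched
  [ "$1" -gt 9 ] && return 0
  [ "$1" -lt 9 ] && return 1
  [ "$2" -gt 9 ] && return 0
  [ "$2" -lt 9 ] && return 1
  [ "$3" -ge 2 ]
}

# Report client ($1) and server ($2) settings; return 1 if VerifyHostKeyDNS is on.
audit_ssh() {
  rc=0; v=$(ssh_option "$1" VerifyHostKeyDNS)
  case "$v" in
    no|unset) echo "VerifyHostKeyDNS=$v: OpenSSH default, MITM precondition absent" ;;
    *)        echo "VerifyHostKeyDNS=$v: CVE-2025-26465 precondition present"; rc=1 ;;
  esac
  echo "LoginGraceTime=$(ssh_option "$2" LoginGraceTime) (OpenSSH default 120)"
  echo "MaxStartups=$(ssh_option "$2" MaxStartups) (OpenSSH default 10:30:100)"
  return $rc
}

# Constructed sample configs (not from any real host).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/ssh_config" <<'EOF'
Host *
    VerifyHostKeyDNS yes
# the second value below is ignored: the first obtained value wins
    VerifyHostKeyDNS no
EOF
printf 'LoginGraceTime 30\nMaxStartups 10:30:60\n' > "$SAMPLE_DIR/sshd_config"

audit_ssh "$SAMPLE_DIR/ssh_config" "$SAMPLE_DIR/sshd_config" || echo "ACTION: set VerifyHostKeyDNS no"
openssh_patched "OpenSSH_9.9p1, OpenSSL 3.0.13 30 Jan 2024" || echo "ACTION: upgrade to 9.9p2"
```

On a real host, feed it `/etc/ssh/ssh_config` and `/etc/ssh/sshd_config` plus the output of `ssh -V 2>&1`.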
TAKEAWAYS:
- Immediate patching is crucial to mitigate OpenSSH vulnerabilities and prevent potential attacks.
- Organizations should verify their SSH configurations, especially the VerifyHostKeyDNS setting.
- Built-in OpenSSH security mechanisms can help reduce denial of service risks.
- Attackers could exploit these flaws to intercept credentials or disrupt server operations.
- Security teams must stay updated on vulnerabilities and apply patches as soon as they are released.