The Qualys Threat Research Unit (TRU) disclosed two vulnerabilities in OpenSSH: CVE-2025-26465, a machine-in-the-middle (MitM) attack against the OpenSSH client when the VerifyHostKeyDNS option is enabled, and CVE-2025-26466, an asymmetric denial-of-service (DoS) attack affecting both client and server. CVE-2025-26465 allows attackers to intercept communications by spoofing DNS records, while CVE-2025-26466 enables resource exhaustion through excessive memory and CPU consumption. Together, the two vulnerabilities affect both the OpenSSH client and server components, potentially exposing millions to risk.
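Because CVE-2025-26465 only applies when VerifyHostKeyDNS is enabled, a useful first check is to find where client configurations turn it on. The following is an added example, not code from Qualys or OpenSSH: the function name and the sample configuration are constructed for illustration, and it assumes the configuration text has already been read from files such as ~/.ssh/config or /etc/ssh/ssh_config.

```python
import re

# ssh_config separates keyword and arguments by whitespace,
# or by optional whitespace and exactly one '='. Keywords are case-insensitive.
DIRECTIVE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")
ENABLED = {"yes", "ask"}  # VerifyHostKeyDNS defaults to "no"

def audit_verify_host_key_dns(config_text, source="<config>"):
    """Return (source, line_no, scope, value) for each VerifyHostKeyDNS
    directive set to yes or ask. Reports every directive it finds; it does
    not resolve which one wins for a given host and does not follow Include."""
    findings = []
    scope = "global"  # directives before any Host/Match block apply to all hosts
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        m = DIRECTIVE.match(line)
        if not m:
            continue
        keyword, rest = m.group(1).lower(), m.group(2).strip()
        if keyword in ("host", "match"):
            scope = line  # remember which block later directives belong to
        elif keyword == "verifyhostkeydns" and rest:
            value = rest.split()[0].strip('"').lower()
            if value in ENABLED:
                findings.append((source, line_no, scope, value))
    return findings

# Constructed sample configuration (not taken from the advisory).
SAMPLE_CONFIG = """\
# constructed sample
Host bastion.example.com
    User ops
    VerifyHostKeyDNS=yes

Host *.internal.example.com
    verifyhostkeydns ask

Host *
    VerifyHostKeyDNS no
"""

if __name__ == "__main__":
    for src, line_no, scope, value in audit_verify_host_key_dns(SAMPLE_CONFIG):
        print(f"{src}:{line_no}: VerifyHostKeyDNS {value} in [{scope}]")
```

To confirm the effective value OpenSSH resolves for one host, including any Include files this sketch does not follow, run `ssh -G <host>` and look at the verifyhostkeydns line.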