CVE-2025-26465 is a medium-severity vulnerability (CVSS 6.8) in OpenSSH that enables a Man-in-the-Middle (MitM) attack by exploiting a flaw in the VerifyHostKeyDNS option.
When the option is enabled, the flaw allows an attacker to impersonate a legitimate SSH server, potentially hijacking user sessions and intercepting sensitive data.
The vulnerability affects OpenSSH versions 6.8p1 to 9.9p1 and was particularly concerning for systems running FreeBSD, where the option was enabled by default from 2013 to 2023.
The flaw stems from a logic error that mishandles host key verification, allowing attackers to bypass security checks, gain unauthorized access, and inject malicious commands into SSH sessions.
Organizations relying on OpenSSH for secure communications should take immediate steps to mitigate this risk. OpenSSH 9.9p2 contains a patch addressing the issue, and users should upgrade as soon as possible. If upgrading is not feasible, a recommended workaround is to disable the VerifyHostKeyDNS option unless absolutely necessary and manually verify SSH key fingerprints before establishing connections. Given that a Proof of Concept (PoC) exploit is already publicly available, delaying mitigation could expose systems to exploitation.
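
A triage check for the two conditions described above, added here as an example and not taken from the advisory or from OpenSSH: it reads the text printed by `ssh -V` and `ssh -G <host>` and reports whether a client is in the affected range with the option on. The function names and sample inputs are constructed for illustration, and counting `ask` as enabled is an assumption.

```python
import re

# Affected range as stated in the text above: 6.8p1 through 9.9p1 (fixed in 9.9p2).
FIRST_AFFECTED, LAST_AFFECTED = (6, 8, 1), (9, 9, 1)

def parse_version(banner):
    """Extract (major, minor, patch) from `ssh -V` output, or None if unrecognised."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)p(\d+)", banner)
    return tuple(int(g) for g in m.groups()) if m else None

def dns_verification_enabled(effective_config):
    """Find the verifyhostkeydns line in `ssh -G <host>` output."""
    for line in effective_config.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].lower() == "verifyhostkeydns":
            # Assumption: any value other than no/false (yes, true, ask) counts as enabled.
            return parts[1].lower() not in ("no", "false")
    return False  # option not present in the dump: treated as not enabled

def assess(banner, effective_config):
    """Combine both checks into one triage verdict for a single client and host."""
    version = parse_version(banner)
    if version is None:
        return "unknown: could not parse OpenSSH version"
    in_range = FIRST_AFFECTED <= version <= LAST_AFFECTED
    enabled = dns_verification_enabled(effective_config)
    if in_range and enabled:
        return "exposed: upgrade to 9.9p2 or set VerifyHostKeyDNS no"
    if in_range:
        return "affected version, option disabled: upgrade when possible"
    if enabled:
        return "version outside affected range, option enabled"
    return "not exposed"

# Constructed sample inputs, shaped like real `ssh -V` and `ssh -G` output.
SAMPLE_BANNER = "OpenSSH_9.6p1 Ubuntu-3ubuntu13.5, OpenSSL 3.0.13 30 Jan 2024"
SAMPLE_CONFIG = "host example.internal\nport 22\nverifyhostkeydns ask\n"

if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_CONFIG))
```

Distribution packages can carry the fix without changing the version string, so confirm an "exposed" verdict against the vendor's own advisory before acting on it.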