SOCRadar® Cyber Intelligence Inc. | Security Flaws in OpenSSH and Juniper Networks Demand Action (CVE-2025-26465, CVE-2025-26466, and CVE-2025-21589)
Free Dark Web Report
Is your Domain Exposed? Find Out.
Table Of Content
Moon
Home

Resources

Blog
Feb 19, 2025
5 Mins Read

Security Flaws in OpenSSH and Juniper Networks Demand Action (CVE-2025-26465, CVE-2025-26466, and CVE-2025-21589)

Recent discoveries have revealed severe vulnerabilities in two widely used networking technologies – OpenSSH and Juniper Networks’ Session Smart Router. These flaws, if exploited, could enable cybercriminals to hijack SSH sessions, and even gain unauthorized administrative control over enterprise networks.

With OpenSSH being a staple in secure remote communications and Juniper’s routers powering enterprise SD-WAN solutions, the potential impact of these vulnerabilities is significant. Organizations are urged to act swiftly by patching affected systems, tightening security configurations, and staying vigilant against potential threats.

OpenSSH Flaws Expose Systems to MitM Attacks and Denial of Service

OpenSSH, a widely used open-source implementation of the SSH protocol, has released an urgent security update addressing two newly discovered vulnerabilities that pose significant security risks. These flaws, identified by Qualys, include a Man-in-the-Middle (MitM) attack vulnerability and a pre-authentication Denial-of-Service (DoS) flaw, tracked as CVE-2025-26465 and CVE-2025-26466, respectively.

Given OpenSSH’s extensive use in enterprise, IT, and cloud environments, these vulnerabilities present a serious risk to organizations that rely on secure remote access and encrypted communications.

CVE-2025-26465: A Decade-Old MitM Attack Vulnerability

The MitM vulnerability, CVE-2025-26465 (CVSS 6.8), introduced in OpenSSH 6.8p1, at the end of 2014, affects OpenSSH clients when the VerifyHostKeyDNS option is enabled. If exploited, an attacker can hijack an SSH session by:

  • Presenting a rogue server’s key to the client.
  • Triggering an out-of-memory error to bypass host verification.
  • Stealing credentials, injecting commands, and exfiltrating data.

This issue is particularly concerning given its presence in OpenSSH for over a decade, remaining undetected until now. Although this option is disabled by default, FreeBSD enabled it by default from 2013 to 2023, leaving many systems unknowingly exposed. Organizations using FreeBSD or those that have manually enabled VerifyHostKeyDNS should take immediate action.

CVE-2025-26466: Pre-Authentication DoS Attack

The second vulnerability, CVE-2025-26466 (CVSS 5.9), was introduced in OpenSSH 9.5p1, in 2023. This flaw allows attackers to overwhelm a system’s resources by:

  • Sending small, repeated 16-byte ping messages.
  • Triggering an unrestricted memory allocation in the key exchange process.
  • Consuming excessive CPU and RAM, potentially leading to system crashes.

While this flaw does not enable direct code execution, it can significantly disrupt operations by making SSH services unavailable. Attackers leveraging this vulnerability could render critical infrastructure inoperable, making it impossible for administrators to manage remote systems.

Mitigation and Recommended Actions

OpenSSH has released version 9.9p2, which addresses both vulnerabilities. Organizations should:

  • Upgrade immediately to OpenSSH 9.9p2 to prevent exploitation.
  • Disable VerifyHostKeyDNS unless strictly necessary.
  • Implement strict SSH rate limits to mitigate DoS attempts.
  • Monitor SSH traffic for unusual patterns.
  • Use manual key verification methods instead of relying on DNS-based verification.
  • Restrict SSH access using firewall rules and allowlists to limit exposure to only trusted IPs.

For technical details, visit the Qualys advisory.

It’s critical to manage the attack surface of your company as the world of cybersecurity grows more complex. The Attack Surface Management (ASM) module of SOCRadar offers thorough insight into your whole digital ecosystem, including cloud services, third-party vendors, and internal systems.

Monitor for company vulnerabilities with SOCRadar ASM

Monitor for company vulnerabilities with SOCRadar ASM

ASM assists you in identifying vulnerabilities, prioritizing remediation, and lowering exposure to possible threats through automated risk assessment, continuous monitoring, and actionable insights. No matter what threats arise, stay on top of the competition and make sure your organization is safe.

Juniper Networks’ Critical Authentication Bypass Vulnerability

In another important development, Juniper Networks recently released an out-of-cycle security update for a critical authentication bypass vulnerability, identified as CVE-2025-21589 (CVSS 9.8), affecting its Session Smart Router products.

This flaw, described as an alternate path or channel vulnerability, could allow a remote attacker to gain full administrative control of affected devices. This type of vulnerability poses a severe risk, as it can be leveraged to manipulate network configurations, intercept data, and disrupt services.

Impacted Products and Immediate Remediation

The vulnerability affects:

  • Session Smart Router (SD-WAN solution)
  • Session Smart Conductor
  • WAN Assurance Managed Routers

Patched versions are as follows:

  • 5.6.17
  • 6.1.12-lts
  • 6.2.8-lts
  • 6.3.3-r2

Juniper’s Response and Risk Assessment

Although CVE-2025-21589 is a critical vulnerability, Juniper discovered it during internal security testing, and no active exploitation has been detected so far. Despite this, the risk remains high due to the potential for attackers to gain full administrative control over affected devices. Organizations should act swiftly to apply patches, enforce strict access controls, and monitor network activity to prevent any future exploitation.

Best Practices to Prevent Exploitation

  • Apply the latest patches as soon as possible to ensure security fixes are in place.
  • Restrict access to affected devices by using firewall rules to limit exposure.
  • Enable logging and monitoring to detect unauthorized access attempts.
  • Change administrative credentials after applying patches to eliminate any existing risks.
  • Audit network configurations to identify potential vulnerabilities introduced by unauthorized access.

For more details, visit the Juniper Security Bulletin.

In today’s dynamic threat environment, effective defense calls for remaining up to date on new vulnerabilities.

SOCRadar’s Vulnerability Intelligence module continuously tracks vulnerabilities and helps you prioritize patching efforts by providing detailed risk assessments.

Take control of your security with SOCRadar Vulnerability Intelligence

Take control of your security with SOCRadar Vulnerability Intelligence

SOCRadar ensures that your security team is prepared to deal with threats before they are exploited by providing actionable insights into critical vulnerabilities, including those that may affect your network and systems.

Related Articles
SOCRadar® Cyber Intelligence Inc. | Black Basta’s Internal Chats Leak: Everything You Need to Know
Black Basta’s Internal Chats Leak: Everything You Need to Know
Feb 21, 2025
SOCRadar® Cyber Intelligence Inc. | Microsoft Patches Power Pages Zero-Day (CVE-2025-24989) & Recent PAN-OS Flaw (CVE-2025-0111) Joins CISA KEV
Microsoft Patches Power Pages Zero-Day (CVE-2025-24989) & Recent PAN-OS Flaw (CVE-2025-0111) Joins CISA KEV
Feb 21, 2025
SOCRadar® Cyber Intelligence Inc. | Chinese APT Exploits Cisco IOS XE Vulnerabilities (CVE-2023-20198 & CVE-2023-20273) in Global Attacks
Chinese APT Exploits Cisco IOS XE Vulnerabilities (CVE-2023-20198 & CVE-2023-20273) in Global Attacks
Feb 20, 2025
SOCRadar® Cyber Intelligence Inc. | A New Wave of Ransomware Campaigns Targeting Microsoft Teams
A New Wave of Ransomware Campaigns Targeting Microsoft Teams
Feb 18, 2025
SOCRadar® Cyber Intelligence Inc. | Alarming Dark Web Leak: B1ack's Stash Releases 4 Million Stolen Credit Cards for Free
Alarming Dark Web Leak: B1ack's Stash Releases 4 Million Stolen Credit Cards for Free
Feb 18, 2025