CVE-2025-26465 PoC — Openssh: machine-in-the-middle attack if verifyhostkeydns is enabled

Source
Associated Vulnerability
Title: Openssh: machine-in-the-middle attack if verifyhostkeydns is enabled (CVE-2025-26465)
Description: A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legitimate server. This issue occurs because OpenSSH mishandles error codes in specific conditions when verifying the host key. For an attack to succeed, the attacker first needs to exhaust the client's memory resources, which makes the attack complexity high.
Description
MitM attack allowing a malicious interloper to impersonate a legitimate server when a client attempts to connect to it
Readme
# CVE-2025-26465

The OpenSSH client in versions 6.8p1 through 9.9p1 (inclusive) contains a logic error that makes it vulnerable to an active MitM attack when the VerifyHostKeyDNS option is enabled, allowing a malicious interloper to impersonate a legitimate server when a client attempts to connect to it.

## How does this detection method work?

This template matches on the following vulnerable version banners (the list as it appears in `template.yaml`):
```yaml
- "SSH-2.0-OpenSSH_6.8p1"
- "SSH-2.0-OpenSSH_6.9p1"
- "SSH-2.0-OpenSSH_7.0p1"
- "SSH-2.0-OpenSSH_7.1p1"
- "SSH-2.0-OpenSSH_7.2p1"
- "SSH-2.0-OpenSSH_7.3p1"
- "SSH-2.0-OpenSSH_7.4p1"
- "SSH-2.0-OpenSSH_7.5p1"
- "SSH-2.0-OpenSSH_7.6p1"
- "SSH-2.0-OpenSSH_7.7p1"
- "SSH-2.0-OpenSSH_7.8p1"
- "SSH-2.0-OpenSSH_7.9p1"
- "SSH-2.0-OpenSSH_8.0p1"
- "SSH-2.0-OpenSSH_8.1p1"
- "SSH-2.0-OpenSSH_8.2p1"
- "SSH-2.0-OpenSSH_8.3p1"
- "SSH-2.0-OpenSSH_8.4p1"
- "SSH-2.0-OpenSSH_8.5p1"
- "SSH-2.0-OpenSSH_8.6p1"
- "SSH-2.0-OpenSSH_8.7p1"
- "SSH-2.0-OpenSSH_8.8p1"
- "SSH-2.0-OpenSSH_8.9p1"
- "SSH-2.0-OpenSSH_9.0p1"
- "SSH-2.0-OpenSSH_9.1p1"
- "SSH-2.0-OpenSSH_9.2p1"
- "SSH-2.0-OpenSSH_9.3p1"
- "SSH-2.0-OpenSSH_9.4p1"
- "SSH-2.0-OpenSSH_9.5p1"
- "SSH-2.0-OpenSSH_9.6p1"
- "SSH-2.0-OpenSSH_9.7p1"
- "SSH-2.0-OpenSSH_9.8p1"
- "SSH-2.0-OpenSSH_9.9p1"
```
If there is a match, the host is considered to be vulnerable to CVE-2025-26465.
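As an added example (my own code, not the Nuclei template's), the banner match above generalized to a version-range check in Python: it parses the server identification line, compares `(major, minor, portable patch)` against the README's 6.8p1 through 9.9p1 range, and can fetch the banner from a live host using only the standard library. The function names `parse_openssh_version`, `is_vulnerable_banner` and `read_ssh_banner` are my own, and the banners in the test are constructed samples.

```python
import re
import socket

# Affected range stated in the README: OpenSSH 6.8p1 through 9.9p1 inclusive.
# 9.9p2 is the first portable release carrying the fix, so anything above (9, 9, 1) is clean.
VULN_MIN = (6, 8, 0)   # any portable patch level of 6.8
VULN_MAX = (9, 9, 1)

# "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10" -> version parts; trailing vendor text is ignored.
BANNER_RE = re.compile(r"^SSH-2\.0-OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_openssh_version(banner):
    """Return (major, minor, portable_patch) from an SSH identification string, or None."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None                      # not OpenSSH (e.g. dropbear) or malformed
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_vulnerable_banner(banner):
    """True when the advertised version lies inside the README's affected range."""
    v = parse_openssh_version(banner)
    return v is not None and VULN_MIN <= v <= VULN_MAX


def read_ssh_banner(host, port=22, timeout=5.0):
    """Read the server identification line (RFC 4253, section 4.2) without starting a key exchange."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as f:
            for _ in range(64):          # a server may send text lines before its "SSH-" line
                line = f.readline()
                if not line:
                    break
                if line.startswith(b"SSH-"):
                    return line.decode("ascii", "replace").strip()
    return None


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        banner = read_ssh_banner(target)
        verdict = "in affected range" if banner and is_vulnerable_banner(banner) else "ok"
        print(target, banner, verdict)
```

Like the template, this is a version heuristic: the bug lives in the ssh client and is only reachable with VerifyHostKeyDNS enabled, and distributions often backport the fix without changing the banner, so a match is a prompt to check the installed package's changelog rather than a confirmed finding.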

## How do I run this script?

1. Download Nuclei from [here](https://github.com/projectdiscovery/nuclei)
2. Copy the template to your local system
3. Run the following command: `nuclei -u https://yourHost.com -t template.yaml`

## References

- https://thehackernews.com/2025/02/new-openssh-flaws-enable-man-in-middle.html


## Disclaimer

Use at your own risk, I will not be responsible for illegal activities you conduct on infrastructure you do not own or have permission to scan.

## Contact

Feel free to reach out to me on [Signal](https://signal.me/#eu/0Qd68U1ivXNdWCF4hf70UYFo7tB0w-GQqFpYcyV6-yr4exn2SclB6bFeP7wTAxQw).
File Snapshot

```
[4.0K] /data/pocs/e75e9c7e985314549c0476a9341662eafb196a37
├── [2.2K] README.md
└── [1.6K] template.yaml

0 directories, 2 files
```