What is the CVSS score of CVE-2025-32728?

CVE-2025-32728 has a CVSS 3.1 base score of 4.3 (Medium). CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N. EPSS exploitation probability: 0.3%.

Which versions of SSH are affected by CVE-2025-32728?

Organizations using sshd in OpenSSH should be aware of moderate risk from CVE-2025-32728 rated CVSS 4.3. Exploitation could compromise the security of affected deployments.. A patch is available.

How to fix or mitigate CVE-2025-32728?

Within 30 days: Identify affected systems running sshd in OpenSSH and apply vendor patches as part of regular patch cycle. Vendor patch is available.

SSH CVE-2025-32728

MEDIUM

Expected Behavior Violation (CWE-440)

2025-04-10 cve@mitre.org

Information Disclosure SSH Red Hat Debian Linux Suse Openssh

4.3

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:36 vuln.today

Patch released

Mar 28, 2026 - 18:36 nvd

Patch available

CVE Published

Apr 10, 2025 - 02:15 nvd

MEDIUM 4.3

DescriptionNVD

In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding.

AnalysisAI

In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding. Rated medium severity (CVSS 4.3), this vulnerability is no authentication required, low attack complexity.

Technical ContextAI

This vulnerability is classified under CWE-440. In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding. Affected products include: Openbsd Openssh, Debian Debian Linux. Version information: before 10.0.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.