Skip to main content

libssh EUVDEUVD-2025-209270

| CVE-2025-14821 HIGH
Uncontrolled Search Path Element (CWE-427)
2026-04-07 redhat
High
Disputed · 7.0 NVD
Share

Severity by source

Sources disagree (Low–High)
NVD PRIMARY
7.0 HIGH
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Local unprivileged user writes C:\etc (AV:L/PR:L); success depends on another process consuming the planted config (AC:H); full SSH session compromise yields C:H/I:H/A:H.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Red Hat
7.8 LOW
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Analysis Updated
Jun 25, 2026 - 07:29 vuln.today
v4 (cvss_changed)
Analysis Updated
Jun 25, 2026 - 07:28 vuln.today
v3 (cvss_changed)
CVSS changed
Jun 25, 2026 - 07:22 NVD
7.8 (HIGH) 7.0 (HIGH)
Analysis Updated
Apr 25, 2026 - 00:27 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 25, 2026 - 00:22 vuln.today
cvss_changed
EUVD ID Assigned
Apr 07, 2026 - 17:00 euvd
EUVD-2025-209270
Analysis Generated
Apr 07, 2026 - 17:00 vuln.today
CVE Published
Apr 07, 2026 - 16:34 nvd
HIGH 7.8

DescriptionNVD

A flaw was found in libssh. This vulnerability allows local man-in-the-middle attacks, security downgrades of SSH (Secure Shell) connections, and manipulation of trusted host information, posing a significant risk to the confidentiality, integrity, and availability of SSH communications via an insecure default configuration on Windows systems where the library automatically loads configuration files from the C:\etc directory, which can be created and modified by unprivileged local users.

AnalysisAI

Local man-in-the-middle and SSH security downgrade in libssh on Windows stems from the library automatically loading configuration files from C:\etc, a directory that any unprivileged local user can create and populate. By planting a malicious config, an attacker can manipulate trusted host data and weaken SSH cryptographic negotiation, compromising the confidentiality, integrity, and availability of SSH sessions established by applications linking libssh. There is no public exploit identified at time of analysis, EPSS is negligible (0.01%), and it is not in CISA KEV.

Technical ContextAI

libssh is a multiplatform C library implementing the SSHv2 protocol used by numerous applications to act as SSH clients or servers. The root cause maps to CWE-427 (Uncontrolled Search Path Element): on Windows the library resolves and loads its system configuration from a fixed absolute path, C:\etc, instead of a location protected by administrative ACLs. On Windows the root of a drive is writable by standard users by default, so an unprivileged account can create C:\etc and drop a libssh config that the library will trust. Because that config can redefine known-hosts handling and the offered key-exchange, cipher, and MAC algorithms, it lets an attacker force algorithm downgrades and tamper with host-trust decisions for any process that subsequently uses libssh. Note the supplied CPEs enumerate Red Hat Enterprise Linux 6-10, OpenShift Container Platform 4, and Red Hat Hardened Images rather than Windows builds, reflecting that the affected component (the libssh package) is tracked through Red Hat's catalog even though the insecure default path is Windows-specific.

RemediationAI

Upgrade libssh to a fixed release: Vendor-released patch: libssh 0.12.0 or 0.11.4 (https://www.libssh.org/2026/02/10/libssh-0-12-0-and-0-11-4-security-releases/); Red Hat users should apply the distribution update via RHSA-2026:7067 (https://access.redhat.com/errata/RHSA-2026:7067) and consult https://access.redhat.com/security/cve/CVE-2025-14821. On Windows hosts that cannot be patched immediately, the targeted compensating control is to remove the search-path exposure: create C:\etc yourself and lock its ACLs so only Administrators and SYSTEM can write, preventing unprivileged users from planting a config, or otherwise restrict standard-user write access to the drive root; the trade-off is that legitimate per-system libssh configuration placed there must then be managed by an administrator. Where feasible, run libssh-based applications under accounts and on hosts where untrusted local users do not have interactive access, since exploitation requires a local foothold. Validate which platforms in your fleet actually load from C:\etc before relying on workarounds.

CVE-2026-4631 CRITICAL POC
9.8 Apr 07

Remote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h

CVE-2026-4480 CRITICAL POC
9.0 May 26

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft

CVE-2026-14544 CRITICAL
9.8 Jul 03

Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter

CVE-2026-28369 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel

CVE-2026-28368 CRITICAL
9.1 Mar 27

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls

CVE-2026-33845 CRITICAL
9.1 Apr 30

Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege

CVE-2026-28367 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator

CVE-2026-11610 HIGH
8.8 Jul 07

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD

CVE-2026-14474 HIGH
8.8 Jul 07

Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user

CVE-2026-52720 HIGH
8.8 Jun 15

Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co

CVE-2026-5674 HIGH
8.8 Jul 16

Sandbox escape in PipeWire's PulseAudio compatibility layer lets a low-privileged process inside a confined environment

CVE-2026-5260 HIGH
8.2 May 26

Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.2 Fixed
SUSE Linux Enterprise Micro 5.3 Fixed
SUSE Linux Enterprise Micro 5.4 Fixed

Share

EUVD-2025-209270 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy