EUVD-2025-209270

CVE-2025-14821 - HIGH
2026-04-07 redhat
CVSS 3.1 base score: 7.8

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

EUVD ID Assigned: Apr 07, 2026 - 17:00 (euvd) - EUVD-2025-209270
Analysis Generated: Apr 07, 2026 - 17:00 (vuln.today)
CVE Published: Apr 07, 2026 - 16:34 (nvd)

Description

A flaw was found in libssh. On Windows systems the library automatically loads configuration files from the C:\etc directory, which can be created and modified by unprivileged local users. This insecure default configuration allows local man-in-the-middle attacks, security downgrades of SSH (Secure Shell) connections, and manipulation of trusted host information, posing a significant risk to the confidentiality, integrity, and availability of SSH communications.

Analysis

Local privilege escalation in libssh on Windows systems allows authenticated users with low privileges to conduct man-in-the-middle attacks against SSH connections by creating malicious configuration files in C:\etc. The vulnerability stems from insecure default behavior: libssh automatically loads SSH configuration from a directory location that is writable by any local user. Red Hat Enterprise Linux 6-10, RHEL Hardened Images, and OpenShift Container Platform 4 are affected. No public exploit had been identified at the time of analysis; EPSS data is not available, but exploitation complexity is low (CVSS AC:L).

Technical Context

This vulnerability is an instance of CWE-427 (Uncontrolled Search Path Element) in libssh's configuration file loading mechanism on Windows platforms. The library automatically searches for and loads SSH configuration files from C:\etc, a directory that does not exist by default on Windows systems but can be created by any unprivileged user, because the C:\ root directory typically allows standard users to create new folders. An attacker with local access can pre-create C:\etc and populate it with malicious SSH configuration files (ssh_config, known_hosts, or similar) that libssh will trust and parse. This allows manipulation of host key verification, trusted host lists, proxy commands, and other SSH security parameters. The affected CPE strings indicate that this impacts multiple Red Hat products that bundle libssh, including RHEL 6 through 10, containerized environments (OpenShift Container Platform 4), and hardened images.

Affected Products

Red Hat Enterprise Linux versions 6, 7, 8, 9, and 10 are affected (cpe:2.3:a:red_hat:red_hat_enterprise_linux). Red Hat Hardened Images 1 (cpe:2.3:a:red_hat:red_hat_hardened_images_1) and Red Hat OpenShift Container Platform 4 (cpe:2.3:a:red_hat:red_hat_openshift_container_platform_4) are also impacted. The vulnerability specifically affects Windows deployments of these products where libssh is used for SSH client functionality. Because the issue is rooted in the libssh library itself, any application on Windows that depends on libssh for SSH connections may be vulnerable. The vendor advisory is available at https://access.redhat.com/security/cve/CVE-2025-14821 and upstream security release information at https://www.libssh.org/2026/02/10/libssh-0-12-0-and-0-11-4-security-releases/.

Remediation

Vendor-released patches are available: upgrade to libssh version 0.11.4 or 0.12.0 or later, as announced in the upstream security advisory at https://www.libssh.org/2026/02/10/libssh-0-12-0-and-0-11-4-security-releases/. Red Hat customers should apply updates through their standard patch management processes and monitor https://access.redhat.com/security/cve/CVE-2025-14821 for product-specific errata. As a temporary workaround on Windows systems, administrators can create C:\etc with restrictive permissions (accessible only to SYSTEM and Administrators) so that unprivileged users cannot place malicious configuration files there; this does not address the underlying insecure default, and upgrading remains the definitive fix. Organizations should audit Windows systems running libssh-dependent applications and prioritize patching systems where untrusted local users have access.
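The workaround described above (pre-creating C:\etc restricted to SYSTEM and Administrators) and the audit it implies (checking whether the directory already exists, who owns it, who can write to it, and what files it already holds) as an added PowerShell example. This is not code from the advisory, from Red Hat or from the libssh project; it assumes an elevated session on the Windows host, and the function names Get-EtcFindings and Set-RestrictedEtc, along with the $TrustedSids and $WriteMask variables, are the example's own.

```powershell
# Added example for the C:\etc workaround in this advisory (not vendor or libssh code).
# Run from an elevated PowerShell session on the Windows host being hardened.

$EtcPath = 'C:\etc'   # directory libssh loads configuration from, per the advisory

# Principals the workaround allows: SYSTEM and BUILTIN\Administrators (well-known SIDs)
$TrustedSids = @('S-1-5-18', 'S-1-5-32-544')

# Any of these rights on the directory lets a principal add, alter or replace files in it.
# Modify and FullControl both include Write, so -band against this mask catches them too.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

# Audit: report conditions under which an unprivileged local user controls C:\etc or its contents.
function Get-EtcFindings {
    param([string]$Path = $EtcPath)
    $findings = @()
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        $findings += "$Path does not exist; any local user could create it (the condition the advisory describes)."
        return $findings
    }
    $acl = Get-Acl -LiteralPath $Path
    $ownerSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
    if ($TrustedSids -notcontains $ownerSid) {
        $findings += "Owner of $Path is $($acl.Owner), not SYSTEM or Administrators."
    }
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ([int]($rule.FileSystemRights -band $WriteMask) -eq 0) { continue }
        try   { $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $rule.IdentityReference.Value }   # unresolvable or already a SID
        if ($TrustedSids -notcontains $sid) {
            $findings += "Write access on $Path is granted to $($rule.IdentityReference) ($($rule.FileSystemRights))."
        }
    }
    # Files already present deserve review: the advisory names ssh_config and known_hosts as examples.
    foreach ($f in Get-ChildItem -LiteralPath $Path -File -Force -ErrorAction SilentlyContinue) {
        $fileOwner = (Get-Acl -LiteralPath $f.FullName).Owner
        $findings += "Existing file $($f.FullName) (owner: $fileOwner, modified: $($f.LastWriteTime))."
    }
    return $findings
}

# Workaround: create C:\etc (if absent) and replace its ACL with SYSTEM/Administrators only.
function Set-RestrictedEtc {
    param([string]$Path = $EtcPath)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        $null = New-Item -ItemType Directory -Path $Path
    }
    $acl = Get-Acl -LiteralPath $Path
    # Stop inheriting the permissive C:\ ACL and do not copy the inherited entries down.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) {
        if (-not $rule.IsInherited) { $null = $acl.RemoveAccessRule($rule) }
    }
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    foreach ($sid in $TrustedSids) {
        $id   = [System.Security.Principal.SecurityIdentifier]::new($sid)
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new($id, 'FullControl', $inherit, 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    # Give ownership to Administrators so a prior unprivileged creator cannot re-grant itself access.
    $acl.SetOwner([System.Security.Principal.SecurityIdentifier]::new('S-1-5-32-544'))
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Usage: review the findings first (an already-existing C:\etc with unexpected files is an
# incident-response question, not just a hardening task), then apply the workaround and re-check.
Get-EtcFindings | ForEach-Object { Write-Warning $_ }
Set-RestrictedEtc
Get-EtcFindings
```

Breaking inheritance with SetAccessRuleProtection($true, $false) is the important step: simply creating the folder inherits the C:\ ACL, which is what lets standard users create and modify files there in the first place. The audit output also belongs in the patch-prioritization pass the advisory recommends; hosts where C:\etc already exists and is owned by a non-administrative account should be treated as potentially tampered with until the files there have been reviewed.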

Priority Score

Priority Score: 39 (scale: Low / Medium / High / Critical)
Components: KEV: 0, EPSS: +0.0, CVSS: +39, POC: 0


EUVD-2025-209270 vulnerability details – vuln.today
