Qualys TRU Discovers Two Vulnerabilities in OpenSSH: CVE-2025-26465 & CVE-2025-26466
ID: 91af6481-f16c-5bce-9d55-ab29182bb90a
STIX ID: report--91af6481-f16c-5bce-9d55-ab29182bb90a
Feed Name: Qualys Blog
Qualys TRU disclosed two OpenSSH vulnerabilities. CVE-2025-26465 enables a client-side MITM when VerifyHostKeyDNS is enabled and affects OpenSSH versions 6.8p1 through 9.9p1. CVE-2025-26466 enables a pre-authentication DoS against both client and server and affects OpenSSH versions 9.5p1 through 9.9p1. Qualys recommends upgrading to OpenSSH 9.9p2 and provides QIDs, detection and mitigation guidance, and asset discovery queries for remediation.
