Description
A flaw was found in libssh. This vulnerability allows local man-in-the-middle attacks, security downgrades of SSH (Secure Shell) connections, and manipulation of trusted host information, posing a significant risk to the confidentiality, integrity, and availability of SSH communications via an insecure default configuration on Windows systems where the library automatically loads configuration files from the C:\etc directory, which can be created and modified by unprivileged local users.
Published: 2026-04-07
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Man‑in‑the‑Middle via insecure libssh configuration on Windows
Action: Patch
AI Analysis

Impact

A flaw in the libssh library allows an attacker on a Windows system to perform local man‑in‑the‑middle attacks, downgrade SSH encryption, and manipulate trusted host information. The vulnerability arises from an insecure default configuration that automatically loads configuration files from the C:\etc directory, a location that can be created and modified by unprivileged local users. Because the attacker can control these configuration files, they can impersonate a remote host, capture credentials, or inject arbitrary commands, threatening confidentiality, integrity, and availability of SSH communications.

Affected Systems

Red Hat Enterprise Linux 10, 6, 7, 8, and 9, as well as Red Hat Hardened Images and Red Hat OpenShift Container Platform 4, contain the vulnerable libssh library. The flaw becomes relevant whenever an installed instance of libssh runs on a Windows operating system that allows local users to create or modify the C:\etc directory, thus exposing the software to the described risk.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, yet the EPSS score is less than 1% and the vulnerability is not listed in CISA’s KEV catalog, suggesting exploitation attempts are currently rare. The likely attack vector is local: an adversary with access to a Windows machine can create or alter files in C:\etc so that libssh loads attacker‑controlled configuration. Because the flaw requires local file‑system tampering, a purely remote attacker cannot exploit it without additional privileges. Nevertheless, once the configuration files are subverted, the attacker can perform a full‑blown man‑in‑the‑middle, compromising data in transit and potentially enabling further attacks from the compromised host.

Generated by OpenCVE AI on April 27, 2026 at 19:58 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

OpenCVE Recommended Actions

  • Update libssh to the latest security release (0.12.0 or later) provided by Red Hat or the upstream project so that the insecure default behavior is removed.
  • Modify the libssh installation so that configuration files are only loaded from trusted directories, adding input validation to prevent use of attacker‑controlled paths as described by CWE‑427.
  • Enforce strict host‑key checking in SSH client configurations and avoid relying on automatically loaded host key data to prevent acceptance of tampered host keys.
  • Check the Red Hat vendor website or errata service for any additional patches or advisories related to this issue.

Generated by OpenCVE AI on April 27, 2026 at 19:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat hardened Images
CPEs cpe:2.3:a:libssh:libssh:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:hardened_images:-:*:*:*:*:*:*:*
Vendors & Products Redhat hardened Images

Fri, 24 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
References

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Title libssh: libssh: Insecure default configuration leads to local man-in-the-middle attacks on Windows Libssh: libssh: insecure default configuration leads to local man-in-the-middle attacks on windows
First Time appeared Redhat
Redhat enterprise Linux
Redhat hummingbird
Redhat openshift
CPEs cpe:/a:redhat:hummingbird:1
cpe:/a:redhat:openshift:4
cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:6
cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux
Redhat hummingbird
Redhat openshift
References

Thu, 12 Feb 2026 11:30:00 +0000

Type Values Removed Values Added
First Time appeared Libssh
Libssh libssh
Vendors & Products Libssh
Libssh libssh

Wed, 11 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
Description A flaw was found in libssh. This vulnerability allows local man-in-the-middle attacks, security downgrades of SSH (Secure Shell) connections, and manipulation of trusted host information, posing a significant risk to the confidentiality, integrity, and availability of SSH communications via an insecure default configuration on Windows systems where the library automatically loads configuration files from the C:\etc directory, which can be created and modified by unprivileged local users.
Title libssh: libssh: Insecure default configuration leads to local man-in-the-middle attacks on Windows
Weaknesses CWE-427
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Low

Subscriptions

Libssh Libssh
Redhat Enterprise Linux Hardened Images Hummingbird Openshift
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-28T20:27:10.104Z

Reserved: 2025-12-17T11:45:32.329Z

Link: CVE-2025-14821

cve-icon Vulnrichment

Updated: 2026-04-07T17:46:34.612Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-04-07T17:16:25.433

Modified: 2026-04-28T20:16:20.547

Link: CVE-2025-14821

cve-icon Redhat

Severity : Low

Publid Date: 2026-02-10T18:51:56Z

Links: CVE-2025-14821 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T20:00:05Z

Weaknesses