CVE-2025-14821
Local MitM and Security Downgrade in libssh on Windows
Publication date: 2026-04-07
Last updated on: 2026-04-29
Assigner: Red Hat, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | hardened_images | * |
| libssh | libssh | to 0.12.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-427 | The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-14821 is a vulnerability in the libssh library on Windows systems caused by an insecure default configuration. Libssh automatically loads configuration files from the C:\etc directory, which can be created and modified by unprivileged local users. This allows an attacker with low privileges to inject malicious SSH configuration files or known-hosts entries.
This injection enables local man-in-the-middle (MITM) attacks, security downgrades of SSH connections, and manipulation of trusted host information without requiring any user interaction.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability poses a significant risk to the confidentiality, integrity, and availability of SSH communications by allowing local man-in-the-middle attacks, security downgrades, and manipulation of trusted host information. Such risks can lead to unauthorized access or data breaches.
Because standards like GDPR and HIPAA require protection of sensitive data and secure communication channels, exploitation of this vulnerability could result in non-compliance due to potential exposure or compromise of protected information.
How can this vulnerability impact me? :
This vulnerability poses a significant risk to the confidentiality, integrity, and availability of SSH communications that rely on libssh on affected Windows systems.
- An attacker with low privileges can perform local man-in-the-middle attacks.
- Security downgrades of SSH connections can occur, weakening the protection of data in transit.
- Manipulation of trusted host information can lead to unauthorized access or interception.
Exploitation requires no user interaction, increasing the risk of unnoticed compromise.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises from libssh automatically loading configuration files from the C:\etc directory on Windows systems. Detection involves checking if this directory exists and whether it contains unexpected or untrusted SSH configuration files or known-hosts entries that could be manipulated by unprivileged users.
- Check if the C:\etc directory exists: Open a command prompt and run: dir C:\etc
- Inspect the contents of C:\etc for suspicious or unexpected SSH configuration files, such as known_hosts or ssh_config.
- Verify file ownership and permissions to detect if unprivileged users can modify these files.
- Monitor SSH connections for unusual behavior or security downgrades that could indicate man-in-the-middle attacks.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include preventing unprivileged users from creating or modifying files in the C:\etc directory, as this is the root cause of the vulnerability.
- Remove or restrict access to the C:\etc directory to ensure only trusted administrators can modify its contents.
- Apply any patches or updates provided by libssh or your software vendor that address this insecure default configuration.
- Audit and monitor SSH configurations and connections for signs of tampering or man-in-the-middle attacks.