#VU114093 Incorrect calculation in libssh - CVE-2025-5372

Cybersecurity Help s.r.o.

Published: 2025-08-14

Vulnerability identifier: #VU114093

Vulnerability risk: Low

CVSSv4.0: 0.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L/E:U/U:Clear]

CVE-ID: CVE-2025-5372

CWE-ID: CWE-682

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
libssh
Universal components / Libraries / Libraries used by multiple products

Vendor: libssh

Description

The vulnerability allows a remote user to perform MitM attack.

The vulnerability exist due to incorrect calculation within the ssh_kdf() function responsible for key derivation when built with OpenSSL versions older than 3.0. A remote user can compromise the integrity of the SSH session.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

libssh: All versions

External links
https://access.redhat.com/security/cve/CVE-2025-5372
https://bugzilla.redhat.com/show_bug.cgi?id=2369388

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Ubuntu update for libssh

openEuler 24.03 LTS update for libssh

openEuler 24.03 LTS SP1 update for libssh

Fedora 41 update for libssh

Anolis OS update for libssh

RSA Authentication Manager update for third-party components

Incorrect calculation in libssh