CVE-2025-14821 HIGH

CVE-2025-14821: Libssh: libssh: insecure default configuration leads to local man-in-the-middle attacks on windows

Vendor Red Hat
Product Red Hat Enterprise Linux 10
Weakness CWE-427
Published April 7, 2026
Last update June 30, 2026

CVSS base score

7.8/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

A flaw was found in libssh. This vulnerability allows local man-in-the-middle attacks, security downgrades of SSH (Secure Shell) connections, and manipulation of trusted host information, posing a significant risk to the confidentiality, integrity, and availability of SSH communications via an insecure default configuration on Windows systems where the library automatically loads configuration files from the C:\etc directory, which can be created and modified by unprivileged local users.

Key dates

02Disclosure timeline

April 7, 2026 CVE published
June 30, 2026 Record updated