CVE-2025-11625 – An improper host authentication vulnerability i... (How to Fix)

Q: What is the severity of CVE-2025-11625?

CVE-2025-11625 has a CVSS score of 9.8 (CRITICAL). An improper host authentication vulnerability in wolfSSH clients up to version 1.4.20 allows attackers to bypass authentication and potentially leak client credentials. This affects any system using vulnerable wolfSSH client implementations for SSH connections. The vulnerability enables man-in-the-middle attacks against SSH sessions.

📋 TL;DR

An improper host authentication vulnerability in wolfSSH clients up to version 1.4.20 allows attackers to bypass authentication and potentially leak client credentials. This affects any system using vulnerable wolfSSH client implementations for SSH connections. The vulnerability enables man-in-the-middle attacks against SSH sessions.

💻 Affected Systems

Products:

wolfSSH client

Versions: 1.4.20 and earlier

Operating Systems: All platforms running wolfSSH client

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects wolfSSH client implementations, not server implementations. Applications using wolfSSH library for SSH client functionality are vulnerable.

📦 What is this software?

Wolfssh by Wolfssh

View all CVEs affecting Wolfssh →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of SSH sessions allowing credential theft, data interception, and unauthorized access to systems the client connects to.

🟠

Likely Case

Credential theft and session hijacking when clients connect through untrusted networks or to malicious servers.

🟢

If Mitigated

Limited impact if connections only occur within trusted networks with proper certificate validation.

🌐 Internet-Facing: HIGH - Clients connecting to internet-facing SSH servers are vulnerable to man-in-the-middle attacks.

🏢 Internal Only: MEDIUM - Internal network attacks still possible if attackers gain network access.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires man-in-the-middle position or ability to redirect client connections. The vulnerability is in host key verification logic.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.21 or later

Vendor Advisory: https://github.com/wolfSSL/wolfssh/pull/840

Restart Required: Yes

Instructions:

1. Update wolfSSH to version 1.4.21 or later. 2. Recompile any applications using wolfSSH library. 3. Restart affected applications/services.

🔧 Temporary Workarounds

Disable vulnerable SSH connections

all

Temporarily disable SSH client functionality using wolfSSH until patched

Use alternative SSH client

all

Replace wolfSSH client with OpenSSH or other validated SSH implementations

🧯 If You Can't Patch

Restrict SSH connections to trusted networks only
Implement certificate pinning or strict host key checking if supported

🔍 How to Verify

Check if Vulnerable:

Check wolfSSH version: wolfssh-config --version or examine library version in application

Check Version:

wolfssh-config --version

Verify Fix Applied:

Verify version is 1.4.21 or later and test SSH connections with invalid host keys (should fail)

📡 Detection & Monitoring

Log Indicators:

Failed host key verification attempts
Unexpected SSH connection successes

Network Indicators:

SSH connections to unexpected hosts
Man-in-the-middle attack patterns

SIEM Query:

source="ssh" AND (event="connection_success" OR event="auth_bypass")

📊 Metadata

CVE ID: CVE-2025-11625

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-287

EPSS Score: 0.09% exploit probability (26.2th percentile)

Published: October 21, 2025

Last Updated: December 4, 2025

🔗 References

https://github.com/wolfSSL/wolfssh/pull/840 Issue Tracking

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-11625, you might also want to check these: