CVE-2025-30095
📋 TL;DR
This vulnerability allows attackers to conduct man-in-the-middle attacks against SSH connections using Dropbear, as affected systems share identical private host keys across installations. It impacts VyOS 1.3 through 1.5 (fixed in 1.4.2) and potentially any Debian-based Linux distribution using Dropbear with live-build. The console service in VyOS uses Dropbear by default, while the system SSH daemon does not.
💻 Affected Systems
- VyOS
- Debian-based Linux distributions
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers intercept and decrypt SSH traffic, potentially gaining unauthorized access to systems, stealing credentials, and compromising sensitive data.
Likely Case
Targeted attacks against organizations using vulnerable configurations, leading to credential theft and unauthorized access to network devices.
If Mitigated
Limited impact if proper key management is implemented or if Dropbear is not used for critical SSH services.
🎯 Exploit Status
Exploitation requires network access to intercept SSH traffic; attackers need to position themselves as man-in-the-middle.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: VyOS 1.4.2 or latest versions of 1.4/1.5
Vendor Advisory: https://blog.vyos.io/vyos-project-march-2025-update
Restart Required: Yes
Instructions:
Update to VyOS 1.4.2 or latest versions of 1.4/1.5. For Debian-based systems, update dropbear and live-build packages to versions with fixes.
🔧 Temporary Workarounds
Regenerate Dropbear Host Keys
Remove the existing shared keys and generate new, unique RSA host keys for Dropbear, then restart the service. The glob below also removes any ECDSA or Ed25519 host keys; if the system used those types, regenerate them the same way with the matching -t value.

```bash
# Remove the shared keys for both the running system and the initramfs
rm -f /etc/dropbear/*key*
rm -f /etc/dropbear-initramfs/*key*
# Generate a fresh RSA host key at Dropbear's default key path
dropbearkey -t rsa -s 4096 -f /etc/dropbear/dropbear_rsa_host_key
```
🧯 If You Can't Patch
- Disable Dropbear SSH daemon and use OpenSSH instead if possible.
- Implement network segmentation and monitoring to detect man-in-the-middle attacks.
🔍 How to Verify
Check if Vulnerable:
Check if Dropbear is enabled and compare host keys across systems; identical keys indicate vulnerability.
Check Version:
vyos-version (for VyOS) or dpkg -l | grep -E "(dropbear|live-build)" (for Debian-based systems)
Verify Fix Applied:
Verify that new, unique host keys exist in /etc/dropbear/ and /etc/dropbear-initramfs/, and confirm the system is updated to a patched version.
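The "compare host keys across systems" check above, as an added example that is not part of this advisory or of VyOS: it reads ssh-keyscan-style lines (a constructed sample is embedded in place of real scan output), computes OpenSSH-style SHA256 fingerprints, and reports any key that appears on more than one host.

```python
import base64
import hashlib
from collections import defaultdict

def _fake_blob(tag: bytes) -> str:
    # Constructed stand-in for a public-key blob: an SSH string "ssh-rsa"
    # followed by tag bytes. Real blobs come from ssh-keyscan output.
    return base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + tag).decode()

# Constructed sample in ssh-keyscan output format: "host keytype base64blob".
# r1 and r2 carry the same blob, the condition the advisory describes.
SAMPLE_SCAN = "\n".join([
    "# r1.example.net:22 SSH-2.0-dropbear",          # ssh-keyscan comment line
    f"r1.example.net ssh-rsa {_fake_blob(b'shared')}",
    f"r2.example.net ssh-rsa {_fake_blob(b'shared')}",
    f"r3.example.net ssh-rsa {_fake_blob(b'unique')}",
    "",
])

def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the raw key, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_scan(text: str):
    """Yield (host, keytype, blob) from ssh-keyscan lines; skip comments/junk."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        yield fields[0], fields[1], fields[2]

def find_shared_keys(text: str) -> dict:
    """Map each fingerprint seen on more than one host to its sorted host list."""
    seen = defaultdict(set)
    for host, keytype, blob in parse_scan(text):
        seen[(keytype, fingerprint(blob))].add(host)
    return {f"{kt} {fp}": sorted(hosts) for (kt, fp), hosts in seen.items()
            if len(hosts) > 1}

if __name__ == "__main__":
    for key, hosts in find_shared_keys(SAMPLE_SCAN).items():
        print(f"SHARED {key}: {', '.join(hosts)}")
```

To run it against real devices, feed it the concatenated output of ssh-keyscan for each host; any line printed as SHARED identifies devices that still carry an identical host key.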
📡 Detection & Monitoring
Log Indicators:
- Unexpected SSH connection failures or warnings about host key mismatches in logs.
Network Indicators:
- Anomalous network traffic patterns indicative of man-in-the-middle attacks on SSH ports.
SIEM Query:
Example: search for events where SSH host key changes or mismatches are logged across multiple systems.