CVE-2025-32728

4.3 MEDIUM

📋 TL;DR

In sshd in OpenSSH releases before 10.0, the DisableForwarding directive does not disable X11 and agent forwarding as documented. A server whose administrator relied on DisableForwarding yes alone therefore still honours X11 and agent forwarding requests from authenticated users; the CVE concerns only those two forwarding types.

💻 Affected Systems

Products:
  • OpenSSH
Versions: 7.4 (the release that introduced DisableForwarding) up to and including 9.9; fixed in 10.0. Distribution packages may ship the fix under an older version number.
Operating Systems: All operating systems running OpenSSH
Default Config Vulnerable: ✅ No
Notes: Only affects servers whose sshd_config sets DisableForwarding yes, globally or inside a Match block, without also setting X11Forwarding no and AllowAgentForwarding no.

📦 What is this software?

OpenSSH is the open-source implementation of the SSH protocol maintained by the OpenBSD project and shipped as the default SSH server and client on essentially every Linux and BSD distribution and on macOS. Its server, sshd, provides remote login and, optionally, X11, agent, TCP, tunnel and Unix-domain socket forwarding; DisableForwarding is the single sshd_config switch documented to turn all of these off at once.

⚠️ Risk & Real-World Impact

🔴

Worst Case

A user who can log in but was meant to be barred from all forwarding (on a jump host, or a restricted account in a Match block) can still forward an SSH agent into the server and use its keys from there to reach further hosts, or open an X11 channel the restriction was supposed to prevent. The forwarded agent socket on the server is also reachable by anyone with root there, which is exactly the exposure the directive is often used to avoid.

🟠

Likely Case

Limited: exploitation needs an authenticated SSH login, and the server has to be relying on DisableForwarding yes by itself. The outcome is that a restricted user regains X11 and agent forwarding, not a direct compromise of the server.

🟢

If Mitigated

Minimal once X11Forwarding no and AllowAgentForwarding no are set explicitly, or where users restricted by DisableForwarding have no shell (ForceCommand, restricted shells) and cannot reach anything useful through a forwarded agent anyway; the flaw touches nothing but forwarding.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation needs nothing beyond an account that can log in and a client that asks for forwarding (ssh -A or ssh -X); the user does not need to know how the server is configured.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: OpenSSH 10.0

Vendor Advisory: https://www.openssh.com/txt/release-10.0

Restart Required: Yes

Instructions:

1. Upgrade OpenSSH to 10.0 or later, or to a distribution package whose changelog lists the fix.
2. Check the configuration with sshd -t and restart sshd.
3. Verify: log in as a restricted user with ssh -A -X and confirm that SSH_AUTH_SOCK and DISPLAY are unset on the server.

🔧 Temporary Workarounds

Disable forwarding explicitly

linux

Keep DisableForwarding yes in place (the CVE concerns only its X11 and agent-forwarding effect) and add explicit X11Forwarding no and AllowAgentForwarding no, in the global section and in every Match block that sets DisableForwarding. sshd uses the first value it sees for each keyword, so appending to the end of sshd_config does nothing if the keyword already appears earlier, and anything appended after a Match block becomes part of that block. A drop-in file picked up by the Include line that most distributions put at the top of sshd_config (OpenSSH 8.2 and later) avoids both problems; otherwise edit the existing lines in place.

# Drop-in for the 'Include /etc/ssh/sshd_config.d/*.conf' line at the top of sshd_config (file name is an example)
printf 'X11Forwarding no\nAllowAgentForwarding no\n' > /etc/ssh/sshd_config.d/10-cve-2025-32728.conf
sshd -t && systemctl restart sshd
sshd -T | grep -E '^(disableforwarding|x11forwarding|allowagentforwarding) '   # confirm the effective values

🧯 If You Can't Patch

  • Keep DisableForwarding yes and additionally set X11Forwarding no and AllowAgentForwarding no in the same scope (globally and in each Match block that uses the directive); removing DisableForwarding would also drop its TCP, tunnel and Unix-domain socket restrictions unless you set those individually too
  • Treat none of these as a hard boundary for a user with a shell: sshd_config(5) notes that disabling agent or X11 forwarding does not improve security unless users are also denied shell access, because they can always install their own forwarders. Pair it with ForceCommand or a restricted shell, and with egress filtering on the host, where forwarding must genuinely be prevented

🔍 How to Verify

Check if Vulnerable:

Run ssh -V (or sshd -V) and check whether the version is 7.4 through 9.9, then dump the effective configuration with sshd -T (as root; add -C user=...,addr=... to evaluate the Match blocks a given user hits) and look for disableforwarding yes next to x11forwarding yes or allowagentforwarding yes. A distribution package may carry the fix under an older version number, so confirm against its changelog.

Check Version:

sshd -V 2>&1 | grep -o 'OpenSSH_[^, ]*'

Verify Fix Applied:

Confirm the version is 10.0 or later (or the package changelog lists the fix), then log in as a user restricted by DisableForwarding, from a client with an agent loaded and a DISPLAY set, using ssh -A -X; on the server, SSH_AUTH_SOCK and DISPLAY must both be unset and ssh-add -l must report no agent.
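The checks above, as an added example that is not part of the original page or of OpenSSH itself: a POSIX shell script that applies the version window and the effective-configuration test to the text a host produces (the banner from ssh -V / sshd -V and the lower-cased keyword lines from sshd -T), plus a client-side probe for the post-fix test. The function names, the constructed sample banner and configuration, and the placeholder client spec passed to -C (client.example, 192.0.2.1) are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the page or from the OpenSSH project. It applies the two checks
# for CVE-2025-32728 to text a host produces: the banner from `ssh -V` / `sshd -V`
# ("OpenSSH_9.9p2, OpenSSL ...") and the lower-cased "keyword value" lines from `sshd -T`.
# The function names, the constructed samples below and the placeholder client spec passed
# to -C are this example's own assumptions.

# Constructed samples (not captured from a real host) so the script can be exercised offline.
SAMPLE_BANNER='OpenSSH_9.9p2, OpenSSL 3.0.13 30 Jan 2024'
SAMPLE_CFG='port 22
disableforwarding yes
x11forwarding yes
allowagentforwarding yes
allowtcpforwarding yes'

# Exit 0 when the version lies in the affected window: DisableForwarding exists since 7.4 and
# the fix shipped in 10.0; 1 when fixed or too old to know the directive; 2 when the banner is
# unrecognizable. Distributions may backport the fix under an older number, so read "affected"
# as "check the package changelog".
version_affected() {
    mm=$(printf '%s\n' "$1" |
         sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p' | head -n 1)
    [ -n "$mm" ] || return 2
    major=${mm% *}; minor=${mm#* }
    [ "$major" -lt 10 ] || return 1
    if [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -ge 4 ]; }; then
        return 0
    fi
    return 1
}

# First value of one keyword in sshd -T output (sshd prints each keyword once, lower-cased).
cfg_value() { printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'; }

# "n/a": DisableForwarding is off, so the bug cannot bite. "covered": X11Forwarding and
# AllowAgentForwarding are also explicitly off, i.e. the workaround is in place. "exposed":
# the server leans on DisableForwarding alone for one or both of them.
config_exposure() {
    [ "$(cfg_value "$1" disableforwarding)" = yes ] || { echo n/a; return 0; }
    if [ "$(cfg_value "$1" x11forwarding)" = no ] &&
       [ "$(cfg_value "$1" allowagentforwarding)" = no ]; then
        echo covered
    else
        echo exposed
    fi
}

# Vulnerable only when both hold: an affected release AND a config that relies on the directive.
assess() {
    if version_affected "$1" && [ "$(config_exposure "$2")" = exposed ]; then
        echo vulnerable
    else
        echo not-vulnerable
    fi
}

# Post-fix check from a client that has an agent loaded and a DISPLAY set, so that both
# requests are really made. A correctly restricted login prints "agent=none display=none".
probe_forwarding() {
    ssh -A -X "$1" 'printf "agent=%s display=%s\n" "${SSH_AUTH_SOCK:-none}" "${DISPLAY:-none}"'
}

# Usage:  sh check.sh demo            (runs on the samples above)
#         sh check.sh <user> [ip]     (as root: sshd -T must read the host keys; -C makes it
#                                      apply the Match blocks that user/address would hit)
case "${1:-}" in
    '') ;;
    demo) printf 'config: %s\nresult: %s\n' "$(config_exposure "$SAMPLE_CFG")" \
                 "$(assess "$SAMPLE_BANNER" "$SAMPLE_CFG")" ;;
    *) banner=$(sshd -V 2>&1)
       cfg=$(sshd -T -C "user=$1,host=client.example,addr=${2:-192.0.2.1}")
       printf 'config: %s\nresult: %s\n' "$(config_exposure "$cfg")" "$(assess "$banner" "$cfg")" ;;
esac
```

Without arguments the script only defines the functions, so it can be sourced from a larger audit. The version parser takes the first line that starts with OpenSSH_, which also copes with older sshd builds that print usage text around the version string when given -V.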

📡 Detection & Monitoring

Log Indicators:

  • Evidence of X11 or agent forwarding in sessions that DisableForwarding should have restricted. At the default LogLevel INFO sshd does not log these channel requests, so the evidence is on the host (sshd listening on localhost ports 6010 and up, agent sockets under /tmp/ssh-*/) unless LogLevel is raised to DEBUG

Network Indicators:

  • The forwarded channels ride inside the encrypted SSH session and are invisible on the wire; what can be observed is their side effect, such as outbound SSH connections from a jump host whose users should not hold a forwarded agent there

SIEM Query:

source="sshd" AND ("X11 forwarding" OR "agent forwarding")

sshd's default LogLevel INFO does not record forwarding channel requests at all, so this query matches nothing unless LogLevel is raised to DEBUG, and even then the exact message text depends on the release; the host-side indicators above are the more reliable signal.
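Host-side detection, as an added example that is not the page's own query or OpenSSH code: a POSIX shell script that pulls the two artifacts a forwarded session leaves on the server (an sshd-owned listener on an X11 display port, and an agent socket under /tmp/ssh-*/) out of ss -Hltnp output and the filesystem. It assumes iproute2 ss, the default X11DisplayOffset 10 and X11MaxDisplays 1000, and the default agent socket location; the function names and the sample ss lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not the page's own query or OpenSSH code. It surfaces the two artifacts a
# forwarded session leaves on the server: an sshd-owned listener on an X11 display port and an
# agent socket under /tmp/ssh-*/. Assumes iproute2 `ss`, the defaults X11DisplayOffset 10 and
# X11MaxDisplays 1000 (ports 6010-7009) and sshd's default agent socket path. The function names
# and the sample ss lines below are this example's own.

# Constructed sample of `ss -Hltnp` output (not captured from a real host) for offline use.
SAMPLE_SS='LISTEN 0 128 127.0.0.1:6010 0.0.0.0:* users:(("sshd",pid=4321,fd=9))
LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=800,fd=7))
LISTEN 0 128 [::1]:6011 [::]:* users:(("sshd-session",pid=4400,fd=9))
LISTEN 0 4096 0.0.0.0:6000 0.0.0.0:* users:(("Xorg",pid=900,fd=3))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=700,fd=3))'

# Keep only listeners owned by sshd (or sshd-session, the per-connection process since 9.8) on
# an X11 display port; print "<pid> <local address:port>" per hit. Forwarded displays bind to
# 127.0.0.1 / [::1] unless X11UseLocalhost is off. Reads `ss -Hltnp` lines from stdin.
sshd_x11_listeners() {
    awk '
        $NF ~ /"sshd(-session)?"/ {
            n = split($4, a, ":"); port = a[n] + 0   # last ":"-separated field, so [::1]:6011 works too
            if (port >= 6010 && port <= 7009) {
                match($NF, /pid=[0-9]+/)
                print substr($NF, RSTART + 4, RLENGTH - 4), $4
            }
        }'
}

# Forwarded agents: sshd creates /tmp/ssh-<random>/agent.<pid> per session. A socket here
# means a user forwarded an agent, and that root on this host can use that user's keys.
forwarded_agent_sockets() {
    find "${1:-/tmp}" -maxdepth 2 -type s -path '*/ssh-*/agent.*' 2>/dev/null
}

# Attribute each X11 listener to the logged-in user that owns the sshd process.
report_x11() {
    ss -Hltnp | sshd_x11_listeners | while read -r pid addr; do
        printf '%s %s %s\n' "$(ps -o user= -p "$pid")" "$pid" "$addr"
    done
}

# Usage:  sh detect.sh demo   (filter the sample lines)      sh detect.sh run   (as root)
case "${1:-}" in
    '') ;;
    demo) printf '%s\n' "$SAMPLE_SS" | sshd_x11_listeners ;;
    run)  echo 'sshd X11 listeners (user pid address):'; report_x11
          echo 'forwarded agent sockets:'; forwarded_agent_sockets ;;
esac
```

Run it as root: ss only reports the owning process of other users' sockets to root, and the agent directories under /tmp are mode 0700. A hit from either function on a server that relies on DisableForwarding yes is direct evidence that the directive is not being honoured for that session.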

🔗 References

  • OpenSSH 10.0 release notes: https://www.openssh.com/txt/release-10.0
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-32728
