CVE-2025-5372

5.0 MEDIUM

📋 TL;DR

A vulnerability in libssh versions built with OpenSSL <3.0 causes the ssh_kdf() function to incorrectly report successful key derivation when it actually fails. This leads to uninitialized cryptographic keys being used in SSH sessions, potentially allowing attackers to compromise session confidentiality, integrity, and availability. Affected systems include those running vulnerable libssh versions compiled with older OpenSSL libraries.

💻 Affected Systems

Products:
  • libssh
Versions: libssh versions built with OpenSSL versions older than 3.0
Operating Systems: Linux distributions using affected libssh packages; any OS with a vulnerable libssh build
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects libssh compiled with OpenSSL <3.0. Systems using other cryptographic backends or OpenSSL 3.0+ are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full compromise of SSH session security allowing man-in-the-middle attacks, session hijacking, and decryption of sensitive data transmitted over SSH.

🟠 Likely Case

Degraded cryptographic protection leading to potential information disclosure or session manipulation in targeted attacks.

🟢 If Mitigated

Limited impact due to network segmentation, proper key management, and monitoring of SSH sessions.

🌐 Internet-Facing: MEDIUM - SSH servers exposed to internet could be targeted, but exploitation requires specific conditions and timing.
🏢 Internal Only: LOW - Internal SSH sessions are less likely to be targeted unless an attacker has internal access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the attacker to be in a position to intercept or manipulate SSH traffic during vulnerable key derivation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisories for specific patched versions

Vendor Advisory: https://access.redhat.com/security/cve/CVE-2025-5372

Restart Required: Yes

Instructions:

1. Check if system uses libssh built with OpenSSL <3.0.
2. Apply vendor patches from Red Hat advisories RHSA-2025:21977 or RHSA-2025:23024.
3. Restart SSH services and applications using libssh.
4. Recompile libssh with OpenSSL 3.0+ if building from source.

🔧 Temporary Workarounds

Recompile with OpenSSL 3.0+

linux

Rebuild libssh with OpenSSL version 3.0 or newer to avoid the vulnerable code path

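# Rebuild libssh with OpenSSL 3.0+
# Example for source build (libssh builds with CMake, not ./configure;
# OPENSSL_ROOT_DIR tells CMake which OpenSSL installation to use):
mkdir build && cd build
cmake -DOPENSSL_ROOT_DIR=/path/to/openssl-3.0+ ..
make
make install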

Use alternative SSH implementations

all

Temporarily switch to OpenSSH or other SSH implementations not using vulnerable libssh

🧯 If You Can't Patch

  • Implement network segmentation to isolate SSH traffic
  • Enable enhanced monitoring and alerting for SSH session anomalies

🔍 How to Verify

Check if Vulnerable:

Check libssh version and linked OpenSSL version: ldd /path/to/libssh.so | grep libcrypto && strings /path/to/libssh.so | grep 'OpenSSL'

Check Version:

rpm -q libssh || dpkg -l 'libssh*' || find / -name '*libssh*' -type f | xargs ldd 2>/dev/null | grep libcrypto

Verify Fix Applied:

Verify patched version is installed and linked to OpenSSL 3.0+: rpm -q libssh --changelog | grep CVE-2025-5372
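
The linkage check above can be scripted across several hosts or library paths. The following is an added example, not part of the advisory or of libssh: it classifies a library by the libcrypto soname that ldd reports. The function names, the sample ldd output and the soname patterns used (libcrypto.so.0.x, 1.x and 10 as pre-3.0, libcrypto.so.3 as 3.x) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the advisory). classify_ldd reads `ldd` output on
# stdin and prints one of:
#   pre3    - links libcrypto older than 3.0 (the affected build configuration)
#   ok      - links libcrypto 3.x
#   other   - no libcrypto dependency (another crypto backend, or not dynamic)
#   unknown - unrecognised libcrypto soname, review by hand
classify_ldd() {
    # Extract the soname, e.g. libcrypto.so.1.1, libcrypto.so.10, libcrypto.so.3
    soname=$(sed -n 's/.*\(libcrypto\.so\.[0-9][0-9.]*\).*/\1/p' | head -n 1)
    case "$soname" in
        '')                                                 echo other ;;
        libcrypto.so.3|libcrypto.so.3.*)                    echo ok ;;
        libcrypto.so.0.*|libcrypto.so.1.*|libcrypto.so.10)  echo pre3 ;;
        *)                                                  echo unknown ;;
    esac
}

# Run ldd on one library file and report its classification.
check_lib() {
    printf '%s: %s\n' "$1" "$(ldd "$1" 2>/dev/null | classify_ldd)"
}

# Constructed sample ldd output (not captured from a real system).
SAMPLE_OLD='	libcrypto.so.1.1 => /usr/lib64/libcrypto.so.1.1 (0x00007f0000000000)
	libz.so.1 => /usr/lib64/libz.so.1 (0x00007f0000100000)'
SAMPLE_NEW='	libcrypto.so.3 => /usr/lib64/libcrypto.so.3 (0x00007f0000000000)'
SAMPLE_GCRYPT='	libgcrypt.so.20 => /usr/lib64/libgcrypt.so.20 (0x00007f0000000000)'

# Usage: sh check_libssh.sh /path/to/libssh.so [more libraries...]
for lib in "$@"; do
    check_lib "$lib"
done
```

A pre3 result identifies the affected build configuration only. A vendor-patched libssh that is still linked to OpenSSL 1.x also reports pre3, so confirm the fix with the package changelog check.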

📡 Detection & Monitoring

Log Indicators:

  • SSH connection failures with cryptographic errors
  • Unusual SSH session termination patterns
  • Failed key exchange attempts

Network Indicators:

  • Abnormal SSH traffic patterns during key exchange
  • SSH protocol anomalies in packet captures

SIEM Query:

source="ssh_logs" AND (error OR failure) AND (key OR crypto OR derivation)
