{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2025-14821/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2025-14821"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["libssh","mitm","windows","cve-2025-14821","insecure-configuration"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2025-14821, has been identified in the libssh library. This flaw arises from an insecure default configuration on Windows systems. Specifically, libssh automatically loads configuration files from the \u003ccode\u003eC:\\etc\u003c/code\u003e directory. Critically, this directory can be created and modified by unprivileged local users. This allows a malicious local user to manipulate the SSH configuration, facilitating man-in-the-middle attacks, downgrading connection security, and manipulating trusted host information. Successful exploitation grants attackers the ability to intercept and potentially modify SSH communications, posing a significant risk to data confidentiality, integrity, and availability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker creates the directory \u003ccode\u003eC:\\etc\u003c/code\u003e if it does not already exist.\u003c/li\u003e\n\u003cli\u003eAttacker creates a malicious SSH configuration file (e.g., \u003ccode\u003essh_config\u003c/code\u003e) within the \u003ccode\u003eC:\\etc\u003c/code\u003e directory. This configuration can specify settings to downgrade encryption or redirect connections.\u003c/li\u003e\n\u003cli\u003eA legitimate user initiates an SSH connection using an application that leverages the vulnerable libssh library.\u003c/li\u003e\n\u003cli\u003elibssh automatically loads the attacker-controlled configuration file from \u003ccode\u003eC:\\etc\\ssh_config\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malicious configuration settings are applied, potentially downgrading the encryption algorithm used for the SSH connection.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts the SSH traffic, performing a man-in-the-middle attack due to the weakened encryption or connection redirection.\u003c/li\u003e\n\u003cli\u003eThe attacker can now eavesdrop on or modify the SSH communication, gaining unauthorized access to sensitive information or injecting malicious commands.\u003c/li\u003e\n\u003cli\u003eAttacker maintains persistent access or exfiltrates sensitive data obtained through the compromised SSH session.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-14821 allows a local attacker to perform man-in-the-middle attacks on SSH connections. This can lead to the compromise of sensitive data transmitted over SSH, such as credentials, configuration files, or confidential documents. The ability to manipulate trusted host information further exacerbates the risk, potentially allowing attackers to impersonate legitimate servers. The vulnerability affects any Windows system using a vulnerable version of libssh and could impact organizations across all sectors that rely on SSH for secure communication and remote administration.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for the creation or modification of files within the \u003ccode\u003eC:\\etc\u003c/code\u003e directory, particularly configuration files like \u003ccode\u003essh_config\u003c/code\u003e, using file integrity monitoring (FIM) rules on Windows systems.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule provided to detect the creation of the \u003ccode\u003eC:\\etc\u003c/code\u003e directory by non-system processes.\u003c/li\u003e\n\u003cli\u003eRestrict write access to the \u003ccode\u003eC:\\etc\u003c/code\u003e directory and its contents using appropriate file system permissions on Windows systems.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T17:16:25Z","date_published":"2026-04-07T17:16:25Z","id":"/briefs/2026-04-libssh-mitm/","summary":"CVE-2025-14821 in libssh allows local man-in-the-middle attacks, SSH downgrade attacks, and trusted host manipulation due to insecure default configuration loading from a world-writable directory on Windows.","title":"libssh Insecure Configuration Allows Local MITM Attacks (CVE-2025-14821)","url":"https://feed.craftedsignal.io/briefs/2026-04-libssh-mitm/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2025-14821","version":"https://jsonfeed.org/version/1.1"}