{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/libssh/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":5.5,"id":"CVE-2026-0967"}],"_cs_exploited":false,"_cs_products":["libssh"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","libssh","CVE-2026-0967","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-0967 is a denial-of-service (DoS) vulnerability affecting libssh, a library implementing the SSH protocol. The root cause lies in the inefficient processing of regular expressions within the library\u0026rsquo;s code. An attacker could exploit this vulnerability by sending specially crafted input that triggers excessive resource consumption during regular expression matching, leading to a denial of service. Successful exploitation could potentially enable defense evasion by overwhelming security controls and negatively impacting the availability of systems relying on the vulnerable libssh library. The vulnerability affects both Linux and Windows platforms where libssh is used.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a service or application utilizing a vulnerable version of libssh.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious input string designed to trigger inefficient regular expression processing within libssh.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted input to the vulnerable service via a network connection (e.g., SSH).\u003c/li\u003e\n\u003cli\u003eThe libssh library attempts to process the malicious input using its regular expression engine.\u003c/li\u003e\n\u003cli\u003eThe inefficient regular expression causes excessive CPU consumption or memory allocation.\u003c/li\u003e\n\u003cli\u003eThe vulnerable service becomes unresponsive due to resource exhaustion, leading to a denial-of-service condition.\u003c/li\u003e\n\u003cli\u003eSubsequent legitimate requests to the service are blocked or delayed, further exacerbating the impact.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-0967 can result in a denial-of-service condition, rendering affected services or applications unavailable. The impact scope depends on the role of the affected system. For example, a critical server becoming unavailable could disrupt business operations. While the number of potential victims is unknown, any system utilizing a vulnerable version of libssh is susceptible. The defense evasion aspect could allow attackers to bypass security controls during the DoS.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eIdentify systems using libssh and determine the installed version.\u003c/li\u003e\n\u003cli\u003eApply available patches or updates for libssh to remediate CVE-2026-0967 as released by Microsoft.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious Libssh Regex Processing\u0026rdquo; to monitor for potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor CPU and memory usage on systems running libssh for unusual spikes, which may indicate a DoS attack.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on services using libssh to mitigate the impact of DoS attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T07:16:39Z","date_published":"2026-05-01T07:16:39Z","id":"/briefs/2024-01-libssh-dos/","summary":"CVE-2026-0967 is a denial-of-service vulnerability in libssh, stemming from inefficient regular expression processing that could lead to defense evasion and impact availability on affected systems.","title":"Libssh Denial-of-Service Vulnerability via Inefficient Regular Expression Processing (CVE-2026-0967)","url":"https://feed.craftedsignal.io/briefs/2024-01-libssh-dos/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["libssh","vulnerability","dos","file_manipulation"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe libssh library, a widely used implementation of the SSH protocol, contains several vulnerabilities that could be exploited by a malicious actor. These vulnerabilities could allow an attacker to manipulate files on a system utilizing the vulnerable library, or cause a denial-of-service (DoS) condition, rendering the system or service unavailable. Given the widespread use of libssh in various applications and systems, these vulnerabilities pose a significant risk to organizations relying on this library for secure communication. The impact ranges from unauthorized data modification to complete service outages, impacting availability and data integrity. Publicly available exploit code may exist, increasing the likelihood of exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a system using a vulnerable version of libssh.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes an SSH connection to the target system.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits a vulnerability in libssh related to file handling (specific CVE details unavailable from provided source), potentially through crafted SSH commands.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation allows the attacker to modify arbitrary files on the system, potentially including configuration files or application data.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker exploits a vulnerability related to resource management within libssh to trigger a denial-of-service.\u003c/li\u003e\n\u003cli\u003eThis DoS is achieved by sending a specific sequence of SSH requests that consume excessive resources, such as memory or CPU time.\u003c/li\u003e\n\u003cli\u003eThe targeted service becomes unresponsive, preventing legitimate users from accessing it.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains the DoS condition, disrupting the target\u0026rsquo;s operations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these libssh vulnerabilities can have severe consequences. File manipulation could lead to data corruption, unauthorized access, or system compromise. A denial-of-service attack could disrupt critical services, leading to financial losses, reputational damage, and operational downtime. The number of potential victims is vast, considering the widespread use of libssh in servers, network devices, and embedded systems. The targeted systems and sectors are not specified in the source material.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement network monitoring to detect unusual SSH traffic patterns that may indicate exploitation attempts (review existing firewall and network connection logs).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetectSuspiciousSSHClientVersion\u003c/code\u003e to identify potentially malicious SSH clients connecting to your systems.\u003c/li\u003e\n\u003cli\u003eMonitor systems for unexpected file modifications, focusing on configuration files and application data (enable file integrity monitoring).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T10:29:59Z","date_published":"2026-04-16T10:29:59Z","id":"/briefs/2026-04-libssh-vulns/","summary":"Multiple vulnerabilities in libssh allow an attacker to manipulate files or cause a denial-of-service condition, potentially leading to data corruption or service disruption.","title":"Multiple Vulnerabilities in libssh Allow File Manipulation and DoS","url":"https://feed.craftedsignal.io/briefs/2026-04-libssh-vulns/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2025-14821"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["libssh","mitm","windows","cve-2025-14821","insecure-configuration"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2025-14821, has been identified in the libssh library. This flaw arises from an insecure default configuration on Windows systems. Specifically, libssh automatically loads configuration files from the \u003ccode\u003eC:\\etc\u003c/code\u003e directory. Critically, this directory can be created and modified by unprivileged local users. This allows a malicious local user to manipulate the SSH configuration, facilitating man-in-the-middle attacks, downgrading connection security, and manipulating trusted host information. Successful exploitation grants attackers the ability to intercept and potentially modify SSH communications, posing a significant risk to data confidentiality, integrity, and availability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker creates the directory \u003ccode\u003eC:\\etc\u003c/code\u003e if it does not already exist.\u003c/li\u003e\n\u003cli\u003eAttacker creates a malicious SSH configuration file (e.g., \u003ccode\u003essh_config\u003c/code\u003e) within the \u003ccode\u003eC:\\etc\u003c/code\u003e directory. This configuration can specify settings to downgrade encryption or redirect connections.\u003c/li\u003e\n\u003cli\u003eA legitimate user initiates an SSH connection using an application that leverages the vulnerable libssh library.\u003c/li\u003e\n\u003cli\u003elibssh automatically loads the attacker-controlled configuration file from \u003ccode\u003eC:\\etc\\ssh_config\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malicious configuration settings are applied, potentially downgrading the encryption algorithm used for the SSH connection.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts the SSH traffic, performing a man-in-the-middle attack due to the weakened encryption or connection redirection.\u003c/li\u003e\n\u003cli\u003eThe attacker can now eavesdrop on or modify the SSH communication, gaining unauthorized access to sensitive information or injecting malicious commands.\u003c/li\u003e\n\u003cli\u003eAttacker maintains persistent access or exfiltrates sensitive data obtained through the compromised SSH session.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-14821 allows a local attacker to perform man-in-the-middle attacks on SSH connections. This can lead to the compromise of sensitive data transmitted over SSH, such as credentials, configuration files, or confidential documents. The ability to manipulate trusted host information further exacerbates the risk, potentially allowing attackers to impersonate legitimate servers. The vulnerability affects any Windows system using a vulnerable version of libssh and could impact organizations across all sectors that rely on SSH for secure communication and remote administration.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for the creation or modification of files within the \u003ccode\u003eC:\\etc\u003c/code\u003e directory, particularly configuration files like \u003ccode\u003essh_config\u003c/code\u003e, using file integrity monitoring (FIM) rules on Windows systems.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule provided to detect the creation of the \u003ccode\u003eC:\\etc\u003c/code\u003e directory by non-system processes.\u003c/li\u003e\n\u003cli\u003eRestrict write access to the \u003ccode\u003eC:\\etc\u003c/code\u003e directory and its contents using appropriate file system permissions on Windows systems.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T17:16:25Z","date_published":"2026-04-07T17:16:25Z","id":"/briefs/2026-04-libssh-mitm/","summary":"CVE-2025-14821 in libssh allows local man-in-the-middle attacks, SSH downgrade attacks, and trusted host manipulation due to insecure default configuration loading from a world-writable directory on Windows.","title":"libssh Insecure Configuration Allows Local MITM Attacks (CVE-2025-14821)","url":"https://feed.craftedsignal.io/briefs/2026-04-libssh-mitm/"}],"language":"en","title":"CraftedSignal Threat Feed — Libssh","version":"https://jsonfeed.org/version/1.1"}