{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/openssh-project/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":3.7,"id":"CVE-2026-60000"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OpenSSH \u003c 10.4","sshd"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","ssh","openssh","network-attack"],"_cs_type":"advisory","_cs_vendors":["OpenSSH Project"],"content_html":"\u003cp\u003eA significant denial-of-service (DoS) vulnerability, identified as CVE-2026-60000, has been disclosed affecting the \u003ccode\u003esshd\u003c/code\u003e component of OpenSSH. This flaw impacts all OpenSSH versions before 10.4. Attackers can exploit this vulnerability remotely by initiating excessive authentication attempts specifically utilizing the GSSAPI authentication mechanism. The \u003ccode\u003esshd\u003c/code\u003e service mishandles the \u003ccode\u003eMaxAuthTries\u003c/code\u003e configuration for GSSAPIAuthentication, failing to properly limit or terminate these attempts. This oversight allows a malicious actor to continuously flood the server with GSSAPI requests, consuming disproportionate system resources such as CPU and memory, thereby causing the \u003ccode\u003esshd\u003c/code\u003e service, and potentially the entire host system, to become unresponsive. The vulnerability is particularly concerning due to its ease of exploitation and potential for widespread disruption in environments relying on OpenSSH for secure remote access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an internet-facing server running a vulnerable version of OpenSSH \u003ccode\u003esshd\u003c/code\u003e (prior to 10.4).\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a remote SSH connection to the target server, typically on port 22.\u003c/li\u003e\n\u003cli\u003eDuring the authentication phase, the attacker specifically attempts to authenticate using the GSSAPI mechanism.\u003c/li\u003e\n\u003cli\u003eThe vulnerable OpenSSH \u003ccode\u003esshd\u003c/code\u003e daemon processes the incoming GSSAPI authentication requests.\u003c/li\u003e\n\u003cli\u003eDue to the mishandling of the \u003ccode\u003eMaxAuthTries\u003c/code\u003e configuration for GSSAPIAuthentication (CVE-2026-60000), the server fails to properly count, limit, or terminate these authentication attempts.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages this bypass by repeatedly sending a high volume of GSSAPI authentication attempts to the target server in rapid succession.\u003c/li\u003e\n\u003cli\u003eThe continuous, unmitigated processing of these excessive requests consumes a significant amount of the target server's CPU and memory resources.\u003c/li\u003e\n\u003cli\u003eThe resource exhaustion ultimately leads to the OpenSSH \u003ccode\u003esshd\u003c/code\u003e service becoming unresponsive, preventing legitimate users from establishing SSH connections and causing a complete denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-60000 results in a severe denial of service, rendering the affected OpenSSH server inaccessible to legitimate users. This can lead to significant operational disruption for organizations that rely on SSH for remote administration, file transfers, and other critical services. The impact can range from temporary unavailability of specific services to a complete outage of the host system, depending on the severity of resource exhaustion. While no specific victim counts or targeted sectors have been disclosed, any organization using vulnerable OpenSSH versions is at risk, potentially affecting thousands of servers globally.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePrioritize patching CVE-2026-60000 by updating all OpenSSH installations to version 10.4 or later immediately.\u003c/li\u003e\n\u003cli\u003eMonitor SSH server logs for an unusually high volume of failed GSSAPI authentication attempts from single source IPs to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement network-level rate limiting or intrusion prevention system (IPS) rules to detect and block excessively high rates of SSH connection attempts targeting port 22, especially those initiating GSSAPI authentication.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-09T07:42:09Z","date_published":"2026-07-09T07:42:09Z","id":"https://feed.craftedsignal.io/briefs/2026-07-openssh-dos/","summary":"A high-severity denial-of-service vulnerability, CVE-2026-60000, affects OpenSSH versions prior to 10.4, allowing remote attackers to exhaust server resources through excessive and mishandled GSSAPI authentication attempts, leading to service unavailability.","title":"OpenSSH sshd Denial-of-Service via GSSAPI Authentication (CVE-2026-60000)","url":"https://feed.craftedsignal.io/briefs/2026-07-openssh-dos/"}],"language":"en","title":"CraftedSignal Threat Feed - OpenSSH Project","version":"https://jsonfeed.org/version/1.1"}