GlobalSCAPE Knowledge Base

Is EFT vulnerable to OpenSSH 9.5 CVE-2025-26465 (VerifyHostKeyDNS)?

ivasquez
EFT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT, version 7 and later

QUESTION

Is EFT vulnerable to OpenSSH 9.5 vulnerability CVE-2025-26465 (VerifyHostKeyDNS)?

ANSWER

No. After thorough review, Globalscape development confirmed that the EFT code base does not use the ssh client application of OpenSSH, so EFT is not vulnerable to this specific vulnerability. In any event, Globalscape Engineering will update our OpenSSH library from 9.5.0 to version 9.9p2 in a future release.

MORE INFORMATION

CVE-2025-26465 [Medium severity] 18th February 2025: A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A malicious machine impersonating a legitimate server can perform a machine-in-the-middle attack. The issue is caused by how OpenSSH mishandles error codes under specific conditions when verifying the host key. For an attack to succeed, the attacker must first exhaust the client's memory resources, which makes the attack complexity high.
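For other hosts that do run the OpenSSH ssh client, the following added example (not Globalscape or OpenSSH code) scans ssh_config text and reports every line that enables VerifyHostKeyDNS, treating both yes and ask as enabled (the OpenSSH default is no). The function name, the sample configuration and its host names are constructed for illustration.

```python
import re

# VerifyHostKeyDNS accepts yes, no or ask; yes and ask both turn on DNS lookups.
ENABLED_VALUES = {"yes", "ask"}

# ssh_config accepts "Keyword value" and "Keyword=value"; keywords are case-insensitive.
LINE_RE = re.compile(r"([A-Za-z]+)(?:\s*=\s*|\s+)(.*)$")

def audit_ssh_config(text):
    """Return (line_no, scope, value) for each line that enables VerifyHostKeyDNS."""
    findings = []
    scope = "(global)"  # settings that appear before the first Host/Match block
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        m = LINE_RE.match(line)
        if not m:
            continue
        keyword, arg = m.group(1).lower(), m.group(2).strip()
        if keyword in ("host", "match"):
            scope = f"{m.group(1)} {arg}"  # remember which block we are in
        elif keyword == "verifyhostkeydns":
            value = arg.strip('"').lower()
            if value in ENABLED_VALUES:
                findings.append((line_no, scope, value))
    return findings

# Constructed sample configuration, not taken from any real system.
SAMPLE = """\
# constructed sample ssh_config
VerifyHostKeyDNS no
Host bastion.example.com
    User ops
    VerifyHostKeyDNS yes
Host *.internal.example
    verifyhostkeydns=ask
Host legacy
    VerifyHostKeyDNS "no"
"""

if __name__ == "__main__":
    for line_no, scope, value in audit_ssh_config(SAMPLE):
        print(f"line {line_no}: VerifyHostKeyDNS {value} in {scope}")
```

This scan does not follow Include directives or resolve which value wins when several blocks match; `ssh -G <host>` prints the evaluated client configuration for a single destination.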

Details
Last Modified: Yesterday @ 9:02 PM
Last Modified By: ivasquez
Type: INFO