CVE-2025-14821
Published: March 13, 2026Last modified: March 16, 2026
Description
A flaw was found in libssh. This vulnerability allows local man-in-the-middle attacks, security downgrades of SSH (Secure Shell) connections, and manipulation of trusted host information, posing a significant risk to the confidentiality, integrity, and availability of SSH communications via an insecure default configuration on Windows systems where the library automatically loads configuration files from the C:\etc directory, which can be created and modified by unprivileged local users.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7 |
| Attack Vector | LOCAL |
| Attack complexity | HIGH |
| Privileges required | LOW |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | HIGH |
| Integrity impact | HIGH |
| Availability impact | HIGH |
| Vector | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
Notes
Only affects libssh on Windows.
Status
| Product | Release | Package | Status |
|---|---|---|---|
| Alpaquita Linux | 23 LTS | libssh | Not affected (0.10.4-r0) |
| 25 LTS | libssh | Not affected (0.11.1-r0) | |
| Stream | libssh | Not affected (0.9.6-r1) |