Pre-authentication Denial of Service attack in OpenSSH - CVE-2025-26466

Act Now | 5.9 | FG-IR-25-122 | Mar 11, 2025
Fortinet
IT in OT - Fortinet products are commonly deployed at IT/OT network boundaries
Attack path
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

A vulnerability in OpenSSH affects multiple Fortinet management and infrastructure products. An attacker can send crafted packets to the SSH service to cause a denial of service, crashing the daemon and preventing remote administrative access. The attack requires only network access to the SSH port and no valid credentials.

What this means
What could happen
An attacker can send specially crafted packets to crash OpenSSH services on affected Fortinet devices, causing a denial of service and disrupting remote management access. If these devices manage critical infrastructure operations, temporary loss of management connectivity could impact your ability to respond to network issues or operational changes.
Who's at risk
Organizations using Fortinet management and infrastructure devices including FortiManager, FortiAnalyzer, FortiADC, FortiExtender, FortiNDR, FortiSandbox, FortiSwitch, FortiWeb, and FortiVoice should assess their deployments. These are primarily management and security appliances; impact is greatest if they are your centralized management points for network or security infrastructure, or if they are internet-facing.
How it could be exploited
An attacker with network access to the SSH service (typically port 22) can send malformed packets that trigger a crash in the OpenSSH daemon before authentication occurs. No valid credentials are required. This can be repeated to continuously crash the service, preventing legitimate administrators from logging in.
Prerequisites
  • Network access to SSH port (default 22)
  • No credentials required
remotely exploitable, no authentication required, affects management systems, affects multiple product lines
Exploitability
Likely to be exploited — EPSS score 60.4%
Affected products (37)
36 with fix, 1 EOL
Product | Affected Versions | Fix Status
FortiADC | 7.6.1 | 7.6.2+
FortiADCManager | 7.6.0 | 7.6.1+
FortiAIOps | 2.1 all versions | Migrate to fixed release
FortiAIOps | 2.0.1 - 2.0.2 | Migrate to fixed release
FortiAnalyzer | 7.6.0 - 7.6.2 | 7.6.3+
Remediation & Mitigation
Do now
WORKAROUND: Restrict SSH access to management port 22 via firewall rules: allow only from trusted administrative networks and block public access
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

FortiADC
HOTFIX: Update FortiADC to version 7.6.2 or later
HOTFIX: Update FortiADCManager to version 7.6.1 or later
FortiAnalyzer
HOTFIX: Update FortiAnalyzer to version 7.6.3 or later (7.6.x branch), 7.4.7 or later (7.4.x branch), or 7.2.11 or later (7.2.x branch)
FortiExtender
HOTFIX: Update FortiExtender to version 7.6.3 or later (7.6.x branch) or 7.4.8 or later (7.4.x branch)
FortiManager
HOTFIX: Update FortiManager to version 7.6.3 or later (7.6.x branch), 7.4.7 or later (7.4.x branch), or 7.2.11 or later (7.2.x branch)
FortiNDR
HOTFIX: Update FortiNDR to version 7.6.2 or later (7.6.x branch) or 7.4.9 or later (7.4.x branch)
FortiSandbox
HOTFIX: Update FortiSandbox to version 5.0.2 or later (5.0.x branch) or 4.4.8 or later (4.4.x branch)
FortiSwitch
HOTFIX: Update FortiSwitch to version 7.6.5 or later (7.6.x branch) or 7.4.8 or later (7.4.x branch)
FortiVoice
HOTFIX: Update FortiVoice to version 7.2.2 or later (7.2.x branch), 7.0.8 or later (7.0.x branch), or 6.4.12 or later (6.4.x branch)
FortiWeb
HOTFIX: Update FortiWeb to version 7.6.5 or later (7.6.x branch) or 7.4.9 or later (7.4.x branch)
Mitigations - no patch available
FortiDDoS-F has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: For FortiAIOps 2.0.1–2.0.2, FortiAnalyzer 7.0.x and 6.4.x, FortiExtender 7.2.x and 7.0.x, FortiManager 7.0.x and 6.4.x, FortiNDR 7.2.x and 7.0.x, FortiSandbox 4.2.x, and FortiSwitch 7.2.x (versions with no patched release available): plan migration to a supported version with a published fix
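
Added example (not part of the advisory or any Fortinet tooling): a branch-aware triage of a device inventory against the fixed releases and no-fix branches listed above. The function names, status strings and sample inventory are assumptions made for illustration. "below-fix" only means the version is under the fixed release for its own branch, so confirm it against the vendor's affected-version ranges.

```python
# Fixed release per branch, copied from this page's remediation list.
FIXED = {
    "FortiADC": {"7.6": "7.6.2"},
    "FortiADCManager": {"7.6": "7.6.1"},
    "FortiAnalyzer": {"7.6": "7.6.3", "7.4": "7.4.7", "7.2": "7.2.11"},
    "FortiExtender": {"7.6": "7.6.3", "7.4": "7.4.8"},
    "FortiManager": {"7.6": "7.6.3", "7.4": "7.4.7", "7.2": "7.2.11"},
    "FortiNDR": {"7.6": "7.6.2", "7.4": "7.4.9"},
    "FortiSandbox": {"5.0": "5.0.2", "4.4": "4.4.8"},
    "FortiSwitch": {"7.6": "7.6.5", "7.4": "7.4.8"},
    "FortiVoice": {"7.2": "7.2.2", "7.0": "7.0.8", "6.4": "6.4.12"},
    "FortiWeb": {"7.6": "7.6.5", "7.4": "7.4.9"},
}
# Branches the page lists as having no patched release (FortiAIOps, FortiDDoS-F omitted).
NO_FIX = {
    "FortiAnalyzer": {"7.0", "6.4"}, "FortiExtender": {"7.2", "7.0"},
    "FortiManager": {"7.0", "6.4"}, "FortiNDR": {"7.2", "7.0"},
    "FortiSandbox": {"4.2"}, "FortiSwitch": {"7.2"},
}

def parse(version):
    """'7.2.11' -> (7, 2, 11); numeric tuples avoid the string trap '7.2.9' > '7.2.11'."""
    return tuple(int(part) for part in version.split("."))

def triage(product, version):
    """Return (status, fixed_release) for one device, judged only against its own branch."""
    ver = parse(version)
    branch = ".".join(str(n) for n in ver[:2])
    if branch in NO_FIX.get(product, set()):
        return ("migrate", None)
    fix = FIXED.get(product, {}).get(branch)
    if fix is None:
        return ("not-listed", None)  # this page gives no data for the product/branch
    return ("at-or-above-fix", fix) if ver >= parse(fix) else ("below-fix", fix)

# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = [
    ("faz-01", "FortiAnalyzer", "7.2.9"),
    ("fmg-01", "FortiManager", "7.4.7"),
    ("fsw-03", "FortiSwitch", "7.2.4"),
    ("fweb-02", "FortiWeb", "7.6.4"),
]

def report(inventory=INVENTORY):
    return {host: triage(product, version) for host, product, version in inventory}

if __name__ == "__main__":
    for host, result in report().items():
        print(host, *result)
```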