CVE-2025-32728 — Expected Behavior Violation in Openssh

CWE-440 — Expected Behavior Violation9 documents9 sources

Severity

3.8LOWNVD

CNA4.3

EPSS

0.3%

top 49.17%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openbsd Openssh Debian Linux

Timeline

PublishedApr 10

Latest updateOct 15

Description

In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:NExploitability: 2.0 | Impact: 1.4

Affected Packages3 packages

▶CVEListV5openbsd/openssh7.4 — 10.0

▶NVDopenbsd/openssh7.4 — 10.0

▶Debianopenbsd/openssh< 1:8.4p1-5+deb11u5+3

Also affects: Debian Linux 11.0

Patches

Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-26mg-p594-q328: In sshd in OpenSSH before 10↗2025-04-10

▶

CVEList

CVE-2025-32728: In sshd in OpenSSH before 10↗2025-04-10

▶

OSV

CVE-2025-32728: In sshd in OpenSSH before 10↗2025-04-10

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Risk Matrix: Sysadmin (OpenSSH) — CVE-2025-32728↗2025-10-15

▶

Ubuntu

OpenSSH vulnerability↗2025-04-24

▶

Red Hat

openssh: OpenSSH SSHD Agent Forwarding and X11 Forwarding↗2025-04-10

▶

Microsoft

In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding.↗2025-04-08

▶

Debian

CVE-2025-32728: openssh - In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere ...↗2025

▶