CVE-2025-32728
Published 2025-04-10
CVE-2025-32728: In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding.
Priority: P4 (15, low)
CVSS 3.1 base score: 3.8 (low)
CVSS 3.1 vector: AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
EPSS
0.15%
4.4th percentile
In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | openssh | < openssh 1:9.2p1-2+deb12u6 (bookworm) | openssh 1:9.2p1-2+deb12u6 (bookworm) |
| msrc | azl3_openssh_9.8p1-4_on_azure_linux_3.0 | — | — |
| msrc | cbl2_openssh_8.9p1-8_on_cbl_mariner_2.0 | — | — |
| openbsd | openssh | >= 0 < 1:8.4p1-5+deb11u5 | 1:8.4p1-5+deb11u5 |
| openbsd | openssh | >= 0 < 1:9.2p1-2+deb12u6 | 1:9.2p1-2+deb12u6 |
| openbsd | openssh | >= 0 < 1:10.0p1-1 | 1:10.0p1-1 |
| openbsd | openssh | >= 0 < 1:10.0p1-1 | 1:10.0p1-1 |
| openbsd | openssh | >= 7.4 < 10.0 | 10.0 |
| paloalto | pan-os | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 3.8 | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N |
| osv | — | 3.8 | LOW | — |
| vendor_debian | — | 4.3 | MEDIUM | — |
| vendor_msrc | — | 4.3 | MEDIUM | — |
| vendor_redhat | — | 4.3 | MEDIUM | — |
| vendor_oracle | — | 3.8 | MEDIUM | — |
Oracle
Oracle Communications Risk Matrix: Sysadmin (OpenSSH) — CVE-2025-32728
vendor_oracle · 2025-10-15 · CVSS 3.8 [MEDIUM]
CVE: CVE-2025-32728
CVSS: 3.8
Protocol: None
Remote exploit: No
Attack vector: Local
Advisory: cpuoct2025 (OCT 2025)
Ubuntu
OpenSSH vulnerability
vendor_ubuntu · 2025-04-24
Summary: OpenSSH could allow unintended access to network services.
It was discovered that OpenSSH incorrectly handled the DisableForwarding directive. The directive would fail to disable X11 and agent forwarding, contrary to documentation and expectations.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
openssh: OpenSSH SSHD Agent Forwarding and X11 Forwarding
vendor_redhat · 2025-04-10 · CVSS 4.3 [MEDIUM] · CWE-440
In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding.
A flaw was found in OpenSSH. In affected versions of sshd, the DisableForwarding directive does not fully adhere to the intended functionality as documented. Specifically, it fails to disable X11 and agent forwarding, which may allow unintended access under certain configurations.
Mitigation: To mitigate this vulnerability, explicitly disable X11 and agent forwarding in your SSH configuration (sshd_config) using:
X11Forwarding no
AllowAgentForwarding no
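The script below is an added example for this page; it is not code from Red Hat, the OpenSSH project, or any other vendor advisory. It audits an sshd_config for the exact situation this CVE creates (DisableForwarding yes set, but no explicit X11Forwarding no / AllowAgentForwarding no in the global section), and classifies an ssh -V style banner against the upstream affected range 7.4 ≤ version < 10.0 from the affected-versions table above. The function names, the two sample configs and the version banners are this example's own constructions, not taken from any real host.

```shell
#!/bin/sh
# Added example for CVE-2025-32728 (not code from OpenSSH, Red Hat or any
# vendor). Audits an sshd_config for reliance on "DisableForwarding yes"
# alone, which on OpenSSH 7.4 through 9.9 leaves X11 and agent forwarding
# enabled, and classifies an OpenSSH version banner against the upstream
# affected range 7.4 <= version < 10.0. All helper names are this example's.

# Effective global value of a keyword, lower-cased; empty if unset.
# sshd uses the first occurrence of a keyword, keywords are case-insensitive,
# "Keyword=value" is accepted, and the global section ends at the first Match.
sshd_global_value() {
    kw_lc=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v kw="$kw_lc" '
        { sub(/^[[:space:]]+/, "") }
        /^#/ || NF == 0 { next }
        { split($0, f, /[[:space:]=]+/) }
        tolower(f[1]) == "match" { exit }
        tolower(f[1]) == kw { print tolower(f[2]); exit }
    ' "$2"
}

# Return 0 when X11Forwarding and AllowAgentForwarding are both explicitly
# "no" in the global section; 1 (with a message per keyword) otherwise.
check_forwarding_disabled() {
    cfg=$1
    rc=0
    df=$(sshd_global_value DisableForwarding "$cfg")
    for kw in X11Forwarding AllowAgentForwarding; do
        v=$(sshd_global_value "$kw" "$cfg")
        if [ "$v" != "no" ]; then
            rc=1
            if [ "$df" = "yes" ]; then
                echo "$cfg: $kw is '${v:-unset}'; DisableForwarding does not cover it before OpenSSH 10.0"
            else
                echo "$cfg: $kw is '${v:-unset}'; set it to no explicitly"
            fi
        fi
    done
    return $rc
}

# Return 0 when an "ssh -V"/"sshd -V" banner names an upstream release in
# 7.4 <= version < 10.0, 1 when outside it, 2 when no version is found.
# Distribution backports (e.g. Debian's 1:9.2p1-2+deb12u6) fix older version
# strings, so a hit means "check the vendor advisory", not "vulnerable".
openssh_version_in_affected_range() {
    ver=$(printf '%s' "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    set -- $ver
    if [ "$1" -ge 10 ]; then return 1; fi
    if [ "$1" -gt 7 ] || { [ "$1" -eq 7 ] && [ "$2" -ge 4 ]; }; then return 0; fi
    return 1
}

# Constructed sample configs (not taken from any real host).
weak_cfg='# relies on DisableForwarding alone
DisableForwarding yes
AllowTcpForwarding no'
fixed_cfg='DisableForwarding yes
X11Forwarding no
AllowAgentForwarding=no
Match User deploy
    AllowAgentForwarding yes'

main() {
    dir=$(mktemp -d)
    printf '%s\n' "$weak_cfg" > "$dir/sshd_config.weak"
    printf '%s\n' "$fixed_cfg" > "$dir/sshd_config.fixed"
    check_forwarding_disabled "$dir/sshd_config.weak" || true
    check_forwarding_disabled "$dir/sshd_config.fixed" && echo "$dir/sshd_config.fixed: ok"
    for banner in "OpenSSH_9.9p1, OpenSSL 3.0.13" "OpenSSH_10.0p2"; do
        if openssh_version_in_affected_range "$banner"; then
            echo "$banner: in upstream affected range"
        else
            echo "$banner: outside upstream affected range"
        fi
    done
    rm -rf "$dir"
}
main
```

Run it as `sh audit.sh`, or source it and call `check_forwarding_disabled /etc/ssh/sshd_config` on a host. The checker reads only the global section: the sample "fixed" config deliberately re-enables agent forwarding for one user in a Match block, which this script does not see, so for the value sshd actually applies to a given login use `sshd -T -C user=deploy` on the host. The version check is only a hint on distributions that backport fixes (Debian bookworm's 1:9.2p1-2+deb12u6 listed above still reports 9.2). The practical point of this CVE is that a server configured with only `DisableForwarding yes` on an affected version still honoured `ssh -A` and `ssh -X` from clients, so a forwarded agent socket on such a host was reachable by anyone with root (or the same uid) there; the explicit `X11Forwarding no` and `AllowAgentForwarding no` keywords are the control to rely on until the server runs 10.0 or a patched package.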
Package: openssh (Red Hat Enterprise Linux 6) - Fix deferred
Package: openssh (Red Hat Enterprise Linux 7) - Fix deferred
Pack
Microsoft
In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding.
vendor_msrc · 2025-04-08 · CVSS 4.3 [MEDIUM] · CWE-440
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Palo Alto
PAN-SA-2025-0006 Informational Bulletin: Impact of OSS CVEs in PAN-OS
vendor_paloalto · 2025-02-12 · CVSS 7.1 [HIGH] (headline entry CVE-2015-5312; this score rates the bulletin's lead CVE, not CVE-2025-32728, which is one of many OSS CVEs the bulletin covers)
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS software. While PAN-OS software may include the
CVEs: CVE-2015-5312, CVE-2016-4607, CVE-2016-4608, CVE-2016-4609, CVE-2016-4738, CVE-2018-1111, CVE-2018-14634, CVE-2018-18653, CVE-2019-0145, CVE-2019-8331, CVE-2020-0599, CVE-2020-14343, CVE-2020-14779, CVE-2020-27844, CVE-2020-29569, CVE-2021-21315, CVE-2021-27853, CVE-2021-27854, CVE-2021-27861, CVE-2021-27862, CVE-2021-3618, CVE-2021-3711, CVE-2022-2097, CVE-2022-22816, CVE-2022-40303, CVE-2022-41723, CVE-2022-41741, CVE-2022-41742, CVE-2023-3247, CVE-2023-38408, CVE-2023-44466, CVE-2023-50781, CVE-2023-50782, CVE-2024-12084, CV
Debian
CVE-2025-32728: openssh - In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere ...
vendor_debian · 2025 · CVSS 4.3 [MEDIUM]
In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding.
Scope: local
bookworm: resolved (fixed in 1:9.2p1-2+deb12u6)
bullseye: resolved (fixed in 1:8.4p1-5+deb11u5)
forky: resolved (fixed in 1:10.0p1-1)
sid: resolved (fixed in 1:10.0p1-1)
trixie: resolved (fixed in 1:10.0p1-1)
GHSA
GHSA-26mg-p594-q328: In sshd in OpenSSH before 10
ghsa_unreviewed · 2025-04-10 · [MEDIUM] · CWE-440
In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding.
OSV
CVE-2025-32728: In sshd in OpenSSH before 10
osv · 2025-04-10 · CVSS 3.8 [LOW]
In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding.
No detection rules found.
No public exploits indexed.
References
https://ftp.openbsd.org/pub/OpenBSD/patches/7.6/common/013_ssh.patch.sig
https://github.com/openssh/openssh-portable/commit/fc86875e6acb36401dfc1dfb6b628a9d1460f367
https://lists.mindrot.org/pipermail/openssh-unix-dev/2025-April/041879.html
https://www.openssh.com/txt/release-10.0
https://www.openssh.com/txt/release-7.4
https://lists.debian.org/debian-lts-announce/2025/05/msg00008.html
https://security.netapp.com/advisory/ntap-20250425-0002/
Published: 2025-04-10