CVE Reports

Posted on • Originally published at cvereports.com

CVE-2025-67427: regreSSHion: The Ghost of Vulnerabilities Past Haunts OpenSSH

Vulnerability ID: CVE-2025-67427
CVSS Score: 8.1
Published: 2026-01-05

A signal handler race condition in OpenSSH's server (sshd) allows unauthenticated remote code execution (RCE) as root on glibc-based Linux systems. This is a regression of a vulnerability originally fixed in 2006 (CVE-2006-5051).

TL;DR

OpenSSH's sshd server has a race condition in its SIGALRM handler. If a client disconnects precisely as LoginGraceTime expires, the signal handler calls functions that are not async-signal-safe (syslog()). This corrupts the glibc heap, which can lead to RCE as root. Affected versions are 8.5p1 through 9.7p1.


⚠️ Exploit Status: WEAPONIZED

Technical Details

  • CWE ID: CWE-364
  • Attack Vector: Network
  • CVSS v3.1: 8.1
  • Impact: Remote Code Execution (Root)
  • Exploit Status: High Complexity PoC
  • Architecture: x86 (glibc)

Affected Systems

  • Linux systems using glibc
  • OpenSSH Server 8.5p1 through 9.7p1
  • OpenSSH: >= 8.5p1, < 9.8p1 (Fixed in: 9.8p1)

Code Analysis

Commit: 81c1099

Remove syslog call from signal handler

- syslog(LOG_INFO, ...)
+ // code removed for safety
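Review bot: the `+` line `// code removed for safety` is a placeholder comment, not the code that replaces the `syslog(LOG_INFO, ...)` call, so the hunk does not show what the handler does after the change; include the actual post-fix handler body with its surrounding context lines and the file path, and link commit 81c1099 to the upstream repository so a reader can verify that the diff matches the summary "Remove syslog call from signal handler".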

Exploit Details

Mitigation Strategies

  • Disable the LoginGraceTime timer (temporary)
  • Apply vendor patches immediately
  • Restrict SSH access via firewall/VPN

Remediation Steps:

  1. Check current version: ssh -V
  2. If version is between 8.5p1 and 9.7p1, apply patch.
  3. Edit /etc/ssh/sshd_config and set LoginGraceTime 0 if patching is delayed.
  4. Restart the sshd service: systemctl restart sshd
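Steps 1 to 3 as a small checker, added here and not part of the original report: it parses the version string `ssh -V` prints, decides whether it falls inside the affected range the report gives (8.5p1 up to but not including 9.8p1), and reads sshd_config text to report the effective LoginGraceTime. The sample banner and config excerpt in `main` are constructed for this example.

```c
/* Added example (not part of the report): version-range and LoginGraceTime
 * checks for the remediation steps above. Sample inputs are constructed. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Parse "OpenSSH_9.6p1 ..." into major/minor. The portable release suffix pN
 * is not needed for the range check. Returns 0 on success, -1 if no OpenSSH
 * version string is present. */
int parse_openssh_version(const char *banner, int *major, int *minor)
{
    const char *p = strstr(banner, "OpenSSH_");
    if (p == NULL)
        return -1;
    if (sscanf(p, "OpenSSH_%d.%d", major, minor) != 2)
        return -1;
    return 0;
}

/* 1 if the version is within [8.5, 9.8) as stated in the report, 0 if not,
 * -1 if the banner could not be parsed. Minor versions stay below 100, so
 * major*100+minor orders releases correctly. */
int openssh_is_affected(const char *banner)
{
    int major, minor;
    if (parse_openssh_version(banner, &major, &minor) != 0)
        return -1;
    int v = major * 100 + minor;
    return (v >= 805 && v < 908) ? 1 : 0;
}

/* Walk sshd_config text line by line and return the effective LoginGraceTime
 * in seconds. sshd keeps the first value it sees for a keyword, so the first
 * non-comment match wins; 120 is sshd's documented default when unset. Only
 * plain-second values are handled (not the "2m" time-format suffixes). */
int effective_login_grace_time(const char *config)
{
    const char *line = config;
    while (*line != '\0') {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);

        const char *s = line;
        while (s < line + len && isspace((unsigned char)*s))
            s++;                                   /* skip indentation */
        if (s < line + len && *s != '#' &&         /* skip blank/comment lines */
            strncasecmp(s, "LoginGraceTime", 14) == 0 &&
            (isspace((unsigned char)s[14]) || s[14] == '=')) {
            const char *val = s + 14;
            while (val < line + len && (isspace((unsigned char)*val) || *val == '='))
                val++;                             /* keyword value separator */
            return (int)strtol(val, NULL, 10);
        }
        if (end == NULL)
            break;
        line = end + 1;
    }
    return 120;
}

int main(void)
{
    /* Constructed sample inputs standing in for `ssh -V 2>&1` and sshd_config */
    const char *banner = "OpenSSH_9.6p1, OpenSSL 3.0.13 30 Jan 2024";
    const char *cfg = "# sshd_config excerpt (constructed)\nPort 22\nLoginGraceTime 0\n";
    printf("affected: %d, effective LoginGraceTime: %d\n",
           openssh_is_affected(banner), effective_login_grace_time(cfg));
    return 0;
}
```

Two caveats when using this on a real host: `ssh -V` writes its version to stderr and reports the client binary, and distribution packages routinely backport the fix without bumping the upstream version number, so the package changelog or vendor advisory is the authoritative answer, and `sshd -T` shows the configuration sshd actually loaded rather than what the file appears to say. The `LoginGraceTime 0` workaround also has a cost: unauthenticated connections are never timed out, so the `MaxStartups` slots can be held open indefinitely by idle clients, which is why the report calls it temporary.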

Read the full report for CVE-2025-67427 on our website for more details including interactive diagrams and full exploit analysis.
