CVE-2025-14821 Overview
A security flaw has been discovered in libssh, the popular SSH library. This vulnerability exists due to an insecure default configuration on Windows systems where the library automatically loads configuration files from the C:\etc directory. Since this directory can be created and modified by unprivileged local users, attackers can exploit this behavior to perform local man-in-the-middle attacks, downgrade SSH connection security, and manipulate trusted host information.
Critical Impact
This vulnerability enables unprivileged local users to compromise SSH communications by manipulating configuration files, potentially leading to credential theft, session hijacking, and complete compromise of SSH connection security.
Affected Products
- libssh versions prior to 0.12.0
- libssh versions prior to 0.11.4
- Applications using libssh on Windows systems
Discovery Timeline
- April 7, 2026 - CVE-2025-14821 published to NVD
- April 8, 2026 - Last updated in NVD database
Technical Details for CVE-2025-14821
Vulnerability Analysis
This vulnerability is classified under CWE-427 (Uncontrolled Search Path Element), which describes scenarios where an application searches for critical resources using an externally-supplied search path that can point to resources outside the intended control sphere.
On Windows systems, libssh is configured by default to load SSH configuration files from the C:\etc directory. Unlike Unix-based systems where /etc is a privileged system directory, the C:\etc path does not exist by default on Windows and can be created by any unprivileged user. This architectural oversight creates a dangerous attack surface where local users can inject malicious SSH configurations.
The vulnerability enables three primary attack scenarios: local man-in-the-middle attacks where an attacker intercepts and potentially modifies SSH traffic, security downgrades that force the use of weaker cryptographic algorithms or protocols, and manipulation of the known_hosts file to facilitate connection hijacking.
Root Cause
The root cause of this vulnerability stems from the assumption that the C:\etc directory on Windows systems would have the same access control restrictions as the /etc directory on Unix-like operating systems. This cross-platform configuration inconsistency means that libssh trusts configuration files from a location that any local user can control, violating the principle of least privilege and enabling configuration injection attacks.
Attack Vector
The attack requires local access to the target Windows system. An attacker with unprivileged local access can create the C:\etc directory structure and place malicious SSH configuration files that will be automatically loaded by libssh. These malicious configurations can specify attacker-controlled proxy commands, weak cipher preferences, or modified host key verification settings.
When an application using libssh initiates an SSH connection, it loads the attacker-controlled configuration, enabling the attacker to intercept credentials, downgrade encryption, or redirect connections to malicious servers.
Detection Methods for CVE-2025-14821
Indicators of Compromise
- Presence of the C:\etc directory on Windows systems where it was not intentionally created
- SSH configuration files in C:\etc\ssh\ created by non-administrative users
- Modified or unexpected known_hosts entries pointing to unfamiliar hosts
- Unusual SSH connection behavior or unexpected cipher suite negotiations
Detection Strategies
- Monitor for directory creation events at C:\etc using Windows audit policies or endpoint detection tools
- Implement file integrity monitoring for any existing C:\etc\ssh\ configuration files
- Review SSH connection logs for unexpected cipher downgrades or connection patterns
- Use SentinelOne's behavioral detection to identify suspicious file system modifications in sensitive paths
Monitoring Recommendations
- Enable Windows Security event logging for file system object creation and modification
- Configure alerts for any process accessing C:\etc\ssh\ configuration files
- Monitor for applications loading libssh that exhibit unexpected network connection behaviors
- Implement network traffic analysis to detect SSH protocol anomalies indicative of downgrade attacks
How to Mitigate CVE-2025-14821
Immediate Actions Required
- Update libssh to version 0.12.0 or 0.11.4 immediately
- Audit Windows systems for the presence of the C:\etc directory and remove if unauthorized
- Review and validate any existing SSH configuration files for unauthorized modifications
- Implement access controls on the C:\etc directory if it must exist for legitimate purposes
Patch Information
Security patches addressing this vulnerability are available from the libssh project. According to the LibSSH Security Release Announcement, versions 0.12.0 and 0.11.4 contain fixes for this vulnerability. Additional details can be found in the Red Hat CVE-2025-14821 Advisory and Red Hat Bugzilla Report #2423148.
Workarounds
- Create the C:\etc directory as an administrator with restrictive ACLs preventing unprivileged user modifications
- Configure libssh applications to use explicit configuration file paths that are not user-writable
- Deploy application-level controls that verify configuration file ownership and permissions before loading
- Use Windows Group Policy to restrict directory creation in the root of the system drive
# Windows PowerShell - Secure the C:\etc directory if it must exist
# Run as Administrator
New-Item -ItemType Directory -Path "C:\etc" -Force
icacls "C:\etc" /inheritance:r
icacls "C:\etc" /grant:r "SYSTEM:(OI)(CI)F"
icacls "C:\etc" /grant:r "Administrators:(OI)(CI)F"
icacls "C:\etc" /deny "Users:(OI)(CI)(WD,AD,WA)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
