CVE-2025-22869 - Slow Key Exchange DoS Attack Threatens SSH File Transfer Servers
Published on: June 2024
Author: Security Insights Exclusive
SSH is everywhere: remote logins, secure file transfers, automated updates. But researchers recently uncovered a new critical vulnerability, assigned CVE-2025-22869, affecting SSH servers which implement file transfer protocols such as SFTP or SCP. This allows attackers to launch a denial-of-service attack by dragging out, or failing to finish, the key exchange process. The result? Server memory use skyrockets, and legitimate users get locked out.
Let’s break down what’s happening, why it’s serious, and how you can stay safe.
What is CVE-2025-22869?
Summary:
SSH servers offering file transfer services are vulnerable if they let clients start a key exchange, but take too long or never finish. During this time, any uploaded data meant for transfer is not sent; instead, it builds up in server memory. Attackers can intentionally abuse this and send large amounts of data (or even just open multiple connections) without completing the handshake, which overwhelms the server and causes an out-of-memory (OOM) or resource exhaustion condition.
In short: An attacker pretends to upload files, but never actually finishes the "hello" process, forcing the server to keep the data in a never-ending limbo.
1. Start Key Exchange: The client begins the SSH key exchange process, but never completes it.
2. Queue Data: Many SSH servers will still read a portion of the file transfer data into memory, waiting for the handshake to finish so it can begin processing.
3. Never Transmit: Since the handshake is never finished, the server never transmits the data.
4. Repeat: The attacker repeats this many times, tying up server memory on each “zombie” connection.
5. Exhaust Resources: Eventually, the server runs out of memory or file descriptors, causing crashes or refusals of new connections.
Technical Details
At the core is how some SSH file transfer implementations treat incoming data. When a client begins to send file contents before finishing the handshake, affected servers buffer this data until the session is fully established. But there's no timeout on the handshake, no upper limit on how much is buffered while waiting, and sometimes not enough checks at all.
Here’s a simplified Python snippet using raw sockets (for demonstration only; don’t use for malicious purposes!):

```python
import socket
import time

# Connect to the server (placeholder host name from the article)
sock = socket.socket()
sock.connect(('target.ssh.server', 22))

# Send only the SSH identification string, nothing more of the handshake
sock.sendall(b'SSH-2.0-TestClient\r\n')

# Omit the rest of the key exchange, but send a blob of data
sock.sendall(b'A' * 1024 * 1024)  # 1 MB "upload" the server has to hold

# Do not finish the handshake or session; just keep the connection open
time.sleep(600)
```
*NOTE: The above is for illustration. Never test on systems you don't own.*
Multiply this by a few thousand connections, and most servers buckle.
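The two controls the paragraph above says are missing, a key exchange deadline and a cap on bytes held before the handshake completes, modelled in an added Python example that is not code from the article or from any SSH implementation; `PreKexBuffer`, `simulate` and `deadline_enforced` are assumed names, and the client data and clock values are constructed.

```python
"""Pre-handshake buffering in an SSH file-transfer server, modelled in Python.
With no limits it behaves like the affected servers: every byte sent before key
exchange (KEX) completes is held in memory indefinitely (added example, names assumed)."""
import time

class KexRejected(Exception):
    """Connection dropped for exceeding a pre-KEX limit."""

class PreKexBuffer:
    def __init__(self, max_pending=None, kex_timeout=None, clock=time.monotonic):
        self.max_pending = max_pending  # bytes allowed before KEX completes (None = unlimited)
        self.kex_timeout = kex_timeout  # seconds allowed to finish KEX (None = forever)
        self.clock = clock              # injectable clock, so tests need no real waiting
        self.opened_at = clock()
        self.pending = bytearray()

    def feed(self, chunk: bytes) -> None:
        """Accept client bytes; with limits set, drop the connection instead of growing."""
        if self.kex_timeout is not None and self.clock() - self.opened_at > self.kex_timeout:
            self.pending.clear()
            raise KexRejected("key exchange deadline exceeded")
        if self.max_pending is not None and len(self.pending) + len(chunk) > self.max_pending:
            self.pending.clear()
            raise KexRejected("too much data buffered before key exchange")
        self.pending += chunk

def simulate(connections, chunk, rounds, **limits):
    """Bytes still held after `connections` stalled clients each send `rounds` chunks."""
    held = 0
    for _ in range(connections):
        buf = PreKexBuffer(**limits)
        try:
            for _ in range(rounds):
                buf.feed(chunk)
            held += len(buf.pending)
        except KexRejected:
            pass  # dropped connection retains nothing
    return held

def deadline_enforced(idle_seconds, kex_timeout):
    """True if a client that stalls KEX for idle_seconds is dropped (constructed clock)."""
    now = [0.0]
    buf = PreKexBuffer(kex_timeout=kex_timeout, clock=lambda: now[0])
    buf.feed(b"SSH-2.0-StalledClient\r\n")  # constructed banner; handshake never finishes
    now[0] = idle_seconds
    try:
        buf.feed(b"A" * 1024)
    except KexRejected:
        return len(buf.pending) == 0
    return False
```

Without limits, 100 stalled clients sending 64 KB each leave 6.4 MB resident for as long as they keep the sockets open; with a cap or a deadline the same clients are dropped and retain nothing.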
Exploit Scenarios
- Hosting Providers: Malicious users can hog resources on shared SFTP systems, denying service to others.
- Sensitive Environments: If attackers can reach the internal network, they might crash backup servers or dev pipelines.
- Cloud Deployments: Especially dangerous if the server auto-scales, causing ballooning cloud bills.
Vulnerable products include:
- OpenSSH (with SFTP/SCP enabled) prior to upcoming patched versions.
1. Try to connect using a custom client that never completes the handshake.
2. See if server memory usage increases and never drops, even after minutes/hours.
- Patch ASAP: Watch for updates from major SSH implementations
  - OpenSSH release notes
  - Dropbear releases
  - libssh security advisories
- Resource Limits: Use OS-level resource restrictions
  - ulimit settings for open files/processes.
  - Systemd/Upstart controls for max connections.
- Monitor Memory Usage: Employ scripts/tools to alert on RAM increases.
Original References
- CVE-2025-22869 spec at MITRE
- OpenSSH's sftp-server.c (source annotation)
- libssh Security Advisories
- Paramiko SFTP issues on GitHub
Conclusion
CVE-2025-22869 is easy for attackers to exploit and can take down critical SSH file transfer infrastructure with just a laptop and a bit of code. Check your server configs, update as soon as patches arrive, set strict timeouts, and never leave resource limits as defaults.
Stay alert—and keep your SSH doors secure!
Disclaimer:
This article is for educational and defensive purposes only. Do not use this information for unauthorized access or attacks. Always test on systems you own or have explicit permission to assess.
Timeline
Published on: 02/26/2025 08:14:24 UTC
Last modified on: 02/26/2025 15:15:25 UTC