In OpenSSH before version 10., a vulnerability tracked as CVE-2025-32728 allows X11 and agent forwarding to occur even though the DisableForwarding directive is intended to prevent them. This vulnerability enables unauthorized information disclosure and potential unauthorized access. In this post, we will discuss the details of this vulnerability, the exploitation process, and the available fixes for different environments.
Vulnerability Overview
CVE-2025-32728 affects sshd (the SSH daemon) in OpenSSH, an open-source implementation of the SSH protocol. The vulnerability arises because the DisableForwarding directive in the sshd configuration file (/etc/sshd_config) does not behave as its documentation describes. As a result, X11 and agent forwarding are still allowed even when the DisableForwarding directive is set to "yes."
Exploit Details
In order to exploit this vulnerability, first, make sure that the target system has an OpenSSH version earlier than 10.. To confirm this, you can run the following command:
$ ssh -V
If the version is less than 10. and the target system has the DisableForwarding directive set to "yes" in its /etc/sshd_config file, the exploit can be done using the following steps:
1. Connect to the target system via SSH:
$ ssh user@target
2. Run the ssh-add command to enable agent forwarding, even though the DisableForwarding directive is set to "yes":
$ ssh-add
3. Forward the X11 display:
$ ssh -X user@target
By following these steps, you will gain access to the X11 display and agent forwarding even though the DisableForwarding directive attempts to prevent such actions.
Mitigation and Fixes
To fix this vulnerability, it is necessary to upgrade OpenSSH to version 10. or higher. If you cannot upgrade immediately, follow these steps to mitigate the issue:
1. Edit the /etc/sshd_config file:
$ sudo nano /etc/sshd_config
2. Set the following directives explicitly to "no":
AllowAgentForwarding no
AllowTcpForwarding no
AllowStreamLocalForwarding no
X11Forwarding no
3. Restart the sshd service:
$ sudo systemctl restart ssh.service
By applying these changes, you will effectively disable forwarding, thus mitigating the vulnerability.
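To check whether a configuration still relies on DisableForwarding alone, the following added example (not part of the original post or of OpenSSH) audits sshd_config text and reports every scope where DisableForwarding is "yes" but one of the four directives above is not explicitly "no". The names `parse_scopes`, `audit` and `SAMPLE` are hypothetical; it assumes Match-block values override global ones and it does not follow Include directives.

```python
import re

# The four directives the mitigation above sets explicitly to "no".
FORWARDING = ("allowagentforwarding", "allowtcpforwarding",
              "allowstreamlocalforwarding", "x11forwarding")
LINE = re.compile(r"^\s*(\w+)[\s=]+(.*?)\s*$")

# Constructed sample sshd_config, for illustration only.
SAMPLE = """\
DisableForwarding yes
X11Forwarding no

Match User deploy
    AllowAgentForwarding no
    AllowTcpForwarding no
    AllowStreamLocalForwarding no

Match Group admins
    DisableForwarding no
"""

def parse_scopes(text):
    """Return [(scope, {keyword: value})]; the first value in a scope wins."""
    scopes = [("global", {})]
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0])      # drop comments
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip('"')
        if key == "match":
            scopes.append(("Match " + value, {}))  # new conditional block
        else:
            scopes[-1][1].setdefault(key, value.lower())
    return scopes

def audit(text):
    """Map each scope that relies on DisableForwarding to the forwarding
    directives that are not explicitly set to 'no' there."""
    scopes = parse_scopes(text)
    global_opts = scopes[0][1]
    findings = {}
    for name, opts in scopes:
        effective = {**global_opts, **opts}        # assumption: Match overrides global
        if effective.get("disableforwarding") != "yes":
            continue
        missing = [k for k in FORWARDING if effective.get(k) != "no"]
        if missing:
            findings[name] = missing
    return findings

if __name__ == "__main__":
    for scope, missing in audit(SAMPLE).items():
        print(f"{scope}: set explicitly to 'no': {', '.join(missing)}")
```

An empty result means every scope that sets DisableForwarding to "yes" also carries the explicit settings from the mitigation steps.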
Conclusion
CVE-2025-32728 is a critical security vulnerability in OpenSSH that allows unauthorized access to X11 displays and agent forwarding, even when the DisableForwarding directive is set to "yes." We have discussed the exploit details and provided steps to mitigate the issue temporarily. To resolve the vulnerability completely, update OpenSSH to version 10. or higher.
Timeline
Published on: 04/10/2025 02:15:30 UTC
Last modified on: 04/11/2025 15:40:10 UTC