Pre-authentication Denial of Service attack in OpenSSH - CVE-2025-26466
Summary
CVE-2025-26466
A flaw was found in the OpenSSH package. For each ping packet the SSH server receives, a pong packet is allocated in a memory buffer and stored in a queue of packets; the queued pongs are only freed once the server/client key exchange has finished. A malicious client may keep sending such ping packets, causing memory consumption on the server side to grow without bound. Consequently, the server may become unavailable, resulting in a denial of service.
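As an added illustration (not from this advisory and not OpenSSH's own code), the following Python model reproduces the behaviour the summary describes: one pong reply is queued for every ping received before key exchange, and the queue is drained only when key exchange completes, so the unauthenticated peer decides how much memory the server holds. The `max_pending` cap and the `TooManyPendingPongs` disconnect are an assumed mitigation shown for contrast, not a description of the upstream fix; the message names and the one-byte pong encoding are constructed.

```python
"""Toy model of the per-connection pong queue behind CVE-2025-26466.

Constructed example; this is not OpenSSH code. A server queues one pong reply
for every ping it receives, and the queue is only drained once key exchange
completes. Without a bound, the unauthenticated peer decides how much memory
the server holds. The max_pending cap is an assumed mitigation for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PING = "ping"          # symbolic message names; wire-level numbers deliberately omitted
KEX_DONE = "kex_done"


class TooManyPendingPongs(Exception):
    """Raised when a capped queue would exceed its limit before KEX finished."""


@dataclass
class PongQueue:
    # None models the unbounded (vulnerable) behaviour; an int is the cap.
    max_pending: Optional[int] = None
    kex_done: bool = False
    pending: List[bytes] = field(default_factory=list)
    sent: int = 0  # pongs that were actually written out to the peer

    def on_packet(self, msg: str, payload: bytes = b"") -> None:
        if msg == PING:
            # Constructed encoding: a one-byte type tag followed by the echoed payload.
            pong = b"\x01" + payload
            if self.kex_done:
                self.sent += 1          # after KEX a pong can be written immediately
                return
            if self.max_pending is not None and len(self.pending) >= self.max_pending:
                raise TooManyPendingPongs(
                    f"{len(self.pending)} pongs pending before key exchange completed")
            self.pending.append(pong)   # held in memory until KEX completes
        elif msg == KEX_DONE:
            self.kex_done = True
            self.sent += len(self.pending)   # flush everything that was queued
            self.pending.clear()

    def pending_bytes(self) -> int:
        """Bytes currently held for this connection by queued pongs."""
        return sum(len(p) for p in self.pending)


def simulate(n_pings: int, payload_len: int,
             max_pending: Optional[int] = None) -> Tuple[str, int]:
    """Feed n_pings pre-KEX pings of payload_len bytes; report state and queued bytes."""
    q = PongQueue(max_pending=max_pending)
    payload = b"A" * payload_len        # constructed ping payload
    try:
        for _ in range(n_pings):
            q.on_packet(PING, payload)
    except TooManyPendingPongs:
        return ("disconnected", q.pending_bytes())
    return ("open", q.pending_bytes())


if __name__ == "__main__":
    print("unbounded:", simulate(10_000, 1024))                    # ('open', 10250000)
    print("capped   :", simulate(10_000, 1024, max_pending=128))   # ('disconnected', 131200)
```

The unbounded run shows queued memory growing linearly with the number of pre-authentication pings, while the capped run stops at a fixed ceiling and drops the connection; once `KEX_DONE` arrives, the queue is flushed and later pongs are written immediately, matching the summary's "only freed when the key exchange has finished".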
| Version | Affected | Solution |
|---|---|---|
| FortiADC 7.8 | Not affected | Not Applicable |
| FortiADC 7.6 | 7.6.1 | Upgrade to 7.6.2 or above |
| FortiADC 7.4 | Not affected | Not Applicable |
| FortiADC 7.2 | Not affected | Not Applicable |
| FortiADC 7.1 | Not affected | Not Applicable |
| FortiADC 7.0 | Not affected | Not Applicable |
| FortiADC 6.2 | Not affected | Not Applicable |
| FortiADC 6.1 | Not affected | Not Applicable |
| FortiADCManager 7.6 | 7.6.0 | Upgrade to 7.6.1 or above |
| FortiADCManager 7.4 | Not affected | Not Applicable |
| FortiADCManager 7.2 | Not affected | Not Applicable |
| FortiADCManager 7.1 | Not affected | Not Applicable |
| FortiADCManager 7.0 | Not affected | Not Applicable |
| FortiADCManager 6.2 | Not affected | Not Applicable |
| FortiADCManager 6.1 | Not affected | Not Applicable |
| FortiADCManager 6.0 | Not affected | Not Applicable |
| FortiAnalyzer 7.6 | 7.6.0 through 7.6.2 | Upgrade to 7.6.3 or above |
| FortiAnalyzer 7.4 | 7.4.3 through 7.4.6 | Upgrade to 7.4.7 or above |
| FortiAnalyzer 7.2 | 7.2.5 through 7.2.10 | Upgrade to 7.2.11 or above |
| FortiAnalyzer 7.0 | 7.0.12 through 7.0.14 | Migrate to a fixed release |
| FortiAnalyzer 6.4 | 6.4.14 through 6.4.15 | Migrate to a fixed release |
| FortiAnalyzer-BigData 7.6 | Not affected | Not Applicable |
| FortiAnalyzer-BigData 7.4 | 7.4.2 through 7.4.3 | Upgrade to 7.4.4 or above |
| FortiAnalyzer-BigData 7.2 | 7.2.8 through 7.2.9 | Upgrade to 7.2.10 or above |
| FortiDDoS-F 7.0 | 7.0.1 through 7.0.4 | Upgrade to 7.0.5 or above |
| FortiDDoS-F 6.6 | Not affected | Not Applicable |
| FortiDDoS-F 6.5 | Not affected | Not Applicable |
| FortiDDoS-F 6.4 | Not affected | Not Applicable |
| FortiDDoS-F 6.3 | Not affected | Not Applicable |
| FortiDDoS-F 6.2 | Not affected | Not Applicable |
| FortiDDoS-F 6.1 | Not affected | Not Applicable |
| FortiExtender 7.6 | 7.6.0 through 7.6.2 | Upgrade to 7.6.3 or above |
| FortiExtender 7.4 | 7.4.4 through 7.4.7 | Upgrade to 7.4.8 or above |
| FortiExtender 7.2 | 7.2.5 | Migrate to a fixed release |
| FortiExtender 7.0 | 7.0.5 | Migrate to a fixed release |
| FortiManager 7.6 | 7.6.0 through 7.6.2 | Upgrade to 7.6.3 or above |
| FortiManager 7.4 | 7.4.3 through 7.4.6 | Upgrade to 7.4.7 or above |
| FortiManager 7.2 | 7.2.5 through 7.2.10 | Upgrade to 7.2.11 or above |
| FortiManager 7.0 | 7.0.12 through 7.0.14 | Migrate to a fixed release |
| FortiManager 6.4 | 6.4.14 through 6.4.15 | Migrate to a fixed release |
| FortiNDR 7.6 | 7.6.0 through 7.6.1 | Upgrade to 7.6.2 or above |
| FortiNDR 7.4 | 7.4.3 through 7.4.8 | Upgrade to 7.4.9 or above |
| FortiNDR 7.2 | 7.2.2 and above | Migrate to a fixed release |
| FortiNDR 7.1 | Not affected | Not Applicable |
| FortiNDR 7.0 | 7.0.6 and above | Migrate to a fixed release |
| FortiNDR 1.5 | Not affected | Not Applicable |
| FortiNDR 1.4 | Not affected | Not Applicable |
| FortiSandbox 5.0 | 5.0.0 through 5.0.1 | Upgrade to 5.0.2 or above |
| FortiSandbox 4.4 | 4.4.4 through 4.4.7 | Upgrade to 4.4.8 or above |
| FortiSandbox 4.2 | 4.2.7 through 4.2.8 | Migrate to a fixed release |
| FortiSandbox 4.0 | Not affected | Not Applicable |
| FortiSwitch 7.6 | 7.6.0 through 7.6.4 | Upgrade to 7.6.5 or above |
| FortiSwitch 7.4 | 7.4.4 through 7.4.7 | Upgrade to 7.4.8 or above |
| FortiSwitch 7.2 | 7.2.8 through 7.2.10 | Migrate to a fixed release |
| FortiSwitch 7.0 | Not affected | Not Applicable |
| FortiVoice 7.2 | 7.2.0 through 7.2.1 | Upgrade to 7.2.2 or above |
| FortiVoice 7.0 | 7.0.2 through 7.0.7 | Upgrade to 7.0.8 or above |
| FortiVoice 6.4 | 6.4.9 through 6.4.11 | Upgrade to 6.4.12 or above |
| FortiWeb 8.0 | Not affected | Not Applicable |
| FortiWeb 7.6 | 7.6.0 through 7.6.4 | Upgrade to 7.6.5 or above |
| FortiWeb 7.4 | 7.4.3 and above | Migrate to a fixed release |
| FortiWeb 7.2 | 7.2.8 and above | Migrate to a fixed release |
| FortiWeb 7.0 | Not affected | Not Applicable |
Products under investigation:

- FortiAIOps
- FortiRecorder
- FortiMail
- FortiTester

Products confirmed NOT impacted:

- FortiOS
- FortiProxy
- FortiPAM
- FortiAuthenticator
- FortiPortal
- FortiSwitchManager
- FortiWebManager
- FortiDeceptor
- FortiNAC
- FortiNAC-F
- FortiSIEM
- FortiSOAR
- FortiWLC
- FortiDDoS
- FortiAP
- FortiAP-U
- FortiEDR
- FortiGuest
Timeline
2025-03-11: Initial publication
2025-05-13: Updated affected products and solutions
2025-07-30: Updated affected products and solutions
2025-11-03: Updated affected products and solutions
2025-11-24: Updated affected products and solutions