CVE-2025-14942

06.01.2026, 18:15

wolfSSHs key exchange state machine can be manipulated to leak the clients password in the clear, trick the client to send a bogus signature, or trick the client into skipping user authentication. This affects client applications with wolfSSH version 1.4.21 and earlier. Users of wolfSSH must update or apply the fix patch and its recommended to update credentials used. This fix is also recommended for wolfSSH server applications. While there arent any specific attacks on server applications, the same defect is present. Thanks to Aina Toky Rasoamanana of Valeo and Olivier Levillain of Telecom SudParis for the report.

Provider	Type	Base Score	Vector
NIST	NIST	UNKNOWN	---
wolfSSL	CNA	---	---
CISA-ADP	ADP	---	---

Base Score

CVSS 3.x

EPSS Score

Percentile: 20%

Common Weakness Enumeration

CWE-287 - Improper Authentication
When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

References

https://github.com/wolfSSL/wolfssh/pull/855