CVE-2025-5372 is a medium-severity vulnerability affecting Red Hat Enterprise Linux 10 systems that use libssh versions built with OpenSSL versions older than 3.0. The flaw resides in the ssh_kdf() function, which is responsible for key derivation during SSH session establishment. The root cause is a mismatch in interpreting return values between OpenSSL and libssh: OpenSSL returns 0 to indicate failure, whereas libssh treats 0 as success. This inconsistency can cause ssh_kdf() to incorrectly report a successful key derivation even when it has failed. As a result, uninitialized cryptographic key buffers may be used in subsequent SSH communications. This undermines the confidentiality, integrity, and availability of SSH sessions, potentially allowing attackers to intercept or manipulate data or cause session disruptions. The vulnerability requires network access (AV:N), has a high attack complexity (AC:H), requires low privileges (PR:L), and no user interaction (UI:N). The scope is unchanged (S:U), and the impact on confidentiality, integrity, and availability is low (C:L/I:L/A:L), leading to an overall CVSS score of 5.0 (medium severity). No known exploits are currently in the wild, and no patches have been linked yet. The vulnerability specifically affects Red Hat Enterprise Linux 10 installations using the affected libssh and OpenSSL versions, which are common in enterprise environments relying on SSH for secure remote access and management.

For European organizations, this vulnerability poses a risk to secure remote administration and automated processes relying on SSH. Compromise of SSH session confidentiality could lead to exposure of sensitive credentials or data, while integrity issues might allow attackers to inject malicious commands or alter data in transit. Availability impacts could disrupt critical services dependent on SSH connectivity. Given the widespread use of Red Hat Enterprise Linux in European government, financial, telecommunications, and industrial sectors, exploitation could affect critical infrastructure and sensitive operations. The medium severity and requirement for low privileges mean that insider threats or attackers with limited access could potentially exploit this flaw. Although no exploits are known yet, the vulnerability could be leveraged in targeted attacks against organizations with outdated OpenSSL versions, especially where patching cycles are slow or where legacy systems remain in use.

European organizations should first identify all Red Hat Enterprise Linux 10 systems using libssh built with OpenSSL versions older than 3.0. Immediate mitigation involves upgrading OpenSSL to version 3.0 or later, where the return value semantics are consistent with libssh. If upgrading OpenSSL is not immediately feasible, organizations should consider recompiling libssh against a patched or updated OpenSSL library that aligns return codes correctly. Additionally, monitoring SSH session logs for anomalies or failures in key derivation could help detect exploitation attempts. Network segmentation and limiting SSH access to trusted hosts can reduce exposure. Implementing strict privilege management to minimize users with SSH access and employing multi-factor authentication can further reduce risk. Finally, organizations should stay alert for official patches from Red Hat and apply them promptly once available.