CVE-2025-5372 is a medium-severity vulnerability identified in Red Hat Enterprise Linux 10, specifically affecting libssh versions built with OpenSSL versions older than 3.0. The flaw resides in the ssh_kdf() function, which is responsible for key derivation during SSH session establishment. The root cause is an inconsistent interpretation of return values between OpenSSL and libssh: OpenSSL signals failure with a return value of 0, whereas libssh uses 0 to indicate success. This discrepancy can cause ssh_kdf() to incorrectly report success even when key derivation fails. As a result, uninitialized cryptographic key buffers may be used in subsequent SSH communications. This undermines the confidentiality, integrity, and availability of SSH sessions, potentially allowing attackers to intercept, manipulate, or disrupt secure communications. Although the CVSS score is 5.0 (medium), the vulnerability impacts a critical security function—SSH key derivation—and could lead to session compromise if exploited. The vulnerability does not require user interaction but does require low privileges to exploit, and the attack vector is network-based. No known exploits are currently in the wild, and no patches or fixes have been linked yet. The vulnerability affects Red Hat Enterprise Linux 10 installations using libssh linked against OpenSSL versions prior to 3.0, which may be common in some enterprise environments that have not yet upgraded their cryptographic libraries.

For European organizations, this vulnerability poses a risk to secure remote access and management infrastructure that relies on SSH, a ubiquitous protocol for system administration and automated processes. Compromise of SSH sessions could lead to unauthorized access, data leakage, or disruption of critical services. Industries with high reliance on Linux servers, such as finance, telecommunications, government, and critical infrastructure sectors, may face increased risk. The confidentiality impact is low to moderate due to potential exposure of session keys; integrity and availability impacts are also low to moderate as attackers could manipulate or disrupt SSH sessions. Given the medium CVSS score and the requirement for low privileges but no user interaction, the threat is credible but not trivial to exploit. European organizations using Red Hat Enterprise Linux 10 with older OpenSSL versions should consider this vulnerability seriously, especially those with remote administration practices or automated SSH-based workflows.

Organizations should immediately audit their Red Hat Enterprise Linux 10 systems to identify libssh builds linked against OpenSSL versions older than 3.0. Upgrading OpenSSL to version 3.0 or later is critical to resolving the root cause of the inconsistent return value interpretation. If upgrading OpenSSL is not immediately feasible, recompiling or updating libssh to a version that correctly handles OpenSSL return values is recommended. Network-level controls such as restricting SSH access to trusted IP ranges and enforcing multi-factor authentication can reduce exploitation risk. Monitoring SSH session anomalies and logs for unusual failures or unexpected behavior may help detect exploitation attempts. Organizations should also stay alert for official patches or advisories from Red Hat and apply them promptly once available. Finally, consider implementing compensating controls such as SSH key rotation and enhanced session encryption policies to mitigate potential exposure.