CVE-2025-5372 is a medium-severity vulnerability identified in Red Hat Enterprise Linux 10, specifically affecting libssh versions compiled with OpenSSL versions older than 3.0. The flaw resides in the ssh_kdf() function, which is responsible for key derivation during SSH session establishment. The root cause is a mismatch in the interpretation of return values between OpenSSL and libssh: OpenSSL returns 0 to indicate failure, whereas libssh treats 0 as success. This inconsistency can cause ssh_kdf() to incorrectly report successful key derivation even when it has failed. Consequently, uninitialized cryptographic key buffers may be used in subsequent SSH communications. This undermines the confidentiality, integrity, and availability of SSH sessions, potentially allowing attackers to intercept or manipulate data or cause session failures. The vulnerability requires network access (AV:N), has a high attack complexity (AC:H), requires low privileges (PR:L), and no user interaction (UI:N). The scope is unchanged (S:U), and the impact on confidentiality, integrity, and availability is low to medium. No known exploits are reported in the wild yet, and no patches have been linked at the time of publication. The issue stems from a subtle but critical error in error handling between cryptographic libraries, emphasizing the importance of consistent API usage in security-sensitive code.

For European organizations, this vulnerability poses a risk primarily to systems running Red Hat Enterprise Linux 10 with affected libssh and OpenSSL versions. SSH is widely used for secure remote administration and automated processes; compromised SSH sessions could lead to unauthorized data access, session hijacking, or disruption of critical services. Confidentiality breaches could expose sensitive corporate or personal data, while integrity compromises might allow attackers to inject malicious commands or alter data in transit. Availability impacts could result from session failures or denial of service. Sectors such as finance, government, healthcare, and critical infrastructure, which rely heavily on secure remote access, are particularly at risk. Given the medium severity and the requirement for low privileges but high attack complexity, exploitation is less trivial but still feasible by skilled attackers. The absence of known exploits suggests a window for proactive mitigation. Failure to address this vulnerability could undermine trust in secure communications and regulatory compliance with data protection laws such as GDPR.

European organizations should prioritize updating libssh and OpenSSL to versions where this inconsistency is resolved, ideally using OpenSSL 3.0 or later. Until patches are available, organizations should audit their SSH configurations to identify and isolate systems running vulnerable versions. Employ network segmentation and strict access controls to limit exposure of affected hosts. Monitoring SSH session logs for anomalies or failures may help detect exploitation attempts. Consider deploying host-based intrusion detection systems (HIDS) to alert on suspicious SSH activity. Where possible, enforce multi-factor authentication (MFA) to reduce risk from compromised sessions. Additionally, organizations should engage with Red Hat support channels for official patches or workarounds and test updates in controlled environments before deployment. Regular vulnerability scanning and penetration testing focused on SSH services can help identify residual risks. Finally, maintain incident response readiness to quickly address any exploitation attempts.