CVE-2025-30095
VyOS Dropbear Private Key Exposure
Description
VyOS 1.3 through 1.5 (fixed in 1.4.2) or any Debian-based system using dropbear in combination with live-build has the same Dropbear private host keys across different installations. Thus, an attacker can conduct active man-in-the-middle attacks against SSH connections if Dropbear is enabled as the SSH daemon. I n VyOS, this is not the default configuration for the system SSH daemon, but is for the console service. To mitigate this, one can run "rm -f /etc/dropbear/*key*" and/or "rm -f /etc/dropbear-initramfs/*key*" and then dropbearkey -t rsa -s 4096 -f /etc/dropbear_rsa_host_key and reload the service or reboot the system before using Dropbear as the SSH daemon (this clears out all keys mistakenly built into the release image) or update to the latest version of VyOS 1.4 or 1.5. Note that this vulnerability is not unique to VyOS and may appear in any Debian-based Linux distribution that uses Dropbear in combination with live-build, which has a safeguard against this behavior in OpenSSH but no equivalent one for Dropbear.
INFO
Published Date :
March 31, 2025, 3:15 p.m.
Last Modified :
April 11, 2025, 2:15 p.m.
Source :
[email protected]
Remotely Exploitable :
Yes !
Impact Score :
6.0
Exploitability Score :
2.2
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2025-30095.
| URL | Resource |
|---|---|
| https://blog.vyos.io/vyos-project-march-2025-update | |
| https://blog.vyos.io/vyos-stream-1.5-2025-q1 | |
| https://github.com/vyos/ | |
| https://vyos.dev/T7217 | |
| https://vyos.net/get/stream/#1.5-2025-Q1 |
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2025-30095 vulnerability anywhere in the article.
-
Daily CyberSecurity
High-Severity Vulnerabilities in Bruno API Client Expose Users to Potential RCE
A security advisory from the Bruno project has revealed critical vulnerabilities in the Bruno API client, highlighting the risks associated with importing collections from untrusted sources. Bruno is ... Read more
-
Daily CyberSecurity
Chrome 135: 14 Security Fixes, High-Severity CVE-2025-3066 Flaw Patched
Google’s Chrome team has officially rolled out Chrome 135 to the Stable Channel for Windows, macOS, and Linux, bringing a wave of security enhancements, bug fixes, and under-the-hood improvements to b ... Read more
-
Daily CyberSecurity
VyOS and Debian Systems Vulnerable to Man-in-the-Middle Attacks (CVE-2025-30095)
A critical vulnerability tracked as CVE-2025-30095 has been discovered in VyOS, a popular open-source network operating system. The flaw, reported by Morgan Jones of Viasat, stems from private SSH key ... Read more
The following table lists the changes that have been made to the
CVE-2025-30095 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
CVE Modified by [email protected]
Apr. 11, 2025
Action Type Old Value New Value Added CVSS V3.1 AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H Added CWE CWE-321 -
CVE Modified by [email protected]
Mar. 31, 2025
Action Type Old Value New Value Changed Description VyOS 1.3 through 1.5 or any Debian-based system using dropbear in combination with live-build has the same Dropbear private host keys across different installations. Thus, an attacker can conduct active man-in-the-middle attacks against SSH connections if Dropbear is enabled as the SSH daemon. I n VyOS, this is not the default configuration for the system SSH daemon, but is for the console service. To mitigate this, one can run "rm -f /etc/dropbear/*key*" and/or "rm -f /etc/dropbear-initramfs/*key*" and then dropbearkey -t rsa -s 4096 -f /etc/dropbear_rsa_host_key and reload the service or reboot the system before using Dropbear as the SSH daemon (this clears out all keys mistakenly built into the release image) or update to the latest version of VyOS 1.4 or 1.5. Note that this vulnerability is not unique to VyOS and may appear in any Debian-based Linux distribution that uses Dropbear in combination with live-build, which has a safeguard against this behavior in OpenSSH but no equivalent one for Dropbear. VyOS 1.3 through 1.5 (fixed in 1.4.2) or any Debian-based system using dropbear in combination with live-build has the same Dropbear private host keys across different installations. Thus, an attacker can conduct active man-in-the-middle attacks against SSH connections if Dropbear is enabled as the SSH daemon. I n VyOS, this is not the default configuration for the system SSH daemon, but is for the console service. To mitigate this, one can run "rm -f /etc/dropbear/*key*" and/or "rm -f /etc/dropbear-initramfs/*key*" and then dropbearkey -t rsa -s 4096 -f /etc/dropbear_rsa_host_key and reload the service or reboot the system before using Dropbear as the SSH daemon (this clears out all keys mistakenly built into the release image) or update to the latest version of VyOS 1.4 or 1.5. Note that this vulnerability is not unique to VyOS and may appear in any Debian-based Linux distribution that uses Dropbear in combination with live-build, which has a safeguard against this behavior in OpenSSH but no equivalent one for Dropbear. -
New CVE Received by [email protected]
Mar. 31, 2025
Action Type Old Value New Value Added Description VyOS 1.3 through 1.5 or any Debian-based system using dropbear in combination with live-build has the same Dropbear private host keys across different installations. Thus, an attacker can conduct active man-in-the-middle attacks against SSH connections if Dropbear is enabled as the SSH daemon. I n VyOS, this is not the default configuration for the system SSH daemon, but is for the console service. To mitigate this, one can run "rm -f /etc/dropbear/*key*" and/or "rm -f /etc/dropbear-initramfs/*key*" and then dropbearkey -t rsa -s 4096 -f /etc/dropbear_rsa_host_key and reload the service or reboot the system before using Dropbear as the SSH daemon (this clears out all keys mistakenly built into the release image) or update to the latest version of VyOS 1.4 or 1.5. Note that this vulnerability is not unique to VyOS and may appear in any Debian-based Linux distribution that uses Dropbear in combination with live-build, which has a safeguard against this behavior in OpenSSH but no equivalent one for Dropbear. Added Reference https://blog.vyos.io/vyos-project-march-2025-update Added Reference https://blog.vyos.io/vyos-stream-1.5-2025-q1 Added Reference https://github.com/vyos/ Added Reference https://vyos.dev/T7217 Added Reference https://vyos.net/get/stream/#1.5-2025-Q1
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2025-30095 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2025-30095
weaknesses.