Key Exchange Manipulation in wolfSSH Client Applications from wolfSSL
CVE-2025-14942

9.4CRITICAL

Key Information:

Vendor: Wolfssl
Status: Wolfssh
Vendor: CVE Published:; 6 January 2026

What is CVE-2025-14942?

The wolfSSH library, used in various client applications, has a serious flaw in its key exchange state machine. This vulnerability enables an attacker to manipulate the authentication process, risking the exposure of the client’s password in an unencrypted format. Additionally, malicious actors can trick the client into sending invalid signatures or bypassing user authentication altogether. This affects all client applications utilizing wolfSSH versions 1.4.21 and earlier, prompting users to update their software or apply necessary patches. While no specific attacks have targeted server applications, the same vulnerability exists within wolfSSH server environments, necessitating attention and remediation.

Affected Version(s)

wolfSSH 0 < 1.4.22

References

https://github.com/wolfSSL/wolfssh/pull/855

CVSS V4

Score:

9.4

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 6, 2026
Vulnerability Reserved
Dec 18, 2025

Credit

Aina Toky Rasoamanana

Olivier Levillain

CVE-2025-14942 Data

JSON

Wolfssl

What is CVE-2025-14942?

Affected Version(s)

References

CVSS V4

Timeline

Credit