{"vulnerability": "CVE-2025-46807", "sightings": [{"uuid": "e6581a43-2105-4bf3-a553-c09fd098eb7e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2025-46807", "type": "seen", "source": "https://t.me/CyberBulletin/3590", "content": "\ud83d\udea8 Critical Vulnerabilities in sslh Expose Systems to Remote DoS Attacks\n\nTwo newly discovered critical vulnerabilities in sslh, a widely-used protocol multiplexer, are putting systems at risk of remote denial-of-service (DoS) attacks. Tracked as CVE-2025-46807 and CVE-2025-46806, the flaws affect all sslh versions prior to v2.2.4.\n\n\ud83d\udd0d What is sslh?\n\nsslh is a lightweight utility that allows multiple protocols like HTTPS, SSH, OpenVPN, and others to share the same port\u2014commonly used to bypass firewalls in enterprise environments.\n\n\n---\n\n\ud83d\udd13 CVE-2025-46807 \u2014 File Descriptor Exhaustion (High Severity)\n\nType: Remote DoS via UDP\nCVSS Score: 7.5\nA flaw in the way sslh manages UDP connections can lead to file descriptor exhaustion. Since timeout checks only occur during active network events, an attacker can flood the service with single-byte UDP packets, hitting the default limit of 1024 open descriptors.\n\n\u27a1\ufe0f Once this limit is reached, sslh crashes due to a NULL pointer dereference (new_cnx), making it trivial for an attacker to bring down the service.\n\nFix: Patched in commit ff8206f7c, which prevents the segmentation fault. However, open UDP sockets may still persist longer than ideal.\n\n\n---\n\n\u26a0\ufe0f CVE-2025-46806 \u2014 Misaligned Memory Access in OpenVPN Probe\n\nType: Remote DoS on ARM and similar architectures\nCVSS Score: 7.5\nThis vulnerability targets the OpenVPN detection logic in sslh. 
The function is_openvpn_protocol() improperly dereferences memory using a misaligned pointer, causing a SIGBUS crash on architectures like ARM.\n\nAttackers only need to send 29+ crafted UDP packets (e.g., a sequence of 0x08 bytes) to reliably trigger the crash.\n\nFix: Commit 204305a88fb3 replaces the unsafe pointer operation with a memcpy() into a local buffer\u2014preserving alignment and preventing the crash.\n\n\n---\n\n\ud83d\udee1\ufe0f Who's at Risk?\n\nAny system running sslh < v2.2.4\u2014especially with UDP protocols or OpenVPN probing enabled\u2014can be affected. The sslh-fork version handles resource exhaustion better, but it's not immune to aggressive attack scenarios.\n\n\n---\n\nMitigation & Recommendations\n\nUpgrade immediately to sslh v2.2.4, which includes fixes for both vulnerabilities.\n\nHarden your environment by setting OS-level resource limits (ulimits) to reduce attack impact.\n\nConsider reducing UDP-based probes or limiting simultaneous connections where possible.\n\n\nAccording to SUSE\u2019s security analysts, sslh remains a reliable tool with a small attack surface, and with these fixes in place, is considered safe for production deployments.\n\n\n---\n\n\ud83e\udde0 Final Take \u2013 Cyber Bulletin Insight\n\nThese sslh vulnerabilities highlight the importance of keeping even lightweight, often-overlooked services fully patched and monitored. As attackers increasingly target multiplexers and edge services to maximize disruption, staying ahead with proactive upgrades and resource hardening is more vital than ever.\n\n\n\ud83d\udce2 Stay informed. 
Stay secure.\nSubscribe to Cyber Bulletin for real-time updates on critical vulnerabilities and threat intelligence.", "creation_timestamp": "2025-07-06T21:55:44.000000Z"}, {"uuid": "8ed1729e-f27a-4547-9df6-611681690315", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2025-46807", "type": "published-proof-of-concept", "source": "Telegram/rXYL1lXWkEU6X4s-B12vmJDiUkp3J5RpkWN8Rf8Wlc0XZWI", "content": "", "creation_timestamp": "2025-06-02T12:01:30.000000Z"}, {"uuid": "49ddc4e4-c95c-44f9-af6c-f6ebd03fe130", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2025-46807", "type": "seen", "source": "https://infosec.exchange/users/cR0w/statuses/114613841197886220", "content": "", "creation_timestamp": "2025-06-02T12:47:07.058122Z"}, {"uuid": "23245de0-5750-4423-adc1-65ce397474ea", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2025-46807", "type": "seen", "source": "https://bsky.app/profile/infosec.skyfleet.blue/post/3lrioz6rmmk2j", "content": "", "creation_timestamp": "2025-06-13T14:55:56.902718Z"}, {"uuid": "04e7cd82-d0d4-4ba2-8c63-ab92d1b19da4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2025-46807", "type": "seen", "source": "https://seclists.org/oss-sec/2025/q2/248", "content": "", "creation_timestamp": "2025-06-13T12:32:14.000000Z"}, {"uuid": "b530938c-92f4-4966-a15b-e9971cac7c52", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2025-46807", "type": "seen", "source": "https://bsky.app/profile/2rZiKKbOU3nTafniR2qMMSE0gwZ.activitypub.awakari.com.ap.brid.gy/post/3lrsdxdbs52s2", "content": "", 
"creation_timestamp": "2025-06-17T11:04:51.330919Z"}, {"uuid": "6a80d617-03d4-4f84-bbc8-a68b823774b7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2025-46807", "type": "seen", "source": "https://bsky.app/profile/2rZiKKbOU3nTafniR2qMMSE0gwZ.activitypub.awakari.com.ap.brid.gy/post/3lqmutvq4lix2", "content": "", "creation_timestamp": "2025-06-02T13:28:49.765092Z"}]}