CVE-2025-5372
CVE Details
Visit the official vulnerability details page for CVE-2025-5372 to learn more.
Initial Publication
07/31/2025
Last Update
09/17/2025
Third Party Dependency
libssh-4
NIST CVE Summary
A flaw was found in libssh versions built with OpenSSL versions older than 3.0, specifically in the ssh_kdf() function responsible for key derivation. Due to inconsistent interpretation of return values, where OpenSSL uses 0 to indicate failure and libssh uses 0 for success, the function may mistakenly return a success status even when key derivation fails. This results in uninitialized cryptographic key buffers being used in subsequent communication, potentially compromising SSH sessions' confidentiality, integrity, and availability.
CVE Severity
Our Official Summary
This is a cryptographic key derivation vulnerability in libssh versions built with OpenSSL versions older than 3.0, specifically affecting the ssh_kdf() function. Due to inconsistent interpretation of return values between OpenSSL (0 indicates failure) and libssh (0 indicates success), the function may mistakenly return a success status even when key derivation fails, resulting in uninitialized cryptographic key buffers being used in subsequent SSH communication.
The vulnerability affects multiple components across both VerteX and Palette products. There are no known instances of this vulnerability being successfully exploited.
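The return-value mismatch described in both summaries above, shown as an added illustration that is not code from libssh, OpenSSL, or this advisory. The functions mock_openssl_kdf, ssh_kdf_passthrough, ssh_kdf_mapped, derive_session_key and key_is_unset are constructed for this example: the mock KDF is a toy that only imitates the OpenSSL convention (1 on success, 0 on failure) and, like a real failed derivation, writes nothing to the output buffer when it fails. The key buffer is pre-filled with a sentinel byte so that a "successful" status paired with an untouched buffer is visible, which is exactly the condition a reviewer or test should look for when a library bridges two return-code conventions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* libssh-style status codes: 0 is success, negative is failure. */
#define SSH_OK     0
#define SSH_ERROR -1

/* Constructed stand-in for an OpenSSL-style KDF call: returns 1 on success and
 * 0 on failure (the OpenSSL convention). This is NOT OpenSSL's API; on failure
 * it leaves `out` untouched, which is the behaviour that matters for this CVE. */
static int mock_openssl_kdf(const uint8_t *secret, size_t secret_len,
                            uint8_t *out, size_t out_len, bool simulate_failure)
{
    if (simulate_failure || secret == NULL || secret_len == 0 || out_len == 0) {
        return 0;
    }
    for (size_t i = 0; i < out_len; i++) {
        out[i] = (uint8_t)(secret[i % secret_len] ^ (uint8_t)i); /* toy mixing, not a real KDF */
    }
    return 1;
}

/* Buggy wrapper (constructed): the OpenSSL result is returned as-is. A failed
 * derivation (0) therefore reads as SSH_OK to the caller, and `out` still holds
 * whatever was in memory before the call. */
static int ssh_kdf_passthrough(const uint8_t *secret, size_t secret_len,
                               uint8_t *out, size_t out_len, bool simulate_failure)
{
    int rc = mock_openssl_kdf(secret, secret_len, out, out_len, simulate_failure);
    return rc; /* 0 means failure to OpenSSL but SSH_OK to a libssh caller */
}

/* Fixed wrapper (constructed): translate conventions explicitly and fail closed. */
static int ssh_kdf_mapped(const uint8_t *secret, size_t secret_len,
                          uint8_t *out, size_t out_len, bool simulate_failure)
{
    int rc = mock_openssl_kdf(secret, secret_len, out, out_len, simulate_failure);
    if (rc != 1) {
        memset(out, 0, out_len); /* never hand stale bytes back as key material */
        return SSH_ERROR;
    }
    return SSH_OK;
}

#define KEY_LEN  16
#define SENTINEL 0xAA /* pre-fill so untouched bytes are recognisable */

/* Runs one derivation and returns the status a caller would see. `key` is
 * pre-filled with SENTINEL: if the status says success but the sentinel
 * survives, the caller is about to use an uninitialized key. */
static int derive_session_key(bool use_fixed, bool simulate_failure, uint8_t key[KEY_LEN])
{
    static const uint8_t secret[] = "constructed-shared-secret"; /* constructed input */
    memset(key, SENTINEL, KEY_LEN);
    if (use_fixed) {
        return ssh_kdf_mapped(secret, sizeof(secret) - 1, key, KEY_LEN, simulate_failure);
    }
    return ssh_kdf_passthrough(secret, sizeof(secret) - 1, key, KEY_LEN, simulate_failure);
}

/* True if every byte of `key` is still the sentinel, i.e. the KDF wrote nothing. */
static bool key_is_unset(const uint8_t key[KEY_LEN])
{
    for (size_t i = 0; i < KEY_LEN; i++) {
        if (key[i] != SENTINEL) {
            return false;
        }
    }
    return true;
}

int main(void)
{
    uint8_t key[KEY_LEN];
    int rc;

    rc = derive_session_key(false, true, key);
    printf("buggy wrapper, KDF fails: status=%d (SSH_OK is 0), key untouched=%d\n",
           rc, (int)key_is_unset(key));

    rc = derive_session_key(true, true, key);
    printf("fixed wrapper, KDF fails: status=%d (SSH_ERROR is -1)\n", rc);

    rc = derive_session_key(true, false, key);
    printf("fixed wrapper, KDF ok:    status=%d, key[0]=0x%02x\n", rc, key[0]);
    return 0;
}
```

The first run is the vulnerable condition: the caller receives SSH_OK while the buffer is exactly as it was before the call. The mapped wrapper turns the same failure into SSH_ERROR and clears the buffer, so a session setup that checks the status aborts instead of continuing with undefined key bytes.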
The risk of exploitation is considered medium, as the attack complexity is high. The impact if compromised is considered high as it could affect the integrity of inter-component communication.
Upstream patches addressing this issue will be incorporated when available.
Status
Ongoing
Affected Products & Versions
Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap |
---|---|---|---|---|
4.7.16 | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted | ⚠️ Impacted |
4.6.41 | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted | ⚠️ Impacted |
Revision History
Date | Revision |
---|---|
09/17/2025 | Status changed from Open to Ongoing |
09/17/2025 | Official summary added |