CVE-2025-30095

CVE-2025-30095 affects VyOS versions 1.3 through 1.5, with a fix available in 1.4.2, as well as any Debian-based Linux distribution using Dropbear in combination with live-build. The vulnerability stems from identical Dropbear private host keys being generated across different installations, enabling active man-in-the-middle (MITM) attacks on SSH connections when Dropbear serves as the SSH daemon. In VyOS, Dropbear is not the default system SSH daemon but is enabled by default for the console service. This issue, tied to CWE-321 (use of hard-coded cryptographic keys), carries a CVSS v3.1 base score of 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).

A network-based attacker with no privileges can exploit this vulnerability by positioning themselves to intercept SSH traffic to affected systems running Dropbear. The high attack complexity arises from the need for active network manipulation, but successful exploitation allows full MITM control, enabling the attacker to eavesdrop on sessions, inject malicious commands, or impersonate the server, resulting in high confidentiality, integrity, and availability impacts due to the cross-scope effects.

VyOS advisories recommend mitigating by removing default keys with commands such as "rm -f /etc/dropbear/*key*" and "rm -f /etc/dropbear-initramfs/*key*", then generating a new RSA host key using "dropbearkey -t rsa -s 4096 -f /etc/dropbear_rsa_host_key", followed by reloading the service or rebooting. Updating to the latest VyOS 1.4 or 1.5 releases also resolves the issue. Additional details are available in VyOS blog posts and the issue tracker at vyos.dev/T7217. Note that OpenSSH includes safeguards against this behavior, but Dropbear lacks an equivalent in live-build environments.