A vulnerability (CVSS 7.2) in Tectia Server was responsibly disclosed to us on April 11th, 2025. In some cases it allows an attacker who is able to control both the TCP traffic and an account on the target system to gain man-in-the-middle privileges. The attacker’s capabilities differ depending on what the client is doing, but in the worst cases the attacker can read and alter a user’s session traffic.
The publication date for the CVE is mid-September, to allow our customers a reasonable period of time to upgrade their installations.
There are no mitigations other than upgrading your Tectia Server installation on Windows, Linux, and UNIX without undue delay.
Tectia Client and Tectia z/OS installations are not affected by this.
Versions where this vulnerability is fixed are as follows and were published on 12th of June, 2025:
The versions are available for download from https://cdc.ssh.com.
If you have account or login-related issues, or questions of any sort, please reach out to us at https://care.ssh.com.