CVE-2025-32728: 
OpenSSH vulnerability analysis and mitigation

CVE-2025-32728 affects OpenSSH versions before 10.0, specifically impacting the sshd component. The vulnerability was discovered in April 2025 and relates to the DisableForwarding directive not properly adhering to its documented functionality for disabling X11 and agent forwarding (OpenSSH Release).

The vulnerability stems from a logic error in the DisableForwarding option implementation where the directive failed to properly disable X11 forwarding and agent forwarding as documented. The issue has been assigned a CVSS v3.1 base score of 4.3 (MEDIUM) with vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N (NVD).

The impact of this vulnerability is limited as X11 forwarding is disabled by default in the server configuration, and agent forwarding is off by default in the client. However, in cases where these features are enabled, the DisableForwarding directive would fail to restrict them as intended, potentially allowing unauthorized forwarding capabilities (OpenSSH Release).

The vulnerability has been fixed in OpenSSH 10.0. The fix involves correcting the logic in the DisableForwarding option implementation to properly enforce X11 and agent forwarding restrictions. Users are advised to upgrade to OpenSSH 10.0 or later to address this issue (OpenSSH Release, OpenBSD Patch).

The vulnerability was initially reported by Tim Rice and has been acknowledged by the OpenSSH development team. The fix was incorporated into the OpenSSH 10.0 release, which includes several other security improvements and feature enhancements (OpenSSH Release).