Threat Radar - kevwells.com

Threat Radar

TL;DR

  • Patch now: Linux kernel (CVE-2025-38236), OpenSSH client bugs (CVE-2025-26465/26466), and current VMware advisories; N-able N-central flaws added to CISA KEV.
  • Watchlist: further kernel backports landing in distro trackers; VMware rollups; Microsoft August patches with multiple critical items.
  • Action for Linux/Cloud ops: roll kernel updates with reboots, update OpenSSH clients fleet-wide (laptops, jump hosts, CI), and keep vCenter/ESXi on a predictable patch cadence.

1) What’s NEW (operator view)

  • Linux kernel – CVE-2025-38236 (AF_UNIX out-of-band/MSG_OOB path): Privilege-escalation route from renderer/container contexts; requires reboot after patch.
  • OpenSSH clients – CVE-2025-26465 / CVE-2025-26466: Server impersonation when VerifyHostKeyDNS is enabled (off by default) and a client-side DoS. Fixed in OpenSSH 9.9p2.
  • VMware: Multiple 2025 VMSAs affect ESXi, vCenter, Workstation/Fusion/Tools. Treat as a monthly stream, not one-offs.
  • Managed tooling – N-able N-central: Two vulnerabilities recently added to the CISA Known Exploited Vulnerabilities (KEV) catalogue.
  • Microsoft Patch Tuesday (context for mixed estates): 100+ fixes with critical RCEs; coordinate with EUC/Desktop to keep file-handling pipelines safe.

2) Patch now – concrete actions

(A) Linux kernel: CVE-2025-38236

Why now: sandbox/container escape route to kernel privileges. Reboot required after installing updated kernels.

Check & patch (examples):

# Check running kernel
uname -r

# Ubuntu/Debian family
sudo apt update
apt list --upgradable 2>/dev/null | grep -E 'linux-image|linux-generic'
sudo apt full-upgrade -y && sudo reboot

# RHEL/Rocky/Alma
sudo dnf check-update "kernel*"
sudo dnf update -y kernel* && sudo reboot

After reboot, confirm the running kernel version matches the newly installed package with uname -r. Use your distro’s CVE tracker to confirm the fixed build numbers.

(B) OpenSSH clients: CVE-2025-26465 / CVE-2025-26466

Risk: on-path server impersonation if VerifyHostKeyDNS is enabled; separate client DoS. Fix: upgrade to OpenSSH 9.9p2 (or distro backport) on laptops, jump-hosts, CI/CD runners, and images.

Checks:

ssh -V                  # OpenSSH_X.YpZ
# Debian/Ubuntu:
dpkg -l | grep openssh-client
# RHEL family:
rpm -qa | grep openssh

Temporary hardening: ensure client configs set VerifyHostKeyDNS no unless you actively pin host keys via DNSSEC with a strict policy.

(C) VMware (vCenter / ESXi / Workstation / Fusion / Tools)

Action: review the latest 2025 VMSAs and map to your versions; patch vCenter first, then ESXi clusters via rolling maintenance. Baseline build numbers post-patch and alert on drift.

(D) N-able N-central (if in scope)

Action: apply the vendor hotfix and validate versions; KEV inclusion implies observed exploitation. If internet-exposed, treat as an incident: review admin logins, rotate secrets/tokens, restrict management interfaces by IP.

3) Watchlist (prepare, don’t panic)

  • Kernel: expect additional backports for net/FS subsystems across distros; plan for a second kernel roll this quarter.
  • VMware cadence: Broadcom advisories are frequent; schedule predictable monthly windows.
  • Mixed estates: August Microsoft patches include multiple critical items; ensure file scanners, gateways, and converters are updated even if servers are Linux.

4) Detections & safeguards

  • OpenSSH client config audit: forbid VerifyHostKeyDNS yes unless DNSSEC host-key pinning is in place; enforce known_hosts via config management.
  • Kernel exploitation signals: on servers there should be no browser-spawned helpers; alert on anomalous process trees and sudden privilege transitions; ensure EDR/auditd coverage on container nodes.
  • VMware: after patch, export build numbers to monitoring (e.g., CheckMK) and alert on regressions.
  • N-central: review access logs, rotate API keys/integration secrets, and tighten ingress.
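Putting the OpenSSH client checks from section 2(B) and the config-audit bullet above into one script (added example, not code from the original post; the config paths are the usual OpenSSH client locations and the 9.9p2 threshold is the upstream fix version):

```shell
# Added example (not from the original post): audit an OpenSSH client for the
# CVE-2025-26465 / CVE-2025-26466 items. Checks (1) the client is >= 9.9p2 and
# (2) no client config turns on VerifyHostKeyDNS ("yes" or "ask").
# Caveat: distros backport fixes without bumping the version string, so a
# version WARN is a prompt to check the distro CVE tracker, not proof.

# Pull "9.9p1" out of a banner such as "OpenSSH_9.9p1, OpenSSL 3.0.13 ...".
ssh_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9.]*p\{0,1\}[0-9]*\).*/\1/p'
}

# Encode "9.9p2" as 90902 so versions compare numerically (missing pN = p0).
ssh_version_num() {
    maj=${1%%.*}; rest=${1#*.}
    case $rest in
        *p*) min=${rest%%p*}; pl=${rest#*p} ;;
        *)   min=$rest;       pl=0 ;;
    esac
    echo $(( maj * 10000 + min * 100 + pl ))
}

# True if version $1 is at least version $2.
ssh_version_ge() {
    [ "$(ssh_version_num "$1")" -ge "$(ssh_version_num "$2")" ]
}

# True if any non-comment line of ssh_config file $1 sets VerifyHostKeyDNS to
# yes/ask, in any Host or Match block (conservative: flag it wherever it is).
config_enables_vhkd() {
    sed 's/#.*//; s/=/ /' "$1" | tr 'A-Z' 'a-z' |
        awk '$1 == "verifyhostkeydns" && ($2 == "yes" || $2 == "ask") { found = 1 }
             END { exit !found }'
}

# Run both checks on this host and print OK/WARN lines.
audit_ssh_client() {
    ver=$(ssh_version_from_banner "$(ssh -V 2>&1 | head -n 1)")
    if [ -z "$ver" ]; then
        echo "WARN could not read an OpenSSH version from 'ssh -V'"
    elif ssh_version_ge "$ver" 9.9p2; then
        echo "OK   OpenSSH client $ver (>= 9.9p2)"
    else
        echo "WARN OpenSSH client $ver < 9.9p2: confirm a distro backport"
    fi
    for f in /etc/ssh/ssh_config /etc/ssh/ssh_config.d/*.conf "$HOME/.ssh/config"; do
        [ -f "$f" ] || continue
        config_enables_vhkd "$f" && echo "WARN $f enables VerifyHostKeyDNS"
    done
}

if [ "${1:-}" = "--run" ]; then audit_ssh_client; fi
```

Run it as `sh audit-ssh.sh --run` on each laptop, jump host and CI image; any WARN line is a follow-up item.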

5) “So what” for Linux / Cloud operations

  • Reboots are non-negotiable: kernel fixes require maintenance windows; schedule two slots 48–72 hours apart to catch late backports.
  • Clients matter: these OpenSSH issues are client-side; patch laptops, jump-hosts, and CI images promptly.
  • Treat VMware like Patch Tuesday: predictable cadence beats firefighting.

6) Operator checklists

Kernel roll (all estates)

  • Inventory current kernel versions (uname -r) via config management.
  • Canary, then production; reboot and verify running versions.
  • Update golden images/AMIs; rebuild node pools.
  • Record build numbers in CMDB and monitoring.

OpenSSH client

  • Enforce OpenSSH 9.9p2 (or distro backport).
  • Confirm VerifyHostKeyDNS no unless DNSSEC key pinning is proven.
  • Rebuild CI images and developer containers.

VMware

  • Read the latest VMSA(s); map CVEs to your product versions.
  • Patch vCenter first, then ESXi (rolling); validate vMotion/HA/DRS and backup integrations.

N-able N-central

  • Apply vendor hotfix.
  • Check external exposure; rotate creds/secrets; review logs for privilege escalation patterns.

7) References

  • Linux kernel CVE-2025-38236 – Project Zero write-up; NVD entry.
  • OpenSSH 9.9p2 release notes; NVD / Red Hat CVE-2025-26465.
  • VMware 2025 advisories (VMSA-2025-0004/0010/0013) on Broadcom support portal.
  • CISA KEV – N-able N-central items added Aug 13, 2025.
  • SANS ISC – Microsoft August 2025 Patch Tuesday overview.

Need help rolling out kernel/VMware updates without downtime? Contact me.

Note: verify exact fixed package versions in your distro/vendor advisories before rollout.

Security gaps in Linux and cloud systems risk downtime, data compromise, lost business — and compliance failures.

With 20+ years’ experience and active UK Security Check (SC) clearance, I harden Linux and cloud platforms for government, corporate, and academic sectors — ensuring secure, compliant, and resilient infrastructure.