InfoSecBulletin Cybersecurity for mankind
A critical security flaw has been found in the Erlang/Open Telecom Platform (OTP) SSH implementation, allowing an attacker to run code without authentication under specific conditions. The vulnerability CVE-2025-32433 has a maximum CVSS score of 10.0.
“The vulnerability allows an attacker with network access to an Erlang/OTP SSH server to execute arbitrary code without prior authentication,” Ruhr University Bochum researchers Fabian Bäumer, Marcus Brinkmann, Marcel Maehren, and Jörg Schwenk said.
Hacker claim Leak of Deloitte Source Code & GitHub Credentials
CISA Issued Guidance for SIEM and SOAR Implementation
Linux flaws enable password hash theft via core dumps in Ubuntu, RHEL, Fedora
Australia enacts mandatory ransomware payment reporting
Why Govt Demands Foreign CCTV Firms to Submit Source Code?
CVE-2023-39780
Botnet hacks thousands of ASUS routers
Bangladesh Bank instructed using AI to prevent online gambling
251 Amazon-Hosted IPs Used in Exploit Scan for ColdFusion, Struts, and Elasticsearch
Zero-Trust Policy bypass to Exploit Vulns & Manipulate NHI Secrets
Evaly E-commerce Platform Allegedly Hacked
The issue arises from mishandled SSH protocol messages, allowing attackers to send messages before authentication. This vulnerability could lead to arbitrary code execution within the SSH daemon.
If the daemon process runs as root, it increases the risk by giving attackers full control of the device, allowing unauthorized access to sensitive data or potential denial-of-service (DoS) attacks.
Users running an SSH server with the Erlang/OTP SSH library may be affected by CVE-2025-32433. It’s advised to update to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. As a temporary measure, use firewall rules to block access to vulnerable SSH servers.
In a statement Mayuresh Dani, manager of security research at Qualys, described the vulnerability as extremely critical and that it can allow a threat actor to perform actions such as installing ransomware or siphoning off sensitive data.
“Erlang is frequently found installed on high-availability systems due to its robust and concurrent processing support,” Dani said. “A majority of Cisco and Ericsson devices run Erlang.”
“Any service using Erlang/OTP’s SSH library for remote access such as those used in OT/IoT devices, edge computing devices are susceptible to exploitation. Upgrading to the fixed Erlang/OTP or vendor-supported versions will remediate the vulnerability. Should organizations need more time to install upgrades, they should restrict SSH port access to authorized users alone.”
