InfoSecBulletin Cybersecurity for mankind
A critical security flaw has been found in the Erlang/Open Telecom Platform (OTP) SSH implementation, allowing an attacker to run code without authentication under specific conditions. The vulnerability CVE-2025-32433 has a maximum CVSS score of 10.0.
“The vulnerability allows an attacker with network access to an Erlang/OTP SSH server to execute arbitrary code without prior authentication,” Ruhr University Bochum researchers Fabian Bäumer, Marcus Brinkmann, Marcel Maehren, and Jörg Schwenk said.
Intel PC, laptop and server processors affected for 6 years: Report
CVSS 10.0 Flaw
Critical flaw in Siemens OZW Web Servers Enable Unauthenticated RCE
Microsoft Patch Tuesday May 2025: 72 flaws, 5 Actively Exploited Zero-Day
OTP glitch disrupted NID services across the country
Google to pay Texas $1.4 billion for location tracking practices
YouTube geo-blocks at least 4 Bangladeshi TV channels in India
Microsoft Patches Four Critical Azure and Power Apps Vulns
Qilin Ransomware topped April 2025 with 45+ data leak disclosures
SonicWall Patches 3 Flaws in SMA 100 Devices
Top Ransomware Actively Attacking Financial Sector: 406 Incidents Disclosed
The issue arises from mishandled SSH protocol messages, allowing attackers to send messages before authentication. This vulnerability could lead to arbitrary code execution within the SSH daemon.
If the daemon process runs as root, it increases the risk by giving attackers full control of the device, allowing unauthorized access to sensitive data or potential denial-of-service (DoS) attacks.
Users running an SSH server with the Erlang/OTP SSH library may be affected by CVE-2025-32433. It’s advised to update to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. As a temporary measure, use firewall rules to block access to vulnerable SSH servers.
In a statement Mayuresh Dani, manager of security research at Qualys, described the vulnerability as extremely critical and that it can allow a threat actor to perform actions such as installing ransomware or siphoning off sensitive data.
“Erlang is frequently found installed on high-availability systems due to its robust and concurrent processing support,” Dani said. “A majority of Cisco and Ericsson devices run Erlang.”
“Any service using Erlang/OTP’s SSH library for remote access such as those used in OT/IoT devices, edge computing devices are susceptible to exploitation. Upgrading to the fixed Erlang/OTP or vendor-supported versions will remediate the vulnerability. Should organizations need more time to install upgrades, they should restrict SSH port access to authorized users alone.”
