Critical vulnerability discovered in Erlang OTP SSH, posing potential risks for users
In a recent development, security researchers have identified a critical vulnerability (CVE-2025-32433) in the Erlang Open Telecom Platform (OTP) SSH implementation. This vulnerability, which has been assigned a CVSS score of 10, indicating a high level of risk, allows an unauthenticated attacker with network access to execute arbitrary code, potentially leading to serious consequences such as manipulation of sensitive data or launching denial-of-service attacks.
The affected versions of Erlang/OTP, which include OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, should be urgently upgraded to the patched versions to address this issue. As a temporary measure, users can disable the SSH server or restrict access to it via firewall rules to prevent exploitation until the patch can be applied.
This vulnerability is being actively exploited in the wild, prompting its addition to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog. Federal agencies have been mandated to remediate this vulnerability by June 30, 2025, and organizations using distributed architectures or legacy messaging systems are strongly urged to prioritize its mitigation immediately.
The potential impact of this vulnerability is far-reaching, as Erlang OTP is not only used in its intended applications but also in other services. For instance, it is used as a debug utility in services like CouchDB and RabbitMQ. Moreover, Erlang OTP is commonly used in IoT devices and telecommunications platforms, increasing the potential number of affected devices.
According to Frenos researchers and other security sources, devices from Cisco and Ericsson could be affected by the vulnerability. This means that a wide range of devices across various OT systems could potentially be impacted. If an SSH daemon is running as root, an attacker could gain full access to a device, posing a significant threat to security.
In light of these findings, it is crucial for users to upgrade to the patched versions of Erlang/OTP and implement temporary measures such as disabling the SSH server or restricting access to it via firewall rules. By taking prompt action, organizations can protect their critical infrastructure from potential exploitation.
| Aspect | Details | |------------------------|---------------------------------------------------------------------------------------------------| | Vulnerability | CVE-2025-32433: Missing authentication in Erlang/OTP SSH server enabling unauthenticated RCE | | Patch Versions | OTP-27.3.3, OTP-26.2.5.11, OTP-25.3.2.20 | | Temporary Mitigation | Disable SSH server or block access via firewall | | Deadline for Federal Agencies | June 30, 2025 | | Potentially Affected Devices | Servers and systems running Erlang/OTP SSH prior to the fixed versions, including telecom and messaging platforms |
- The vulnerability (CVE-2025-32433) in the Erlang Open Telecom Platform (OTP) SSH implementation, which has been actively exploited and assigned a CVSS score of 10, requires urgent attention from users as it allows an unauthenticated attacker with network access to execute arbitrary code, potentially leading to serious consequences such as manipulation of sensitive data or launching denial-of-service attacks.
- Given that this vulnerability is being actively exploited in the wild and could potentially impact a wide range of devices across various OT systems, organizations using distributed architectures or legacy messaging systems are strongly advised to prioritize its mitigation immediately by upgrading to the patched versions of Erlang/OTP and implementing temporary measures such as disabling the SSH server or restricting access to it via firewall rules. By taking prompt action, they can protect their critical infrastructure from potential exploitation.
