A critical vulnerability (CVE-2025-32433) has been identified in the Erlang/OTP SSH server implementation, allowing unauthenticated remote code execution. Exploitation of this flaw can lead to complete system compromise. Given the widespread use of Erlang/OTP in telecommunications, IoT, and high-availability systems, immediate action is required.
Impacted Versions
- OTP-27.3.2 and earlier
- OTP-26.2.5.10 and earlier
- OTP-25.3.2.19 and earlier
Vulnerabilities
- CVE Identifier: CVE-2025-32433
- Severity: Critical (CVSS v3.1 Score: 10.0)
- Description: The vulnerability arises from improper handling of SSH protocol messages, allowing attackers to send connection protocol messages prior to authentication. This can lead to arbitrary code execution in the context of the SSH daemon.
- Impact: Exploitation can result in complete system compromise, unauthorized access to sensitive data, installation of malware or ransomware, and potential denial-of-service attacks.
Mitigations
- Update: Apply the following patched versions:
  - OTP-27.3.3
  - OTP-26.2.5.11
  - OTP-25.3.2.20
- Temporary Workaround: If immediate patching isn't feasible, disable the SSH server or restrict access to it with firewall rules so that only trusted hosts can reach the SSH port.
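To help with the "Impacted Versions" and "Update" lists above, here is an added example (not part of this advisory or of Erlang/OTP) that classifies an installed OTP version as patched or still affected by CVE-2025-32433. It assumes the full version string is available, for instance from the OTP_VERSION file that OTP installs under releases/<release>/ in its root directory; the sample versions at the bottom are constructed.

```python
import re
from pathlib import Path
from typing import Optional

# First fixed version on each affected release line, taken from the advisory.
# Anything on the same major line below the fixed version is affected.
FIXED_VERSIONS = {
    27: "OTP-27.3.3",
    26: "OTP-26.2.5.11",
    25: "OTP-25.3.2.20",
}

def parse_otp_version(version: str) -> tuple[int, ...]:
    """Turn 'OTP-26.2.5.10' (or bare '26.2.5.10') into a comparable int tuple."""
    m = re.fullmatch(r"(?:OTP-)?(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised OTP version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def check_cve_2025_32433(version: str) -> str:
    """Return 'vulnerable', 'patched' or 'unknown' for an OTP version string."""
    parsed = parse_otp_version(version)
    major = parsed[0]
    if major not in FIXED_VERSIONS:
        # Release lines the advisory does not list (older than 25, or newer
        # lines) must be checked against the vendor's own release notes.
        return "unknown"
    fixed = parse_otp_version(FIXED_VERSIONS[major])
    # Tuple comparison is lexicographic, so (26,2,5,10) < (26,2,5,11) and a
    # shorter tag such as (27,3) sorts below (27,3,3), which is what we want.
    return "patched" if parsed >= fixed else "vulnerable"

def read_installed_version(otp_root: str) -> Optional[str]:
    """Read the full version from <otp_root>/releases/<N>/OTP_VERSION.

    Assumption: the OTP_VERSION file is present at the documented location;
    returns None when no such file exists under otp_root.
    """
    path = next(iter(Path(otp_root).glob("releases/*/OTP_VERSION")), None)
    return path.read_text().strip() if path else None

if __name__ == "__main__":
    # Constructed sample versions, one on each side of every fixed release.
    for sample in ("OTP-27.3.2", "OTP-27.3.3", "OTP-26.2.5.10",
                   "OTP-26.2.5.11", "OTP-25.3.2.19", "OTP-25.3.2.20", "OTP-28.0"):
        print(f"{sample}: {check_cve_2025_32433(sample)}")
```

Run it on the string from a host's OTP_VERSION file (`read_installed_version("/usr/local/lib/erlang")`, path adjusted to the installation) to get the patch status for that host.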