
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, citing confirmed evidence of in-the-wild exploitation. These actively targeted flaws—CVE-2025-32433 in Erlang/OTP and CVE-2024-42009 in Roundcube—pose severe risks ranging from unauthenticated remote code execution to email account compromise via spear phishing.
The first vulnerability, CVE-2025-32433, affects the Erlang/OTP SSH daemon, a key component in many telecom, embedded, and high-availability infrastructure systems. This critical flaw received a maximum CVSS score of 10.0 and allows unauthenticated attackers to execute arbitrary code remotely.
The vulnerability stems from the improper handling of pre-authentication protocol messages, enabling attackers to bypass authentication and trigger code execution via malicious SSH requests. Exploit code has already been published on GitHub by ProDefense, and another exploit is circulating anonymously on Pastebin and social media, significantly accelerating the threat landscape.
All devices running affected Erlang/OTP versions are at risk. Administrators are urged to upgrade to versions 25.3.2.10 or 26.2.4 immediately to remediate the issue.
The second flaw, CVE-2024-42009, is a cross-site scripting (XSS) vulnerability impacting Roundcube Webmail versions up to and including 1.5.7 and 1.6.x up to and including 1.6.7. It allows remote attackers to execute scripts by tricking victims into opening a crafted email message, ultimately granting access to their inbox, credentials, and even their contacts.
The vulnerability lies in a desanitization bug in message_body() inside program/actions/mail/show.php. It’s already being abused in the wild.
Last week, CERT Polska warned about a spear phishing campaign aimed at Polish organizations. This campaign exploits CVE-2024-42009, an XSS vulnerability that could allow attackers to steal victims’ emails and account passwords through specially crafted email messages.
After gaining access, attackers reportedly analyze mailbox contents, download address books, and leverage compromised accounts to distribute further phishing emails, resulting in a self-propagating campaign.
Given the active exploitation status, Federal Civilian Executive Branch (FCEB) agencies have been mandated by CISA to apply the necessary vendor-provided mitigations no later than June 30, 2025.