Security researchers at Unit 42 have issued an urgent warning regarding CVE-2025-32433, a CVSS 10.0-rated vulnerability in the Secure Shell (SSH) daemon used by certain versions of the Erlang/OTP framework. This flaw allows unauthenticated remote code execution (RCE) and is already being actively exploited — with a disproportionate impact on operational technology (OT) networks worldwide.
Erlang/OTP is a high-concurrency programming environment trusted for decades in telecommunications, financial systems, and industrial control systems. According to the report:
“CVE-2025-32433 enables unauthenticated clients to execute commands by sending SSH connection protocol messages… to open SSH ports, which should only be processed after successful authentication.”
Vulnerable versions include:
- OTP versions prior to 27.3.3
- OTP versions prior to 26.2.5.11
- OTP versions prior to 25.3.2.20
Unit 42 warns that OT and 5G administrators often use Erlang/OTP’s native SSH to remotely manage systems, creating a dangerous attack surface. Cortex Xpanse scans revealed 275 distinct hosts and 326 vulnerable Erlang/OTP services exposed online, including TCP port 2222, which is also linked to older industrial automation components.
The researchers note:
“This widespread exposure on industrial-specific ports indicates a significant global attack surface across OT networks.”
From May 1–9, 2025, 70% of detected exploitation attempts came from firewalls protecting OT networks. Sectors hit hardest include:
- Healthcare
- Agriculture
- Media & Entertainment
- High Technology
- Education (72.7% of all triggers, 88.4% within OT)
Countries with the most OT-targeted activity:
- Japan – 99.74% of triggers within OT
- U.S. – 1,916 OT triggers
- The Netherlands, Ireland, Brazil, Ecuador – 100% OT-targeted triggers
- France – 66.67% OT-targeted triggers
Unit 42 observed multiple malicious payloads:
- Reverse shells bound to TCP connections for interactive remote access
- Bash-based reverse shells redirecting traffic to known botnet control servers
- DNS-based callbacks to randomized subdomains (e.g., dns.outbound.watchtowr[.]com) for stealthy Out-of-Band Application Security Testing (OAST)
The researchers caution:
“These payloads are designed not to return results directly, but to validate execution via external DNS resolutions that the attacker monitors.”
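Because the DNS-based payloads described above only confirm execution through resolver traffic, a resolver query log is often the earliest place a defender sees them. The following detection routine is an added example, not code from Unit 42 or the article: it parses BIND-style query log lines (the sample lines are constructed) and reports every source host that resolved a name under the callback domain named in the report. The `OAST_SUFFIXES` list is an assumption you would extend with whatever out-of-band domains your own telemetry shows.

```python
import re
from collections import defaultdict

# Callback domain named in the report above (defanged there, written plainly here for matching).
# ASSUMPTION: extend this tuple with other OAST domains seen in your environment.
OAST_SUFFIXES = ("dns.outbound.watchtowr.com",)

# Constructed BIND-style query log lines for the example (not real telemetry).
SAMPLE_DNS_LOG = """\
12-May-2025 08:14:02.113 queries: info: client 10.20.5.17#51234 (a1b2c3d4e5.dns.outbound.watchtowr.com): query: a1b2c3d4e5.dns.outbound.watchtowr.com IN A + (10.20.0.2)
12-May-2025 08:14:05.880 queries: info: client 10.20.5.40#40011 (time.example.net): query: time.example.net IN A + (10.20.0.2)
12-May-2025 08:15:11.004 queries: info: client 10.20.5.17#51301 (f6e5d4c3b2.dns.outbound.watchtowr.com): query: f6e5d4c3b2.dns.outbound.watchtowr.com IN TXT + (10.20.0.2)
"""

# Extracts the querying client IP and the queried name from a BIND query-log line.
LINE_RE = re.compile(r"client (?P<src>[\d.]+)#\d+ \([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def is_oast_name(qname: str) -> bool:
    """True when the queried name is the callback domain itself or any subdomain of it."""
    name = qname.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in OAST_SUFFIXES)


def find_oast_callbacks(log_text: str) -> dict[str, list[str]]:
    """Return {source_ip: [queried names]} for every query that hit a callback domain."""
    hits: dict[str, list[str]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated log line or different format
        if is_oast_name(m.group("qname")):
            hits[m.group("src")].append(m.group("qname").rstrip(".").lower())
    return dict(hits)


if __name__ == "__main__":
    for src, names in find_oast_callbacks(SAMPLE_DNS_LOG).items():
        print(f"{src} resolved {len(names)} callback name(s): {', '.join(names)}")
```

A single hit from a host that runs Erlang/OTP's SSH daemon is strong evidence that a payload executed there, because the randomized subdomain only resolves when the injected command runs; treat the source address as a host to isolate and examine rather than a noisy alert.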
The exploitation patterns reveal IT/OT convergence risks, where a general-purpose IT vulnerability bridges into industrial control system environments.
“Modern OT threats do not follow legacy assumptions about where OT resides or how it is attacked,” Unit 42 concludes.
Immediate action is critical:
- Upgrade to patched versions: OTP 27.3.3, 26.2.5.11, or 25.3.2.20
- Apply latest IPS/IDS signatures
- Restrict SSH access to trusted sources
- Monitor for signs of compromise, especially in high-connectivity OT environments
For systems that cannot be patched immediately, NIST recommends disabling SSH or firewalling it from untrusted networks.
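The patch step above is only as good as the inventory behind it, and Erlang/OTP is often embedded in OT appliances where the version is not obvious. The script below is an added example, not code from Unit 42 or the Erlang/OTP project: it compares a recorded OTP version against the fixed releases listed in this article and flags services that still need action. The inventory format (`host,port,version`) and the sample hosts are constructed; the handling of branches outside 25 to 27 is an assumption noted in the code, since the article lists no fixed release for them.

```python
import re
from dataclasses import dataclass

# Fixed releases per OTP branch, taken from the article above.
FIXED_BY_BRANCH = {
    27: (27, 3, 3),
    26: (26, 2, 5, 11),
    25: (25, 3, 2, 20),
}


@dataclass
class Finding:
    host: str
    port: int
    version: str
    affected: bool


def parse_otp_version(text: str) -> tuple[int, ...]:
    """Turn strings like 'OTP 26.2.5.3', 'Erlang/OTP 27.3' or '25.3.2.20' into an int tuple."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(version: tuple[int, ...]) -> bool:
    """True when the version precedes the fixed release of its branch.

    Tuple comparison handles short strings correctly: (26, 2, 5) < (26, 2, 5, 11) is True,
    while (27, 4) < (27, 3, 3) is False.
    """
    major = version[0]
    fixed = FIXED_BY_BRANCH.get(major)
    if fixed is None:
        # ASSUMPTION (not stated in the article): branches older than 25 have no fixed
        # release listed, so they are reported as affected; branches newer than 27 are
        # treated as post-fix.
        return major < 25
    return version < fixed


def audit(inventory_csv: str) -> list[Finding]:
    """Read 'host,port,version' lines (constructed inventory format) and classify each service."""
    findings = []
    for line in inventory_csv.strip().splitlines():
        host, port, version = (f.strip() for f in line.split(",", 2))
        findings.append(Finding(host, int(port), version, is_affected(parse_otp_version(version))))
    return findings


def needs_action(findings: list[Finding]) -> list[str]:
    """Services that still run an affected Erlang/OTP release."""
    return [f"{f.host}:{f.port} ({f.version})" for f in findings if f.affected]


# Constructed sample inventory: hostnames, ports and versions are made up for the example.
SAMPLE_INVENTORY = """
plc-gw-01,2222,OTP 25.3.2.19
hist-srv-02,22,Erlang/OTP 26.2.5.11
cell-ctl-07,2222,27.3.2
mes-node-03,22,27.3.3
legacy-hmi,2222,24.3.4
"""

if __name__ == "__main__":
    for entry in needs_action(audit(SAMPLE_INVENTORY)):
        print("ACTION REQUIRED:", entry)
```

On a host you can log in to, the full patch-level version is in the `OTP_VERSION` file under the Erlang installation's `releases/<major>/` directory; `erlang:system_info(otp_release)` only returns the major release, which is not enough to decide against the thresholds above.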