
A critical vulnerability has been discovered in the SSH server component of Erlang/OTP, a technology widely used in telecommunications, distributed systems, and real-time platforms. The flaw, now tracked as CVE-2025-32433, has been assigned a CVSS score of 10, the highest severity rating possible, due to the ease of exploitation and its potential impact.
For those unfamiliar, Erlang is a powerful programming language and runtime system designed for building highly scalable, fault-tolerant, and soft real-time systems. OTP (Open Telecom Platform) is a suite of Erlang libraries, including the Erlang runtime system and numerous ready-to-use components. These technologies are foundational for many applications requiring high availability and reliability.
The vulnerability allows unauthenticated remote code execution (RCE) on any host running an Erlang/OTP SSH server, enabling attackers to take full control of affected systems without valid credentials.
“A serious vulnerability has been identified in the Erlang/OTP SSH server that may allow an attacker to perform unauthenticated remote code execution,” the official Ericsson security advisory states. “By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials.”
The Erlang/OTP team has issued a warning: “All users running the Erlang/OTP SSH server are impacted by this vulnerability, regardless of the underlying Erlang/OTP version. If your application provides SSH access using the Erlang/OTP SSH library, assume you are affected.”
The Erlang/OTP team extends its gratitude to Fabian Bäumer, Marcel Maehren, Marcus Brinkmann, and Jörg Schwenk from the Ruhr University Bochum for their responsible disclosure of this vulnerability.
Ericsson has provided clear mitigation strategies:
- Update Immediately: The most critical action is to update to the patched versions: OTP-27.3.3 (for OTP-27), OTP-26.2.5.11 (for OTP-26), or OTP-25.3.2.20 (for OTP-25).
- Temporary Workaround: “Until upgrading to a fixed version, we recommend disabling the SSH server or to prevent access via firewall rules.” If immediate updates are not possible, these temporary measures should be implemented to minimize risk.
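The first mitigation is a version question: is the installed OTP at or above the fixed release for its line? The script below is an added example, not part of the Ericsson advisory or the Erlang/OTP project. It compares a version string against the three patched releases named above (OTP-27.3.3, OTP-26.2.5.11, OTP-25.3.2.20); any other major line is reported as not covered by that list, which matches the advisory's "regardless of the underlying Erlang/OTP version" wording. The local lookup via `erl` and the `releases/<major>/OTP_VERSION` file is an assumption about a standard OTP installation.

```shell
#!/bin/sh
# Added example (not from the advisory or the Erlang/OTP project).
# Checks an Erlang/OTP version string against the fixed releases for
# CVE-2025-32433 and, on request, inspects the local installation.

# vercmp A B: prints -1, 0 or 1 after a numeric, component-wise comparison
# of two dotted version strings (missing components count as 0).
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        [ "$a" = "$ah" ] && a="" || a="${a#*.}"
        [ "$b" = "$bh" ] && b="" || b="${b#*.}"
        ah="${ah:-0}"; bh="${bh:-0}"
        if [ "$ah" -lt "$bh" ]; then echo -1; return; fi
        if [ "$ah" -gt "$bh" ]; then echo 1; return; fi
    done
    echo 0
}

# otp_patched VERSION: returns 0 if VERSION (with or without an "OTP-"
# prefix) is at or above the fixed release for its major line, 1 if it is
# below it, and 2 if the major line is not one the fix list covers.
otp_patched() {
    v="${1#OTP-}"
    major="${v%%.*}"
    case "$major" in
        27) fixed="27.3.3" ;;
        26) fixed="26.2.5.11" ;;
        25) fixed="25.3.2.20" ;;
        *)  return 2 ;;
    esac
    [ "$(vercmp "$v" "$fixed")" -ge 0 ]
}

# check_local_otp: reads the full OTP version of the install found on PATH.
# Assumes a standard layout where <root>/releases/<major>/OTP_VERSION holds
# the full version; falls back to the bare major release if the file is missing.
check_local_otp() {
    command -v erl >/dev/null 2>&1 || { echo "erl not found on PATH; nothing to check"; return 0; }
    root="$(erl -noshell -eval 'io:format("~s", [code:root_dir()]), halt().')"
    rel="$(erl -noshell -eval 'io:format("~s", [erlang:system_info(otp_release)]), halt().')"
    ver="$(cat "$root/releases/$rel/OTP_VERSION" 2>/dev/null || echo "$rel")"
    if otp_patched "$ver"; then
        echo "OTP $ver: at or above the fixed release for CVE-2025-32433"
    else
        echo "OTP $ver: not at a fixed release (or line not in the fix list); upgrade, or disable/firewall the SSH server"
    fi
}

# Run the local inspection only when explicitly asked for.
if [ "${1:-}" = "--local" ]; then
    check_local_otp
fi
```

Run it as `sh check_otp.sh --local` on each host that ships the Erlang/OTP SSH server; the `otp_patched` function can also be sourced and fed version strings gathered from inventory systems. A passing result only says the runtime has reached a fixed release: an application that bundles its own older OTP, or an embedded release built from an unpatched tree, still needs the upgrade or the firewall workaround.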