CVE-2025-32433: Critical Erlang/OTP SSH Vulnerability (CVSS 10.0) Enables Unauthenticated Remote Code Execution

A critical security vulnerability has been identified in the Erlang/Open Telecom Platform (OTP) SSH implementation, exposing systems to unauthenticated remote code execution. Tracked as CVE-2025-32433, the flaw has received a maximum CVSS severity score of 10.0, highlighting its widespread risk and urgency for immediate action.

🔍 What Is CVE-2025-32433?

According to security researchers Fabian Bäumer, Marcus Brinkmann, Marcel Maehren, and Jörg Schwenk from Ruhr University Bochum, the vulnerability enables threat actors with network access to execute arbitrary code without authentication by exploiting improper handling of SSH protocol messages within Erlang/OTP.

This occurs because the SSH implementation accepts connection protocol messages before authentication is completed, giving attackers an opportunity to hijack the connection and inject malicious code.

⚠️ Why This Vulnerability Is Dangerous

Unauthenticated Exploitation: No credentials required for attack.

Root-Level Access: If the vulnerable SSH daemon runs with root privileges, attackers can gain full system control.

Data Breach Risk: May lead to theft of sensitive data, ransomware deployment, or denial-of-service (DoS) attacks.

Widespread Exposure: Erlang is commonly deployed in high-availability environments such as Cisco and Ericsson infrastructure, IoT devices, edge computing platforms, and telecom systems.

🛠️ Affected Versions & Patch Recommendations

All systems utilizing the Erlang/OTP SSH library are potentially vulnerable. Immediate action is necessary.

✅ Patched Versions:

OTP-27.3.3

OTP-26.2.5.11

OTP-25.3.2.20

If you're unable to upgrade immediately, implement firewall rules to restrict SSH port access to authorized IPs only as a temporary workaround.

“This is an extremely critical vulnerability. It allows attackers to install ransomware, exfiltrate data, and compromise critical infrastructure,” said Mayuresh Dani, Security Research Manager at Qualys.

 

“Erlang's widespread use in telecom and high-availability systems makes this a top-priority patching situation. Services relying on Erlang/OTP’s SSH, especially across OT/IoT environments, must act now.”

🔐 Cybersecurity Best Practices

To minimize your attack surface:

Update immediately to the latest secure Erlang/OTP version.

Restrict SSH access using firewall or network segmentation.

Monitor traffic for unusual SSH activity.

Implement intrusion detection systems (IDS) with SSH anomaly signatures.

Audit devices that may be using embedded Erlang environments.

📌 Conclusion

CVE-2025-32433 is a zero-click SSH vulnerability that demands immediate remediation. Organizations using Erlang/OTP must patch or isolate vulnerable systems without delay to prevent potential catastrophic breaches.