A critical security vulnerability has been disclosed in the Erlang/Open Telecom Platform (OTP) SSH implementation that could allow an attacker to execute arbitrary code under certain conditions.
The vulnerability, tracked as CVE-2025-32433, has been given the maximum CVSS score of 10.0.
“The vulnerability allows an attacker with network access to an Erlang/OTP SSH server to execute arbitrary code without prior authentication,” Ruhr University Bochum researchers Fabian Bäumer, Marcus Brinkmann, Marcel Maehren and Jörg Schwenk said.
The issue stems from improper handling of SSH protocol messages, which essentially allows an attacker to send connection protocol messages before authentication has completed. Successful exploitation of the flaw can lead to arbitrary code execution in the context of the SSH daemon.
Compounding the risk, if the daemon process runs as root, it allows the attacker to take full control of the device, in turn opening the way to unauthorized access to and manipulation of sensitive data, or denial-of-service (DoS).
All users running an SSH server based on the Erlang/OTP SSH library are likely affected by CVE-2025-32433. It is recommended to update to versions OTP-27.3, OTP-26.5.11 and OTP-25.3.2.20. As a temporary workaround, access to vulnerable SSH servers can be prevented with appropriate firewall rules.
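The defect described above is a missing authentication gate in front of the connection protocol layer. The following is an added illustration, not code from Erlang/OTP or from the researchers: a minimal state tracker that models how a correct server must handle the SSH message stream (connection-protocol message numbers 80-127 per RFC 4250/4254 are only dispatched after SSH_MSG_USERAUTH_SUCCESS), replayed over two constructed sessions so the same logic can serve as a detection rule over captured message sequences.

```python
"""
Pre-authentication gate for SSH connection-protocol messages.

Added example (not Erlang/OTP's own code). Message numbers are the
standard assignments from RFC 4250 section 4.1.2; the sample sessions
below are constructed, interleaving both directions of a connection.
"""
from dataclasses import dataclass, field

SSH_MSG_SERVICE_REQUEST = 5
SSH_MSG_KEXINIT = 20
SSH_MSG_NEWKEYS = 21
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_SUCCESS = 52
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_REQUEST = 98

# RFC 4254 connection protocol occupies message numbers 80-127.
CONNECTION_MIN, CONNECTION_MAX = 80, 127


@dataclass
class SessionState:
    authenticated: bool = False
    rejected: list = field(default_factory=list)


def is_connection_msg(msg_type: int) -> bool:
    return CONNECTION_MIN <= msg_type <= CONNECTION_MAX


def dispatch(state: SessionState, msg_type: int) -> bool:
    """Return True if the message may be handled, False if it must be dropped.
    Connection-protocol messages are gated on a completed user authentication;
    this is the check whose absence the advisory describes."""
    if is_connection_msg(msg_type) and not state.authenticated:
        state.rejected.append(msg_type)
        return False
    if msg_type == SSH_MSG_USERAUTH_SUCCESS:  # server-side transition
        state.authenticated = True
    return True


def audit_session(msg_types) -> list:
    """Replay a sequence of message numbers (e.g. decoded from a capture)
    and return the connection-protocol messages that arrived pre-auth.
    A non-empty result is the signature worth alerting on."""
    state = SessionState()
    for t in msg_types:
        dispatch(state, t)
    return state.rejected


# Constructed sessions: a normal login, and channel messages sent pre-auth.
NORMAL_SESSION = [20, 21, 5, 50, 52, 90, 98]
PREAUTH_SESSION = [20, 21, 90, 98]
```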
In a statement shared with The Hacker News, Mayuresh Dani, a security manager at Qualys, described the vulnerability as extremely critical, saying it could allow a threat actor to perform actions such as installing ransomware or siphoning sensitive data.
“Erlang is commonly found in high-availability systems due to its robust and concurrent processing support,” Dani said. “Most Cisco and Ericsson devices run Erlang.”
“Any service using the Erlang/OTP SSH library for remote access, such as those used in OT/IoT devices and edge computing devices, is susceptible. Updating to a fixed Erlang/OTP version or to a vendor-supported patched version will fix the issue. Limit access to the SSH port to authorized users.”