Critical Erlang/OTP Vulnerability (CVE-2025-32433) Enables Remote Code Execution
A severe security vulnerability has been identified in Erlang/OTP that allows remote attackers to execute arbitrary code without authentication on vulnerable systems. The flaw, designated as CVE-2025-32433, has received the highest possible severity rating of 10 out of 10 on the Common Vulnerability Scoring System (CVSS).
Security researchers from Ruhr University Bochum in Germany discovered the vulnerability, which affects all devices running the Erlang/OTP SSH daemon. The critical nature of this flaw has prompted urgent recommendations for immediate updates.
All systems using the Erlang/OTP SSH daemon are vulnerable. Users are strongly advised to upgrade to the following patched versions as soon as possible:
Erlang/OTP (Open Telecom Platform) is a comprehensive framework that provides libraries, design patterns, and tools for building scalable distributed applications in Erlang. The vulnerability specifically affects the SSH application component that enables remote access.
The security flaw stems from incorrect processing of pre-authentication protocol messages in the SSH daemon. According to information shared in the Openwall mailing list, “The problem is associated with a lack of SSH messages, which is why the attacker gets the opportunity to send messages before authentication.”
Commands executed through this vulnerability run with the same privileges as the SSH daemon itself. Since many deployments run the daemon with root privileges, successful exploitation could lead to complete system compromise.
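The condition described above is a message-ordering problem: connection-protocol messages (channel open, channel request) being accepted before the userauth phase has completed. The following added example, which is not code from the article or from Erlang/OTP, shows a defender-side check over a per-session list of SSH message numbers such as an analyst might decode from a capture or debug log; the two sample sessions are constructed for illustration and the helper names are my own.

```python
"""Added example (not from the article or Erlang/OTP): flag SSH sessions in which the
client sends connection-protocol messages before the server ever reported a successful
authentication. Input is a constructed list of (direction, message_number) pairs in wire
order, direction "C" = client-to-server, "S" = server-to-client."""

# Message numbers and per-layer ranges from RFC 4250 section 4.1.2.
SSH_MSG_USERAUTH_SUCCESS = 52              # server -> client, closes the auth phase
CONNECTION_PROTOCOL_MSGS = range(80, 128)  # SSH_MSG_CHANNEL_OPEN (90), _REQUEST (98), ...

def pre_auth_connection_messages(session):
    """Return [(index, msg_number)] for each client connection-protocol message that
    arrived before SSH_MSG_USERAUTH_SUCCESS was sent. An empty list means nothing odd."""
    authenticated = False
    hits = []
    for idx, (direction, num) in enumerate(session):
        if direction == "S" and num == SSH_MSG_USERAUTH_SUCCESS:
            authenticated = True
        elif direction == "C" and num in CONNECTION_PROTOCOL_MSGS and not authenticated:
            hits.append((idx, num))
    return hits

def is_suspicious(session):
    return bool(pre_auth_connection_messages(session))

# Constructed sample: a normal session (key exchange, userauth, then channel traffic).
NORMAL_SESSION = [
    ("C", 20), ("S", 20),   # SSH_MSG_KEXINIT both ways
    ("C", 30), ("S", 31),   # SSH_MSG_KEXDH_INIT / SSH_MSG_KEXDH_REPLY
    ("C", 21), ("S", 21),   # SSH_MSG_NEWKEYS
    ("C", 5),  ("S", 6),    # SSH_MSG_SERVICE_REQUEST / SERVICE_ACCEPT (ssh-userauth)
    ("C", 50), ("S", 52),   # SSH_MSG_USERAUTH_REQUEST / SSH_MSG_USERAUTH_SUCCESS
    ("C", 90), ("S", 91),   # SSH_MSG_CHANNEL_OPEN / CHANNEL_OPEN_CONFIRMATION
    ("C", 98),              # SSH_MSG_CHANNEL_REQUEST
]

# Constructed sample: channel traffic appears although no USERAUTH_SUCCESS was ever sent.
PRE_AUTH_SESSION = [
    ("C", 20), ("S", 20),
    ("C", 30), ("S", 31),
    ("C", 21), ("S", 21),
    ("C", 90), ("S", 91),   # a correctly behaving daemon must reject this open
    ("C", 98),
]

if __name__ == "__main__":
    for name, sess in (("normal", NORMAL_SESSION), ("pre-auth", PRE_AUTH_SESSION)):
        print(name, pre_auth_connection_messages(sess))
```

A server that accepts and acts on a channel open or request while `authenticated` is still false is exhibiting exactly the behaviour the advisory describes; the same state check is what the daemon itself must enforce.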
Security researchers at Horizon3 report that they have successfully reproduced the vulnerability and developed a “surprisingly simple” exploitation method. They have already created a proof-of-concept exploit capable of writing files to the filesystem with root privileges on vulnerable systems.
The team warns that public proof-of-concept exploits will likely emerge very soon, which would trigger widespread attacks targeting this vulnerability.
Organizations are strongly encouraged to implement the following security measures:
Erlang/OTP (Open Telecom Platform) is a powerful development framework designed for building robust, fault-tolerant distributed systems. Originally developed by Ericsson for telecommunications infrastructure, it’s now widely used across various industries for applications requiring high availability and scalability. The platform includes the Erlang programming language along with a comprehensive set of libraries, design patterns, and tools that facilitate the development of concurrent and distributed systems.