
CVE-2025-32433: Erlang/OTP SSH Remote Code Execution Vulnerability Explained

Written by Huseyin Can YUCEEL | Apr 18, 2025 7:42:04 PM

On April 16th, 2025, the Erlang/OTP team disclosed a critical vulnerability affecting their SSH server implementation [1]. CVE-2025-32433 is an unauthenticated remote code execution vulnerability with a CVSS score of 10.0 (Critical) that allows adversaries to run arbitrary code on vulnerable systems with elevated privileges. Erlang/OTP is commonly used in critical infrastructure; therefore, organizations are strongly urged to patch vulnerable SSH servers without delay.

In this blog, we explain how the Erlang/OTP SSH CVE-2025-32433 vulnerability works and how organizations can defend against CVE-2025-32433 attacks.


Erlang/OTP SSH CVE-2025-32433 Vulnerability Explained

Erlang/OTP is a programming language and platform designed for building highly concurrent, distributed, and fault-tolerant systems. Originally designed for telecommunications, it is widely adopted in networking infrastructure and distributed systems. It powers messaging platforms such as WhatsApp, which relies on Erlang's ability to handle millions of concurrent connections. It's also used in distributed databases like CouchDB and Riak, where the need for robust replication and fault tolerance is paramount. Moreover, Erlang/OTP is used in equipment that includes routers, industrial control systems, and smart sensors. For example, industrial automation systems and operational technology (OT) devices use Erlang/OTP-based software to manage and coordinate machinery, ensuring real-time responsiveness and fault isolation.

On April 16th, 2025, the Erlang/OTP team disclosed a critical vulnerability identified in the SSH server implementation of Erlang/OTP. CVE-2025-32433 allows unauthenticated remote code execution, meaning that an attacker can gain control of a system without providing valid credentials. The root cause of the vulnerability lies in the SSH protocol message handling logic: the server fails to properly reject certain types of protocol messages that are sent before the authentication phase of the SSH handshake has completed. Using this vulnerability, adversaries can craft and send specially designed messages that are mistakenly accepted and processed by the server. The vulnerability has a CVSS score of 10.0 (Critical) and affects the Erlang/OTP versions listed below.

| Product Name | Affected Versions       | Fixed Versions |
|--------------|-------------------------|----------------|
| Erlang/OTP   | OTP-27.3.2 and prior    | OTP-27.3.3     |
| Erlang/OTP   | OTP-26.2.5.10 and prior | OTP-26.2.5.11  |
| Erlang/OTP   | OTP-25.3.2.19 and prior | OTP-25.3.2.20  |
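The version table above is what an inventory check has to encode. The following is an added example written for this post (it is not Picus code or part of Erlang/OTP): it parses OTP version strings of the form `OTP-27.3.2` (the format used in the advisory and in a release's `OTP_VERSION` file) and classifies each against the fixed version of its release line. The host inventory is constructed; the treatment of release lines the table does not mention (OTP 24 and earlier are compared against OTP-25.3.2.20 because "OTP-25.3.2.19 and prior" covers them, anything newer than OTP 27 is reported as unknown) is this example's reading of the table, not a statement from the advisory.

```python
"""Classify Erlang/OTP versions against the CVE-2025-32433 fixed releases.

Added example; the fixed versions come from the advisory table, everything
else (parsing rules, sample inventory) is constructed for illustration.
"""
import re

# Fixed version per affected release line, as listed in the advisory table.
FIXED_BY_MAJOR = {
    27: (27, 3, 3),
    26: (26, 2, 5, 11),
    25: (25, 3, 2, 20),
}


def parse_otp_version(text):
    """Turn 'OTP-27.3.2' or '27.3.2' into a tuple of ints, e.g. (27, 3, 2)."""
    match = re.fullmatch(r"(?:OTP-)?(\d+(?:\.\d+)*)", text.strip())
    if not match:
        raise ValueError(f"unrecognised OTP version string: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def assess(text):
    """Return 'vulnerable', 'fixed' or 'unknown' for one version string.

    Tuples compare lexicographically, so (27, 3) < (27, 3, 3) and
    (26, 2, 5, 10) < (26, 2, 5, 11), which matches the "and prior" wording.
    """
    version = parse_otp_version(text)
    major = version[0]
    if major > max(FIXED_BY_MAJOR):
        # Release lines newer than the table: do not guess (example's choice).
        return "unknown"
    # OTP 24 and earlier are "prior" to OTP-25.3.2.19, so they are compared
    # against the OTP 25 fixed version (example's reading of the table).
    fixed = FIXED_BY_MAJOR.get(major, FIXED_BY_MAJOR[min(FIXED_BY_MAJOR)])
    return "vulnerable" if version < fixed else "fixed"


def hosts_needing_patch(inventory):
    """Given {hostname: otp_version}, return the hosts still on a vulnerable build."""
    return sorted(host for host, ver in inventory.items() if assess(ver) == "vulnerable")


# Constructed inventory, e.g. collected from each host's OTP_VERSION file.
SAMPLE_INVENTORY = {
    "pbx-01": "OTP-27.3.2",
    "pbx-02": "OTP-27.3.3",
    "mq-broker": "OTP-26.2.5.10",
    "plc-gw": "OTP-24.3.4",
    "lab-box": "OTP-28.0",
}

if __name__ == "__main__":
    for host, ver in SAMPLE_INVENTORY.items():
        print(f"{host:10} {ver:16} {assess(ver)}")
    print("patch:", hosts_needing_patch(SAMPLE_INVENTORY))
```

Because the comparison is tuple-based, a short string such as `OTP-27.3` is correctly treated as older than `OTP-27.3.3`, while `OTP-27.4` is treated as fixed.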

How Does the Erlang/OTP SSH CVE-2025-32433 Exploit Work?

The CVE-2025-32433 vulnerability is caused by a flaw in the way the Erlang/OTP SSH server handles protocol messages during the early stages of an SSH connection. Normally, an SSH server waits for a user to authenticate before accepting and processing certain types of messages, especially those that request access to execute commands. However, due to a missing check in the Erlang/OTP implementation, it is possible to send specific SSH messages before completing authentication, and the server mistakenly processes them as if the user were already verified.

In an example exploitation attempt, the attacker sends a "channel open" message to start a session and follows it with a "channel request" message that includes a command, such as writing a file or launching a shell [2]. Typically, these messages are only allowed after successful authentication, but in this case, the server fails to block them. Since the server does not properly enforce authentication at this stage, it processes the request and executes the command as if it came from a trusted, logged-in user.

The CVE-2025-32433 vulnerability is especially dangerous because the SSH daemon often runs with elevated privileges, frequently as root. This means that any command sent through the exploit is executed with full system privileges, giving the attacker complete control over the affected machine.
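To make the "missing check" concrete, here is an added example (not code from the Picus post and not the Erlang/OTP SSH implementation): a minimal model of an SSH server's message dispatcher with the authentication gate switched off, modelling the flaw, and switched on, modelling the fix. The message numbers are the real ones from RFC 4252 and RFC 4254, and the gate covers the whole connection-protocol range that RFC 4251 reserves (80 to 127), which generalises the two messages named above; the dispatcher structure, the credential and the command placeholder are constructed for the model.

```python
"""Model of the pre-authentication gate in an SSH server message dispatcher.

Added example. Message numbers are from the SSH RFCs; the session model,
the credential and the traces are constructed for illustration.
"""
from dataclasses import dataclass, field

# Real message numbers (RFC 4252 for userauth, RFC 4254 for channels).
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_SUCCESS = 52
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_OPEN_CONFIRMATION = 91
SSH_MSG_CHANNEL_REQUEST = 98
SSH_MSG_CHANNEL_SUCCESS = 99

# RFC 4251 section 7 reserves 80-127 for the connection protocol, i.e. every
# message that opens channels or asks for exec/shell on them.
CONNECTION_PROTOCOL = range(80, 128)

# Constructed credential; a real server consults its password or key store.
VALID_PASSWORD = "constructed-secret"


@dataclass
class Session:
    authenticated: bool = False
    executed: list = field(default_factory=list)   # commands the server ran
    rejected: list = field(default_factory=list)   # message types refused pre-auth
    replies: list = field(default_factory=list)    # message numbers sent back


def dispatch(session, msg, enforce_auth_gate):
    """Handle one decoded message (a dict carrying a 'type' number).

    enforce_auth_gate=False models the missing check; True models the fix.
    Returns False when the server should drop the connection.
    """
    mtype = msg["type"]

    # The gate: connection-protocol messages have no meaning before userauth
    # has succeeded, so a correct server refuses them and disconnects.
    if enforce_auth_gate and mtype in CONNECTION_PROTOCOL and not session.authenticated:
        session.rejected.append(mtype)
        return False

    if mtype == SSH_MSG_USERAUTH_REQUEST:
        if msg.get("password") == VALID_PASSWORD:
            session.authenticated = True
            session.replies.append(SSH_MSG_USERAUTH_SUCCESS)
        else:
            session.replies.append(SSH_MSG_USERAUTH_FAILURE)
    elif mtype == SSH_MSG_CHANNEL_OPEN:
        session.replies.append(SSH_MSG_CHANNEL_OPEN_CONFIRMATION)
    elif mtype == SSH_MSG_CHANNEL_REQUEST and msg.get("request") == "exec":
        # Without the gate this branch runs although nobody authenticated.
        session.executed.append(msg["command"])
        session.replies.append(SSH_MSG_CHANNEL_SUCCESS)
    return True


def run(messages, enforce_auth_gate):
    """Feed a trace of decoded messages to a fresh session and return it."""
    session = Session()
    for msg in messages:
        if not dispatch(session, msg, enforce_auth_gate):
            break
    return session


# Constructed trace mirroring the sequence described above: channel open,
# then an exec request, with no authentication at all.
PREAUTH_TRACE = [
    {"type": SSH_MSG_CHANNEL_OPEN, "channel": "session"},
    {"type": SSH_MSG_CHANNEL_REQUEST, "request": "exec", "command": "<constructed command>"},
]

# A normal client authenticates first, then opens its channel.
LEGIT_TRACE = [
    {"type": SSH_MSG_USERAUTH_REQUEST, "user": "alice", "password": VALID_PASSWORD},
    *PREAUTH_TRACE,
]

if __name__ == "__main__":
    for label, gate in (("vulnerable", False), ("hardened", True)):
        s = run(PREAUTH_TRACE, gate)
        print(f"{label}: executed={s.executed} rejected={s.rejected}")
```

The same predicate (a message number in the 80 to 127 range seen on a connection that has not yet carried SSH_MSG_USERAUTH_SUCCESS) is also the condition a network sensor with SSH transport visibility would need to flag, since the exploit pattern is an ordering violation rather than a malformed packet.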

How Does Picus Help Simulate Erlang/OTP SSH CVE-2025-32433 Attacks?

We also strongly suggest simulating exploitation of the Erlang/OTP SSH CVE-2025-32433 vulnerability with the Picus Security Validation Platform to test the effectiveness of your security controls against sophisticated cyber attacks. You can also test your defenses against other vulnerability exploitation attacks, such as regreSSHion, Citrix Bleed, and Follina, within minutes with a 14-day free trial of the Picus Platform.

The Picus Threat Library includes the following threats for Erlang/OTP SSH CVE-2025-32433 vulnerability exploitation attacks:

| Threat ID | Threat Name                                                       | Attack Module                |
|-----------|-------------------------------------------------------------------|------------------------------|
| 88959     | Erlang/OTP SSH Server Remote Code Execution Vulnerability Threat | Network Infiltration         |
| 56426     | Erlang/OTP SSH Server Remote Code Execution Vulnerability Threat | Email Infiltration (Phishing) |

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.

References

[1] "Unauthenticated Remote Code Execution in Erlang/OTP SSH," GitHub. Available: https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2

[2] M. Keeley, "How I Used AI to Create a Working Exploit for CVE-2025-32433 Before Public PoCs Existed," Apr. 17, 2025. Available: https://platformsecurity.com/blog/CVE-2025-32433-poc