CVE-2025-32433:
A critical pre-authentication remote code execution vulnerability in Erlang/OTP SSH server allows unauthenticated attackers to execute arbitrary commands. The issue is fixed in patched releases OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20; as a temporary workaround, SSH can be disabled or access restricted via firewall rules.
Score
A numerical rating that indicates how dangerous this vulnerability is.
10.0Critical- Published Date:Apr 16, 2025
- CISA KEV Date:Jun 9, 2025
- Industries Affected:20
54 DaysThreat Predictions
- EPSS Score:50.3
- EPSS Percentile:98%
Exploitability
- Score:3.9
- Attack Vector:NETWORK
- Attack Complexity:LOW
- Privileges Required:NONE
- User Interaction:NONE
- Scope:CHANGED
Impact
- Score:6.0
- Confidentiality Impact:HIGH
- Integrity Impact:HIGH
- Availability Impact:HIGH
Description Preview
A critical pre-authentication remote code execution vulnerability in Erlang/OTP SSH server allows unauthenticated attackers to execute arbitrary commands. The issue is fixed in patched releases OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20; as a temporary workaround, SSH can be disabled or access restricted via firewall rules.
Overview
This CVE describes a critical flaw in Erlang/OTP's SSH server that could allow an attacker to execute arbitrary code without authentication by manipulating SSH protocol messages. The vulnerability is severe because it requires no credentials and can compromise affected systems remotely. Patches are provided in OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, with a recommended temporary mitigation of disabling the SSH server or restricting access via firewalls until upgrades are applied.
Remediation
- Upgrade Erlang/OTP to the patched releases: OTP-27.3.3, OTP-26.2.5.11, or OTP-25.3.2.20, depending on your current major/minor branch.
- If immediate upgrade is not feasible, temporarily disable the SSH server or constrain SSH access with firewall rules to prevent unauthenticated connections.
- After upgrading, verify the version is at or beyond the patched releases and re-enable SSH with normal access controls.
- Conduct a security review of SSH exposure (e.g., limit to trusted networks, rotate credentials only if there is evidence of compromise, monitor SSH logs for anomalous activity).
- Run post-patch vulnerability scans and verify that there are no lingering indicators of exploitation.
References
- - https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2
- - https://github.com/erlang/otp/commit/0fcd9c56524b28615e8ece65fc0c3f66ef6e4c12
- - https://github.com/erlang/otp/commit/6eef04130afc8b0ccb63c9a0d8650209cf54892f
- - https://github.com/erlang/otp/commit/b1924d37fd83c070055beb115d5d6a6a9490b891
- - http://www.openwall.com/lists/oss-security/2025/04/16/2
- - http://www.openwall.com/lists/oss-security/2025/04/18/1
- - http://www.openwall.com/lists/oss-security/2025/04/18/2
- - http://www.openwall.com/lists/oss-security/2025/04/18/6
- - http://www.openwall.com/lists/oss-security/2025/04/19/1
- - https://security.netapp.com/advisory/ntap-20250425-0001/
- - https://github.com/ProDefense/CVE-2025-32433/blob/main/CVE-2025-32433.py
Armis Early Warning
Armis Early Warning provides proactive threat intelligence and early detection capabilities.Click here to learn more.
- Armis Alert Date:Apr 19, 2025
- CISA KEV Date:Jun 9, 2025
- Days Early:54 Days
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.
