Threat Insight

Critical CVE-2025-32433: Erlang/OTP SSH Remote Code Execution Vulnerability

A critical remote code execution (RCE) vulnerability[1] in the Erlang/OTP SSH library has been given the maximum CVSS score of 10.0. It arises from improper handling of certain SSH protocol messages, which allows attackers to execute arbitrary code on vulnerable systems without authenticating.

Insight

If the daemon process is running as root, exploiting this vulnerability gives attackers full control of affected systems: they can read sensitive data, manipulate system operations, and cause service outages. Attackers exploit the vulnerability in IoT devices running outdated Erlang/OTP libraries, gaining control over devices in smart homes or industrial environments. An attacker only needs to initiate a connection to a vulnerable SSH server; no prior authentication is required.

CVE

CVE-2025-32433

Affected Products

<= OTP-27.3.2
<= OTP-26.2.5.10
<= OTP-25.3.2.19

Update to one of the patched versions of OTP:

OTP-27.3.3
OTP-26.2.5.11
OTP-25.3.2.20

If immediate patching is not feasible, we recommend disabling the SSH server or blocking access to it with firewall rules.
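The affected and patched versions above are easy to misread when a system reports a four-component version such as 26.2.5.10. The following script is an added example (not part of this advisory or the Erlang/OTP project) that compares an OTP version string against the release lines listed here and reports whether the installed version still precedes the fix on its line. It assumes the full version string has already been read, for example from the OTP_VERSION file in the Erlang release directory; the version strings at the bottom are constructed samples.

```python
"""Compare an Erlang/OTP version string against the CVE-2025-32433 fixed versions.

Added example, not from the advisory. Input is assumed to be the full OTP
version string (e.g. the contents of the OTP_VERSION file); sample inputs
below are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Patched releases named in the advisory, keyed by major release line.
# Any version on the same line that sorts below the fix is affected.
FIXED_VERSIONS: Dict[int, Tuple[int, ...]] = {
    25: (25, 3, 2, 20),
    26: (26, 2, 5, 11),
    27: (27, 3, 3),
}


def parse_otp_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn 'OTP-27.3.2' or '27.3.2' into a tuple of ints; None if unparseable."""
    m = re.fullmatch(r"\s*(?:OTP-)?(\d+(?:\.\d+)*)\s*", text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version precedes the fix on its release line, False if it is
    patched or on a newer line, None if unparseable or on a line the advisory
    does not name (older lines: consult the upstream advisory rather than
    assume they are safe)."""
    parsed = parse_otp_version(version)
    if parsed is None:
        return None
    major = parsed[0]
    if major > max(FIXED_VERSIONS):
        # Release lines newer than 27 were never in the affected ranges.
        return False
    fixed = FIXED_VERSIONS.get(major)
    if fixed is None:
        return None
    # Tuple comparison handles differing lengths: (26, 2, 5) < (26, 2, 5, 11)
    # is True, while (27, 3, 3, 1) < (27, 3, 3) is False.
    return parsed < fixed


def report(versions: List[str]) -> Dict[str, str]:
    """Map each version string to a human-readable verdict."""
    labels = {True: "VULNERABLE", False: "patched", None: "unknown"}
    return {v: labels[is_vulnerable(v)] for v in versions}


if __name__ == "__main__":
    # Constructed sample inputs; on a real host read the OTP_VERSION file instead.
    samples = ["OTP-27.3.2", "27.3.3", "26.2.5.10", "OTP-26.2.5.11",
               "25.3.2.19", "25.3.2.20", "28.0", "not-a-version"]
    for version, verdict in report(samples).items():
        print(f"{version:>14}: {verdict}")
```

The comparison is done per release line because a version such as 26.2.5.11 is patched even though it sorts below 27.3.2 numerically; a plain lexical or global comparison would misclassify it.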

References

[1] https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2