A critical remote code execution (RCE) vulnerability in Erlang/OTP’s SSH implementation (CVE-2025-32433) now has publicly available exploits, prompting urgent patching. The flaw, rated CVSS 10.0, allows unauthenticated attackers to execute arbitrary commands on affected systems by sending crafted SSH protocol messages during the handshake phase1. Over 600,000 exposed IPs—including telecom infrastructure, IoT devices, and databases like CouchDB—are at risk2.
TL;DR: Key Facts
- Severity: CVSS 10.0 (Critical)
- Impact: Unauthenticated RCE via SSH
- Affected: Erlang/OTP versions before 25.3.2.20, 26.2.5.11, and 27.3.3
- Exploits: Public PoCs released April 19, 20253
- Mitigation: Patch immediately or disable SSH if unused
Technical Breakdown
The vulnerability stems from improper handling of pre-authentication SSH messages, such as SSH_MSG_CHANNEL_OPEN requests. Attackers bypass authentication by chaining crafted messages during the handshake, embedding commands like exec /bin/sh to gain root access4. The Erlang/OTP SSH daemon often runs with elevated privileges, enabling full system compromise.
Proof-of-concept exploits leverage message type collisions during the key exchange phase. For example, Picus Security documented attack patterns where malformed packets trigger memory corruption in the Erlang BEAM virtual machine5. Horizon3 researchers confirmed the exploit is “trivial to weaponize” due to predictable heap layouts in unpatched versions.
Detection and Mitigation
Organizations should prioritize the following actions:
- Patch: Upgrade to OTP 25.3.2.20, 26.2.5.11, or 27.3.3.
- Network Controls: Restrict SSH access via firewalls; monitor for anomalous connection attempts (Picus Threat ID 88959)6.
- Log Analysis: Search for unusual SSH handshake failures or
channel_requestmessages containing command strings.
Truesec provides detection scripts to identify exploitation attempts, available on their blog7. APT groups like Volt Typhoon are actively targeting unpatched systems, particularly in telecom and industrial control environments8.
Conclusion
CVE-2025-32433 poses significant risk due to its widespread impact and ease of exploitation. Immediate patching is critical, especially for systems where SSH is exposed to untrusted networks. Organizations should also review secondary controls like network segmentation and privilege reduction for Erlang services.
