Unauthenticated Remote Code Execution in Erlang/OTP SSH (CVE-2025-32433)


Summary
Cyble's Security Update Advisory provides a synopsis of the latest vulnerability patches released by various vendors. This advisory discusses an Unauthenticated Remote Code Execution vulnerability disclosed in Erlang/OTP SSH.
Erlang OTP (Open Telecom Platform) is a powerful set of libraries, design principles, and tools built on the Erlang programming language. It is designed to support the development of highly scalable, fault-tolerant, and concurrent systems. Originally developed for telecom applications, OTP provides a robust framework that includes behaviors like gen_server and supervision trees, which simplify the creation of reliable, self-healing applications. It is widely used in distributed systems and real-time applications due to its ability to handle thousands of lightweight processes efficiently. Based on naming standards followed by Common Vulnerabilities and Exposures (CVE) and severity standards as defined by the Common Vulnerability Scoring System (CVSS), vulnerabilities are classified as high, medium, and lows.
Vulnerability Details
Missing Authentication for Critical Function
CVSSv3.1
10
Severity
Critical
Vulnerable Product/ Version
<= OTP-27.3.2
<= OTP-26.2.5.10
<= OTP-25.3.2.19
Description
The vulnerability exists because Erlang's SSH implementation doesn't properly enforce the SSH protocol sequence. Normally, SSH requires strict authentication before allowing any channel operations. This vulnerability allows attackers to bypass this by sending channel operation messages before authentication completes, allowing an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials.
Additional Information
Multiple Proof of Concepts (POC) of CVE-2025-32433 are available in the public domain. - Link
What heightens the concern is Erlang’s extensive use within critical infrastructure and operational technology environments. Cisco estimates that around 2 million Erlang-powered devices are shipped each year. - Link
Mitigations
Until upgrading to a fixed version, it is recommended to disable the SSH server or to prevent access via firewall rules.
Patch Link
Recommendations
Implement the latest patches:
Regularly update all software and hardware systems with the most recent patches from official vendors. Create a standard schedule for applying patches and prioritize the immediate application of critical updates.
Develop a thorough patch management plan:
Include inventory tracking, patch evaluation, testing, deployment, and verification. Automate the process where feasible to enhance consistency and efficiency.
Incident response and recovery plan:
Develop and maintain a strategy for identifying, reacting to, and recovering from security incidents. Frequently test and update the strategy to ensure its effectiveness and relevance to current threats.
Monitoring and logging malicious activities across the network:
Implement comprehensive monitoring and logging solutions to detect and analyze suspicious activities. Use SIEM (Security Information and Event Management) systems to aggregate and correlate logs for real-time threat detection and response.
To mitigate risks associated with End-of-Life (EOL) products:
Proactively identify and assess their criticality. Plan for timely upgrades or replacements.
Monitor and Log SSH Activity:
Enable detailed logging. Continuously monitor SSH-related activity to detect anomalous or unauthorized connection attempts.
Disable Erlang/OTP SSH Server if Not Needed:
Consider disabling it entirely if the SSH server functionality provided by Erlang/OTP is not critical to eliminate the attack surface.
Implement Defense-in-Depth Controls:
Employ layered security mechanisms such as host-based firewalls, application whitelisting, strict user access controls, and network intrusion prevention systems (NIPS).
Conclusion
The vulnerability enables unauthenticated remote code execution by attackers with network access to systems running an Erlang/OTP SSH server. Successful exploitation could result in full system compromise, granting unauthorized access to sensitive data or enabling denial-of-service attacks. The presence of a publicly available proof-of-concept (PoC) significantly elevates the risk of exploitation, making unpatched systems particularly susceptible. Hence, applying available patches promptly is strongly recommended to mitigate potential threats.
Subscribe to my newsletter
Read articles from FPT Metrodata Indonesia directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by
