A critical security vulnerability has been disclosed in the Erlang/Open Telecom Platform (OTP) SSH implementation that could permit an attacker to execute arbitrary code sans any authentication under certain conditions.
The vulnerability, tracked as CVE-2025-32433, has been given the maximum CVSS score of 10.0.
"The vulnerability allows an attacker with network access to an Erlang/OTP SSH server to execute arbitrary code without prior authentication," Ruhr University Bochum researchers Fabian Bäumer, Marcus Brinkmann, Marcel Maehren, and Jörg Schwenk said.
The issue stems from improper handling of SSH protocol messages that essentially permit an attacker to send connection protocol messages prior to authentication. Successful exploitation of the shortcomings could result in arbitrary code execution in the context of the SSH daemon.
Further exacerbating the risk, if the daemon process is running as root, it enables the attacker to have full control of the device, in turn, paving the way for unauthorized access to and manipulation of sensitive data or denial-of-service (DoS).
All users running an SSH server based on the Erlang/OTP SSH library are likely affected by CVE-2025-32433. It's recommended to update to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. As temporary workarounds, access to vulnerable SSH servers can be prevented using appropriate firewall rules.
In a statement shared with The Hacker News, Mayuresh Dani, manager of security research at Qualys, described the vulnerability as extremely critical and that it can allow a threat actor to perform actions such as installing ransomware or siphoning off sensitive data.
"Erlang is frequently found installed on high-availability systems due to its robust and concurrent processing support," Dani said. "A majority of Cisco and Ericsson devices run Erlang."
"Any service using Erlang/OTP's SSH library for remote access such as those used in OT/IoT devices, edge computing devices are susceptible to exploitation. Upgrading to the fixed Erlang/OTP or vendor-supported versions will remediate the vulnerability. Should organizations need more time to install upgrades, they should restrict SSH port access to authorized users alone."
Researchers Warn of Severe Consequences
Operational Technology (OT) security platform Frenos also emphasized the criticality of CVE-2025-32433, given its widespread deployment across critical infrastructure environments.
"The vulnerability exists because Erlang's SSH implementation doesn't properly enforce the SSH protocol sequence," the company said. "Normally, SSH requires strict authentication before allowing any channel operations. This vulnerability allows attackers to bypass this by sending channel operation messages before authentication completes."
"The consequences could be severe – from unauthorized access to sensitive industrial systems to complete disruption of critical infrastructure operations."
Horizon3.ai Demonstrates PoC
Cybersecurity firm Horizon3.ai said it has been able to devise a proof-of-concept (PoC) exploit for CVE-2025-32433 and that it was "surprisingly easy" to do so, making it imperative that users move quickly to apply the patches, if not already.
Cisco Says Multiple Products Affected
Network equipment maker Cisco has confirmed that several of its products, including ConfD, Network Services Orchestrator (NSO), Smart PHY, Intelligent Node Manager, and Ultra Cloud Core, are affected by CVE-2025-32433. Patches for ConfD and NSO are expected to be available by next month.
"While these products are vulnerable because they accept unauthenticated channel request messages, due to the product configuration they are not vulnerable to RCE," Cisco said.
Cybersecurity company Arctic Wolf, in an advisory published earlier this week, said Erlang is bundled into several products from the Apache Software Foundation, Broadcom, EMQ Technologies, Ericsson, National Instruments, Riak Technologies, and Very Technology.
There is no evidence that the vulnerability has been weaponized in a malicious context, although a proof-of-concept (PoC) exploit has since been made available.
"Erlang is widely used in networking equipment that forms the backbone of the internet, and SSH is used to establish secure connections on the control plane managing many of those devices," security researcher Andres Ramos said.
"This supply chain risk extends to industrial control systems (ICS) and operational technology (OT) devices, such as routers, switches, and smart sensors."
