A team of researchers from Ruhr University Bochum — Fabian Bäumer, Marcus Brinkmann, Marcel Maehren, and Jörg Schwenk — have discovered a critical security vulnerability affecting the SSH implementation in Erlang/OTP. Tracked as CVE-2025-32433, the flaw has been assigned a CVSS v3.1 score of 10.0, the highest possible severity rating.
The vulnerability enables a malicious actor with network access to an Erlang/OTP SSH server to execute arbitrary code without any prior authentication. According to the researchers, the issue stems from a flaw in the SSH protocol message handling, where connection protocol messages sent prior to authentication can be exploited.
All users running an SSH server based on the Erlang/OTP SSH library are likely at risk. Applications that rely on Erlang/OTP SSH for remote access should assume they are affected unless confirmed otherwise.
Potential Impact
If exploited, the vulnerability allows an attacker to execute arbitrary code in the context of the SSH daemon. If the daemon operates with root privileges — a common configuration — the malefactor could gain full control over the compromised device. This level of access could enable:
- Unauthorized manipulation or theft of sensitive data
- Total system compromise
- The deployment of malware or ransomware
- The launch of denial-of-service (DoS) attacks
Given the severity, the researchers emphasize that the flaw poses a significant risk to the security and integrity of affected systems.
Recommended Mitigations
Immediate action is advised. Users should update their systems to the latest patched versions of Erlang/OTP:
- OTP-27.3.3
- OTP-26.2.5.11
- OTP-25.3.2.20
For users unable to upgrade immediately, a temporary mitigation is to restrict network access to the SSH server through suitable firewall rules, blocking untrusted connections until patches can be applied.
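A quick way to triage a fleet is to compare each host's installed OTP version against the three fixed releases listed above. The script below is an added example for this article, not code from the researchers or the Erlang/OTP project; it assumes the installed version is read from the standard `releases/<major>/OTP_VERSION` file under the Erlang root (or passed in as a string) and that a version is safe only when it is at or above the fixed release of its own major line.

```python
"""Triage helper for CVE-2025-32433: is this Erlang/OTP version patched?

Added example (not from the article or the Erlang/OTP project). Assumes:
  * the fixed versions are exactly those listed in the advisory;
  * an installed version is located in <erlang_root>/releases/<major>/OTP_VERSION
    (the file may carry a trailing "**" when extra patches are applied);
  * major lines not listed (e.g. 24 or 28) cannot be judged from the article
    and are reported as "unknown" so an operator checks with the vendor.
"""
import glob
import os
import re

# Fixed releases named in the advisory, keyed by major release line.
FIXED_VERSIONS = {
    27: (27, 3, 3),
    26: (26, 2, 5, 11),
    25: (25, 3, 2, 20),
}


def parse_otp_version(text):
    """Turn 'OTP-26.2.5.11', '26.2.5.11' or '26.2.5.11**' into a tuple of ints."""
    match = re.search(r"(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def _pad(version, length):
    """Right-pad a version tuple with zeros so '27.3' compares as 27.3.0."""
    return version + (0,) * (length - len(version))


def assess(version_text):
    """Return one of 'patched', 'vulnerable' or 'unknown' for a version string."""
    version = parse_otp_version(version_text)
    major = version[0]
    if major not in FIXED_VERSIONS:
        # Older unsupported lines have no listed fix; newer lines are not
        # covered by the advisory text, so do not guess either way.
        return "unknown"
    fixed = FIXED_VERSIONS[major]
    width = max(len(version), len(fixed))
    if _pad(version, width) >= _pad(fixed, width):
        return "patched"
    return "vulnerable"


def read_otp_version(erlang_root):
    """Read the full version from <erlang_root>/releases/<major>/OTP_VERSION.

    Returns None when no such file exists (e.g. a non-standard install).
    """
    candidates = glob.glob(os.path.join(erlang_root, "releases", "*", "OTP_VERSION"))
    if not candidates:
        return None
    with open(candidates[0], encoding="utf-8") as handle:
        return handle.read().strip()


def assess_hosts(inventory):
    """Map hostname -> version string (constructed sample input) to a verdict."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; the version strings are not real hosts.
    sample = {
        "edge-01": "OTP-26.2.5.10",
        "edge-02": "26.2.5.11**",
        "core-01": "27.3.3",
        "legacy-01": "24.3.4",
    }
    for host, verdict in assess_hosts(sample).items():
        print(f"{host}: {verdict}")
```

Any host reported as "vulnerable" should be patched or placed behind the firewall restriction described above; "unknown" results need a manual check against the vendor's release notes rather than being assumed safe.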
Conduct Forensics
Thomas Richards, Infrastructure Security Practice Director at Black Duck, says RCE vulnerabilities require immediate attention from corporate security teams.
“Not only should every system that uses this software be patched, forensics should also be conducted on the systems to determine if they were compromised to further manage software risk. With a CVSS score of 10.0, CVE-2025-32433 in Erlang/OTP’s SSH implementation is as severe as it gets since SSH systems are often exposed to the internet for remote access.”
Bypassing Security Checks
Due to improper handling of pre-authentication SSH protocol messages, a remote threat actor can bypass security checks to execute code on a system, adds Mayuresh Dani, Security Research Manager at Qualys Threat Research Unit. “If the SSH daemon runs with root privileges – which is common in many deployments – the threat actor will gain complete control over the exploited host. This can allow the threat actor to perform actions such as installing ransomware or siphoning off sensitive data.”
Dani says Erlang is frequently found installed on high-availability systems due to its robust and concurrent processing support, such as the majority of Cisco and Ericsson devices. “Any service using Erlang/OTP’s SSH library for remote access, such as those used in OT/IoT devices and edge computing devices, is susceptible to exploitation. Upgrading to the fixed Erlang/OTP or vendor-supported versions will remediate the vulnerability.”
Should firms need more time to install upgrades, they should restrict SSH port access to authorized users alone, Dani concludes.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.