A critical flaw in Erlang’s Open Telecom Platform is under active attack. CVE-2025-32433 carries a CVSS score of 10.0 and allows remote code execution without authentication.
According to researchers at Palo Alto Networks' Unit 42, it affects OTP's built-in SSH daemon, which is used to manage hosts in telecom, 5G, and industrial systems.
The flaw is in the daemon's handling of SSH protocol messages: an attacker who can reach an exposed SSH port can send messages that should only be accepted after login, and the server acts on them before authentication completes, giving the attacker code execution without any credentials. A fix is available in OTP versions 27.3.3, 26.2.5.11, and 25.3.2.20. Until updated, administrators are advised to disable the SSH service or restrict access to trusted sources.
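The first question for a practitioner is whether an installed OTP is on a fixed release. The following is an added example, not code from the article or from the Erlang/OTP project: it compares a full OTP version string (the kind found in the `OTP_VERSION` file under an OTP release root; the path handling and the sample strings are assumptions for illustration) against the fixed versions named above and returns the mitigation the text recommends. Only the 25, 26 and 27 lines are in the table because those are the fixes the page lists; any other major line is reported as unknown rather than guessed.

```python
"""Version triage for CVE-2025-32433 (Erlang/OTP SSH pre-auth RCE).

Added example, not code from the original article or from the Erlang/OTP
project. FIXED holds the first patched release of each OTP line named in
the article; version strings are compared as integer tuples so that a
four-part version such as 26.2.5.11 sorts correctly.
"""
from __future__ import annotations

from pathlib import Path

# First fixed release per OTP major line, as stated in the article.
FIXED = {
    27: (27, 3, 3),
    26: (26, 2, 5, 11),
    25: (25, 3, 2, 20),
}

ACTIONS = {
    "patched": "no action required for CVE-2025-32433",
    "vulnerable": "upgrade to a fixed release; until then stop the SSH daemon "
                  "or restrict access to trusted sources",
    "unknown": "major line not covered by the fix list on this page; "
               "check the vendor advisory",
}


def parse_version(text: str) -> tuple[int, ...]:
    """Parse '26.2.5.11\\n' into (26, 2, 5, 11). Rejects empty or non-numeric input."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an OTP version string: {text!r}")
    return tuple(int(p) for p in parts)


def classify_otp_version(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for a full OTP version string."""
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    if fixed is None:
        return "unknown"
    # Tuple comparison: (26, 2, 5) < (26, 2, 5, 11), so a short version on a
    # fixed line is still treated as vulnerable; (26, 3) > (26, 2, 5, 11) is patched.
    return "patched" if v >= fixed else "vulnerable"


def triage(version: str) -> dict[str, str]:
    status = classify_otp_version(version)
    return {"version": version.strip(), "status": status, "action": ACTIONS[status]}


def triage_otp_root(otp_root: str) -> list[dict[str, str]]:
    """Read every releases/<major>/OTP_VERSION under an OTP install root.

    Assumed layout for illustration; returns one triage record per file found.
    """
    results = []
    for path in sorted(Path(otp_root).glob("releases/*/OTP_VERSION")):
        results.append(triage(path.read_text(encoding="utf-8")))
    return results


if __name__ == "__main__":
    # Constructed sample versions, not data from the article.
    for sample in ("27.3.3", "27.3.2", "26.2.5.11", "26.2.5", "25.3.2.19", "24.3.4"):
        r = triage(sample)
        print(f"{r['version']:>10}  {r['status']:<10}  {r['action']}")
```

`triage_otp_root` is the entry point for a host survey; point it at the install prefix (for example the parent of the `releases` directory) and it returns one record per release found there.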
From May 1 to May 9, 2025, exploitation attempts rose sharply. About 75% of detections came from firewalls in operational technology (OT) networks. Many vulnerable services were exposed on industrial ports, including TCP 2222, a port also used by automation protocols.
Healthcare, agriculture, media, entertainment, and high technology saw the highest OT impact. Education networks recorded the greatest overall number of attempts. In Japan, almost every detection came from OT environments. The United States saw the highest volume, with more than 1,900 OT-related signatures.
Two Main Payloads
Two main payload types have been observed. One is a bind shell: a shell attached to a TCP socket that the attacker connects to for interactive commands. The other is a reverse shell that connects back to a remote host on port 6667, the default IRC port and one commonly used for botnet command and control.
Several payloads triggered DNS lookups for random subdomains of dns.outbound.watchtowr[.]com. This is a blind, out-of-band execution check: the attacker gets no direct response from the target, so a DNS query arriving at a domain they control is the signal that the payload ran.
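The indicators above translate directly into detection logic. The following is an added example, not code from the article or from Unit 42: it runs three checks over constructed connection and DNS log records (the one-line record format, the host addresses and the query names are all assumptions for illustration). It flags inbound connections to an Erlang SSH host's port 2222 from outside the trusted RFC 1918 ranges (the exposure condition), outbound connections from that host to port 6667 (the reverse-shell payload), and any DNS query for a subdomain of dns.outbound.watchtowr.com (the out-of-band check; the domain is written defanged in the text). The bind-shell payload is not covered because connection logs alone do not show a new listener.

```python
"""Detection sketch for CVE-2025-32433 post-exploitation indicators.

Added example, not code from the original article, from Unit 42 or from
any vendor. Record format is assumed:
  <ts> conn src=<ip>:<port> dst=<ip>:<port> proto=tcp
  <ts> dns src=<ip> qname=<name>
"""
import ipaddress
import re

OOB_DOMAIN = "dns.outbound.watchtowr.com"   # defanged in the article
IRC_PORT = 6667                              # reverse-shell destination port
ERLANG_SSH_PORT = 2222                       # exposed industrial port named in the text
# "Trusted sources" is taken here to mean the RFC 1918 ranges; adjust per site.
TRUSTED_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

CONN_RE = re.compile(
    r"^(?P<ts>\S+) conn src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=tcp$"
)
DNS_RE = re.compile(r"^(?P<ts>\S+) dns src=(?P<src>[\d.]+) qname=(?P<qname>\S+)$")

# Constructed sample records, not data from the article.
SAMPLE_LOG = [
    "2025-05-03T10:00:01Z conn src=203.0.113.7:51234 dst=10.20.0.15:2222 proto=tcp",
    "2025-05-03T10:00:02Z dns src=10.20.0.15 qname=k3j9x2.dns.outbound.watchtowr.com.",
    "2025-05-03T10:00:03Z conn src=10.20.0.15:49822 dst=198.51.100.9:6667 proto=tcp",
    "2025-05-03T10:00:04Z conn src=10.20.0.22:40000 dst=10.20.0.1:53 proto=tcp",
    "2025-05-03T10:00:05Z dns src=10.20.0.22 qname=updates.example.com",
]


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def analyze(lines, erlang_ssh_hosts):
    """Return (rule, host, detail) tuples for each suspicious record.

    erlang_ssh_hosts: set of IPs known to run the OTP SSH daemon (asset inventory).
    """
    alerts = []
    for line in lines:
        m = CONN_RE.match(line)
        if m:
            src, dst, dport = m["src"], m["dst"], int(m["dport"])
            if dst in erlang_ssh_hosts and dport == ERLANG_SSH_PORT and not is_trusted(src):
                alerts.append(("exposed_erlang_ssh_inbound", dst, src))
            elif src in erlang_ssh_hosts and dport == IRC_PORT:
                alerts.append(("reverse_shell_irc_port", src, f"{dst}:{dport}"))
            continue
        m = DNS_RE.match(line)
        if m:
            # Normalise the trailing dot and case before the suffix check so the
            # random label in front of the domain does not matter.
            qname = m["qname"].rstrip(".").lower()
            if qname.endswith("." + OOB_DOMAIN):
                alerts.append(("oob_dns_callback", m["src"], qname))
    return alerts


if __name__ == "__main__":
    for rule, host, detail in analyze(SAMPLE_LOG, {"10.20.0.15"}):
        print(f"{rule:<28} host={host:<12} {detail}")
```

The DNS rule fires regardless of the asset inventory, since a query for the out-of-band domain is suspicious from any host; the two connection rules depend on knowing which hosts run the OTP SSH daemon, which is why a current inventory of Erlang-based devices on OT segments is part of the detection.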
Researchers note that exploitation comes in bursts. Peak activity days often match spikes in OT-specific triggers. This pattern complicates detection and suggests deliberate, targeted campaigns.
Almost 60% of all firewalls detecting attempts were in OT networks. These devices saw 160% more attempts per firewall than their IT counterparts. Exposure in education, healthcare, and high technology shows that OT risk is no longer confined to factories or utilities.
The convergence of IT and OT, combined with exposed industrial ports, has widened the attack surface.
Administrators should patch immediately, update intrusion prevention signatures, and enforce strict network segmentation.
This vulnerability shows how a flaw in a general-purpose software component can become an operational threat overnight. When attackers find a way into an operational network, they do not hesitate.
Disproportionately Affecting OT
April Lenhard, Principal Product Manager at Qualys, says the real danger with CVE-2025-32433 is that it’s not just an IT vulnerability: it is disproportionately affecting operational technology (OT) networks, and it’s already actively showing up in systems tied to critical infrastructure.
“Most known compromises involve OT assets that control physical processes like robotics, pumps, valves, or even safety systems. Exploitation could alter sensor readings, trigger outages, introduce safety risks, and cause physical damage,” Lenhard adds.
“By the time breaches are detected, attackers were often already inside the network through other means and simply moving laterally toward OT systems: this means they are exploiting the growing convergence of IT and OT systems to penetrate critical infrastructure across industries.”
Severe Consequences
Thomas Richards, Infrastructure Security Practice Director at Black Duck, adds that this vulnerability, if exploited, could have severe consequences for the organization, its network, and its operations.
“The attacker would have full control over the system which can result in a compromise of sensitive information and allow them to compromise additional hosts within the network. It would also allow an attacker to disrupt the operations of any connected systems. This is additionally concerning for any critical infrastructure as the disruption could negatively impact large portions of the population.”
He says addressing this vulnerability should be a top priority for any security team responsible for an OT network.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.