CVE-2025-32433

critical

Description

Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, an SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials. This issue is patched in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. A temporary workaround is to disable the SSH server or to block access to it with firewall rules.

From the Tenable Blog

CVE-2025-32433: Erlang/OTP SSH Unauthenticated Remote Code Execution Vulnerability

Published: 2025-04-18

Proof-of-concept code has been released after researchers disclosed a maximum severity remote code execution vulnerability in Erlang/OTP SSH. Successful exploitation could allow for complete takeover of affected devices.

Details

Source: Mitre, NVD

Published: 2025-04-16

Updated: 2025-04-25

Named Vulnerability: Zbyte

Named Vulnerability: Erlang/OTP SSH Unauthenticated Remote Code Execution Vulnerability

Named Vulnerability: Erlang SSH pre-authentication vulnerability

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 10

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.50208

Vulnerability Watch

Tenable Research has classified this CVE under the following Vulnerability Watch classification, which includes active and historical (inactive) classifications. You can learn more about these classifications on our blog.

Vulnerability of Interest