CVE-2025-32433

critical

Description

Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, an SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials. This issue is patched in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. A temporary workaround is to disable the SSH server or to prevent access to it via firewall rules.

From the Tenable Blog

CVE-2025-32433: Erlang/OTP SSH Unauthenticated Remote Code Execution Vulnerability

Published: 2025-04-18

Proof-of-concept code has been released after researchers disclosed a maximum severity remote code execution vulnerability in Erlang/OTP SSH. Successful exploitation could allow for complete takeover of affected devices.

References

https://thehackernews.com/2025/04/critical-erlangotp-ssh-vulnerability.html

https://security.netapp.com/advisory/ntap-20250425-0001/

https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2

https://github.com/erlang/otp/commit/b1924d37fd83c070055beb115d5d6a6a9490b891

https://github.com/erlang/otp/commit/6eef04130afc8b0ccb63c9a0d8650209cf54892f

https://github.com/erlang/otp/commit/0fcd9c56524b28615e8ece65fc0c3f66ef6e4c12

https://github.com/ProDefense/CVE-2025-32433/blob/main/CVE-2025-32433.py

http://www.openwall.com/lists/oss-security/2025/04/19/1

http://www.openwall.com/lists/oss-security/2025/04/18/6

http://www.openwall.com/lists/oss-security/2025/04/18/2

http://www.openwall.com/lists/oss-security/2025/04/18/1

http://www.openwall.com/lists/oss-security/2025/04/16/2

Details

Source: MITRE, NVD

Published: 2025-04-16

Updated: 2025-04-25

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 10

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.00307

Vulnerability Watch

Tenable Research has classified this CVE under the following Vulnerability Watch classification, which includes active and historical (inactive) classifications. You can learn more about these classifications on our blog.

Vulnerability of Interest