Erlang/OTP 17.0 < 25.3.2.20 / 26.2 < 26.2.5.11 / 27.0 < 27.3.3 RCE (CVE-2025-32433)

critical Nessus Plugin ID 240117

Synopsis

The remote host is missing a security update.

Description

The version of Erlang/OTP installed on the remote host is 17.0 prior to 25.3.2.20, 26.2 prior to 26.2.5.11, or 27.0 prior to 27.3.3. It is, therefore, affected by a remote code execution vulnerability: a serious flaw has been identified in the Erlang/OTP SSH server that may allow an unauthenticated attacker to achieve remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Erlang/OTP version 25.3.2.20, 26.2.5.11, or 27.3.3 or later.

See Also

https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2

Plugin Details

Severity: Critical

ID: 240117

File Name: erlang_otp_27_3_3.nasl

Version: 1.1

Type: local

Agent: windows, macosx, unix

Family: Misc.

Published: 6/17/2025

Updated: 6/17/2025

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 10.0

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2025-32433

CVSS v3

Risk Factor: Critical

Base Score: 10

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:/a:erlang:erlang%2fotp

Required KB Items: installed_sw/Erlang-OTP

Patch Publication Date: 4/12/2025

Vulnerability Publication Date: 4/12/2025

Reference Information

CVE: CVE-2025-32433