Detections
Analytics
Erlang/OTP SSH Server Unauthenticated Remote Command Execution (CVE-2025-32433) (Direct Check)
critical Nessus Plugin ID 242072
Language:
Synopsis
The remote SSH server is affected by an unauthenticated remote command execution vulnerability.Description
The remote host is running an Erlang/OTP SSH server that is affected by an unauthenticated remote command exeuction vulnerability:- Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials. This issue is patched in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. A temporary workaround involves disabling the SSH server or to prevent access via firewall rules. (CVE-2025-32433)
This plugin requires that both the scanner and target machine have internet access.
Solution
Upgrade to Erlang/OTP SSH server version OTP-27.3.3, OTP-26.2.5.11, or OTP-25.3.2.20 or later.See Also
https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2
Plugin Details
Severity: Critical
ID: 242072
File Name: erlang_otp_ssh_CVE-2025-32433.nbin
Version: 1.1
Type: remote
Family: Misc.
Published: 7/14/2025
Updated: 7/14/2025
Supported Sensors: Nessus
Risk Information
VPR
Risk Factor: Critical
Score: 10.0
CVSS v2
Risk Factor: Critical
Base Score: 10
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS Score Source: CVE-2025-32433
CVSS v3
Risk Factor: Critical
Base Score: 10
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Vulnerability Information
CPE: cpe:/a:erlang:erlang%2fotp
Exploited by Nessus: true
Patch Publication Date: 4/16/2025
Vulnerability Publication Date: 4/16/2025
Reference Information
CVE: CVE-2025-32433
IAVA: 2025-A-0286