CVE-2025-32433: Vulnerability in Erlang/OTP SSH Implementation

In April 2025, a critical vulnerability identified as CVE-2025-32433 was disclosed in the SSH implementation of Erlang/OTP (Open Telecom Platform), a programming language and runtime environment used for building scalable and fault-tolerant systems. This flaw affects certain versions of Erlang/OTP and arises from improper handling of SSH protocol messages, potentially allowing unauthenticated attackers to execute arbitrary code on affected systems.​

• CVE ID: CVE-2025-32433
• Severity: Critical
• CVSS Score: 10
• EPSS Score: 0.67%
• Published: April 16, 2025
• Affected Versions: OTP-27.0-rc1 to < OTP-27.3.3, OTP-26.0-rc1 to < OTP-26.2.5.11, All versions < OTP-25.3.2.20
• Patched Versions: OTP-27.3.3, OTP-26.2.5.11, OTP-25.3.2.20​
  

The vulnerability stems from a flaw in the SSH protocol message handling within Erlang/OTP’s SSH server. Specifically, the server fails to properly enforce the SSH protocol sequence, allowing an attacker to send certain protocol messages before authentication is completed. This oversight enables the attacker to execute arbitrary code on the server without providing valid credentials.​

The issue was discovered by researchers Fabian Bäumer, Marcus Brinkmann, Marcel Maehren, and Jörg Schwenk from Ruhr University Bochum, who disclosed their findings on April 16, 2025. The vulnerability has been assigned the maximum CVSS score of 10.0, indicating its critical severity.

• Access to a system running a vulnerable version of Erlang/OTP with the SSH module enabled.​
  

An attacker can initiate an SSH connection to the vulnerable server and send specially crafted protocol messages before the authentication phase. Due to the improper handling of these messages, the server processes them, leading to the execution of arbitrary commands. If the SSH daemon is running with elevated privileges (e.g., as root), this can result in complete system compromise.

Proof-of-concept (PoC) code demonstrating this exploit has been publicly released, increasing the risk of widespread exploitation.

An attacker could leverage the publicly available PoC available on GitHub to compromise vulnerable systems, like the one found in our OffSec CVE Lab (available in our Offensive Cyber Range).

• Review Erlang Open Telecom Platform SSH logs for unusual connection attempts or authentication failures.
  • OpenSSH is not vulnerable to CVE-2025-32433. Default SSH in Linux and BSD systems is not vulnerable.
• Monitor for unexpected behavior in applications relying on Erlang/OTP’s SSH module.​
  

• Implement intrusion detection systems (IDS) to alert on anomalous SSH traffic patterns.
• Use file integrity monitoring tools to detect unauthorized changes to system files.​
  

Upgrade to the patched versions of Erlang/OTP:

• OTP-27.3.3
• OTP-26.2.5.11
• OTP-25.3.2.20
  

These updates address the vulnerability by correcting the SSH protocol message handling logic. 

• Disable the Erlang/OTP SSH server if it’s not required.
• Implement firewall rules to restrict access to the SSH server, allowing only trusted IP addresses.
• Implement additional authentication mechanisms to secure SSH access.​
  

• NVD Entry for CVE-2025-32433
• Erlang/OTP Official Website
• Erlang/OTP GitHub Repository
• Erlang Security Advisory via GitHub