External risk intelligence

Erlang/OTP SSH Server Remote Code Execution Vulnerability

CVE advisoryKnown Exploit

CVE-2025-32433

A vulnerability in Erlang/OTP's SSH server could allow unauthorized remote code execution. This impacts organizations using affected systems, potentially exposing sensitive data and business operations to risk. Immediate remediation is advised.

4Halo Surface Signal

Missing Authentication

Erlang\/otp

before 25.3.2.2026.0 to before 26.2.5.1127.0 to before 27.3.3before 7.7.19.18.0.18 to before 8.1.16.28.2 to before 8.2.11.18.3 to before 8.3.8.18.4 to before 8.4.4.1before 5.7.19.1;...

External exposure likelihood

Halo Surface Signal score for CVE-2025-32433

The vulnerability affects an SSH server component widely embedded in edge services, network appliances, and remote access gateways. SSH is a common, internet-reachable management protocol, and many affected products, such as routers and network orchestration software, are frequently deployed in roles that require external accessibility for remote administration or infrastructure connectivity.

Horizon Alert

Summary of the vulnerability and why it matters

The Erlang/OTP SSH server contains a vulnerability that could allow an attacker to execute arbitrary commands without authentication. This flaw arises from an improper handling of SSH protocol messages. Exploitation could lead to unauthorized access and control over affected systems.

Erlang/OTP SSH server
Unauthenticated remote code execution
Compromised systems and data

Attack Path

How an attacker could exploit the issue

A vulnerability exists in the SSH server component of Erlang/OTP, allowing attackers to execute commands remotely without authentication. This flaw stems from improper handling of SSH protocol messages. Successful exploitation can grant unauthorized access and control over affected systems.

Network exposure required.
Attacker gains unauthorized access.
Arbitrary code execution occurs.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows for remote code execution without authentication, posing a significant risk to affected organizations. An attacker could gain unauthorized access to systems and execute arbitrary commands. Due to the ease of exploitation and potential for widespread compromise, this vulnerability should be treated with urgency.

Attacker skill level: Low
Required access or conditions: Network access
Business risk or urgency: High

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

The identified vulnerability in Erlang/OTP's SSH server presents a critical risk, potentially allowing unauthenticated remote code execution. Organizations should prioritize immediate actions to identify and mitigate exposure to this threat. Understanding the scope of affected systems is the first step, followed by implementing measures to reduce the attack surface.

Locate all instances of affected software.
Restrict SSH access or disable the SSH server.
Update to the vendor-provided fix and verify its application.
Monitor for any related suspicious activity.

Frequently asked questions

What is Erlang/OTP and how is it used?

Erlang/OTP is a set of libraries for the Erlang programming language. It is used to build scalable, real-time, distributed, and fault-tolerant systems, often found in telecommunications and high-availability applications. It provides the foundation for many software products.

What is the vulnerability in Erlang/OTP SSH servers (CVE-2025-32433)?

CVE-2025-32433 is a critical vulnerability related to how Erlang/OTP's SSH server handles certain messages. It's classified as CWE-306, meaning it involves an authentication bypass. This flaw could allow an attacker to execute commands on a system without needing any login credentials.

How can an attacker exploit the Erlang/OTP SSH flaw?

An attacker can exploit this vulnerability by sending specially crafted SSH protocol messages to an affected server. This bypasses the normal authentication process, allowing them to execute arbitrary commands remotely. The vulnerability is triggered by flaws in message handling before authentication is fully established.

Who should be concerned about this Erlang/OTP SSH vulnerability?

Organizations running Erlang/OTP with its SSH server enabled should be concerned. According to the Halo Surface Signal, this vulnerability is rated as 'Likely' to be exposed externally because SSH is a common internet-facing management protocol. Products like network appliances and remote access gateways that use Erlang/OTP are often accessible from the internet.

What are the first steps to address the Erlang/OTP SSH vulnerability?

The immediate steps are to update Erlang/OTP to a patched version: OTP-27.3.3, OTP-26.2.5.11, or OTP-25.3.2.20. If an update is not immediately possible, a temporary workaround is to disable the SSH server or block access to it using firewall rules.

References

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.