Critical Erlang/OTP SSH Vulnerability (CVSS 10.0) Allows Unauthenticated Code Execution
Briefly

A critical security vulnerability, CVE-2025-32433, has emerged in the Erlang/Open Telecom Platform (OTP) SSH implementation, with a maximum CVSS score of 10.0. This flaw enables attackers with network access to execute arbitrary code without authentication due to improper handling of SSH protocol messages. If exploited, particularly when the SSH daemon runs as root, it grants attackers full control over devices, risking unauthorized data access. Users are advised to update their libraries to the latest versions and implement firewall rules as necessary mitigations.
The vulnerability allows an attacker with network access to an Erlang/OTP SSH server to execute arbitrary code without prior authentication, according to researchers.
All users running an SSH server based on the Erlang/OTP SSH library are likely affected by CVE-2025-32433.
If the daemon process is running as root, the attacker gains full control of the device, paving the way for unauthorized access.
Any service using Erlang/OTP's SSH library for remote access, such as those in OT/IoT devices, is at risk.
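As an added example (not from the original article or the Erlang/OTP project), a defender-side inventory helper for the "which of our SSH servers are Erlang-based" question: it reads the identification line an SSH server sends before any authentication and flags servers whose banner matches the form the OTP ssh application uses, `SSH-2.0-Erlang/<ssh app version>`. That banner format is taken from the OTP ssh application's behaviour rather than from this page, and the sample hosts, ports and versions below are constructed.

```python
import re
import socket

# The OTP ssh application identifies itself as "SSH-2.0-Erlang/<ssh app version>"
# (assumption about the Erlang ssh implementation, not stated in the article).
ERLANG_BANNER = re.compile(r"^SSH-(?P<proto>[\d.]+)-Erlang/(?P<ver>\S+)")


def parse_banner(line: str):
    """Return protocol and ssh app version if this is an Erlang SSH banner, else None."""
    m = ERLANG_BANNER.match(line.strip())
    if not m:
        return None
    return {"protocol": m.group("proto"), "ssh_app_version": m.group("ver")}


def grab_banner(host: str, port: int = 22, timeout: float = 3.0) -> str:
    """Read the server identification line (RFC 4253 section 4.2) with no authentication.

    Servers may send other text lines before the one starting with "SSH-"; skip those.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        reader = s.makefile("rb")
        for _ in range(20):  # bound the number of pre-banner lines we tolerate
            line = reader.readline(255).decode("ascii", errors="replace").rstrip("\r\n")
            if not line or line.startswith("SSH-"):
                return line
    return ""


def classify(banners):
    """Given {target: banner}, keep only Erlang-based servers and their ssh app version."""
    found = {}
    for target, banner in banners.items():
        info = parse_banner(banner)
        if info:
            found[target] = info
    return found


# Constructed sample banners standing in for a real sweep with grab_banner().
SAMPLE_BANNERS = {
    "10.0.0.5:22": "SSH-2.0-OpenSSH_9.6",
    "10.0.0.7:2222": "SSH-2.0-Erlang/5.2.9",
    "10.0.0.9:22": "SSH-2.0-Erlang/4.15.3.3\r\n",
}

if __name__ == "__main__":
    for target, info in classify(SAMPLE_BANNERS).items():
        print(f"{target}: Erlang ssh app {info['ssh_app_version']} "
              f"(compare against the OTP advisory for CVE-2025-32433)")
```

The version string reported is the OTP ssh application's, so compare it with the fixed versions in the vendor advisory rather than with the OTP release number.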
Read at The Hacker News