Advisory

Critical unauthenticated remote code execution flaw reported in Erlang/OTP SSH

Take action: If you are running an Erlang-based SSH service, it is time to update ASAP. You can isolate the SSH server to mitigate the impact, but that is not a long-term solution. With a public PoC and a scanner for vulnerable instances available, hackers will start checking very quickly. So start patching NOW!


Learn More

A critical security vulnerability has been discovered in the Erlang/OTP SSH implementation. 

The vulnerability is tracked as CVE-2025-32433 (CVSS score 10.0) and allows attackers with network access to execute arbitrary code on Erlang/OTP SSH servers without authentication.

The flaw was identified by a research team from Ruhr University Bochum in Germany. According to their disclosure, the vulnerability stems from improper handling of SSH protocol messages, specifically allowing connection protocol messages to be sent prior to authentication.

The vulnerability enables attackers to execute arbitrary code with the same privileges as the SSH daemon itself. Since many SSH daemons run with root privileges, this could lead to complete system compromise. The security implications are severe, potentially allowing:

  • Unauthorized access to sensitive data
  • Full system compromise
  • Data manipulation
  • Denial-of-service attacks

Horizon3's Attack Team has reported successfully reproducing the vulnerability, describing it as "surprisingly easy" to exploit. They demonstrated a proof-of-concept that writes files as root on affected systems, indicating that public exploits may soon emerge.

All users running SSH servers based on the Erlang/OTP SSH library are likely affected by this vulnerability. Erlang is a programming language commonly used in telecom infrastructure and high-availability systems due to its fault-tolerance and concurrency capabilities. Erlang/OTP provides additional libraries, design principles, and tools, including the vulnerable SSH application used for remote access.

Users are advised to update to the latest available Erlang/OTP releases immediately. The fixed versions include:

  • OTP-27.3.3
  • OTP-26.2.5.11
  • OTP-25.3.2.20
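The fixed releases above are per major line, and the patch components can have more digits than the ones in front (26.2.5.9 is older than 26.2.5.11, which a plain string sort gets wrong). The following is an added triage helper, not code from the advisory or from the Erlang/OTP project, that compares a version string component-wise against the fixed release for its line; the host names in the sample inventory are constructed, and major lines the advisory does not list are reported as "unknown" rather than assumed safe.

```python
"""Triage helper for CVE-2025-32433: is an Erlang/OTP version at or above
the first fixed release on its major line?

Fixed versions from the advisory: OTP-27.3.3, OTP-26.2.5.11, OTP-25.3.2.20.
The full version string is normally found in the OTP_VERSION file of the
installed release; erlang:system_info(otp_release) only gives the major.
"""
from typing import Tuple

# First fixed patch release on each major line listed in the advisory.
FIXED_BY_MAJOR = {
    27: (27, 3, 3),
    26: (26, 2, 5, 11),
    25: (25, 3, 2, 20),
}


def parse_otp_version(text: str) -> Tuple[int, ...]:
    """Turn 'OTP-26.2.5.9', '26.2.5.9' or '  26.2.5.9\n' into (26, 2, 5, 9)."""
    text = text.strip()
    if text.upper().startswith("OTP-"):
        text = text[4:]
    return tuple(int(part) for part in text.split("."))


def classify(version: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown' for one version string.

    'unknown' means the advisory lists no fixed release for that major line;
    treat such hosts as needing a manual check, not as safe.
    """
    parsed = parse_otp_version(version)
    fixed = FIXED_BY_MAJOR.get(parsed[0])
    if fixed is None:
        return "unknown"
    # Tuple comparison is component-wise and handles unequal lengths:
    # (26, 2, 5, 9) < (26, 2, 5, 11) and (27, 3, 3) < (27, 3, 3, 1).
    return "fixed" if parsed >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory of host -> reported OTP version.
    sample = {
        "mqtt-broker-1": "OTP-26.2.5.9",
        "couchdb-2": "27.3.3",
        "legacy-gw": "24.3.4.17",
        "rabbit-3": "OTP-25.3.2.20",
    }
    for host, ver in sample.items():
        print(f"{host:15} {ver:14} {classify(ver)}")
```

Remember that a "fixed" result only says the library is patched; a host whose SSH application is not running was never exposed, and one running an older line still needs the vendor's guidance.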

For systems that cannot be easily updated, such as industrial or mission-critical devices, administrators should implement alternative mitigation strategies:

  1. Restrict SSH access to trusted IP addresses using firewall rules
  2. Disable the SSH daemon if remote access is not required

Update: as of 22 April 2025, the exploit PoC is publicly available. There is also a tool that scans for vulnerable SSH instances.

As of 24 April 2025, multiple vendors have reported on which of their products and versions are affected:

  • Ericsson:
    • Uses Erlang/OTP SSH in products designed for fault-tolerant, distributed applications
    • Affected products include switches like AXD301
    • Ericsson has not yet provided an overview of affected products or remediation guidance
  • Cisco:
    • Has published a security alert which they plan to update continuously
    • Confirmed vulnerable products include:
      • ConfD and ConfD Basic: the vulnerable code is present, but configuration safeguards prevent RCE
      • Network Services Orchestrator (fixed software promised for May 2025)
      • Smart PHY
      • Intelligent Node Manager
      • Ultra Cloud Core (Subscriber Microservices Infrastructure)
      • Wide Area Application Services (WAAS): Acceleration and optimization infrastructure (Under Investigation)
      • Catalyst Center (formerly DNA Center): Enterprise network management hub (Under Investigation)
    • Confirmed unaffected products include:
      • IOS
      • IOS XE
      • IOS XR
      • SD-WAN
      • ISE
  • Other affected or potentially affected vendors:
    • EMQ Technologies (confirmed vulnerable)
    • National Instruments (optional installation)
    • Broadcom (especially RabbitMQ, optional installation)
    • Very Technology (optional installation)
    • Apache (CouchDB, optional installation)
    • Riak Technologies (optional installation)