Full Report
A critical security vulnerability has been disclosed in the Erlang/Open Telecom Platform (OTP) SSH implementation that could permit an attacker to execute arbitrary code without any authentication under certain conditions. The vulnerability, tracked as CVE-2025-32433, has been given the maximum CVSS score of 10.0. "The vulnerability allows an attacker with network access to an Erlang/OTP SSH
Analysis Summary
# Vulnerability: Critical Unauthenticated Remote Code Execution in Erlang/OTP SSH Implementation
## CVE Details
- CVE ID: CVE-2025-32433
- CVSS Score: 10.0 (Critical)
- CWE: Not explicitly stated in the advisory; the flaw relates to improper handling of protocol messages (input/message handling).
## Affected Systems
- Products: Erlang/OTP SSH implementation
- Versions: All releases prior to the fixed versions listed under Remediation. Any SSH server built on the Erlang/OTP SSH library is potentially affected.
- Configurations: Systems running an SSH server using the vulnerable library. Highly critical if the daemon runs as root.
## Vulnerability Description
The vulnerability resides in the way the Erlang/OTP SSH implementation handles incoming SSH protocol messages. Specifically, it involves improper handling of connection protocol messages sent **prior to user authentication**. This flaw allows a network-accessible attacker to send malicious messages that bypass standard authentication policies and trigger arbitrary code execution within the context of the running SSH daemon process.
## Exploitation
- Status: Exploitation in the wild is not explicitly reported, but the severity implies strong attacker motivation.
- Complexity: Low (Implied by unauthenticated network access achieving RCE).
- Attack Vector: Network
## Impact
- Confidentiality: High (If exploited, can lead to unauthorized access and manipulation of sensitive data, especially if the daemon runs as root).
- Integrity: High (Can result in the installation of ransomware or modification of system files).
- Availability: High (Potential for Denial-of-Service (DoS) depending on the executed code).
## Remediation
### Patches
Erlang/OTP has released fixes in the following versions:
- OTP-27.3.3
- OTP-26.2.5.11
- OTP-25.3.2.20
### Workarounds
Organizations unable to upgrade immediately should apply the following temporary mitigation:
1. **Restrict SSH Port Access:** Use firewall rules to limit access to vulnerable SSH servers to only known, authorized users/IP addresses.
## Detection
- **Indicators of Compromise (IoCs):** Look for SSH connections or sessions that interact with the server at the protocol level without ever completing a successful authentication handshake, and for unexpected process execution originating from the SSH daemon.
- **Detection Methods and Tools:** Monitor network traffic to SSH ports for anomalous protocol messages sent early in the session, before authentication completes. Review logs for signs of remote code execution originating from the `sshd` process context.
## References
- Vendor Advisories: [erlang/otp security advisory (GHSA-37cp-fgq5-7wc2)](https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2)
- Relevant Links: [Erlang/OTP Release Page for Patches](https://github.com/erlang/otp/releases/tag/OTP-27.3.3)