Full Report
Proof-of-concept code has been released after researchers disclosed a maximum severity remote code execution vulnerability in Erlang/OTP SSH. Successful exploitation could allow for complete takeover of affected devices.

## Background

On April 16, Fabian Bäumer, Marcus Brinkmann, Marcel Maehren, and Jörg Schwenk of the Ruhr University Bochum in Germany disclosed a critical vulnerability in Erlang/OTP SSH to the OpenWall vulnerability mailing list. Additionally, an official advisory was posted to the GitHub project for Erlang/OTP crediting the researchers for their disclosure.

| CVE | Description | CVSSv3 | VPR |
| --- | --- | --- | --- |
| CVE-2025-32433 | Erlang/OTP SSH Remote Code Execution Vulnerability | 10.0 | 10\* |

\*Please note: Tenable's Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on April 18 and reflects VPR at that time.

## Analysis

CVE-2025-32433 is a remote code execution (RCE) vulnerability affecting the Erlang/OTP SSH server. The vulnerability exists due to a flaw in the SSH protocol message handling which could allow an unauthenticated attacker to execute arbitrary code. According to the advisory, all users running Erlang/OTP SSH servers are impacted, and you should assume impact if your application utilizes the Erlang/OTP SSH library. This vulnerability received the maximum CVSSv3 score of 10.0 and, when the SSH daemon is running as root, allows an attacker to completely compromise an affected device.

At the time this blog was published, no known exploitation had been observed; however, given the ease of exploitation and critical severity, we anticipate attacks will occur soon.

## Proof of concept

On April 17, researchers at Platform Security released a public proof-of-concept (PoC) exploit for CVE-2025-32433. The writeup notes that the PoC was generated with the help of ChatGPT and Cursor, and that it was fairly simple to do so using those AI tools.

The PoC initiates an SSH protocol negotiation as a normal client would. But before authenticating the user, the client sends an unexpected message carrying an arbitrary command. The vulnerable server will process these messages and execute the commands. A patched server will disconnect immediately upon seeing these messages prior to authentication.

An additional PoC has been released, and the Horizon3 Attack Team posted on X (formerly Twitter) that they had developed a PoC but have chosen not to release it as of writing.

> Just finished reproducing CVE-2025-32433 and putting together a quick PoC exploit — surprisingly easy. Wouldn't be shocked if public PoCs start dropping soon. If you're tracking this, now's the time to take action. #Erlang #SSH pic.twitter.com/hBqJMfFHMN
>
> — Horizon3 Attack Team (@Horizon3Attack) April 17, 2025

## Solution

Erlang/OTP has released patches to address this vulnerability.

| Affected Versions | Fixed Versions |
| --- | --- |
| OTP-27.3.2 and below | OTP-27.3.3 |
| OTP-26.2.5.10 and below | OTP-26.2.5.11 |
| OTP-25.3.2.19 and below | OTP-25.3.2.20 |

If immediate patching cannot be performed, restricting access via a firewall or disabling the SSH server are mitigation steps provided by Erlang/OTP. However, we strongly recommend upgrading as soon as possible to fully remediate this vulnerability.

## Identifying affected systems

A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2025-32433 as they're released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

## Get more information

- OpenWall mailing list announcement for CVE-2025-32433
- Advisory for CVE-2025-32433
- Join Tenable's Security Response Team on the Tenable Community.
- Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
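The pre-authentication check the report describes (a patched server disconnects the moment a channel message arrives before authentication, an unpatched one hands it to the channel layer), modelled as an added Python example that is not Tenable's or Erlang/OTP's code. The message numbers are the RFC-assigned ones; `ServerState`, `handle_payload`, `run_session` and the sample payloads are assumed names and constructed input.

```python
from dataclasses import dataclass, field

# Message numbers from RFC 4253 (transport), RFC 4252 (userauth), RFC 4254 (connection).
SSH_MSG_SERVICE_REQUEST, SSH_MSG_KEXINIT, SSH_MSG_NEWKEYS = 5, 20, 21
SSH_MSG_USERAUTH_REQUEST, SSH_MSG_CHANNEL_OPEN, SSH_MSG_CHANNEL_REQUEST = 50, 90, 98

def is_connection_protocol(msg_num: int) -> bool:
    """RFC 4254 reserves 80..127 for connection-protocol messages (global requests,
    channel open/request/data), which are only meaningful after authentication."""
    return 80 <= msg_num <= 127

@dataclass
class ServerState:  # assumed name: a minimal model of per-session server state
    authenticated: bool = False
    strict_pre_auth: bool = True  # False models the unpatched behaviour the post describes
    dispatched: list = field(default_factory=list)  # message numbers passed to the channel layer

def mark_authenticated(state: ServerState) -> None:
    """Called once the server has sent SSH_MSG_USERAUTH_SUCCESS for a valid login."""
    state.authenticated = True

def handle_payload(state: ServerState, payload: bytes) -> str:
    """Classify one decrypted client packet payload; its first byte is the message
    number (RFC 4253 section 6). Returns 'ok', 'disconnect' or 'unsafe-dispatch'."""
    msg = payload[0]
    if is_connection_protocol(msg) and not state.authenticated:
        if state.strict_pre_auth:
            return "disconnect"  # patched behaviour: tear the session down at once
        state.dispatched.append(msg)  # unpatched: the request reaches the channel code
        return "unsafe-dispatch"
    state.dispatched.append(msg)
    return "ok"

def run_session(payloads, strict: bool = True) -> list:
    """Feed payloads in order and stop at the first disconnect."""
    state = ServerState(strict_pre_auth=strict)
    results = []
    for payload in payloads:
        results.append(handle_payload(state, payload))
        if results[-1] == "disconnect":
            break
    return results

# Constructed payloads (bodies abbreviated): handshake, then channel messages before any user authentication.
PRE_AUTH_CHANNEL = [
    bytes([SSH_MSG_KEXINIT]), bytes([SSH_MSG_NEWKEYS]),
    bytes([SSH_MSG_SERVICE_REQUEST]) + b"ssh-userauth",
    bytes([SSH_MSG_CHANNEL_OPEN]) + b"session",
    bytes([SSH_MSG_CHANNEL_REQUEST]) + b"exec",
]
```

Running the constructed sequence with `strict=True` stops at the first channel message, while `strict=False` shows both channel messages reaching the dispatch list, which is the condition the patch removes.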
Analysis Summary
# Vulnerability: Erlang/OTP SSH Unauthenticated Remote Code Execution
## CVE Details
- CVE ID: CVE-2025-32433
- CVSS Score: 10.0 (CVSSv3, the maximum), as stated in the full report above.
- CWE: Not explicitly stated in the provided text.
## Affected Systems
- Products: Erlang/OTP (specifically the SSH implementation)
- Versions: OTP-27.3.2 and below, OTP-26.2.5.10 and below, OTP-25.3.2.19 and below (per the full report above).
- Configurations: Vulnerable when using the SSH component.
## Vulnerability Description
The vulnerability is an Unauthenticated Remote Code Execution flaw residing within the SSH implementation of Erlang/OTP. This type of flaw typically allows an attacker to execute arbitrary code on the target system without needing any credentials.
## Exploitation
- Status: Newly disclosed. Per the full report above, no known exploitation had been observed at publication (April 18), but public PoC exploits were already available.
- Complexity: Unauthenticated RCE is typically **Low** complexity, provided a reliable exploit exists.
- Attack Vector: **Network** (exploited over the SSH service).
## Impact
Assuming successful Unauthenticated Remote Code Execution:
- Confidentiality: **High** (Access to system data)
- Integrity: **High** (Ability to modify or sabotage system files/operations)
- Availability: **High** (Full system takeover or denial of service achievable)
## Remediation
### Patches
The fixed releases, per the full report above, are OTP-27.3.3, OTP-26.2.5.11 and OTP-25.3.2.20. See the official GitHub Advisory for details:
- `https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2`
### Workarounds
Erlang/OTP's own mitigation steps, where immediate patching is not possible, are to restrict access via a firewall or to disable the SSH server. In practice, the first of these means:
- Restricting network access to the SSH port (usually TCP/22) to trusted IP addresses only.
## Detection
- Indicators of Compromise (IOCs): Exploitation would likely involve abnormal process spawning or network behavior originating from the SSH daemon process.
- Detection methods and tools: Searching for signs of remote command execution originating from the Erlang/OTP SSH service in system logs, or using Tenable plugins once fully available for this CVE. View Tenable updates here: `https://www.tenable.com/cve/CVE-2025-32433/plugins`
## References
- Vendor Advisories: [GitHub Advisory for CVE-2025-32433](https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2)
- Additional Information: [Openwall mailing list announcement](https://www.openwall.com/lists/oss-security/2025/04/16/2)