Remote Code Execution Vulnerability in Erlang/OTP SSH Server
CVE-2025-32433
What is CVE-2025-32433?
CVE-2025-32433 is a remote code execution vulnerability in the SSH server component of Erlang/OTP, the set of libraries and tools that ship with the Erlang programming language. The flaw lies in how the SSH server handles protocol messages: an attacker who can reach the service can exploit it to execute arbitrary commands on the affected system without valid authentication credentials. Left unaddressed, it could result in unauthorized access and significant operational disruption for organizations that rely on Erlang/OTP for critical applications.
Technical Details
The vulnerability affects Erlang/OTP versions prior to OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. It stems from improper handling of SSH protocol messages, which allows unauthenticated remote code execution (RCE) and therefore exposes affected systems to takeover by malicious actors. Organizations are advised to upgrade to the patched versions; where that is not immediately possible, disabling the SSH server or restricting access to it with firewall rules is the recommended temporary workaround.
Potential impact of CVE-2025-32433
- Unauthorized System Access: Successful exploitation of the vulnerability allows attackers to execute arbitrary commands, which could lead to full system compromise and manipulation of sensitive data.
- Operational Disruption: Gaining unauthorized control over systems can disrupt business operations, leading to potential downtime, loss of productivity, and financial impact.
- Data Breaches: The potential for sensitive information exposure increases, risking data integrity and confidentiality, which could have legal and reputational repercussions for affected organizations.
CISA has reported CVE-2025-32433
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2025-32433 as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change at pace, as recent news articles suggest the vulnerability is being used by ransomware groups.
The CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
- otp >= OTP-27.0-rc1, < OTP-27.3.3 (fixed in OTP-27.3.3)
- otp >= OTP-26.0-rc1, < OTP-26.2.5.11 (fixed in OTP-26.2.5.11)
- otp < OTP-25.3.2.20 (fixed in OTP-25.3.2.20)
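The first question a defender asks is which hosts in an inventory fall inside the ranges above. The following script is an added example, not code from the Erlang/OTP project or from this page; it encodes the three affected ranges exactly as listed here (release candidates sort before the final release of the same number) and classifies version strings such as the output of `erl -noshell -eval 'io:format("~s~n", [erlang:system_info(otp_release)])'` or the contents of an OTP installation's `OTP_VERSION` file. The sample inventory at the bottom is constructed for illustration.

```python
"""Classify Erlang/OTP release strings against the CVE-2025-32433 affected ranges."""
import re

# Affected ranges as listed on this page: lower bound inclusive, upper bound exclusive.
# A lower bound of None means every earlier release is affected.
AFFECTED_RANGES = [
    ("OTP-27.0-rc1", "OTP-27.3.3"),
    ("OTP-26.0-rc1", "OTP-26.2.5.11"),
    (None, "OTP-25.3.2.20"),
]

# Accepts "OTP-27.3.2", "27.3.2" or "OTP-27.0-rc1".
_VERSION_RE = re.compile(r"^(?:OTP-)?(\d+(?:\.\d+)*)(?:-rc(\d+))?$")


def parse_otp_version(text):
    """Turn an OTP release string into a tuple that compares in release order.

    Numeric parts are zero-padded to four components so that "27.3" equals
    "27.3.0.0"; a release candidate sorts below the final release of the
    same number, which is what makes ">= OTP-27.0-rc1" a usable lower bound.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised OTP version string: {text!r}")
    numbers = [int(part) for part in match.group(1).split(".")]
    numbers += [0] * (4 - len(numbers))
    if match.group(2) is None:
        return (tuple(numbers), 1, 0)            # final release
    return (tuple(numbers), 0, int(match.group(2)))  # rcN sorts before final


def is_affected(version):
    """True if the given release falls inside any affected range on this page."""
    key = parse_otp_version(version)
    for low, high in AFFECTED_RANGES:
        if low is not None and key < parse_otp_version(low):
            continue                              # older than this range's start
        if key < parse_otp_version(high):
            return True                           # inside [low, high)
    return False


def triage(versions):
    """Map each inventory entry to 'affected' or 'not affected'."""
    return {v: ("affected" if is_affected(v) else "not affected") for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [
        "OTP-27.3.2", "OTP-27.3.3", "OTP-27.0-rc1",
        "OTP-26.2.5.10", "OTP-26.2.5.11",
        "OTP-25.3.2.19", "OTP-25.3.2.20",
        "OTP-28.0",
    ]
    for version, status in triage(sample).items():
        print(f"{version:16} {status}")
```

Versions equal to a fixed release (OTP-27.3.3, OTP-26.2.5.11, OTP-25.3.2.20) are classified as not affected because the upper bound of each range is exclusive; anything the regular expression does not recognise raises rather than being silently treated as safe.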
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.
News Articles
- CISA Adds Two Known Exploited Vulnerabilities to Catalog | CISA: CISA has added two new vulnerabilities to its KEV Catalog, based on evidence of active exploitation (2 weeks ago)
- CISA Adds Erlang SSH and Roundcube Flaws to Known Exploited Vulnerabilities Catalog: CISA warns of critical Erlang SSH and Roundcube vulnerabilities actively exploited, affecting servers and webmail users worldwide. (2 weeks ago)
- Week in review: MITRE ATT&CK v17.0 released, PoC for Erlang/OTP SSH bug is public - Help Net Security: Here's an overview of some of last week's most interesting news, articles, interviews and videos: Released: MITRE ATT&CK v17.0, now with ESXi attack TTPs
EPSS Score
54% chance of being exploited in the next 30 days.
Timeline
- 🦅 CISA Reported
- 🥇 Vulnerability reached the number 1 worldwide trending spot
- 🟡 Public PoC available
- 💰 Used in Ransomware
- 📈 Vulnerability started trending
- 👾 Exploit known to exist
- 📰 First article discovered by The Hacker News
- Vulnerability published