On April 16, 2025, a critical remote code execution (RCE) vulnerability in Erlang’s SSH library was publicly disclosed. Tracked as CVE-2025-32433, this vulnerability received the maximum possible CVSS score of 10.0, signaling how severe and exploitable it is, especially in environments relying on Erlang/OTP for SSH access.

Overview

  • What: RCE via unauthenticated SSH messages in Erlang/OTP.
  • Impact: Full code execution, potentially as root, over the network.
  • Affected: Any system running an Erlang/OTP-based SSH server.
  • Fix: Upgrade to OTP-27.3.3, OTP-26.2.5.11, or OTP-25.3.2.20.
  • Workaround: Restrict SSH access using firewall rules.

What is CVE-2025-32433?

Discovered by researchers at Ruhr University Bochum, the vulnerability is rooted in improper handling of SSH connection protocol messages in Erlang/OTP. Specifically, it allows attackers to send crafted messages before authentication is completed, leading to unauthenticated arbitrary code execution.

If the Erlang SSH daemon is running as root (a common configuration), successful exploitation can grant full system control, making it a prime candidate for ransomware, lateral movement, or data exfiltration.

Technical Overview

According to RFC 4252 (Section 6), SSH message numbers ≥ 80 are reserved for protocols that run after authentication. If a client sends such a message before authentication is complete, the server must disconnect immediately.

In the vulnerable versions of Erlang/OTP, however, the SSH server did not enforce this rule, so crafted messages sent during the unauthenticated phase were still processed, leading to unauthorized code execution.

The patch adds a new clause to the handle_msg function for connections that are not yet authenticated; it logs the unexpected message and disconnects with a protocol error:

handle_msg(Msg, Connection, server, Ssh = #ssh{authenticated = false}) ->
     %% See RFC4252 6.
     %% Message numbers of 80 and higher are reserved for protocols running
     %% after this authentication protocol, so receiving one of them before
     %% authentication is complete is an error, to which the server MUST
     %% respond by disconnecting, preferably with a proper disconnect message
     %% sent to ease troubleshooting.
     MsgFun = fun(M) ->
                      MaxLogItemLen = ?GET_OPT(max_log_item_len, Ssh#ssh.opts),
                      io_lib:format("Connection terminated. Unexpected message for unauthenticated user."
                                    " Message:  ~w", [M],
                                    [{chars_limit, MaxLogItemLen}])
              end,
     ?LOG_DEBUG(MsgFun, [Msg]),
     {disconnect, {?SSH_DISCONNECT_PROTOCOL_ERROR, "Connection refused"}, handle_stop(Connection)};

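To make the rule concrete, here is a small Python model of the RFC 4252 Section 6 gate that the patched handle_msg clause enforces; it is an added example, not code from Erlang/OTP or Upwind. The packet framing follows RFC 4253 (unencrypted, no MAC) so it runs offline, and the sample messages are constructed: number 5 (SSH_MSG_SERVICE_REQUEST, allowed before authentication) and number 90 (a connection-protocol message, allowed only after it).

```python
from __future__ import annotations
import struct

SSH_MSG_DISCONNECT = 1
SSH_DISCONNECT_PROTOCOL_ERROR = 2
FIRST_POST_AUTH_MSG = 80  # RFC 4252 section 6: 80+ is post-authentication only

def build_packet(payload: bytes, block: int = 8) -> bytes:
    """Frame a payload as an RFC 4253 binary packet (no cipher, no MAC)."""
    pad = block - ((5 + len(payload)) % block)
    if pad < 4:                      # RFC 4253 requires at least 4 padding bytes
        pad += block
    body = bytes([pad]) + payload + b"\x00" * pad
    return struct.pack(">I", len(body)) + body

def parse_packet(packet: bytes) -> bytes:
    """Validate RFC 4253 framing and return the payload (message number first)."""
    if len(packet) < 5:
        raise ValueError("short packet")
    (plen,) = struct.unpack(">I", packet[:4])
    pad = packet[4]
    if plen != len(packet) - 4 or pad < 4 or pad > plen - 1:
        raise ValueError("bad packet framing")
    return packet[5:4 + plen - pad]

def ssh_string(s: bytes) -> bytes:
    """Encode an SSH 'string' (uint32 length prefix + bytes)."""
    return struct.pack(">I", len(s)) + s

def handle_msg(payload: bytes, authenticated: bool, gate: bool = True):
    """Server's decision for one inbound message.

    gate=True mirrors the patched handle_msg clause: a message number >= 80
    before authentication returns ("disconnect", SSH_MSG_DISCONNECT payload
    with reason SSH_DISCONNECT_PROTOCOL_ERROR). gate=False models the
    vulnerable behaviour, where every message reaches its handler.
    """
    if not payload:
        raise ValueError("empty payload")
    msg_num = payload[0]
    if gate and not authenticated and msg_num >= FIRST_POST_AUTH_MSG:
        disc = (bytes([SSH_MSG_DISCONNECT])
                + struct.pack(">I", SSH_DISCONNECT_PROTOCOL_ERROR)
                + ssh_string(b"Connection refused")   # text used by the OTP fix
                + ssh_string(b""))                    # empty language tag
        return "disconnect", disc
    return "dispatch", None
```

Running the same pre-authentication message through handle_msg with gate=False shows why the unpatched server was exposed: nothing stops it from being dispatched.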

Impact

This CVE has several factors that make it a significant risk to organizations:

  • No credentials required: Attackers only need network access to the SSH server.
  • Common in critical systems: Erlang is widely used in high-availability environments, including telecom infrastructure (e.g., Cisco, Ericsson) and IoT/OT systems.
  • Silent takeover: Exploitation can happen without any user interaction, leaving minimal traces initially.

Any system using the Erlang/OTP SSH server component is potentially exposed. This includes:

  • Distributed systems built on Erlang.
  • Devices in telecom, IoT, and edge computing.
  • Custom services using Erlang/OTP’s SSH library for remote management.

Suggested Remediation

Apply the Patch

Upgrade your Erlang/OTP installation to one of the following patched versions:

  • OTP-27.3.3
  • OTP-26.2.5.11
  • OTP-25.3.2.20

If you’re using a vendor-supplied Erlang distribution (e.g., part of a Cisco or Ericsson product), monitor for official updates.

Apply Workarounds (If Patch Not Possible)

  • Restrict access to the SSH port (typically TCP/22) to trusted IPs only.
  • Use firewall rules to block access from untrusted networks.
  • Disable Erlang/OTP-based SSH if it’s not essential.

How Upwind Protects You From CVE-2025-32433

Upwind provides powerful tools to address and mitigate the risks associated with Erlang/OTP SSH vulnerabilities.

  1. Find Vulnerable Packages: Upwind identifies and monitors the use of Erlang/OTP in your environment and checks it against the fixed versions OTP-27.3.3, OTP-26.2.5.11 and OTP-25.3.2.20. Using Upwind’s SBOM explorer, you can easily find affected packages and view which resources are using them.
  2. Prioritize Risks: Understand the impact of these vulnerabilities in high-risk environments and prioritize upgrades or mitigations.
  3. Real-Time Detection: Upwind monitors runtime activity to catch exploitation attempts, like unauthenticated SSH traffic or abnormal code execution.
  4. Immediate Customer Support: Upwind proactively contacts affected customers with clear guidance on mitigation.

Learn More

To learn more about how Upwind can help you rapidly locate packages affected by CVE-2025-32433 or identify potential remote code execution attacks, schedule a demo.