Erlang/OTP SSH RCE Vulnerability Actively Exploited to Target OT Networks

A severe vulnerability, designated CVE-2025-32433 with a CVSS score of 10.0, has been identified in the Secure Shell (SSH) daemon of the Erlang programming language’s Open Telecom Platform (OTP).

This flaw permits unauthenticated remote code execution (RCE) by allowing attackers to send SSH connection protocol messages with codes greater than or equal to 80 to open SSH ports, which are intended to be processed only after successful authentication.

Affecting Erlang/OTP versions prior to OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, the vulnerability poses a significant risk to critical infrastructure and operational technology (OT) networks where Erlang/OTP is commonly deployed for its fault-tolerant and scalable properties in concurrent systems.

Widely used in telecommunications, financial systems, and 5G environments, the native SSH implementation in OTP facilitates encrypted connections, file transfers, and command execution, making this improper state enforcement a direct pathway for arbitrary ...