CVE-2025-32433
📋 TL;DR
This CVE describes a critical vulnerability in Erlang/OTP's SSH server that allows unauthenticated remote code execution. Attackers can exploit a flaw in SSH protocol message handling to execute arbitrary commands without valid credentials. Systems running vulnerable Erlang/OTP versions with SSH server enabled are affected.
💻 Affected Systems
- Erlang/OTP
📦 What is this software?
- Cloud Native Broadband Network Gateway by Cisco
- Enterprise NFV Infrastructure Software by Cisco
- NCS 2000 Shelf Virtualization Orchestrator Firmware by Cisco
- StarOS by Cisco
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining root privileges, data exfiltration, ransomware deployment, and persistent backdoor installation.
Likely Case
Unauthorized access leading to data theft, lateral movement within the network, and deployment of malware or cryptominers.
If Mitigated
Limited impact with proper network segmentation, but still potential for initial foothold in isolated segments.
🎯 Exploit Status
The vulnerability requires no authentication and appears to be in protocol handling, making exploitation relatively straightforward for skilled attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: OTP-27.3.3, OTP-26.2.5.11, or OTP-25.3.2.20
Vendor Advisory: https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2
Restart Required: Yes
Instructions:
1. Identify the Erlang/OTP version using 'erl -version'.
2. Download the appropriate patched version from erlang.org.
3. Install it following the platform-specific instructions.
4. Restart all Erlang applications and SSH services.
🔧 Temporary Workarounds
Disable SSH Server
(All platforms) Completely disable SSH server functionality in Erlang/OTP applications
Modify application configuration to disable SSH daemon startup
Network Firewall Block
(Linux) Block access to the SSH port at the network perimeter; the commands below assume the Erlang SSH daemon listens on port 22, so adjust the port if the application configures a different one
iptables -A INPUT -p tcp --dport 22 -j DROP
ufw deny 22
🧯 If You Can't Patch
- Implement strict network segmentation to isolate vulnerable systems
- Deploy intrusion detection systems to monitor for exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Run 'erl -version' and check if version is below OTP-27.3.3, OTP-26.2.5.11, or OTP-25.3.2.20
Check Version:
erl -version
Verify Fix Applied:
Confirm version is OTP-27.3.3, OTP-26.2.5.11, or OTP-25.3.2.20 or higher using 'erl -version'
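As an added example that is not part of the advisory, a small POSIX shell helper that classifies an OTP release string against the three fixed versions above, so the check can be run over version strings collected from a fleet; the function names and sample strings are constructed here. It assumes you feed it the full release string (the OTP_VERSION file under the install's releases/<major>/ directory holds it).

```shell
#!/bin/sh
# Added example, not part of the advisory: classify an Erlang/OTP release
# string against the fixed versions for CVE-2025-32433
# (OTP-27.3.3, OTP-26.2.5.11, OTP-25.3.2.20). Input is the full release
# string, e.g. the contents of releases/<major>/OTP_VERSION in the install.

# vercmp A B: print -1, 0 or 1 comparing two dotted numeric versions.
# Missing trailing components count as 0, so 27.3 sorts below 27.3.3.
vercmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; y="${b%%.*}"
    if [ "$a" = "$x" ]; then a=""; else a="${a#*.}"; fi
    if [ "$b" = "$y" ]; then b=""; else b="${b#*.}"; fi
    x="${x:-0}"; y="${y:-0}"
    if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
    if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
  done
  printf '%s\n' 0
}

# otp_status VERSION: print "vulnerable", "patched" or "unknown".
# "unknown" means the major release is not one of the three branches the
# advisory lists fixes for, so this check cannot decide on its own.
otp_status() {
  v="${1#OTP-}"                 # accept both "OTP-27.3.2" and "27.3.2"
  case "${v%%.*}" in
    27) fixed=27.3.3 ;;
    26) fixed=26.2.5.11 ;;
    25) fixed=25.3.2.20 ;;
    *)  printf '%s\n' unknown; return ;;
  esac
  if [ "$(vercmp "$v" "$fixed")" -lt 0 ]; then
    printf '%s\n' vulnerable
  else
    printf '%s\n' patched
  fi
}

# Usage: otp_check.sh 27.3.2 26.2.5.11 ...  (one release string per host)
for v in "$@"; do
  printf '%s\t%s\n' "$v" "$(otp_status "$v")"
done
```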
📡 Detection & Monitoring
Log Indicators:
- Unusual SSH connection attempts from unexpected sources
- Failed authentication attempts followed by successful connections
- Erlang/OTP crash logs related to SSH handling
Network Indicators:
- SSH traffic to Erlang applications from suspicious IPs
- Unusual outbound connections from Erlang hosts post-SSH connection
SIEM Query:
source="ssh_logs" AND (event="authentication failure" OR event="connection established") AND dest_port=22 AND application="erlang"
🔗 References
- https://github.com/erlang/otp/commit/0fcd9c56524b28615e8ece65fc0c3f66ef6e4c12
- https://github.com/erlang/otp/commit/6eef04130afc8b0ccb63c9a0d8650209cf54892f
- https://github.com/erlang/otp/commit/b1924d37fd83c070055beb115d5d6a6a9490b891
- https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2
- http://www.openwall.com/lists/oss-security/2025/04/16/2
- http://www.openwall.com/lists/oss-security/2025/04/18/1
- http://www.openwall.com/lists/oss-security/2025/04/18/2
- http://www.openwall.com/lists/oss-security/2025/04/18/6
- http://www.openwall.com/lists/oss-security/2025/04/19/1
- https://lists.debian.org/debian-lts-announce/2025/04/msg00028.html
- https://security.netapp.com/advisory/ntap-20250425-0001/
- https://github.com/ProDefense/CVE-2025-32433/blob/main/CVE-2025-32433.py
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-erlang-otp-ssh-xyZZy
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32433