A critical remote code execution (RCE) vulnerability in Erlang/OTP's SSH server, tracked as CVE-2025-32433, is actively being exploited in the wild. This flaw, which has been assigned a maximum CVSS score of 10, allows attackers to execute code without authentication by exploiting a flaw in SSH protocol message handling. The vulnerability affects versions prior to OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20.
The vulnerability was publicly disclosed on April 16, 2025, and has since been added to the Known Exploited Vulnerabilities (KEV) catalog as of June 9, 2025. With an Exploit Prediction Scoring System (EPSS) score of 0.540, the likelihood of exploitation is significant, and the vulnerability was exploited within 53 days of its disclosure. The Security Severity Vulnerability Classification (SSVC) has marked this as an 'act' situation, indicating immediate action is necessary.
Proof-of-concept (PoC) exploits have proliferated, with 38 available, and at least one exploit has been confirmed in active use. This widespread availability of PoC code increases the risk of exploitation, as it lowers the barrier for attackers to leverage the vulnerability.
The vulnerability stems from improper handling of SSH protocol messages, which can be manipulated to bypass authentication and execute arbitrary code on the affected system. This makes it a prime target for attackers seeking to gain unauthorized access to systems running vulnerable versions of Erlang/OTP.
Organizations using Erlang/OTP are urged to upgrade to the patched versions immediately to mitigate the risk of exploitation. The urgency is underscored by the vulnerability's critical severity and active exploitation status. Defenders should prioritize patching and review their systems for any signs of compromise, especially if they have been running vulnerable versions of the software.
Given the critical nature of this vulnerability and its active exploitation, it is imperative for organizations to act swiftly. Monitoring for unusual activity and ensuring systems are updated to the latest secure versions are crucial steps in defending against potential attacks leveraging CVE-2025-32433.
CSURFACE