
Multiple Cisco Products Unauthenticated Remote Code Execution in Erlang/OTP SSH Server (CVE-2025-32433)

CVE number – CVE-2025-32433

On April 16th 2025, a critical vulnerability in the Erlang/OTP SSH server was disclosed. This vulnerability could allow an unauthenticated, remote attacker to perform remote code execution (RCE) on an affected device.

The vulnerability is due to a flaw in the handling of SSH messages during the authentication phase.

For a description of this vulnerability, see the Erlang announcement.

Cisco is investigating its product lines that include Erlang/OTP to determine which products may be affected by this vulnerability. As the investigation progresses, Cisco will update its official advisory with information about affected products.

The Cisco PSIRT is aware that proof-of-concept exploit code is available for the vulnerability described in this advisory.

Please visit the following URL for a full list of affected Cisco products – https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-erlang-otp-ssh-xyZZy

Luke Simmonds

Blogger at www.systemtek.co.uk
