Unauthenticated Remote Code Execution in Erlang/OTP SSH (CVE-2025-32433)
A serious vulnerability (CVE-2025-32433) has been identified in the Erlang/OTP SSH server that may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials.
All users running the Erlang/OTP SSH server are impacted by this vulnerability, regardless of the underlying Erlang/OTP version. If your application provides SSH access using the Erlang/OTP SSH library, assume you are affected.
The vulnerability allows for unauthenticated remote code execution by malicious actors with network access to hosts running an Erlang/OTP SSH server. This could lead to compromise of those hosts, allowing unauthorized access to and manipulation of sensitive data by third parties, or denial-of-service attacks.
Users are advised to update to OTP-27.3.3 (for OTP-27), OTP-26.2.5.11 (for OTP-26), or OTP-25.3.2.20 (for OTP-25) to mitigate this issue.
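As a triage aid for checking a fleet against the fixed releases named above, the following Python is an added example (not code from the original post or from the Erlang/OTP project); the accepted version-string formats, the OTP_VERSION file as the source of the string, and the handling of branches the advisory does not list are assumptions.

```python
"""Triage an Erlang/OTP version string against the fixed releases named in the
advisory for CVE-2025-32433. Added example, not part of the original post.
The fixed versions are those stated in the advisory; the input formats accepted
and the treatment of branches the advisory does not list are assumptions."""
import re
from typing import Optional, Tuple

# Fixed releases as stated in the advisory, keyed by major OTP branch.
FIXED = {25: (25, 3, 2, 20), 26: (26, 2, 5, 11), 27: (27, 3, 3)}


def parse_otp_version(text: str) -> Tuple[int, ...]:
    """Parse 'OTP-26.2.5.11', '26.2.5.11' or 'OTP 27.3' into a tuple of ints.
    The string is assumed to come from the OTP_VERSION file under
    releases/<major>/ in an Erlang install, or from an inventory export."""
    m = re.search(r"(?:OTP[- ]?)?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised OTP version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_at_least(version: Tuple[int, ...], fixed: Tuple[int, ...]) -> bool:
    """Component-wise compare, padding the shorter tuple so 27.3 < 27.3.3."""
    n = max(len(version), len(fixed))
    v = version + (0,) * (n - len(version))
    f = fixed + (0,) * (n - len(fixed))
    return v >= f


def assess(text: str) -> dict:
    """Return {'version', 'status', 'fixed_in'} for one version string.
    status: 'patched'    at or above the advisory's fix for that branch
            'vulnerable' below the fix, or an older branch with no listed fix
                         (the advisory says every version is affected)
            'unlisted'   newer branch the advisory does not cover; consult the
                         release notes (assumption: not stated on the page)"""
    version = parse_otp_version(text)
    major = version[0]
    fixed: Optional[Tuple[int, ...]] = FIXED.get(major)
    if fixed is None:
        status = "vulnerable" if major < min(FIXED) else "unlisted"
        return {"version": version, "status": status, "fixed_in": None}
    status = "patched" if is_at_least(version, fixed) else "vulnerable"
    return {"version": version, "status": status, "fixed_in": fixed}


if __name__ == "__main__":
    # Constructed sample inputs, as if read from OTP_VERSION files on several hosts.
    for sample in ["OTP-27.3.2", "27.3.3", "OTP-26.2.5.11", "26.2.5.10", "OTP-24.3.4"]:
        print(f"{sample:>14}: {assess(sample)['status']}")
```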

Blogger at www.systemtek.co.uk