Public Exploits Released for Critical Erlang/OTP SSH Flaw, Patch Now

A critical vulnerability has been discovered in the SSH server that ships with Erlang/OTP (the `ssh` application), allowing unauthenticated attackers to remotely execute code on devices running the daemon. The vulnerability, tracked as CVE-2025-32433, has now been publicly disclosed, with multiple researchers creating exploits that achieve remote code execution on vulnerable systems.

The issue is caused by a flaw in the server's SSH message handling: it processes connection protocol messages, such as channel open and channel requests carrying a command to run, before the client has authenticated, according to a disclosure on the oss-security mailing list hosted by Openwall. The flaw was fixed in OTP-27.3.3, OTP-26.2.5.11 and OTP-25.3.2.20, but given the widespread use of Erlang/OTP SSH in telecom infrastructure, databases, and high-availability systems, it may be challenging for device administrators to update devices immediately.

However, the situation has become more urgent as multiple cybersecurity researchers have privately created exploits that can achieve remote code execution on vulnerable devices. This includes Peter Girnus of the Zero Day Initiative and researchers from Horizon3, who said the flaw was surprisingly easy to exploit.

The Flaw: A Critical Security Vulnerability

The Erlang/OTP SSH vulnerability needs no credentials and no prior foothold: anyone who can reach the listening port can exploit it. The server accepts connection protocol messages before authentication has completed, so an attacker can open a channel and send an exec request, and whatever is requested runs with the privileges of the Erlang VM process, which on embedded and network appliances is frequently root. That gives the attacker control of the device.
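To make the bug class concrete, the following Python is an added illustration, not Erlang/OTP code and not one of the published exploits. It implements the RFC 4253 binary packet framing a client can send in plaintext before key exchange finishes, builds an RFC 4254 `exec` channel request, and runs it through a toy server dispatcher in two modes: one that acts on connection protocol messages regardless of authentication state (the pre-fix behaviour) and one that gates the whole 80-127 message range on a completed userauth (the fix). The `Dispatcher` class, its `authenticate()` method and the return strings are assumptions made for the example; the message numbers are the RFC 4250 values.

```python
"""Added example: SSH packet framing and a server-side message dispatcher,
shown in a vulnerable and a hardened form. Not Erlang/OTP's implementation."""
import struct

# Message numbers from RFC 4250 section 4.1.2. Connection protocol messages
# (channel open, channel request, ...) occupy the range 80-127.
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_REQUEST = 98
SSH_DISCONNECT_PROTOCOL_ERROR = 2   # RFC 4253 section 11.1 reason code


def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def read_string(buf: bytes, off: int):
    """Parse an RFC 4251 string at offset `off`; return (value, next_offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def build_packet(payload: bytes, block: int = 8) -> bytes:
    """RFC 4253 section 6 binary packet, unencrypted and without a MAC, which
    is exactly the form a client can send before NEWKEYS has been exchanged.
    Total length must be a multiple of the block size with at least 4 bytes
    of padding."""
    pad = block - ((5 + len(payload)) % block)
    if pad < 4:
        pad += block
    body = bytes([pad]) + payload + b"\x00" * pad
    return struct.pack(">I", len(body)) + body


def parse_packet(data: bytes):
    """Return (payload, remaining_bytes) for the first framed packet in data."""
    (plen,) = struct.unpack_from(">I", data, 0)
    pad = data[4]
    return data[5:4 + plen - pad], data[4 + plen:]


def channel_request_exec(channel: int, command: bytes) -> bytes:
    """SSH_MSG_CHANNEL_REQUEST of type 'exec' (RFC 4254 section 6.5)."""
    return (bytes([SSH_MSG_CHANNEL_REQUEST]) + struct.pack(">I", channel)
            + ssh_string(b"exec") + b"\x01" + ssh_string(command))


class Dispatcher:
    """Toy server-side dispatcher (an assumption of this example).
    enforce_auth=False models the vulnerable behaviour, enforce_auth=True
    the fix: connection protocol messages are refused until userauth is done."""

    def __init__(self, enforce_auth: bool):
        self.enforce_auth = enforce_auth
        self.authenticated = False
        self.executed = []          # commands the 'server' would have run

    def authenticate(self):
        """Stand-in for a completed SSH userauth exchange."""
        self.authenticated = True

    def handle(self, payload: bytes) -> str:
        msg_type = payload[0]
        # The check the vulnerable server lacked: no connection protocol
        # message may be acted on before authentication has succeeded.
        if self.enforce_auth and 80 <= msg_type <= 127 and not self.authenticated:
            return f"disconnect({SSH_DISCONNECT_PROTOCOL_ERROR})"
        if msg_type == SSH_MSG_CHANNEL_OPEN:
            return "channel-open"
        if msg_type == SSH_MSG_CHANNEL_REQUEST:
            off = 5                            # skip type byte + recipient channel
            req_type, off = read_string(payload, off)
            off += 1                           # want_reply boolean
            if req_type == b"exec":
                command, _ = read_string(payload, off)
                self.executed.append(command)  # vulnerable path: runs pre-auth
                return "exec"
            return "channel-request"
        return "ignored"


def send_exec(server: Dispatcher, command: bytes) -> str:
    """Frame an exec request as the wire would carry it, unframe it on the
    server side and return the server's reaction."""
    payload, rest = parse_packet(build_packet(channel_request_exec(0, command)))
    assert rest == b""
    return server.handle(payload)


if __name__ == "__main__":
    vulnerable, hardened = Dispatcher(enforce_auth=False), Dispatcher(enforce_auth=True)
    print("pre-fix :", send_exec(vulnerable, b"id"), vulnerable.executed)
    print("fixed   :", send_exec(hardened, b"id"), hardened.executed)
```

The point of the two runs is the ordering, not the payload: in the hardened dispatcher the same bytes produce a protocol-error disconnect until `authenticate()` has been called, after which the identical exec request is honoured.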

Public Exploits Available

Public exploits for the Erlang/OTP SSH vulnerability are now available, making it easier for threat actors to scan for vulnerable systems and exploit them. The exploits were published on GitHub by ProDefense and anonymously on Pastebin, with both quickly being shared on social media.

Expert Warning: Act Now

"SSH is the most commonly used remote access management protocol, so I expect this combination to be widespread in critical infrastructure," said Peter Girnus of the Zero Day Initiative. "It's a bit concerning especially considering how frequently telcos are targeted by nation-state APTs such as Volt and Salt Typhoon for example."

Impact: Over 600,000 Exposed Erlang/OTP Hosts

A Shodan query shared by Girnus indicates that over 600,000 IP addresses are running Erlang/OTP, mostly CouchDB instances. Not every one of those hosts is exploitable: the vulnerable component is the Erlang `ssh` application, and a node is only exposed if it actually starts that SSH daemon and the port is reachable, which CouchDB does not do by itself. The number is still a useful upper bound on the installed base, and the telecom and network-equipment deployments that do expose the Erlang SSH server are exactly the ones where the impact is highest.

Advice: Upgrade Immediately

"Now that public exploits are available, it is strongly advised that all devices running Erlang OTP SSH be upgraded immediately before threat actors compromise them," emphasizes Girnus. The sooner these updates are applied, the better systems are protected against exploitation and unauthorized access. Where an upgrade cannot be scheduled right away, the Erlang/OTP advisory's interim advice applies: stop the Erlang SSH daemon if it is not needed, or restrict access to its port with firewall rules so that only trusted management hosts can reach it.
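The first thing an administrator needs is a reliable answer to "is this node on a fixed release?". The helper below is an added example, not a tool from the advisory or the article; it encodes the fix versions the Erlang/OTP advisory lists (OTP-27.3.3, OTP-26.2.5.11, OTP-25.3.2.20), compares a release string against the right branch, and can read the installed version from the node's own `OTP_VERSION` file. The assumption that any major newer than 27 was cut after the fix, and the function names, are this example's own.

```python
"""Added example: decide whether an Erlang/OTP release is at or past the
CVE-2025-32433 fix on its branch. Fix versions from the Erlang/OTP advisory."""
import os
import subprocess

# First fixed release on each supported branch (Erlang/OTP advisory).
FIXED = {
    25: (25, 3, 2, 20),
    26: (26, 2, 5, 11),
    27: (27, 3, 3),
}


def parse_otp_version(text: str) -> tuple:
    """'OTP-26.2.5.11' or '26.2.5.11' -> (26, 2, 5, 11)."""
    text = text.strip()
    if text.startswith("OTP-"):
        text = text[4:]
    return tuple(int(part) for part in text.split("."))


def is_patched(version: str) -> bool:
    """True if `version` includes the CVE-2025-32433 fix.

    Branches older than 25 never received a fix. Majors newer than the
    newest fixed branch are assumed (example's own assumption) to have been
    released after the fix and so to contain it.
    """
    v = parse_otp_version(version)
    major = v[0]
    if major < min(FIXED):
        return False
    if major > max(FIXED):
        return True
    # Tuple comparison handles the short form '27.3.3' as well as
    # patch releases such as '27.3.3.1'.
    return v >= FIXED[major]


def local_otp_version() -> str:
    """Read the full OTP version of the `erl` on PATH.

    erlang:system_info(otp_release) only yields the major ('27'); the full
    version lives in <root>/releases/<major>/OTP_VERSION, as documented in
    the OTP system principles.
    """
    def erl_eval(expr: str) -> str:
        out = subprocess.run(
            ["erl", "-noshell", "-eval", f'io:format("~s", [{expr}]), halt().'],
            capture_output=True, text=True, check=True)
        return out.stdout.strip()

    root = erl_eval("code:root_dir()")
    major = erl_eval("erlang:system_info(otp_release)")
    with open(os.path.join(root, "releases", major, "OTP_VERSION")) as fh:
        return fh.read().strip()


if __name__ == "__main__":
    ver = local_otp_version()
    state = "patched" if is_patched(ver) else "VULNERABLE to CVE-2025-32433"
    print(f"Erlang/OTP {ver}: {state}")
```

Run it on the host as the same user that starts the Erlang node, so that `erl` on `PATH` is the runtime the daemon actually uses; a patched system-wide OTP does nothing for an application that bundles its own release.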

Conclusion: Act Swiftly to Protect Against Exploitation

The public disclosure of this critical vulnerability highlights the importance of vigilance in maintaining system security. Threat actors will soon begin scanning for vulnerable systems and exploiting them, making it crucial to act swiftly. All devices running the Erlang/OTP SSH daemon must be upgraded immediately, or have the daemon disabled or firewalled until they can be, to prevent unauthorized access and potential data breaches.