CVE-2025-32433

critical-risk

Published 2025-04-16

Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials. This issue is patched in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. A temporary workaround involves disabling the SSH server or to prevent access via firewall rules.

Do I need to act?

53.6% chance of exploitation in next 30 days

EPSS score — higher than 46% of all CVEs

CISA KEV: actively exploited in the wild

On the Known Exploited Vulnerabilities catalog — federal agencies must patch

Fix available

Upgrade to: 10e20b1dbe39b056fab430e50b08cb4f3696ae87, 9f6c4eb54823324d1e6f8cb95c15feb09f09044e, ae0052c7f891ce805e2b53493a5304e2ee008aeb

CVSS 10.0/10 Critical

NETWORK / LOW complexity

Affected Products (20)

Erlang\/Otp

Confd Basic

Network Services Orchestrator

Cloud Native Broadband Network Gateway

Inode Manager

Smart Phy

Ultra Packet Core

Ultra Services Platform

Staros

Optical Site Manager

Ncs 2000 Shelf Virtualization Orchestrator Firmware

Enterprise Nfv Infrastructure Software

Ultra Cloud Core

Rv160W Firmware

Rv260 Firmware

Rv160 Firmware

Rv260P Firmware

Rv260W Firmware

Rv340 Firmware

Rv340W Firmware

Affected Vendors

Cisco Debian Erlang

References (14)

Patch https://github.com/erlang/otp/commit/0fcd9c56524b28615e8ece65fc0c3f66ef6e4c12

Patch https://github.com/erlang/otp/commit/6eef04130afc8b0ccb63c9a0d8650209cf54892f

Patch https://github.com/erlang/otp/commit/b1924d37fd83c070055beb115d5d6a6a9490b891

Vendor Advisory https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2

Mailing List http://www.openwall.com/lists/oss-security/2025/04/16/2

Mailing List http://www.openwall.com/lists/oss-security/2025/04/18/1

Mailing List http://www.openwall.com/lists/oss-security/2025/04/18/2

Mailing List http://www.openwall.com/lists/oss-security/2025/04/18/6

Mailing List http://www.openwall.com/lists/oss-security/2025/04/19/1

Third Party Advisory https://lists.debian.org/debian-lts-announce/2025/04/msg00028.html

Third Party Advisory https://security.netapp.com/advisory/ntap-20250425-0001/

Exploit https://github.com/ProDefense/CVE-2025-32433/blob/main/CVE-2025-32433.py

Third Party Advisory https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/ci...

US Government Resource https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-...

/ 100

critical-risk

Severity 33/34 · Critical

Exploitability 25/34 · High

Exposure 21/34 · High