Devices exposed to remote hacking via Erlang/OTP SSH vulnerability

The Erlang/Open Telecom Platform (OTP) SSH implementation has a critical security vulnerability. Tracked as CVE-2025-32433, it could, under certain conditions, allow a malicious actor to execute arbitrary code without authenticating, and is classified as a remote code execution (RCE) vulnerability.
Thomas Richards, Infrastructure Security Practice Director at Black Duck, explains, “Remote code execution (RCE) vulnerabilities require immediate attention from corporate security teams. Not only should every system that uses this software be patched, but forensics should also be conducted on the systems to determine if they were compromised to further manage software risk.” Richards elaborates on the risk, stating, “The issue stems from improper handling of SSH protocol messages that essentially permit an attacker to send connection protocol messages prior to authentication. Successful exploitation of the inadequacies could result in arbitrary code execution in the context of the SSH daemon. Further intensifying the risk, if the daemon process is running as root, it enables the attacker to have full control of the device, in turn, paving the way for unauthorized access to and manipulation of sensitive data or denial-of-service (DoS).”
The vulnerability has been given a maximum CVSS score of 10.0.
Mayuresh Dani, Security Research Manager at Qualys Threat Research Unit, states, “CVE-2025-32433 in Erlang/OTP’s SSH implementation is extremely critical, warranting a CVSSv3 score of 10.0. Due to improper handling of pre-authentication SSH protocol messages, a remote threat actor can bypass security checks to execute code on a system. If the SSH daemon runs with root privileges — which is common in many deployments — the threat actor will gain complete control over the exploited host. This can allow the threat actor to perform actions such as installing ransomware or siphoning off sensitive data.
“Erlang is frequently found installed on high-availability systems due to its robust and concurrent processing support. A majority of Cisco and Ericsson devices run Erlang. Any service using Erlang/OTP’s SSH library for remote access, such as those used in OT/IoT devices and edge computing devices, is susceptible to exploitation. Upgrading to the fixed Erlang/OTP or vendor-supported versions will remediate the vulnerability. Should organizations need more time to install upgrades, they should restrict SSH port access to authorized users alone.”
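As an added example (not from the article and not Erlang/OTP's own SSH code), the following Python model shows the check that the quoted description implies a server must enforce: connection-protocol messages (RFC 4250 numbers 80 to 127, which carry channel opens and requests) are refused until authentication has succeeded. The session class, the transcript format and the sample transcripts are this example's own constructions.

```python
# Added illustration, not Erlang/OTP code: a minimal model of the
# pre-authentication gate an SSH server has to enforce. Message numbers
# follow RFC 4250; the session/transcript structure is this example's own.

# SSH message numbers (RFC 4250, section 4.1.2).
SSH_MSG_IGNORE = 2
SSH_MSG_SERVICE_REQUEST = 5
SSH_MSG_KEXINIT = 20
SSH_MSG_NEWKEYS = 21
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_SUCCESS = 52
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_REQUEST = 98

# Number ranges reserved per protocol layer (RFC 4250, section 4.1.2).
TRANSPORT_RANGE = range(1, 50)     # transport layer messages
USERAUTH_RANGE = range(50, 80)     # user authentication messages
CONNECTION_RANGE = range(80, 128)  # connection protocol (channels, requests)


class SshSession:
    """Tracks whether the peer has authenticated and gates messages on it."""

    def __init__(self):
        self.authenticated = False
        self.disconnected = False

    def accept(self, msg_type):
        """True if a client message of this type may be processed now.

        A connection-protocol message before SSH_MSG_USERAUTH_SUCCESS is a
        protocol violation: the session is torn down (a real server would
        send SSH_MSG_DISCONNECT) and nothing further is processed.
        """
        if self.disconnected:
            return False
        if msg_type in CONNECTION_RANGE and not self.authenticated:
            self.disconnected = True
            return False
        if msg_type in TRANSPORT_RANGE or msg_type in USERAUTH_RANGE:
            return True
        return self.authenticated


def first_violation(transcript):
    """Index of the first client message the gate rejects, or None.

    transcript: sequence of (direction, msg_type) with direction "C" or "S".
    Server-sent SSH_MSG_USERAUTH_SUCCESS flips the session to authenticated."""
    session = SshSession()
    for i, (who, msg_type) in enumerate(transcript):
        if who == "S":
            if msg_type == SSH_MSG_USERAUTH_SUCCESS:
                session.authenticated = True
            continue
        if not session.accept(msg_type):
            return i
    return None


# Constructed sample transcripts (message numbers only, no payloads).
NORMAL_SESSION = [("C", 20), ("S", 20), ("C", 21), ("S", 21), ("C", 5),
                  ("C", 50), ("S", 52), ("C", 90), ("C", 98)]
PRE_AUTH_CHANNEL = [("C", 20), ("S", 20), ("C", 21), ("S", 21), ("C", 90)]
```

Running `first_violation` over a server-side log of decoded message numbers flags at which point a peer tried to open a channel before authenticating, which is the ordering the patched server refuses.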