Researchers Find CVSS 10.0 Severity RCE Vulnerability in Erlang/OTP SSH

Security researchers report CVE-2025-32433, a CVSS 10.0 RCE vulnerability in Erlang/OTP SSH, allowing unauthenticated code execution on exposed systems.
A newly disclosed vulnerability in the Erlang/OTP SSH implementation could allow attackers to run code on affected systems without logging in. The flaw, tracked as CVE-2025-32433, was reported by researchers at Ruhr University Bochum and has been rated with a maximum CVSSv3 score of 10.0 due to its potential impact on systems using the widely deployed library.
Disclosed by researchers via the oss-security mailing list, the issue affects the SSH protocol message handling within Erlang/OTP, allowing attackers to send specially crafted messages before authentication takes place. If exploited, the vulnerability could lead to arbitrary code execution. In cases where the SSH daemon is running with root privileges, this could result in a complete system compromise.
Any application or service running an SSH server built on the Erlang/OTP SSH library is likely exposed. This includes a range of environments, particularly those relying on Erlang for high-availability systems such as telecommunications equipment, industrial control systems, and connected devices.
“If your application uses Erlang/OTP SSH for remote access, you should assume it is affected,” the researchers stated.
The vulnerability stems from how the SSH server handles messages during the initial connection. Messages belonging to the SSH connection protocol (channel opening and channel requests, which are meant to be accepted only after a client has authenticated) are processed even when no authentication has taken place. An attacker with network access to the server can therefore send connection protocol messages before the authentication step, bypassing the check that should gate them and triggering remote code execution.
According to the advisory, the flaw could allow unauthorised users to gain the same privileges as the SSH daemon. This means if the daemon is running as root, the attacker would have unrestricted access.
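As an added illustration (not code from the advisory, the researchers, or Erlang/OTP), the following Python model shows the two dispatcher behaviours in miniature: a lax server that acts on connection-protocol messages regardless of authentication state, a strict one that refuses them until authentication has succeeded, and a trace check that flags such messages in a recorded session. The credential string and the two traces are constructed; the message numbers are the RFC 4250 values.

```python
"""Model of the pre-authentication message-ordering flaw described above.
Constructed example, not Erlang/OTP's own code. Message numbers per RFC 4250."""
from dataclasses import dataclass, field

# SSH message numbers (RFC 4250, section 4.1.2)
SSH_MSG_SERVICE_REQUEST = 5
SSH_MSG_KEXINIT = 20
SSH_MSG_NEWKEYS = 21
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_SUCCESS = 52
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_REQUEST = 98

# RFC 4251, section 7: numbers 80..127 are connection-protocol messages, which
# are only meaningful once the client has passed user authentication (RFC 4254).
CONNECTION_PROTOCOL = range(80, 128)

VALID_CREDENTIAL = "password:hunter2"  # constructed stand-in for a real credential check


@dataclass
class Server:
    """Minimal message dispatcher. strict=False models the flaw: channel
    messages are dispatched whether or not the peer has authenticated."""
    strict: bool = True
    authenticated: bool = False
    executed: list = field(default_factory=list)  # commands the server ran
    rejected: list = field(default_factory=list)  # message numbers refused pre-auth

    def handle(self, msg_type: int, payload: str = "") -> str:
        if msg_type == SSH_MSG_USERAUTH_REQUEST:
            self.authenticated = payload == VALID_CREDENTIAL
            return "auth-ok" if self.authenticated else "auth-fail"
        if msg_type in CONNECTION_PROTOCOL:
            # Hardened path: gate the whole connection-protocol range on the
            # authentication state, not on the order messages happen to arrive in.
            if self.strict and not self.authenticated:
                self.rejected.append(msg_type)
                return "rejected"
            if msg_type == SSH_MSG_CHANNEL_REQUEST and payload.startswith("exec:"):
                self.executed.append(payload[len("exec:"):])
                return "exec"
            return "channel"
        return "transport"  # KEXINIT, NEWKEYS, SERVICE_REQUEST, ...


# Constructed traces: ("C", type, payload) = client->server, ("S", ...) = server->client.
ATTACK_TRACE = [
    ("C", SSH_MSG_KEXINIT, ""), ("S", SSH_MSG_KEXINIT, ""),
    ("C", SSH_MSG_NEWKEYS, ""), ("S", SSH_MSG_NEWKEYS, ""),
    ("C", SSH_MSG_SERVICE_REQUEST, "ssh-userauth"),
    ("C", SSH_MSG_CHANNEL_OPEN, "session"),      # sent without ever authenticating
    ("C", SSH_MSG_CHANNEL_REQUEST, "exec:id"),
]
LEGIT_TRACE = [
    ("C", SSH_MSG_KEXINIT, ""), ("S", SSH_MSG_KEXINIT, ""),
    ("C", SSH_MSG_NEWKEYS, ""), ("S", SSH_MSG_NEWKEYS, ""),
    ("C", SSH_MSG_SERVICE_REQUEST, "ssh-userauth"),
    ("C", SSH_MSG_USERAUTH_REQUEST, VALID_CREDENTIAL),
    ("S", SSH_MSG_USERAUTH_SUCCESS, ""),
    ("C", SSH_MSG_CHANNEL_OPEN, "session"),
    ("C", SSH_MSG_CHANNEL_REQUEST, "exec:id"),
]


def replay(trace, strict=True) -> Server:
    """Feed the client side of a trace to a fresh server and return its state."""
    server = Server(strict=strict)
    for direction, msg_type, payload in trace:
        if direction == "C":
            server.handle(msg_type, payload)
    return server


def find_preauth_connection_msgs(trace):
    """Detection over a recorded bidirectional trace: (index, type) of every
    client connection-protocol message seen before the server's USERAUTH_SUCCESS."""
    hits = []
    for i, (direction, msg_type, _payload) in enumerate(trace):
        if direction == "S" and msg_type == SSH_MSG_USERAUTH_SUCCESS:
            break
        if direction == "C" and msg_type in CONNECTION_PROTOCOL:
            hits.append((i, msg_type))
    return hits


if __name__ == "__main__":
    print("lax server ran:", replay(ATTACK_TRACE, strict=False).executed)
    print("strict server refused:", replay(ATTACK_TRACE, strict=True).rejected)
    print("pre-auth connection messages:", find_preauth_connection_msgs(ATTACK_TRACE))
```

Once key exchange completes the SSH payload is encrypted, so a message-number check like find_preauth_connection_msgs is only possible where the plaintext is visible, inside the server or on its own debug trace, not on a network sensor. The durable fix is the strict branch of Server.handle: acceptance of the 80..127 range is tied to the authentication state rather than to the sequence the client chooses to send.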
The official advisory is available on Erlang’s GitHub security page. For those unable to upgrade immediately, firewall rules should be used to block access to the SSH server from untrusted sources.
This flaw is particularly serious not just because of how it works, but where it lives. Erlang/OTP is quietly embedded in many production systems, often overlooked in routine audits. That makes widespread exposure a real concern.
When a widely used library like Erlang/OTP is affected, the impact can quickly spread. CVE-2025-32433 is a clear example, especially for systems that depend on remote access and automation. Therefore, administrators and vendors are urged to assess their systems, verify if Erlang/OTP SSH is in use, and patch or isolate as soon as possible.
Mayuresh Dani, Manager of Security Research at Qualys, described the flaw as “extremely critical.”
“Due to improper handling of pre-authentication SSH protocol messages, a remote threat actor can bypass security checks to execute code on a system. If the SSH daemon runs with root privileges, which is common in many deployments, the threat actor will gain complete control,” Dani said.
He added that Erlang is frequently used in high-availability systems due to its reliable support for concurrent processing. “Many Cisco and Ericsson devices run Erlang. Any service using the Erlang/OTP SSH library for remote access, such as those in OT or IoT setups, is at risk.”
Dani recommends updating to the latest patched versions of Erlang/OTP. These include OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. For organisations that need more time to implement upgrades, he advises limiting SSH port access to trusted IPs only.
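Because the fixed releases span three branches, a single "is my version newer than X" comparison is not enough; the check has to be made per major version. The following Python helper, added here and not a tool from Qualys or the Erlang/OTP project, encodes only the three fixed versions named above and reports any other branch as unknown rather than guessing.

```python
"""Classify an Erlang/OTP version string against the fixed releases named in
the article. Constructed example; the FIXED table holds only the versions the
article lists, so other branches come back as 'unknown'."""
import re

# Fixed releases as given above, keyed by OTP major version.
FIXED = {
    27: (27, 3, 3),
    26: (26, 2, 5, 11),
    25: (25, 3, 2, 20),
}

_VERSION_RE = re.compile(r"^(?:OTP-)?(\d+(?:\.\d+)*)$")


def parse_otp_version(text: str) -> tuple:
    """Accept 'OTP-27.3.2' or '27.3.2' (the OTP_VERSION file form) -> tuple of ints."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an OTP version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def status(text: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown' for the given version string.
    Tuple comparison handles the four-component 26.x and 25.x patch numbers,
    and a shorter prefix such as 26.2.5 sorts below 26.2.5.11 as it should."""
    version = parse_otp_version(text)
    fixed = FIXED.get(version[0])
    if fixed is None:
        return "unknown"  # branch not covered by the fixed versions listed here
    return "fixed" if version >= fixed else "vulnerable"


if __name__ == "__main__":
    for sample in ("OTP-27.3.2", "OTP-27.3.3", "26.2.5", "OTP-25.3.2.20", "OTP-24.3.4.17"):
        print(f"{sample:16} {status(sample)}")
```

erlang:system_info(otp_release) returns only the major version (for example "27"); the full string is in the OTP_VERSION file under releases/<major>/ in the install root, which is the format parse_otp_version accepts with or without the OTP- prefix. A host can also carry more than one OTP install (vendor-bundled releases, containers, embedded firmware), so the version that matters is the one the exposed SSH server is actually running on, not whichever erl is first on the PATH.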
HackRead