Many devices could be exposed to complete takeover due to a critical vulnerability discovered recently in the Erlang/OTP SSH library.
Erlang/OTP is a collection of libraries, middleware and other tools designed for creating scalable soft real-time systems that require high availability, such as e-commerce, banking, and communications applications.
A team of researchers from Ruhr University Bochum in Germany discovered that Erlang/OTP’s SSH implementation is affected by a critical vulnerability for which they calculated a CVSS score of 10.
Tracked as CVE-2025-32433, the flaw is related to the SSH protocol message handling, which “allows an attacker to send connection protocol messages prior to authentication”.
The researchers said all SSH servers that leverage the Erlang/OTP SSH library are likely to be impacted, and they drew attention to ones used for remote access.
“The vulnerability allows an attacker to execute arbitrary code in the context of the SSH daemon. If your SSH daemon is running as root, the attacker has full access to your device. Consequently, this vulnerability may lead to full compromise of hosts, allowing for unauthorized access to and manipulation of sensitive data by third parties, or denial-of-service attacks,” the researchers explained.
CVE-2025-32433 has been patched with the release of OTP-27.3.3, OTP-26.2.5.11 and OTP-25.3.2.20. As a workaround, users can prevent potential attacks using firewall rules, the researchers said.
Qualys researcher Mayuresh Dani told SecurityWeek that the vulnerability could allow a remote attacker to install ransomware or obtain sensitive data.
“Erlang is frequently found installed on high-availability systems due to its robust and concurrent processing support. A majority of Cisco and Ericsson devices run Erlang. Any service using Erlang/OTP’s SSH library for remote access such as those used in OT/IoT devices, edge computing devices are susceptible to exploitation,” Dani warned.
Related: GNU C Library Vulnerability Leads to Full Root Access
Related: Critical Vulnerability Found in Apache Roller Blog Server
Related: Vulnerabilities in MongoDB Library Allow RCE on Node.js Servers