CRITICAL CVE | CVSS 9.8 | NO AUTH REQUIRED | TELECOM IMPACT

CVE-2025-32433: Erlang/OTP SSH RCE

Critical no-authentication SSH remote code execution vulnerability in Erlang/OTP affecting telecommunications infrastructure worldwide. CVSS Score: 9.8 - Immediate patching required.

CVSS Score: 9.8 Critical
Authentication: None Required
Network Access: Remote
Impact: Complete

Affected systems:
• Erlang/OTP versions 24.0 - 27.1
• SSH server implementations
• Telecom core network elements
• Network management systems
• OSS/BSS platforms

Timeline:
Discovered: Jan 15, 2025
Disclosed: Jan 30, 2025
Patch Available: Jan 30, 2025
Exploit Public: Jan 30, 2025

Potential impact:
• Core network compromise
• Service disruption
• Data exfiltration risk
• Lateral movement
• Regulatory violations

CVE-2025-32433 is a critical remote code execution vulnerability in Erlang/OTP's SSH server implementation. The flaw exists in the SSH message handling mechanism, allowing attackers to send specially crafted SSH messages that trigger a buffer overflow condition.

The vulnerability requires no authentication and can be exploited remotely over the network. Successful exploitation allows attackers to execute arbitrary code with the privileges of the SSH server process, potentially leading to complete system compromise.

Root causes:
• Insufficient input validation in SSH message parser
• Buffer overflow in message length handling
• Missing bounds checking on packet data
• Improper memory management in SSH subsystem

Attack vector:
• Network-accessible SSH service (port 22)
• Malformed SSH protocol messages
• No authentication required
• Exploitable during connection handshake
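As an added triage example (not part of this advisory and not Erlang/OTP project code), the Python below helps an operator find which hosts in an inventory run an Erlang/OTP SSH server and whether their reported OTP release falls inside the 24.0 - 27.1 range stated above. The banner layout `SSH-2.0-Erlang/<ssh application version>` is an assumption about how Erlang's SSH daemon identifies itself; confirm it against what your own hosts send. The host list is constructed sample data. The full OTP version on a host is normally read from the `OTP_VERSION` file under `<erlang root>/releases/<release>/`, which is where the third column of the inventory is assumed to come from.

```python
"""Inventory triage for CVE-2025-32433: added example, not advisory or OTP code."""
import re
from typing import Iterable, List, Optional, Tuple

# Affected range exactly as the advisory states it: OTP 24.0 through 27.1,
# inclusive, compared at major.minor granularity.
AFFECTED_MIN = (24, 0)
AFFECTED_MAX = (27, 1)

# Assumed banner layout for Erlang's SSH daemon: "SSH-2.0-Erlang/<ssh app version>".
# Verify this against the banner your hosts actually send before relying on it.
_ERLANG_BANNER = re.compile(r"^SSH-2\.0-Erlang(?:/(?P<ssh_app>[0-9][0-9.]*))?\s*$")


def parse_banner(banner: str) -> Optional[str]:
    """Return the ssh application version when the banner belongs to an
    Erlang/OTP SSH server ("" if the banner carries no version), or None for
    any other SSH implementation."""
    match = _ERLANG_BANNER.match(banner.strip())
    if not match:
        return None
    return match.group("ssh_app") or ""


def parse_otp_version(text: str) -> Tuple[int, int]:
    """Parse an OTP version such as "26.2.5" or "OTP 27.0" into (major, minor).
    The patch component is dropped because the advisory gives its range at
    major.minor granularity."""
    match = re.search(r"(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no OTP version found in {text!r}")
    return int(match.group(1)), int(match.group(2))


def is_affected(otp_version: str) -> bool:
    """True when the OTP release lies inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_otp_version(otp_version) <= AFFECTED_MAX


def triage(hosts: Iterable[Tuple[str, str, Optional[str]]]) -> List[Tuple[str, str]]:
    """Classify (hostname, ssh_banner, otp_version_or_None) records.

    Verdicts: 'not-erlang' (a different SSH implementation),
    'erlang-affected' (OTP version inside the advisory range),
    'erlang-not-in-range' (Erlang SSH but OTP version outside the range),
    'erlang-unknown-version' (Erlang SSH, OTP version not yet collected:
    treat as affected until the OTP_VERSION file has been read)."""
    results: List[Tuple[str, str]] = []
    for host, banner, otp_version in hosts:
        if parse_banner(banner) is None:
            results.append((host, "not-erlang"))
        elif otp_version is None:
            results.append((host, "erlang-unknown-version"))
        elif is_affected(otp_version):
            results.append((host, "erlang-affected"))
        else:
            results.append((host, "erlang-not-in-range"))
    return results


# Constructed sample inventory; hostnames, banners and versions are made up.
SAMPLE_HOSTS = [
    ("hss-01.example.net", "SSH-2.0-Erlang/5.2.9", "26.2.5"),
    ("nms-02.example.net", "SSH-2.0-Erlang/5.2.10", "27.2"),
    ("bastion.example.net", "SSH-2.0-OpenSSH_9.6", None),
    ("legacy-01.example.net", "SSH-2.0-Erlang/4.13", None),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_HOSTS):
        print(f"{host:24s} {verdict}")
```

Hosts classified as `erlang-affected` or `erlang-unknown-version` are the ones to prioritise for patching or for restricting reachability of the SSH listener, since the advisory states the flaw is reachable without authentication during the connection handshake.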