CRITICAL VULNERABILITY ALERT - CVE-2025-32433 - IMMEDIATE ACTION REQUIRED

CVE-2025-32433: Erlang/OTP SSH RCE

Critical unauthenticated SSH remote code execution vulnerability in Erlang/OTP affecting telecommunications infrastructure worldwide. CVSS Score: 9.8. Immediate patching required.

Severity

  • CVSS Score: 9.8 Critical
  • Authentication: None Required
  • Network Access: Remote
  • Impact: Complete

Affected Systems

  • Erlang/OTP versions 24.0 - 27.1
  • SSH server implementations
  • Telecom core network elements
  • Network management systems
  • OSS/BSS platforms

Timeline

  • Discovered: Jan 15, 2025
  • Disclosed: Jan 30, 2025
  • Patch Available: Jan 30, 2025
  • Exploit Public: Jan 30, 2025

Telecom Impact

  • Core network compromise
  • Service disruption
  • Data exfiltration risk
  • Lateral movement
  • Regulatory violations

Vulnerability Description

CVE-2025-32433 is a critical remote code execution vulnerability in Erlang/OTP's SSH server implementation. The flaw exists in the SSH message handling mechanism, allowing attackers to send specially crafted SSH messages that trigger a buffer overflow condition.

The vulnerability requires no authentication and can be exploited remotely over the network. Successful exploitation allows attackers to execute arbitrary code with the privileges of the SSH server process, potentially leading to complete system compromise.

Root Cause Analysis

Technical Root Cause

  • Insufficient input validation in SSH message parser
  • Buffer overflow in message length handling
  • Missing bounds checking on packet data
  • Improper memory management in SSH subsystem

Attack Vector

  • Network-accessible SSH service (port 22)
  • Malformed SSH protocol messages
  • No authentication required
  • Exploitable during connection handshake

Additional Resources

Official Advisory

Official CVE-2025-32433 security advisory from Erlang/OTP team

Patches & Updates

Download official patches and security updates for Erlang/OTP

Community Discussion

Join the security community discussion about CVE-2025-32433
