Critical vulnerability in Erlang/OTP SSH library opens the way for unauthorized code execution CVE-2025-32433

17.04.2025 2 minutes Author: Newsman

A research group from Ruhr University has announced a critical vulnerability, CVE-2025-32433, in the Erlang/OTP SSH implementation; it carries the maximum CVSS score of 10.0. An attacker can execute commands on the server without any authentication.

The vulnerability lies in incorrect handling of SSH protocol messages during connection establishment. An attacker can send specially crafted messages before the authentication stage is reached and execute code with the privileges of the SSH server process.

  • CVE-2025-32433 is especially dangerous where the SSH daemon runs as the root user. In that case the attacker gains full control over the system, including reading files, manipulating data, installing malware or mounting DoS attacks.
  • This vulnerability affects everyone who runs the Erlang/OTP SSH server. It is recommended to update immediately to OTP-27.3.3, OTP-26.2.5.11 or OTP-25.3.2.20. As a temporary measure, restrict access to the SSH port with firewall rules.
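As an added example (not part of the original article or the Erlang/OTP project), the helper below classifies an installed OTP version against the three fixed releases named above; reading `releases/<major>/OTP_VERSION` under the Erlang root is the standard location in OTP installs, and the sample version strings are constructed.

```python
"""Classify an Erlang/OTP version against the fixed releases named for
CVE-2025-32433 (OTP-27.3.3, OTP-26.2.5.11, OTP-25.3.2.20)."""
from __future__ import annotations
import os
import re

# First patched release of each OTP line, as listed in the advisory.
FIXED_VERSIONS = {
    27: (27, 3, 3),
    26: (26, 2, 5, 11),
    25: (25, 3, 2, 20),
}


def parse_otp_version(text: str) -> tuple[int, ...]:
    """Turn 'OTP-26.2.5.9' or '26.2.5.9' into a tuple of ints.

    Tuple comparison avoids the string trap where '26.2.5.9' > '26.2.5.11'
    simply because the character '9' sorts after '1'.
    """
    m = re.fullmatch(r"(?:OTP-)?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"not an OTP version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def classify(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for CVE-2025-32433.

    'unknown' means the advisory names no fixed release for this major line
    (e.g. OTP 24 or older); treat it as unpatched until the vendor says otherwise.
    """
    parsed = parse_otp_version(version)
    fixed = FIXED_VERSIONS.get(parsed[0])
    if fixed is None:
        return "unknown"
    return "patched" if parsed >= fixed else "vulnerable"


def installed_otp_version(root_dir: str) -> str:
    """Read OTP_VERSION from <root>/releases/<major>/ of an Erlang install.

    <root> is what code:root_dir() returns inside the VM (e.g. /usr/lib/erlang).
    """
    releases = os.path.join(root_dir, "releases")
    for entry in os.listdir(releases):
        path = os.path.join(releases, entry, "OTP_VERSION")
        if os.path.isfile(path):
            with open(path, encoding="ascii") as fh:
                return fh.read().strip()
    raise FileNotFoundError(f"no OTP_VERSION under {releases}")


if __name__ == "__main__":
    for v in ("OTP-26.2.5.9", "26.2.5.11", "27.3.3", "25.3.2.19", "24.3.4.17"):
        print(f"{v:>14}: {classify(v)}")
```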

Erlang/OTP is a programming language and platform widely used in high-availability infrastructure, in particular in Cisco and Ericsson equipment, as well as in IoT and edge systems. These services commonly rely on SSH for remote administration, so a flaw in the SSH library puts not just one application at risk but the entire remote administration path.

CVE-2025-32433 is a direct threat to systems that use Erlang/OTP. A vulnerability rated 10.0 means that every day without the update is an open door for attackers. Organizations should not only update the library, but also review the privileges under which SSH processes run and restrict external access to the service.
