Researchers Discover a Critical RCE Vulnerability with CVSS Score 10.0 in Erlang/OTP SSH

A critical vulnerability in the Erlang/OTP SSH implementation has been discovered by security researchers, posing a significant risk to systems using this widely deployed library. Tracked as CVE-2025-32433, the flaw allows attackers to execute code on exposed systems without the need for authentication. This vulnerability has received a maximum CVSSv3 score of 10.0 due to its potential impact on affected systems.

The vulnerability was disclosed by researchers at Ruhr University Bochum through the oss-security mailing list. It affects the handling of SSH protocol messages in Erlang/OTP, enabling attackers to send specially crafted messages before authentication occurs. If exploited, this flaw could result in arbitrary code execution, and in cases where the SSH daemon runs with root privileges, it could lead to a complete system compromise.

A wide range of applications and services that utilize an SSH server built on the Erlang/OTP SSH library are potentially affected by this vulnerability. This includes environments that rely on Erlang for high-availability systems such as telecommunications equipment, industrial control systems, and connected devices. Therefore, organizations using Erlang/OTP SSH for remote access should assume that they are at risk, according to the researchers.

The issue stems from how the SSH server processes specific messages during the initial connection phase, allowing attackers with network access to exploit the vulnerability by sending protocol messages before the authentication step. By doing so, attackers can bypass normal security checks and trigger remote code execution, gaining the same privileges as the SSH daemon in the process.

The official advisory is available on Erlang’s GitHub security page. For those unable to upgrade immediately, firewall rules can be implemented in the interim to block access to the SSH server from untrusted sources. Given the widespread use of Erlang/OTP in production systems, particularly in scenarios where it may be overlooked during routine audits, the vulnerability presents a serious concern.

Mayuresh Dani, Manager of Security Research at Qualys, emphasized the severity of the flaw, describing it as “extremely critical.” He highlighted the risk posed by the improper handling of pre-authentication SSH protocol messages, which can enable remote threat actors to execute code on vulnerable systems. Dani noted that many high-availability systems, including devices from Cisco and Ericsson, rely on Erlang, putting them at risk.

To mitigate the risk, Dani recommends updating to the latest patched versions of Erlang/OTP, such as OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. Additionally, organizations that require more time to implement upgrades should restrict SSH port access to trusted IPs only. Overall, administrators and vendors are advised to assess their systems, identify any use of Erlang/OTP SSH, and apply patches or isolation measures promptly to mitigate the impact of CVE-2025-32433.
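To make the assessment step concrete, the following added example (not part of the original article or the Erlang/OTP project) triages an inventory of OTP version strings against the three patched releases named above. The host names and inventory are constructed, and major versions the article does not list are reported as "unlisted" rather than guessed.

```python
import re

# Patched releases named in the article, keyed by OTP major version.
PATCHED = {27: (27, 3, 3), 26: (26, 2, 5, 11), 25: (25, 3, 2, 20)}

def parse_otp_version(text):
    """Turn 'OTP-26.2.5.11' or '27.3.3' into a tuple of ints."""
    m = re.fullmatch(r"\s*(?:OTP-)?(\d+(?:\.\d+)*)\s*", text, re.IGNORECASE)
    if m is None:
        raise ValueError(f"unrecognised OTP version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def triage(version_text):
    """Classify one version against the patched release of its major branch."""
    version = parse_otp_version(version_text)
    fixed = PATCHED.get(version[0])
    if fixed is None:
        return "unlisted"  # the article names no patched release for this major
    # OTP versions vary in length (27.3.3 vs 26.2.5.11): pad before comparing.
    width = max(len(version), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return "patched" if pad(version) >= pad(fixed) else "needs-upgrade"

def triage_inventory(inventory):
    """Map host -> status; unparseable version strings are flagged, not dropped."""
    result = {}
    for host, version_text in inventory.items():
        try:
            result[host] = triage(version_text)
        except ValueError:
            result[host] = "unparsed"
    return result

# Constructed inventory (hypothetical host names and version strings).
SAMPLE_INVENTORY = {
    "edge-gw-01": "OTP-27.3.3",
    "mq-broker-02": "26.2.5.9",
    "plc-bridge-03": "OTP-25.3.2.20",
    "legacy-ne-04": "24.3.4.17",
    "lab-05": "27.0-rc2",
}

if __name__ == "__main__":
    for host, status in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{host:15} {status}")
```

A host reported as "needs-upgrade", "unlisted" or "unparsed" still has to be checked for a running Erlang/OTP SSH server, which the version string alone does not show.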
