
SSH Vulnerability in Erlang/OTP Experiences Increase in Exploitation Attempts

Unauthenticated command execution is possible due to a significant Remote Code Execution (RCE) weakness uncovered in Erlang's OTP SSH server.

In a concerning development, a severe remote code execution (RCE) vulnerability, rated 10.0 on the CVSS scale, is being actively exploited in Erlang's Open Telecom Platform (OTP) Secure Shell daemon (sshd). This vulnerability, identified as CVE-2025-32433, allows unauthenticated attackers to execute commands by sending specific SSH messages before authentication.

The attacker, if successful, would have full control over the system, potentially compromising sensitive information and allowing them to compromise additional hosts within the network. This vulnerability poses a significant threat, particularly to operational technology (OT) networks, as exploitation could disproportionately affect these systems.

Between May 1 and May 9, there was a surge in exploitation attempts, with 70% of detections originating from firewalls protecting OT networks. Education accounted for 72.7% of all detections, indicating a widespread risk across various sectors. Many sectors that rely on Erlang/OTP's native SSH for remote administration are at risk, including healthcare, agriculture, media and entertainment, and high technology.

Researchers recommend that organizations patch immediately by upgrading to OTP 27.3.3, OTP 26.2.5.11 or OTP 25.3.2.20; Erlang/OTP releases earlier than these are vulnerable. Where patching cannot happen right away, temporary mitigations include disabling the SSH server or restricting access to it with firewall rules.
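The patch guidance above reduces to a version comparison per OTP major line, which is easy to get wrong by hand because the patched versions have a different number of components (27.3.3 versus 26.2.5.11 and 25.3.2.20). The following is an added example, not code from the article or from the Erlang/OTP project: it parses the contents of an installation's `OTP_VERSION` file and reports whether that release predates the fix for its line. The fixed versions are those named in the article; the hostnames and version strings in the sample inventory are constructed, and treating major lines newer than 27 as already fixed is an assumption the article does not state.

```python
import re
from typing import Dict, Tuple

# First patched release per major line, as named in the advisory text.
# Anything earlier within the same line is vulnerable.
FIXED_VERSIONS: Dict[int, Tuple[int, ...]] = {
    25: (25, 3, 2, 20),
    26: (26, 2, 5, 11),
    27: (27, 3, 3),
}


def parse_otp_version(text: str) -> Tuple[int, ...]:
    """Turn an OTP_VERSION string such as '26.2.5.10' into a comparable tuple.

    Any non-numeric suffix after the dotted number is ignored, so strings
    with trailing markers or whitespace still parse.
    """
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"not an OTP version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version_text: str) -> bool:
    """True if the installed OTP is older than the first patched release of its line.

    Major lines older than 25 never received a fix and are reported vulnerable.
    Major lines newer than 27 are assumed to postdate the fix (assumption; the
    article only names the 25, 26 and 27 lines).
    """
    version = parse_otp_version(version_text)
    major = version[0]
    if major < min(FIXED_VERSIONS):
        return True
    if major > max(FIXED_VERSIONS):
        return False
    # Tuple comparison is lexicographic, so (26, 2, 5) < (26, 2, 5, 11) as intended.
    return version < FIXED_VERSIONS[major]


def check_hosts(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify an inventory of {hostname: OTP_VERSION contents} pairs."""
    return {
        host: ("VULNERABLE" if is_vulnerable(ver) else "patched")
        for host, ver in inventory.items()
    }


# Constructed sample inventory: hypothetical hosts and versions, not from the article.
SAMPLE_INVENTORY: Dict[str, str] = {
    "pbx-01.example.internal": "26.2.5.10",
    "pbx-02.example.internal": "26.2.5.11",
    "mq-broker.example.internal": "27.3.3",
    "legacy-gw.example.internal": "24.3.4.17",
}

if __name__ == "__main__":
    for host, status in check_hosts(SAMPLE_INVENTORY).items():
        print(f"{host:30} {SAMPLE_INVENTORY[host]:>12}  {status}")
```

The version string to feed in is the contents of the `OTP_VERSION` file under `releases/<major>/` in the Erlang installation root; the major-only value reported by `erlang:system_info(otp_release)` is not precise enough for this check, since it cannot distinguish 26.2.5.10 from 26.2.5.11.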

Thomas Richards, infrastructure security practice director at Black Duck, stated that if exploited, this vulnerability could have severe consequences on an organization's network and operations. He emphasized that addressing the vulnerability should be a top priority for any security team responsible for an OT network.

Erlang/OTP services are widely exposed on the internet, sometimes on industrial ports such as TCP 2222, which creates a crossover risk between IT and industrial control systems. Attackers are deploying payloads to establish reverse shells for unauthorized access, and some payloads use DNS callbacks to confirm execution without returning results.

The US, Brazil, and France host the highest number of exposed Erlang/OTP services, highlighting the global reach of this vulnerability. However, it's worth noting that many OT-heavy sectors like utilities, mining, and aerospace saw no recorded OT triggers, possibly due to segmentation, delayed targeting, or gaps in detection.

April Lenhard, principal product manager at Qualys, stated that CVE-2025-32433 could alter sensor readings, trigger outages, introduce safety risks, and cause physical damage. The exact origin of the attack on CVE-2025-32433 in Erlang's Open Telecom Platform Secure Shell daemon remains unknown.

In light of these developments, it is crucial for organizations to prioritize patching and take necessary security measures to protect their networks and critical infrastructure from this active threat.
