Critical RCE Vulnerability in Erlang/OTP SSH Server
CVE-2025-32433 could lead to an attacker gaining full control of a device
Summary
CVE-2025-32433 could lead to an attacker gaining full control of a device
Affected platforms
The following platforms are known to be affected:
Threat details
CVE-2025-32433 may affect other products
It is likely that other products are also vulnerable to CVE-2025-32433. While fixes for Erlang/OTP SSH are now available, the security update is not automatically applied to software products that embed Erlang/OTP SSH; each vendor must ship its own update. Potential examples include some telecom, network, and Internet of Things (IoT) devices.
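Because embedded products are not patched by the Erlang/OTP release itself, the first defensive step is knowing which of your own hosts run Erlang's SSH server. The script below is an added example, not part of this advisory: it reads SSH identification banners from a constructed inventory export and flags the hosts whose SSH service announces itself as Erlang/OTP, so they can be tracked for a vendor update. It assumes Erlang's ssh application identifies itself as `SSH-2.0-Erlang/<ssh application version>`; confirm that against your own hosts.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Erlang/OTP's ssh application identifies itself in the SSH version exchange as
# "SSH-2.0-Erlang/<ssh application version>". That format is an assumption of
# this example; the advisory above does not state it.
ERLANG_BANNER = re.compile(r"^SSH-2\.0-Erlang/(?P<ssh_app>[0-9][0-9A-Za-z.]*)")


@dataclass
class Finding:
    host: str
    port: int
    banner: str
    erlang_ssh: bool
    ssh_app_version: Optional[str]


def parse_record(line: str) -> Optional[Finding]:
    """Parse one 'host:port banner' record from a constructed inventory export.

    Lines that do not match that layout are skipped (returns None) rather than
    raising, so one malformed export line does not abort the whole triage.
    """
    try:
        endpoint, banner = line.strip().split(" ", 1)
        host, port = endpoint.rsplit(":", 1)
        port_num = int(port)
    except ValueError:
        return None
    match = ERLANG_BANNER.match(banner)
    return Finding(host, port_num, banner, match is not None,
                   match.group("ssh_app") if match else None)


def erlang_ssh_hosts(records: List[str]) -> List[Finding]:
    """Return only the records whose SSH banner identifies Erlang/OTP ssh."""
    parsed = (parse_record(line) for line in records)
    return [f for f in parsed if f is not None and f.erlang_ssh]


# Constructed sample export: hostname:port followed by the banner the service sent.
SAMPLE_EXPORT = [
    "bastion.example.internal:22 SSH-2.0-OpenSSH_9.6",
    "pbx-01.example.internal:22 SSH-2.0-Erlang/5.2.9",
    "iot-gw-07.example.internal:2222 SSH-2.0-Erlang/4.15.3.4",
    "broken line without a banner",
    "switch-03.example.internal:22 SSH-2.0-dropbear_2022.83",
]

if __name__ == "__main__":
    for finding in erlang_ssh_hosts(SAMPLE_EXPORT):
        print(f"{finding.host}:{finding.port} ssh app {finding.ssh_app_version}")
```

The ssh application version in the banner does not by itself show whether the product vendor has shipped the fix; it identifies candidates for follow-up against the vendor's advisory and GHSA-37cp-fgq5-7wc2.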
Introduction
Erlang has released updates to its OTP package to address a critical vulnerability in its Secure Shell (SSH) server. Erlang is an open-source programming language. OTP (Open Telecom Platform) is a set of Erlang libraries and middleware that can be used to develop applications.
CVE-2025-32433 is a critical vulnerability with a CVSSv3 score of 10.0. If exploited, an unauthenticated attacker could perform remote code execution (RCE), potentially leading to the attacker gaining full control of the device.
Exploitation of CVE-2025-32433
The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-32433 to the Known Exploited Vulnerabilities (KEV) catalogue. The NHS England National CSOC assesses further exploitation of this vulnerability as likely.
A proof-of-concept (PoC) exploit has also been released for CVE-2025-32433.
Threat updates
| Date | Update |
|---|---|
| 10 Jun 2025 | CVE-2025-32433 added to CISA KEV |
Remediation advice
Affected organisations are encouraged to review Erlang security advisory GHSA-37cp-fgq5-7wc2 and apply the relevant updates as soon as practicable.
Definitive source of threat updates
Last edited: 10 June 2025 10:46 am