Error in lang: Erlang Users Urged to Patch Critical Security Flaw

A critical security flaw, tracked as CVE-2025-32433 and rated with a CVSS score of 10.0, has been found in the SSH implementation of the Erlang/Open Telecom Platform (OTP). This vulnerability could allow an unauthenticated attacker to run arbitrary code, but only under specific conditions.

Erlang/Open Telecom Platform (OTP) is a set of libraries and tools based on the Erlang programming language. It is designed for building scalable, fault-tolerant, and distributed systems, particularly in telecom, messaging, and real-time applications.

Technical Details

Before diving into how this vulnerability can be exploited, it’s essential to understand where it comes from. The root of the issue lies in the improper handling of SSH protocol messages. The SSH protocol requires authentication to complete before any channel-related action is permitted. This vulnerability allows attackers to bypass that requirement.

As a result, attackers can send specific protocol messages before authentication is complete, allowing them to execute arbitrary code on the server. If the SSH daemon runs with root privileges, this flaw could let an attacker access or modify sensitive data or even crash the system, leading to a complete Denial of Service (DoS).

To exploit the vulnerability, the attacker must first send a key exchange initialization message with valid algorithms to avoid detection of malicious activities. This can be done by sending a specially crafted SSH_MSG_KEXINIT packet with the list of appropriate algorithms. The attacker then sends an SSH_MSG_CHANNEL_OPEN packet, which attempts to start an SSH session before authentication, and the server accepts the message without verifying the user due to improper handling.

Once authentication is successfully bypassed, an SSH_MSG_CHANNEL_REQUEST packet is constructed with a malicious payload to write and execute remote code. Depending on the conditions and the code that is executed by the attacker, this exploitation might result in Denial of Service (DoS).

To confirm successful exploitation, the attacker can check for the presence of the file they created to execute remote code using the SSH_MSG_CHANNEL_REQUEST packet.

Impact

The impact of this vulnerability is severe. Depending on how it’s exploited, it can even lead to a Denial of Service (DoS). Its critical nature makes it especially dangerous, as it could allow an attacker to install ransomware, steal sensitive data, or carry out other malicious activities.

Products Affected

The vulnerability impacts all Erlang/OTP versions up to and including OTP-27.3.2, OTP-26.2.5.10 and OTP-25.3.2.19.

Solution and Mitigation

Update Erlang/OTP to versions OTP-25.3.2.20, OTP-26.2.5.11, OTP-27.3.3 or above.
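The following shell script is an added example, not part of the original advisory, for checking whether an installed Erlang/OTP release is at or above the fixed versions listed above. The per-line thresholds are taken from this advisory; the treatment of majors outside 25 to 27 (anything below 25 is counted as affected per the "or earlier" wording, anything above 27 is assumed to postdate the fix) and the read of the `OTP_VERSION` file under the release directory are assumptions of this script.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether an Erlang/OTP version
# is at or above the fixed versions for CVE-2025-32433.

# Fixed versions per major line, as listed in the advisory.
FIXED_25="25.3.2.20"
FIXED_26="26.2.5.11"
FIXED_27="27.3.3"

# vercmp A B -> prints -1, 0 or 1 after comparing dotted numeric versions
# component by component; missing trailing components count as 0.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        [ "$ax" = "$a" ] && a="" || a="${a#*.}"
        [ "$bx" = "$b" ] && b="" || b="${b#*.}"
        ax="${ax:-0}"; bx="${bx:-0}"
        if [ "$ax" -lt "$bx" ]; then echo -1; return; fi
        if [ "$ax" -gt "$bx" ]; then echo 1; return; fi
    done
    echo 0
}

# otp_status VERSION -> prints "fixed", "vulnerable" or "unknown".
# Accepts "OTP-26.2.5.10" or "26.2.5.10" (the contents of OTP_VERSION).
otp_status() {
    v="${1#OTP-}"
    major="${v%%.*}"
    case "$major" in
        ''|*[!0-9]*) echo unknown; return ;;
        25) fixed="$FIXED_25" ;;
        26) fixed="$FIXED_26" ;;
        27) fixed="$FIXED_27" ;;
        *)
            # Assumption: majors below 25 fall under "or earlier" and are
            # affected; majors above 27 are taken to include the fix.
            if [ "$major" -lt 25 ]; then echo vulnerable; else echo fixed; fi
            return ;;
    esac
    if [ "$(vercmp "$v" "$fixed")" -ge 0 ]; then echo fixed; else echo vulnerable; fi
}

# installed_otp_version -> prints the full OTP version of the local install by
# reading releases/<major>/OTP_VERSION (assumed layout of a standard install).
installed_otp_version() {
    erl -noshell -eval '
        F = filename:join([code:root_dir(), "releases",
                           erlang:system_info(otp_release), "OTP_VERSION"]),
        {ok, B} = file:read_file(F),
        io:format("~s", [string:trim(binary_to_list(B))]),
        halt().'
}

# Only probe the local system when an Erlang runtime is actually present.
if command -v erl >/dev/null 2>&1; then
    ver="$(installed_otp_version)"
    echo "Installed OTP $ver: $(otp_status "$ver")"
fi
```

Run it on each host that ships Erlang/OTP (including embedded copies inside other products, which often carry their own `releases/` directory); the script only reports the version check and changes nothing on the host.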

Workaround

If updating to a secure version is not an option, it is recommended that you disable the SSH server or prevent access via firewall rules.

Instantly Fix Risks with SanerNow Patch Management

SanerNow patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. SanerNow patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.