Critical Erlang/OTP SSH RCE bug now has public exploits, patch now

Public exploits are now available for a critical Erlang/OTP SSH vulnerability tracked as CVE-2025-32433, allowing unauthenticated attackers to remotely execute code on impacted devices.

Researchers at the Ruhr University Bochum in Germany disclosed the flaw on Wednesday, warning that all devices running the daemon were vulnerable.

“The issue is caused by a flaw in the SSH protocol message handling which allows an attacker to send connection protocol messages prior to authentication,” reads a disclosure on the OpenWall vulnerability mailing list.

The flaw was fixed in versions 25.3.2.10 and 26.2.4, but as the platform is commonly used in telecom infrastructure, databases, and high-availability systems, it may not be easy to update devices immediately.
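To help inventory which installs still need the upgrade, here is an added example (not code from the article or from the Erlang/OTP project) that compares an OTP version string against the fixed releases named above. The `erl` lookup reads the OTP_VERSION file that an install ships under its releases directory; treating that file as the source of the full version string is an assumption of this example.

```python
"""Check an Erlang/OTP version against the fixed releases for CVE-2025-32433
named in the article (25.3.2.10 and 26.2.4). Added example, not code from the
article or the Erlang/OTP project. Branches the article does not list are
reported as None (unknown) rather than guessed at."""
import subprocess
from typing import Optional, Tuple

# Minimum fixed version per major branch, as stated in the article.
FIXED_VERSIONS = {
    25: (25, 3, 2, 10),
    26: (26, 2, 4),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'OTP-26.2.3' or '26.2.3' -> (26, 2, 3)."""
    text = text.strip()
    if text.upper().startswith("OTP-"):
        text = text[4:]
    parts = text.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an OTP version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str) -> Optional[bool]:
    """True if at or above the fixed release for its branch, False if below,
    None if the branch is not covered by the article's list. Supply the full
    version: a bare major such as '26' compares as older than the fix."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[0])
    if fixed is None:
        return None
    # Python tuple ordering gives the right answer for patch releases:
    # (25, 3, 3) >= (25, 3, 2, 10) and (26, 2, 4, 1) >= (26, 2, 4).
    return v >= fixed


def local_otp_version() -> Optional[str]:
    """Ask the local erl for the contents of <root>/releases/<major>/OTP_VERSION
    (assumed here to hold the full version). Returns None if erl is absent."""
    expr = ('io:format("~s", [binary_to_list(element(2, file:read_file('
            'filename:join([code:root_dir(), "releases", '
            'erlang:system_info(otp_release), "OTP_VERSION"]))))]), halt().')
    try:
        out = subprocess.run(["erl", "-noshell", "-eval", expr],
                             capture_output=True, text=True, timeout=30)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    v = local_otp_version()
    print("erl not found" if v is None else f"OTP {v}: patched={is_patched(v)}")
```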

However, the situation has become more urgent, as multiple cybersecurity researchers have privately created exploits that achieve remote code execution on vulnerable devices.

This includes Peter Girnus of the Zero Day Initiative and researchers from Horizon3, who said the flaw was surprisingly easy to exploit.

Soon after, PoC exploits were published on GitHub by ProDefense, and another was published anonymously on Pastebin, with both quickly shared on social media.

Girnus confirmed to BleepingComputer that ProDefense’s PoC is valid but was not able to successfully exploit Erlang/OTP SSH using the one posted to Pastebin.

Now that public exploits are available, threat actors will soon begin scanning for vulnerable systems and exploiting them.

“SSH is the most commonly used remote access management protocol so I expect this combination to be widespread in critical infrastructure,” Girnus told BleepingComputer.

“It’s a bit concerning especially considering how frequently telcos are targeted by nation state APTs such as Volt and Salt Typhoon for example.”

Girnus refers to the Chinese state-sponsored hacking groups responsible for hacking edge networking equipment and breaching telecommunications providers in the US and worldwide.

While it is unclear how many devices are utilizing the Erlang/OTP SSH daemon, over 600,000 IP addresses are running Erlang/OTP according to a Shodan query shared by Girnus.

“These are mostly CouchDB instances; CouchDB is implemented in Erlang and runs on the Erlang/OTP platform,” the researcher explained in a chat about the public exploits.

Now that public exploits are available, it is strongly advised that all devices running the Erlang/OTP SSH daemon be upgraded immediately before threat actors compromise them.
