Erlang/OTP SSH RCE Vulnerability Actively Exploited to Target OT Networks

A severe vulnerability, designated CVE-2025-32433 with a CVSS score of 10.0, has been identified in the Secure Shell (SSH) daemon of the Erlang programming language’s Open Telecom Platform (OTP).

This flaw permits unauthenticated remote code execution (RCE): an attacker can send SSH connection protocol messages (message type codes greater than or equal to 80) to an exposed SSH port, and the daemon processes them even though such messages are intended to be handled only after successful authentication.

Affecting Erlang/OTP versions prior to OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, the vulnerability poses a significant risk to critical infrastructure and operational technology (OT) networks where Erlang/OTP is commonly deployed for its fault-tolerant and scalable properties in concurrent systems.

Widely used in telecommunications, financial systems, and 5G environments, the native SSH implementation in OTP facilitates encrypted connections, file transfers, and command execution, making this improper state enforcement a direct pathway for arbitrary code execution without credentials.

Global scanning data from April 2025 revealed 275 distinct hosts exposing 326 vulnerable Erlang/OTP SSH services on the internet, often on non-standard ports such as TCP 2222, which overlaps with EtherNet/IP implicit messaging in industrial automation, blurring the lines between IT and OT attack surfaces.

[Figure: Port and vulnerability exposure of Erlang/OTP services.]

Surge in Exploitation Attempts

According to a Unit 42 report, exploitation attempts targeting CVE-2025-32433 surged between May 1 and May 9, 2025, with telemetry indicating active in-the-wild attacks, including reverse shell payloads that establish unauthorized remote access.

One observed payload leverages file descriptors to create TCP connections bound to interactive shells, while another redirects Bash input/output to remote hosts like 146.103.40.203 on port 6667, often linked to botnet command-and-control.

Further analysis uncovered DNS-based indicators, such as gethostbyname calls to randomized subdomains under dns.outbound.watchtowr.com, indicative of out-of-band application security testing (OAST) for blind RCE validation and data exfiltration.

Geographic distribution shows the United States, Brazil, and France hosting the most exposed services, with exploit signatures triggering 3,376 times globally, of which 70% originated from OT network firewalls.

Countries like Japan (99.74% OT correlation), the U.S. (71.15%), and others including the Netherlands and Brazil exhibited high OT impact, reflecting digitally mature industrial sectors with integrated IT/OT environments.

Industry-wise, healthcare, agriculture, media and entertainment, high technology, and education faced disproportionate attacks, with education accounting for 72.7% of total triggers and 88.4% in OT contexts.

Temporal trends reveal bursty activity, peaking on May 3, 6, 8, and 9, where OT triggers often exceeded 80% of detections, suggesting targeted campaigns exploiting weak segmentation and exposed ICS devices.

Broader Implications

To mitigate CVE-2025-32433, organizations should urgently upgrade to patched Erlang/OTP versions: OTP-27.3.3, OTP-26.2.5.11, OTP-25.3.2.20, or later. As interim measures, disable the SSH server or implement firewall restrictions to trusted sources.
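The two checks a defender needs from the paragraphs above are (1) whether a given Erlang/OTP build is older than its branch's fix and (2) whether an SSH session ever carried connection-protocol messages before authentication completed, which is the state violation the flaw comes down to. The following is an added example, not code from the article or from the Erlang/OTP project; it uses the message type numbers from RFC 4250 and the fixed versions named above, and the session traces are constructed (a real trace would have to come from the daemon itself or a decrypted capture, since message types are encrypted on the wire after key exchange).

```python
# Added example (not from the article or the Erlang/OTP project): models the
# pre-authentication gate that CVE-2025-32433 fails to enforce, and checks an
# OTP version string against the fixed releases named in the article.
# Message type codes are from RFC 4250; the session traces are constructed.

SSH_MSG_USERAUTH_SUCCESS = 52   # server tells the client auth completed
CONNECTION_PROTOCOL_MIN = 80    # SSH_MSG_GLOBAL_REQUEST and every later code

# Fixed releases per the article, keyed by major version.
FIXED_VERSIONS = {
    27: (27, 3, 3),
    26: (26, 2, 5, 11),
    25: (25, 3, 2, 20),
}


def audit_session(msg_codes):
    """Walk one session's SSH message type codes in wire order and return
    (index, code) for every connection-protocol message (code >= 80) seen
    before SSH_MSG_USERAUTH_SUCCESS. A patched daemon rejects these; a
    vulnerable one dispatches them, which is what the exploit relies on."""
    authenticated = False
    violations = []
    for i, code in enumerate(msg_codes):
        if code == SSH_MSG_USERAUTH_SUCCESS:
            authenticated = True
        elif code >= CONNECTION_PROTOCOL_MIN and not authenticated:
            violations.append((i, code))
    return violations


def is_vulnerable(version):
    """True if an Erlang/OTP version string (e.g. "27.3.2" or "OTP-27.3.2")
    is older than the fix for its branch, False if fixed, None if the major
    version is not one of the three branches the article lists."""
    parts = tuple(int(p) for p in version.removeprefix("OTP-").split("."))
    fixed = FIXED_VERSIONS.get(parts[0])
    if fixed is None:
        return None
    return parts < fixed   # tuple comparison: (27, 3) < (27, 3, 3) is True


# Constructed traces (both directions merged, KEXINIT .. NEWKEYS first).
BENIGN_TRACE = [20, 21, 5, 6, 50, 52, 90, 98]   # channel opened after auth
SUSPECT_TRACE = [20, 21, 90, 98]                # channel open/request pre-auth

if __name__ == "__main__":
    print("benign :", audit_session(BENIGN_TRACE))    # []
    print("suspect:", audit_session(SUSPECT_TRACE))   # [(2, 90), (3, 98)]
    for v in ("27.3.2", "OTP-27.3.3", "26.2.5.10", "25.3.2.20"):
        print(v, "vulnerable" if is_vulnerable(v) else "fixed")
```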

This vulnerability exemplifies the escalating risks from IT/OT convergence, where software flaws in general-purpose tools like Erlang/OTP can pivot into operational threats across non-traditional sectors, highlighting the need for enhanced visibility, intrusion prevention updates, and monitoring for compromise indicators.

The absence of detections in utilities, energy, mining, and defense sectors may indicate gaps in telemetry rather than immunity, urging a reevaluation of attack surfaces.

Active exploitation underscores the strategic shift by adversaries toward OT infiltration, potentially via lateral movement from compromised enterprise devices, emphasizing integrated defenses to protect critical infrastructure.

Indicators of Compromise (IOC)

Indicator                    Type        Description
dns.outbound.watchtowr.com   Domain      Used in DNS lookups for OAST and blind RCE validation in exploit payloads
194.165.16.71                IP address  Associated with threat infrastructure in exploitation attempts
146.103.40.203               IP address  Remote host for reverse shell redirects, linked to botnet communications

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.