CISA Issues Alert on Erlang/OTP SSH Server RCE Vulnerability Under Active Exploitation


The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning regarding a critical vulnerability in Erlang/OTP SSH server implementations that allows attackers to execute arbitrary commands without authentication.

The vulnerability, designated CVE-2025-32433, has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild and posing significant risk to organizations worldwide.

The newly identified vulnerability is a "missing authentication for critical function" flaw within the Erlang/OTP SSH server component.


This security weakness, classified under CWE-306, enables malicious actors to bypass authentication mechanisms entirely, potentially achieving unauthenticated remote code execution (RCE) on vulnerable systems.

The vulnerability stems from improper handling of SSH protocol messages within the Erlang/OTP implementation.

Attackers can exploit this flaw to execute arbitrary commands on affected systems without providing valid credentials, effectively circumventing standard security controls.

The authentication bypass occurs at a fundamental level in the SSH server message processing logic, making it particularly dangerous as it affects the core security model of SSH communications.

Technical analysis reveals that the vulnerability allows attackers to manipulate SSH protocol message flows in ways that the server interprets as authenticated sessions.

This exploitation method does not require sophisticated techniques or prior system access, making it an attractive target for both opportunistic attackers and advanced persistent threat groups.

RCE Vulnerability

The impact of CVE-2025-32433 extends far beyond standalone Erlang installations, as numerous enterprise-grade products incorporate Erlang/OTP SSH server functionality.

Major technology vendors including Cisco, NetApp, and SUSE have products that potentially contain the vulnerable component, though the full scope of affected systems continues to be assessed.

Organizations utilizing network infrastructure equipment, storage systems, and enterprise software platforms that implement Erlang/OTP SSH servers face immediate exposure to this vulnerability.

The widespread adoption of Erlang in telecommunications, distributed systems, and cloud infrastructure means that the potential attack surface is considerable, spanning multiple industry sectors.

The vulnerability’s inclusion in CISA’s KEV catalog indicates that threat actors are already leveraging this weakness in active attack campaigns.

While the connection to ransomware operations remains unknown, the capability for unauthenticated remote code execution makes it an attractive vector for initial access operations, lateral movement, and system compromise.

Enterprise environments are particularly vulnerable given the common deployment of SSH servers for remote administration, automated processes, and system integration.

The authentication bypass nature of the vulnerability means that traditional monitoring for failed login attempts may not detect successful exploitation attempts.

CISA has issued clear guidance for organizations to address this critical vulnerability immediately.

The primary recommendation involves applying mitigations per vendor instructions as soon as patches or workarounds become available from affected product manufacturers.

For organizations utilizing cloud services that may incorporate vulnerable Erlang/OTP SSH implementations, administrators should follow applicable Binding Operational Directive (BOD) 22-01 guidance.

This directive provides specific requirements for federal agencies and recommended practices for private sector organizations regarding vulnerability management in cloud environments.

In cases where vendor mitigations are unavailable or cannot be immediately implemented, CISA recommends discontinuing use of affected products until proper security measures can be deployed.

Network defenders should prioritize identification of systems running Erlang/OTP SSH servers within their environments and implement additional monitoring and access controls as interim protective measures.
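As an added example (not from CISA's alert or the Erlang/OTP project), the following Python sketch triages SSH identification strings gathered from an asset inventory so that hosts whose SSH service is the Erlang/OTP ssh application can be checked against vendor advisories first. It assumes the Erlang/OTP ssh application announces itself as `Erlang/<version>` in the softwareversion field of the RFC 4253 identification string, and the sample banners are constructed, not real scan data.

```python
import re
from dataclasses import dataclass
from typing import Optional

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
_IDENT_RE = re.compile(r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")

@dataclass
class SshIdentification:
    host: str
    protoversion: str
    software: str
    comments: Optional[str]

    @property
    def is_erlang_otp(self) -> bool:
        # Assumption: the Erlang/OTP ssh application identifies itself as
        # "Erlang/<ssh app version>" in the softwareversion field.
        return self.software.lower().startswith("erlang/")

def parse_identification(host: str, line: str) -> Optional[SshIdentification]:
    """Parse one SSH identification string captured from a host; None if malformed."""
    m = _IDENT_RE.match(line.strip())
    if not m:
        return None
    return SshIdentification(host, m.group("proto"), m.group("software"), m.group("comments"))

def triage(banners: dict) -> dict:
    """Sort hosts into buckets: 'erlang' (review against vendor advisory first),
    'other' (a different SSH server), 'unparsed' (manual follow-up)."""
    buckets = {"erlang": [], "other": [], "unparsed": []}
    for host, line in banners.items():
        ident = parse_identification(host, line)
        if ident is None:
            buckets["unparsed"].append(host)
        elif ident.is_erlang_otp:
            buckets["erlang"].append(host)
        else:
            buckets["other"].append(host)
    return buckets

# Constructed sample inventory (not real hosts or scan results).
SAMPLE_BANNERS = {
    "10.0.0.11": "SSH-2.0-OpenSSH_9.6",
    "10.0.0.12": "SSH-2.0-Erlang/5.2.9",
    "10.0.0.13": "SSH-2.0-Erlang/5.1 some vendor build",
    "10.0.0.14": "SSH-1.99-Cisco-1.25",
    "10.0.0.15": "not an ssh banner",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_BANNERS).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Operators can configure the ssh application to send a different identification string, so a banner-based inventory is a starting point for prioritization, not a substitute for confirming the installed OTP version on each host.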

Organizations should integrate this vulnerability into their existing vulnerability management prioritization frameworks, treating it as a critical-severity issue requiring immediate attention given its active exploitation status.
