Dive Brief:
- Security researchers on Monday warned of a critical vulnerability in the Erlang Open Telecom Platform SSH implementation, which could allow an unauthenticated attacker with network access to execute arbitrary code.
- The vulnerability, tracked as CVE-2025-32433, has been assigned a CVSS score of 10. If an SSH daemon is running as root, then an attacker has full access to a device, researchers from Ruhr University Bochum said in a post on Openwall.
- This level of access could allow third parties to manipulate sensitive data or launch denial-of-service attacks.
Dive Insight:
This particular vulnerability is considered very high risk, due to the lack of required authentication needed, the ease of exploitation and the wide use in a variety of platforms, according to researchers at Horizon3.ai.
Users are urged to upgrade to the latest versions. As a temporary workaround, users can disable the SSH server.
Horizon3.ai researchers last Thursday said they were able to quickly reproduce the vulnerability. A detailed proof of concept will not be released until after a patch has been made widely available.
Erlang OTP is commonly found in IoT devices and telecommunications platforms and is used as a debug utility in other services, including CouchDB and RabbitMQ, Horizon3.ai researchers said.
The vulnerability could impact a wide range of devices across various OT systems, and devices from Cisco and Ericsson could be affected, according to researchers from Frenos.
