
Public exploits already available for a severity 10 Erlang SSH vulnerability; patch now – Source: www.csoonline.com


Source: www.csoonline.com – Author:

Impacted devices are pervasive in IoT and telecom, and attackers exploiting the vulnerability can easily gain full access, giving them free rein on a network.

Experts are urging enterprises to immediately patch an Erlang/OTP Secure Shell (SSH) vulnerability that allows unauthenticated attackers to gain full access to a device. The remote code execution (RCE) vulnerability (CVE-2025-32433) has a CVSS score of 10, the highest possible severity level.

Many impacted devices are widely used in Internet of Things (IoT) and telecom platforms, so the vulnerability could have wide-reaching impacts. The issue was discovered on April 16, and researchers have already been able to quickly and easily create exploits of the vulnerability.

“Anytime you see the phrase ‘remote code execution,’ it usually means a bad day, but remote code execution on a key service that’s used on telecommunications carrier equipment like network switches is seriously bad news,” said David Shipley, CEO of Beauceron Security. “You don’t see these 10s very often: unauthenticated full code execution on critical infrastructure.”

Attackers can take full control of devices

The Erlang/OTP platform is widely used in telecommunications, IoT, and other distributed apps. It is essentially the “backbone of the internet,” Andres Ramos of Arctic Wolf wrote in a blog post. According to Cisco, 90% of internet traffic goes through Erlang-controlled nodes.

The one-time password (OTP) Secure Shell (SSH) is meant to establish secure connections on the control plane that manages industrial control systems (ICS) and operational technology (OT) devices including routers, switches, and smart sensors.

If the SSH daemon is running with elevated privileges (root, superuser, or administrator) and threat actors take over the affected device, this could lead to a complete system compromise, Ramos wrote. That could lead to manipulation of resources by third parties, unauthorized access to sensitive data, or denial-of-service (DoS) attacks that shut down access to a network.

“With the right kind of code, any internet facing server that has this on it could potentially be exploited; threat actors could take full control of that device,” Shipley explained. Once they land in a network, attackers can then go anywhere the equipment is allowed to access, based on network configuration and firewalls, and can look for other unpatched devices to do even more damage, he said. 

Arctic Wolf identified a number of impacted applications, including those from Ericsson, Cisco, National Instruments, Broadcom, EMQ Technologies, Apache Software Foundation, Riak Technologies, and Very Technology.

Affected versions of Erlang/OTP SSH include Erlang/OTP-27.3.2 and earlier, Erlang/OTP-26.2.5.10 and earlier, and Erlang/OTP-25.3.2.19 and earlier. Customers running an affected version should update immediately. For those enterprises unable to upgrade right away, Arctic Wolf recommends disabling the SSH server or restricting access via firewall rules.
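As an added inventory check (not code from the article, Arctic Wolf, or the Erlang/OTP project), the following compares an installed Erlang/OTP version string against the three affected ranges listed above. It assumes the version string comes from the OTP_VERSION file of an installation (path conventions noted in the comments); release lines the article does not mention are reported as unknown rather than guessed.

```python
from typing import Optional, Tuple

# Inclusive upper bounds of the affected ranges per release line, as given in
# the article: anything on that line at or below the bound is affected.
AFFECTED_MAX_BY_LINE = {
    27: (27, 3, 2),
    26: (26, 2, 5, 10),
    25: (25, 3, 2, 19),
}


def parse_otp_version(text: str) -> Tuple[int, ...]:
    """Parse '26.2.5.10' or 'OTP-27.3.2' into a tuple of ints.

    On a host, the full version string lives in
    <erlang root>/releases/<major>/OTP_VERSION; the 'OTP-' prefix
    appears on git tags and in some vendor packaging.
    """
    text = text.strip()
    if text.startswith("OTP-"):
        text = text[len("OTP-"):]
    parts = text.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an OTP version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> Optional[bool]:
    """True if the version falls in an affected range, False if it is newer
    than the bound for its line, None if the line is not one the article lists
    (e.g. 24.x or 28.x), so it must be checked against vendor guidance."""
    v = parse_otp_version(version)
    ceiling = AFFECTED_MAX_BY_LINE.get(v[0])
    if ceiling is None:
        return None
    # Tuple comparison handles mixed lengths: (25, 3, 2) < (25, 3, 2, 19),
    # while (26, 2, 6) > (26, 2, 5, 10) because the third component wins.
    return v <= ceiling


if __name__ == "__main__":
    # Constructed sample inputs for illustration.
    for sample in ["27.3.2", "27.3.3", "OTP-26.2.5.10", "25.3.2", "28.0"]:
        print(f"{sample:>14}: affected={is_affected(sample)}")
```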

‘Surprisingly easy’ to recreate

Researchers at the Ruhr University Bochum in Germany initially disclosed the vulnerability, explaining that it was due to a flaw in the SSH protocol message handling which allows attackers to send protocol messages before authentication.

“If your application uses Erlang/OTP SSH to provide remote access, assume you are affected,” the researchers warned.

Threat actors can be incredibly active in the brief window between the time a vulnerability is discovered and when a patch is released and applied. This makes it all the more important for security teams to act quickly, experts advised.

Case in point: Not long after the news of the Erlang/OTP SSH issue broke, security researchers from the Horizon3 Attack Team reproduced the flaw and put together a quick proof of concept (PoC) exploit, finding it “surprisingly easy.”

“Wouldn’t be shocked if public PoCs start dropping soon,” they wrote on X. “If you’re tracking this, now’s the time to take action.”

PoC exploits have indeed since been published on GitHub and elsewhere.

Particularly in telecom, there’s a “huge issue” with nation-state hacking, Shipley pointed out. We’ve seen recently how attackers can take over a whole telecom network; the Chinese group Salt Typhoon, for one, successfully infiltrated and gained access to multiple US telecom networks.

Enterprises shouldn’t look at this through a short-term mitigation lens, Shipley emphasized. “This isn’t just ‘There’s an update, patch your PC, reboot it.’ This takes careful risk and management analysis.”

He also pointed out that the discovery underscores the importance of the Common Vulnerabilities and Exposures (CVE) program, which was in danger of losing its funding from the US government last week (it was extended at the last minute).

“Add to that that it’s happening over a holiday long weekend, and I’m sure there are lots of IT and OT teams having a not so fun start to the week,” said Shipley.


Original Post url: https://www.csoonline.com/article/3966334/public-exploits-already-available-for-a-severity-10-erlang-ssh-vulnerability-patch-now.html
