CVE-2025-32433, an unauthenticated remote code execution vulnerability in the Erlang/OTP SSH server, was announced yesterday. From the description:
A serious vulnerability has been identified in the Erlang/OTP SSH server that may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials.
All users running the Erlang/OTP SSH server are impacted by this vulnerability, regardless of the underlying Erlang/OTP version. If your application provides SSH access using the Erlang/OTP SSH library, assume you are affected.
Affected versions     Patched versions
<= OTP-27.3.2         OTP-27.3.3
<= OTP-26.2.5.10      OTP-26.2.5.11
<= OTP-25.3.2.19      OTP-25.3.2.20
On the GitHub security page for Erlang/OTP, the severity is rated 10/10 (critical), meaning that if you are running an application that exposes Erlang's SSH daemon to the public internet, anyone who knows how to exploit this vulnerability can compromise your server without credentials. An exploit has been published.
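A quick way to turn the advisory table into a check you can run against your own hosts. This is an added example, not code from the advisory or from the Erlang/OTP project; it assumes the full OTP version is read from the `OTP_VERSION` file that OTP installations ship under `<root>/releases/<otp_release>/`, and it treats branches older than OTP 25 (no patched release listed) as affected, per the advisory's "assume you are affected" guidance. Majors newer than the table covers are reported as `unlisted` rather than guessed at.

```python
import os
import re

# Patched versions from the advisory table, keyed by major release.
# Anything strictly below the patched version on the same branch is affected.
PATCHED = {
    27: (27, 3, 3),
    26: (26, 2, 5, 11),
    25: (25, 3, 2, 20),
}


def parse_otp_version(text):
    """Turn 'OTP-26.2.5.10', '26.2.5.10' or 'OTP 26.2.5.10' into a tuple of ints."""
    m = re.search(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def classify(version_text):
    """Classify a version string as 'affected', 'patched', 'unsupported' or 'unlisted'.

    Python compares tuples element-wise, so (27, 3) < (27, 3, 3) and
    (26, 2, 5, 10) < (26, 2, 5, 11), which matches the '<=' rows of the table.
    """
    version = parse_otp_version(version_text)
    major = version[0]
    if major in PATCHED:
        return "patched" if version >= PATCHED[major] else "affected"
    if major < min(PATCHED):
        # No fix is listed for OTP 24 and older; the advisory says to assume impact.
        return "unsupported"
    # Assumption: majors newer than the table are outside this advisory's scope.
    return "unlisted"


def read_installed_version(root_dir, otp_release):
    """Read the full version of a local install, e.g. root_dir='/usr/lib/erlang',
    otp_release='26' (the value of erlang:system_info(otp_release))."""
    path = os.path.join(root_dir, "releases", str(otp_release), "OTP_VERSION")
    with open(path, encoding="ascii") as f:
        return f.read().strip()


if __name__ == "__main__":
    # Constructed sample inputs covering each branch boundary in the table.
    for sample in ["OTP-27.3.2", "27.3.3", "26.2.5.10", "26.2.5.11",
                   "25.3.2.19", "25.3.2.20", "24.3.4", "27.3"]:
        print(f"{sample:>12}: {classify(sample)}")
```

`erlang:system_info(otp_release)` only returns the major release, which is why the full version has to come from the `OTP_VERSION` file (or from `erl -noshell` printing the contents of that file). On the boxes that matter, also confirm the `ssh` application is actually started; a patched library that is not listening is not the one you need to worry about, and an old one that is listening on a public interface is.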
continue reading on paraxial.io
⚠️ This post links to an external website. ⚠️
If this post was enjoyable or useful for you, please share it! If you have comments, questions, or feedback, you can send them to my personal email. To get new posts, subscribe using the RSS feed.