Security researchers at Ruhr University Bochum discovered a security vulnerability in the Erlang/Open Telecom Platform (OTP) SSH implementation. Tracked as CVE-2025-32433, the vulnerability has a critical severity rating with a CVSS score of 10. Successful exploitation of the vulnerability may allow an attacker with network access to an Erlang/OTP SSH server to execute arbitrary code without prior authentication.
Erlang/OTP is a powerful programming language and runtime system for building scalable and fault-tolerant systems, especially those with concurrency and distribution requirements. OTP (Open Telecom Platform) is a collection of libraries, tools, and design principles that build upon the Erlang language to provide a robust framework for developing such applications.
A quick search revealed more than 2,039,000 publicly available targets on Fofa at the time of writing.
Vulnerability Details
An attacker may exploit the vulnerability to execute arbitrary code in the context of the SSH daemon. If the SSH daemon is running as root, the attacker gains full control of the host. Consequently, this vulnerability may lead to a complete compromise of affected hosts, allowing third parties to access and manipulate sensitive data or to mount denial-of-service attacks.
Affected Versions
- Erlang SSH server versions before 4.15.3.12
- Erlang SSH server versions before 5.1.4.8
- Erlang SSH server versions before 5.2.10
Mitigation
Customers must upgrade the Erlang SSH application to the fixed version for the release line they are running:
- Erlang SSH server version 4.15.3.12
- Erlang SSH server version 5.1.4.8
- Erlang SSH server version 5.2.10
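To turn the version lists above into a check that can be run over an asset inventory, here is an added example (it is not Qualys code nor part of Erlang/OTP): it maps an installed ssh application version to the fixed release of its maintenance line and reports whether the fix is present. The hostnames and version strings in the sample inventory are constructed, and the `erl` one-liner in the comment is the assumed way to read the version from a live node.

```python
# Added example (not Qualys or Erlang/OTP code): classify Erlang ssh
# application versions against the fixed releases for CVE-2025-32433.
# The installed version can be read from a node with, for example:
#   erl -noshell -eval 'application:load(ssh), {ok,V}=application:get_key(ssh,vsn), io:format("~s~n",[V]), halt().'
from typing import Dict, Tuple

# Fixed ssh application versions from the advisory, keyed by the
# maintenance line they belong to. Anything at or above 5.2.10
# (including later lines such as 5.3.x) is treated as patched.
FIXED = {
    (4, 15, 3): (4, 15, 3, 12),
    (5, 1, 4): (5, 1, 4, 8),
}
LATEST_FIXED = (5, 2, 10)


def parse_version(vsn: str) -> Tuple[int, ...]:
    """Turn a version string such as '5.1.4.7' or 'ssh-5.1.4.7' into a tuple."""
    vsn = vsn.strip()
    if vsn.startswith("ssh-"):
        vsn = vsn[4:]
    return tuple(int(p) for p in vsn.split("."))


def is_patched(vsn: str) -> bool:
    """True if the given ssh application version contains the fix."""
    v = parse_version(vsn)
    if v >= LATEST_FIXED:
        return True
    for line, fixed in FIXED.items():
        if v[:3] == line:  # maintenance line: compare within that line only
            return v >= fixed
    # Versions on an older line with no backported fix (e.g. 5.0.x) are
    # vulnerable and need an upgrade to a fixed line.
    return False


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> 'patched' / 'VULNERABLE' for a {host: version} inventory."""
    return {host: ("patched" if is_patched(vsn) else "VULNERABLE")
            for host, vsn in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {"node-a": "5.2.9", "node-b": "ssh-5.1.4.8", "node-c": "4.15.3.11",
              "node-d": "5.3.1", "node-e": "5.0.1"}
    for host, status in triage(sample).items():
        print(f"{host:8} {sample[host]:12} {status}")
```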
For more information, please refer to the Erlang SSH Security Advisory.
Qualys Detection
Qualys customers can scan their devices with QIDs 38980 and 383129 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://www.openwall.com/lists/oss-security/2025/04/16/2
https://www.erlang.org/doc/apps/ssh/notes.html#ssh-5-2-10