CVE-2025-32433: Maximum Severity Unauthenticated RCE Vulnerability in Erlang/OTP SSH

On 16 April 2025, fixes were released for a maximum severity vulnerability in Erlang/OTP SSH, CVE-2025-32433.

On 16 April 2025, fixes were released for a maximum severity vulnerability in Erlang/OTP SSH, CVE-2025-32433. Erlang/OTP SSH is a library within the Erlang/OTP platform, typically used in telecommunications, messaging, IoT, and distributed applications. CVE-2025-32433 allows unauthenticated remote threat actors to achieve remote code execution (RCE) in the SSH daemon. The issue arises from a flaw in SSH protocol message handling that allows protocol messages to be accepted and processed before authentication has completed.

If the SSH daemon is running with elevated privileges, such as root, threat actors can gain full control of the affected device, potentially leading to a complete system compromise. This could result in unauthorised access to sensitive data, manipulation of system resources by third parties, or denial-of-service (DoS) attacks. Users running an SSH server based on Erlang/OTP SSH should assume they are affected, especially if it is utilised for remote access. 

A day after the initial disclosure, security researchers posted on X that they were able to easily create an exploit for the vulnerability. On the same day, Platform Security released a technical blog along with a public proof-of-concept (PoC) exploit on GitHub, stating that the information gathered from a post on X was enough to recreate the exploit.

Potentially Affected Third-Party Software

Based on publicly available information, the following applications are known to utilise Erlang OTP, which may suggest that they are vulnerable to CVE-2025-32433. This list is provided on a best-effort basis and is not guaranteed to be complete.

Erlang is widely used in networking equipment that forms the backbone of the internet, and SSH is used to establish secure connections on the control plane managing many of those devices. This supply chain risk extends to industrial control systems (ICS) and operational technology (OT) devices, such as routers, switches, and smart sensors. In 2018, Cisco estimated that 90% of internet traffic transits through Erlang-controlled nodes. 

Please note that specific remediation steps will vary depending on the application affected. To minimise operational impact, please review vendor-specific guidance for remediation of this vulnerability and ensure that upgraded Erlang libraries are fully supported within each affected application. 

Ericsson
  • Products/Projects: Various Ericsson products intended for fault-tolerant distributed applications, including the AXD301 carrier-grade switch.
  • Details: Ericsson bundles Erlang versions within multiple products, but has not yet published guidance advising on products affected by CVE-2025-32433. If your organisation uses Ericsson products in your environment, check with the vendor directly to determine the full scope of affected products.

Cisco
  • Products/Projects: Network Services Orchestrator; Ultra Cloud Platform; ConfD
  • Details: Cisco bundles Erlang versions within multiple products, but has not yet published guidance advising on products affected by CVE-2025-32433. See product documentation for additional details, and check with the vendor directly to determine the full scope of affected products.

National Instruments
  • Products/Projects: SystemLink Server; LabVIEW NXG Web Module; FlexLogger; LabVIEW NXG; LabVIEW Application Builder Module; Package Manager
  • Details: Requires separate installation of Erlang OTP.

Broadcom
  • Products/Projects: RabbitMQ (Open Source)
  • Details: Requires separate installation of Erlang OTP. See the following resources for more details:

EMQ Technologies
  • Products/Projects: EMQX (Open Source)
  • Details: Depends on Erlang OTP 25, but no specific version is specified. See the following resource for more details: https://docs.emqx.com/en/emqx/latest/deploy/install-source.html#dependencies

Very Technology
  • Products/Projects: Nerves (Open Source)
  • Details: Requires separate installation of Erlang OTP.

Apache Software Foundation
  • Products/Projects: Apache CouchDB (Open Source)
  • Details: Requires separate installation of Erlang OTP.

Riak Technologies
  • Products/Projects: Riak KV (Open Source)
  • Details: Requires separate installation of Erlang OTP.

Recommendations for CVE-2025-32433

Upgrade to Latest Fixed Version

Arctic Wolf recommends that customers upgrade to the latest fixed version. 

Product: Erlang OTP

Affected Versions:
  • OTP-27.3.2 and prior
  • OTP-26.2.5.10 and prior
  • OTP-25.3.2.19 and prior

Fixed Versions:
  • OTP-27.3.3
  • OTP-26.2.5.11
  • OTP-25.3.2.20

Temporary Workaround: For users unable to immediately upgrade to a fixed version, Erlang recommends disabling the SSH server or restricting access using firewall rules. 

Please follow your organisation’s patching and testing guidelines to minimise potential operational impact. 
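To check an installed release against the version table above, the following is an added Python example (not Arctic Wolf's or the Erlang/OTP project's own tooling). It assumes the full version string is taken from the OTP_VERSION file shipped under releases/<major>/ in the Erlang install root, since the erl banner prints only the major release.

```python
"""Assess an Erlang/OTP version against the CVE-2025-32433 fixed releases.

Added example, not Arctic Wolf's or Erlang/OTP's own tooling. Feed it the
contents of the OTP_VERSION file (releases/<major>/OTP_VERSION under the
install root); the 'erl' banner alone only shows the major release.
"""
import re
import sys

# Fixed releases from the bulletin, keyed by OTP major release. Every
# release below the listed one on the same branch is affected.
FIXED_VERSIONS = {27: (27, 3, 3), 26: (26, 2, 5, 11), 25: (25, 3, 2, 20)}


def parse_otp_version(text):
    """Turn 'OTP-26.2.5.10' or a bare '26.2.5.10' line into an int tuple."""
    match = re.search(r"\b(\d+(?:\.\d+)*)\b", text)
    if not match:
        raise ValueError(f"no OTP version found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def assess(version):
    """Return (status, fixed_version); status is 'fixed', 'affected',
    'not_listed' (major newer than the bulletin) or 'incomplete'.
    Tuple comparison is element-wise, so (26, 2, 5) < (26, 2, 5, 11) and
    (27, 4) > (27, 3, 3), matching how OTP patch releases are ordered."""
    if len(version) < 2:
        return "incomplete", None  # only a major release, e.g. from 'erl'
    major = version[0]
    fixed = FIXED_VERSIONS.get(major)
    if fixed is None:
        if major < min(FIXED_VERSIONS):
            # Older than OTP 25: 'OTP-25.3.2.19 and prior' covers it and no fix
            # exists on its branch, so the oldest fixed branch is the target.
            return "affected", FIXED_VERSIONS[min(FIXED_VERSIONS)]
        return "not_listed", None
    return ("fixed" if version >= fixed else "affected"), fixed


def fmt(version):
    return "OTP-" + ".".join(str(part) for part in version)


if __name__ == "__main__":
    raw = sys.argv[1] if len(sys.argv) > 1 else sys.stdin.read()
    found = parse_otp_version(raw)
    status, fixed = assess(found)
    print(f"{fmt(found)}: {status}" + (f" (fixed in {fmt(fixed)})" if fixed else ""))
```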

Monitor Vendor Security Updates

While fixes for Erlang/OTP SSH are now available, the security patch is not automatically applied to software products that use Erlang/OTP SSH. The best method for remediating this vulnerability in third-party software products is to apply the official security updates from the vendor of each affected software product.

Arctic Wolf recommends monitoring software vendor advisories for security updates and applying the available security updates promptly. 
