- Security researchers find a 10/10 flaw in Erlang/OTP SSH
- Horizon3’s attack team says that the flaw is “surprisingly easy” to exploit
- A patch is available, so users should update now
Erlang/OTP SSH, a set of libraries for the Erlang programming language, contains a maximum-severity vulnerability that allows remote code execution and is “surprisingly easy” to exploit, researchers warn.
A team of cybersecurity researchers from Ruhr University Bochum (Germany) recently discovered improper handling of pre-authentication protocol messages, which affects all versions of Erlang/OTP SSH. The flaw is tracked as CVE-2025-32433 and carries a severity score of 10/10 (critical).
Erlang/OTP SSH is a module within the Erlang/OTP standard library that provides support for implementing Secure Shell (SSH) clients and servers in Erlang applications.
Remote code execution
Erlang is a functional programming language and runtime system designed for building highly concurrent, distributed and fault-tolerant systems. It was originally developed by Ericsson for use in telecommunications, but its use has expanded to messaging systems, databases and other applications where uptime and scalability are critical.
“The problem is caused by a failure in the management of SSH protocol messages that allows an attacker to send connection protocol messages before authentication,” reads an advisory on the Openwall vulnerability mailing list.
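The invariant the advisory describes as broken, as an added example (not Erlang/OTP code and not the project's patch): connection-protocol messages, numbered 80 to 127 in RFC 4250, are acceptable only after the server has sent SSH_MSG_USERAUTH_SUCCESS. `ServerSession`, `first_violation` and the sample traces are hypothetical and constructed for illustration; the traces assume a server-side log of decoded message numbers.

```python
# Added illustration; not Erlang/OTP code. Message numbers per RFC 4250/4252/4254.
SSH_MSG_USERAUTH_SUCCESS = 52
CONNECTION_RANGE = range(80, 128)  # connection-protocol messages (channels etc.)


class PreAuthViolation(Exception):
    """A connection-protocol message arrived before authentication completed."""


class ServerSession:
    """Hypothetical per-connection gate a server applies to inbound payloads."""

    def __init__(self):
        self.authenticated = False

    def mark_authenticated(self):
        # Call only after the server has sent SSH_MSG_USERAUTH_SUCCESS.
        self.authenticated = True

    def check_inbound(self, payload: bytes) -> int:
        """Return the message number, or raise if it is not allowed yet."""
        if not payload:
            raise ValueError("empty SSH payload")
        msg = payload[0]  # first payload byte is the SSH message number
        if msg in CONNECTION_RANGE and not self.authenticated:
            raise PreAuthViolation(f"message {msg} received before authentication")
        return msg


def first_violation(events):
    """Scan (direction, msg_number) pairs from a decoded server-side trace.

    Returns the index of the first client ("C") connection-protocol message
    seen before the server ("S") sent USERAUTH_SUCCESS, or None if clean.
    """
    authed = False
    for i, (direction, msg) in enumerate(events):
        if direction == "S" and msg == SSH_MSG_USERAUTH_SUCCESS:
            authed = True
        elif direction == "C" and msg in CONNECTION_RANGE and not authed:
            return i
    return None


# Constructed traces: KEXINIT=20, NEWKEYS=21, KEXDH=30/31, SERVICE=5/6,
# USERAUTH_REQUEST=50, CHANNEL_OPEN=90, CHANNEL_REQUEST=98.
NORMAL = [("C", 20), ("S", 20), ("C", 30), ("S", 31), ("C", 21), ("S", 21),
          ("C", 5), ("S", 6), ("C", 50), ("S", 52), ("C", 90), ("C", 98)]
SUSPECT = [("C", 20), ("S", 20), ("C", 90), ("C", 98)]
```

A server that enforces this gate disconnects on the violation; a session log where `first_violation` returns an index is worth investigating on any host that ran an unpatched version.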
Shortly after the news appeared, security researchers from the Horizon3 attack team tried to reproduce the flaw and found that it was “surprisingly easy”, which should be a cause for concern.
“I just finished reproducing CVE-2025-32433 and putting together a quick, surprisingly easy exploit,” the team said on X. “I would not be surprised if public PoCs begin to drop soon. If you are tracking this, now is the time to take action.”
Taking action means applying the patch that is now available and mitigates the risk. Since all previous versions are vulnerable, all users are advised to update to versions 25.3.2.10 and 26.2.4.
Threat actors are more active in the short window between a patch being released and users applying it. Most organizations are not especially diligent when it comes to patching, which gives cybercriminals a relatively easy avenue for exploitation.
Via BleepingComputer