
Attackers are now actively exploiting a critical flaw in Erlang/OTP's SSH implementation (CVE-2025-32433), with most observed activity targeting operational technology (OT) environments. The flaw lets an unauthenticated attacker execute arbitrary code in the context of the SSH daemon, which can provide full access to the host and expose any systems the host manages.
CISA added the issue to its Known Exploited Vulnerabilities catalog in June, and Palo Alto Networks has since confirmed real-world exploitation: it reports a surge in malicious activity between May 1 and May 9, with 70% of observed attempts aimed at OT networks and most detections occurring in the United States. Unpatched instances of Erlang/OTP remain vulnerable, and the only mitigation that removes the flaw is upgrading to the patched releases.
Background on the Vulnerability
Erlang/OTP is a programming platform widely used for building distributed, fault-tolerant applications, and it ships its own SSH implementation (the ssh application) that provides secure remote access and administrative functions across a range of systems. In April 2025, security researchers disclosed CVE-2025-32433, a flaw in that SSH daemon that allows unauthenticated remote code execution.
The daemon processes SSH connection-protocol messages (such as channel open and channel request messages) before the client has authenticated, so an attacker who can reach the service can have commands executed with the privileges of the daemon process without presenting any credentials. If the Erlang node runs as root, that is full control of the host; either way, the foothold can serve as the starting point for deeper compromise of connected systems.
Scope and Severity
The flaw affects every Erlang/OTP release before OTP-27.3.3 on the 27 line, OTP-26.2.5.11 on the 26 line, and OTP-25.3.2.20 on the 25 line; earlier, unsupported release lines are also affected and have no fixed version. Any system running an impacted version with the Erlang ssh daemon started and reachable from untrusted networks is at risk. Note that the vulnerable component is OTP's own ssh application, not OpenSSH, and it is often bound to a port other than 22, so an inventory that only checks the system SSH server on port 22 will miss it.
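To triage an inventory against the version thresholds above, the following Python is an added example (not code from the article, Palo Alto Networks or the Erlang/OTP project). The three fixed versions are the ones named in this article; treating release lines older than 25 as affected and lines newer than 27 as already carrying the fix is an assumption made for the example, as is the constructed host list at the bottom. Note that `erlang:system_info(otp_release)` only returns the major release (e.g. "26"); the full version lives in the `OTP_VERSION` file under `releases/<major>/` in the OTP root.

```python
"""Classify Erlang/OTP version strings against the CVE-2025-32433 fix releases.

On a host, the full version can be read with (assumed working shell one-liners):
    ROOT=$(erl -noshell -eval 'io:format("~s", [code:root_dir()]), halt().')
    MAJOR=$(erl -noshell -eval 'io:format("~s", [erlang:system_info(otp_release)]), halt().')
    cat "$ROOT/releases/$MAJOR/OTP_VERSION"
"""
import re
from typing import Dict, List, Tuple

# Lowest patched version on each affected release line (from the article).
FIXED: Dict[int, Tuple[int, ...]] = {
    27: (27, 3, 3),
    26: (26, 2, 5, 11),
    25: (25, 3, 2, 20),
}


def parse_otp_version(text: str) -> Tuple[int, ...]:
    """Turn 'OTP-26.2.5.3', '26.2.5.3' or '26.2.5.3**' into a tuple of ints.

    A trailing '**' is OTP's marker for an installation that was patched with
    individual application updates; in that case the OTP version alone does not
    prove the ssh application was updated, so check the ssh app version on the
    host as well (application:load(ssh), application:get_key(ssh, vsn)).
    """
    m = re.search(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def _cmp(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Component-wise compare, padding the shorter tuple with zeros (27.3 == 27.3.0)."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def is_vulnerable(text: str) -> bool:
    v = parse_otp_version(text)
    major = v[0]
    if major in FIXED:
        return _cmp(v, FIXED[major]) < 0
    if major < 25:
        return True   # assumption: older, unsupported lines never received the fix
    return False      # assumption: lines released after the fix (28 and later) carry it


def hosts_needing_patch(inventory: Dict[str, str]) -> List[str]:
    """Return the hosts whose recorded OTP version is below the fix threshold."""
    return sorted(h for h, ver in inventory.items() if is_vulnerable(ver))


# Constructed sample inventory (host -> contents of its OTP_VERSION file).
SAMPLE_INVENTORY = {
    "plc-gateway-01": "26.2.5.3",
    "mqtt-broker-02": "OTP-27.3.3",
    "hmi-bridge-03":  "25.3.2.19",
    "legacy-rtu-04":  "24.3.4.17",
    "new-build-05":   "28.0",
}

if __name__ == "__main__":
    for host in hosts_needing_patch(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is below the fixed release, upgrade required")
```

A host is only exposed if the Erlang ssh daemon is actually started; the version check tells you which installations carry the bug, and a process or listening-port check tells you which of them are reachable.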
For OT environments, the danger is significant. A successful exploit could enable full host compromise, theft of sensitive operational data, or disruption of essential services. In sectors where uptime and safety are critical, such disruptions can have cascading effects on production, supply chains, and public safety.
“This vulnerability, if exploited, could have severe consequences on the organization, their network, and operations,” said Thomas Richards, Infrastructure Security Practice Director at Black Duck. “The attacker would have full control over the system, which can result in a compromise of sensitive information and allow them to compromise additional hosts within the network. It would also allow an attacker to disrupt the operations of any connected systems. This is additionally concerning for any critical infrastructure as the disruption could negatively impact large portions of the population. Addressing this vulnerability should be a top priority for any security team responsible for an OT network.”
Timeline of Events
Researchers disclosed the vulnerability in April 2025, and maintainers quickly released patches for the supported Erlang/OTP release lines.
By early May, Palo Alto Networks observed a marked increase in exploitation attempts: between May 1 and May 9 it recorded a surge in malicious activity targeting systems with exposed SSH services. On June 9, CISA added CVE-2025-32433 to its Known Exploited Vulnerabilities catalog, advising all affected organizations to apply updates without delay.
Attack Trends and Targeting
Analysis of the observed exploitation attempts revealed that 70% were directed at OT networks, and that most detections involved U.S.-based targets. The concentration on critical infrastructure suggests attackers may be seeking to disrupt essential services or gain leverage over strategically important sectors.
“The real danger with CVE-2025-32433 is that it’s not just an IT vulnerability: it is disproportionately affecting operational technology (OT) networks, and it’s already actively showing up in systems tied to critical infrastructure,” said April Lenhard, Principal Product Manager at Qualys. “Exploitation could alter sensor readings, trigger outages, introduce safety risks, and cause physical damage. By the time breaches are detected, attackers are often already inside the network through other means and simply moving laterally toward OT systems: this means they are exploiting the growing convergence of IT and OT systems to penetrate critical infrastructure across industries.”
Motives could range from state-sponsored disruption to financially motivated ransomware operations. In both cases, the targeting of OT systems reflects a recognition that these environments are often harder to secure and slower to patch.
Mitigation and Response
The most effective defense against CVE-2025-32433, and the only one that removes the flaw, is upgrading to one of the patched versions: OTP-27.3.3, OTP-26.2.5.11, or OTP-25.3.2.20, or any later release on the same line. Organizations should prioritize any host running an Erlang ssh daemon, especially those exposed to the internet or used in high-impact operational contexts. Delays in applying these updates leave a clear window of opportunity for attackers already scanning for unpatched instances.
For OT environments, additional measures include restricting SSH access to trusted management networks, enforcing multi-factor authentication for administrative access, and monitoring for anomalous connection patterns that could indicate intrusion attempts. Note that MFA does not block this particular flaw, because it is triggered before authentication completes; network restriction is the compensating control that matters here. Network segmentation can further contain potential compromises by isolating critical systems from less secure zones. Where immediate patching is not possible, stopping the Erlang ssh daemon where it is not needed, disabling other unnecessary services, and physically isolating vulnerable hosts can reduce exposure until updates can be applied.
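Finding the Erlang ssh daemons that are actually reachable is the first step of the access restriction described above. The following Python is an added example, not code from the article or the Erlang/OTP project: it parses the SSH identification exchange (RFC 4253 section 4.2) and flags servers announcing the `Erlang/<ssh application version>` software string that OTP's daemon sends by default. The assumptions are that the daemon has not overridden its `id_string` option (it can be set to a custom or random string, so a missing `Erlang/` banner is not proof of absence), that the version in the banner is the ssh application version rather than the OTP version (so patch status must still be confirmed on the host), and that the sample banners at the bottom are constructed for illustration.

```python
"""Inventory Erlang/OTP SSH daemons by their identification string."""
import re
import socket
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Default OTP daemon banner: "SSH-2.0-Erlang/<ssh app version>" (assumption: id_string not overridden)
ERLANG_ID = re.compile(r"^SSH-(?P<proto>[\d.]+)-Erlang/(?P<ssh_vsn>[\w.]+)")


@dataclass
class Banner:
    raw: str                        # the identification line, or "" if none was found
    proto: Optional[str]            # SSH protocol version, e.g. "2.0"
    erlang_ssh_vsn: Optional[str]   # ssh application version if the server is Erlang/OTP, else None

    @property
    def is_erlang(self) -> bool:
        return self.erlang_ssh_vsn is not None


def parse_identification(data: bytes) -> Banner:
    """Extract the identification line from what the server sent.

    RFC 4253 allows the server to send other CRLF-terminated lines before the
    one starting with "SSH-"; only that line is the identification string.
    """
    for line in data.decode("ascii", errors="replace").split("\n"):
        line = line.rstrip("\r")
        if not line.startswith("SSH-"):
            continue
        m = ERLANG_ID.match(line)
        if m:
            return Banner(line, m.group("proto"), m.group("ssh_vsn"))
        parts = line.split("-", 2)
        return Banner(line, parts[1] if len(parts) >= 3 else None, None)
    return Banner("", None, None)


def grab_banner(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Connect, send our own identification first (servers may wait for it), and
    read until the server's "SSH-" line has arrived or 4 KiB / timeout is hit."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"SSH-2.0-otp_inventory_check\r\n")
        while len(buf) < 4096:
            chunk = s.recv(1024)
            if not chunk:
                break
            buf += chunk
            if re.search(rb"(?:^|\n)SSH-[^\n]*\n", buf):
                break
    return buf


def find_erlang_ssh(targets: Iterable[Tuple[str, int]]) -> List[Tuple[str, int, str]]:
    """Return (host, port, ssh_app_version) for every reachable Erlang/OTP daemon."""
    found = []
    for host, port in targets:
        try:
            banner = parse_identification(grab_banner(host, port))
        except OSError:
            continue    # closed port, filtered, or timeout: not reachable from here
        if banner.is_erlang:
            found.append((host, port, banner.erlang_ssh_vsn))
    return found


# Constructed sample banners, as a scanner would receive them.
SAMPLE_BANNERS = {
    "plc-gateway-01:2222": b"SSH-2.0-Erlang/5.2.9\r\n",
    "jump-host-02:22":     b"SSH-2.0-OpenSSH_9.6\r\n",
    "hmi-bridge-03:8022":  b"Authorized use only\r\nSSH-2.0-Erlang/4.15.3.7\r\n",
}

if __name__ == "__main__":
    for target, data in SAMPLE_BANNERS.items():
        b = parse_identification(data)
        print(f"{target}: {'Erlang/OTP ssh ' + b.erlang_ssh_vsn if b.is_erlang else b.raw or 'no banner'}")
```

Run `find_erlang_ssh` against the management and OT address ranges, not just port 22, and treat every hit as a host whose `OTP_VERSION` must be checked and whose listener should be reachable only from the management network.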
Wider Security Implications
The active exploitation of CVE-2025-32433 reinforces a growing pattern: OT networks are becoming prime targets for threat actors seeking to disrupt essential services or gain strategic advantage. These environments often have unique operational requirements that can complicate patching, making them attractive to attackers.
The incident also highlights the ongoing challenges in securing remote-access infrastructure. SSH services, while essential for administration, can provide a direct path into critical systems if vulnerabilities remain unpatched or access controls are weak, and SSH servers embedded in application platforms such as Erlang/OTP are easy to overlook in an inventory that only tracks the system's OpenSSH service.
For security teams, the key lessons are clear. Vulnerability management must prioritize internet-facing and high-impact assets, with rapid patch deployment when fixes are available. Continuous monitoring for exploitation attempts is equally vital, as adversaries are quick to act once flaws are disclosed.