Erlang/OTP plays a major role in telecom and distributed systems, enabling easy creation of concurrent, fault-tolerant, and robust systems. Erlang/OTP SSH is the most popular protocol for remote access management, and its compromise represents a significant threat to many users and organizations.
A critical vulnerability in the Erlang/OTP SSH server was discovered by Ruhr University Bochum researchers and disclosed on April 16th, 2025. The disclosure and official advisory revealed that the vulnerability, CVE-2025-32433, can enable attackers to carry out unauthorized remote code execution (RCE) if it remains unpatched. The vulnerability affects all users running the Erlang/OTP SSH server and should be patched immediately.
The Technical Flaw
The vulnerability in the Erlang/OTP SSH server is due to a flaw in the SSH protocol’s message handling, enabling a malicious actor to send connection protocol messages without prior authentication. Multiple proof-of-concept exploits are now public and are said to be “surprisingly easy,” increasing the risk of catastrophic attacks if the flaw goes unpatched.
All users of Erlang/OTP SSH systems should assume the flaw affects them and move to update to the fixed version of the software and mitigate risk immediately. This vulnerability could allow complete system takeover. It is similar to previous issues with protocol parsing, such as the Heartbleed flaw in OpenSSL. When significant and widely used systems are compromised like this, it can cause extensive damage.
Impact and Exploitation Scenarios
The potential of RCE attacks from unauthorized actors presents a significant risk for a wide range of Erlang/OTP SSH users. The vulnerability could allow attackers to completely compromise systems if the SSH daemon runs with elevated privileges, including root, admin, and superuser privileges. This could enable threat actors to exfiltrate or destroy sensitive data, hijack entire systems, and carry out denial-of-service (DoS) attacks.
“Remote code execution (RCE) vulnerabilities require immediate attention from corporate security teams,” says Thomas Richards, Infrastructure Security Practice Director at Black Duck, a Burlington, Massachusetts-based provider of application security solutions. This vulnerability “is as severe as it gets since SSH systems are often exposed to the internet for remote access.”
Why This Matters
Erlang/OTP is extremely widely used by organizations across a broad range of sectors and geographic locations, including many high-availability systems like telecom and messaging platforms. “A majority of Cisco and Ericsson devices run Erlang,” according to Mayuresh Dani, Security Research Manager, at Qualys Threat Research Unit. “Any service using Erlang/OTP’s SSH library for remote access such as those used in OT/IoT devices, edge computing devices are susceptible to exploitation.”
The far-reaching presence of Erlang/OTP systems means that the potential impact of this critical vulnerability is extremely high. The type of flaw adds to the risk as well, because protocol-level bugs are often overlooked in favor of application-level bugs that are more likely to cause immediate problems. However, these protocol issues pose a significant danger, exacerbated further due to being underestimated and more obscure.
Response and Mitigation
Erlang moved to mitigate the flaw, and versions 25.3.2.10, 26.2.4, and 27.3.3 contain fixes for the critical vulnerability. However, it may be difficult for many systems to implement these updates, as Erlang/OTP forms the backbone of widespread telecom infrastructure, databases, and high-availability systems. Organizations hoping to patch the vulnerability and protect against the risks associated with it may have to disrupt certain operations in order to implement the necessary updates.
Organizations are encouraged to take steps to reduce the dangers of this flaw by temporarily disabling the SSH daemon to prevent compromise, applying relevant patches as early as possible, and auditing their systems to identify signs of exploitation. If it is discovered that compromise or exploitation occurred, further action may be required to mitigate the potential damage.
A Wake-Up Call for Protocol Hygiene
Security teams and developers should take lessons away from this critical vulnerability. Protocol hygiene is crucial and often overlooked to prioritize application-level security and flaws. A vulnerability like this in such a widely used server should serve to drive home the importance of paying attention to protocol-level flaws. It is crucial to prioritize formal verification procedures and fuzz testing in protocol stacks to find and remediate flaws like this that can cause significant damage. The resurgence of protocol-level attacks is a broader industry trend that organizations, security experts, and software developers must account for.
Conclusion
This Erlang/OTP SSH vulnerability has a CVSS score of 10, the highest score possible for a CVE. The risk of compromise is extreme and can have far-reaching impacts if the vulnerability is not patched in a timely manner and sufficiently mitigated. The Erlang/OTP SSH is a pillar of many large and complex systems, and such a grave vulnerability poses a significant threat to a wide range of organizations and their operations. Proactive remediation and improved SSH hygiene are vital for organizations to protect against flaws like this before they become major security incidents.
