Hackers exploit unpatched Erlang/OTP to crack OT firewalls

A max-severity remote code execution (RCE) issue affecting the SSH daemon (sshd) of Erlang’s Open Telecom Platform (OTP) was exploited by attackers in the wild, days after a patch was issued in April 2025.

According to Unit 42, attackers began exploiting the flaw, tracked as CVE-2025-32433, as an N-day vulnerability between May 1 and May 9, 2025, with most activity targeting Operational Technology (OT) firewalls.

Developed by Ericsson, Erlang is a functional, open-source programming language built for scalable, fault-tolerant systems, and its OTP framework delivers concurrency and self-healing features for high-availability environments, including telecommunications, messaging platforms, and industrial control systems.

“OT and 5G environments use Erlang/OTP due to its fault-tolerance and scalability for high availability systems with minimal downtime,” said Unit 42 researchers in a blog post. “Due to compliance and safety requirements, OT and 5G administrators tend to use Erlang/OTP’s native SSH implementation to remotely manage hosts, which makes CVE-2025-32433 a particular concern in these types of networks.”

OT networks in the crosshairs

Erlang/OTP has a wide presence in industrial control systems, particularly in embedded appliances, networking gear, and middleware that bridges IT and OT networks.

Unit 42 observed that around 70% of exploitation attempts hit OT firewalls, many deployed in sectors such as healthcare, agriculture, media, and high-tech manufacturing. Between April 16 and May 9, 2025, their Cortex Xpanse scans detected 275 distinct hosts and 326 vulnerable Erlang/OTP services exposed to the public internet.

Geographically, the exploitation footprint spanned Japan, the US, the Netherlands, Ireland, Brazil, and Ecuador, with some regions seeing 100% of detected attacks targeting OT environments.

“The real danger with CVE-2025-32433 is that it’s not just an IT vulnerability: it is disproportionately affecting operational technology (OT) networks, and it’s already actively showing up in systems tied to critical infrastructure,” said April Lenhard, principal product manager at Qualys. “Most known compromises involve OT assets that control physical processes like robotics, pumps, valves, or even safety systems. Exploitation could alter sensor readings, trigger outages, introduce safety risks, and cause physical damage.”

Flawed SSH logic led to RCE

The root of the problem lies in Erlang/OTP’s SSH daemon improperly processing certain secure shell (SSH) protocol messages, like ‘SSH_MSG_CHANNEL_OPEN’ and ‘SSH_MSG_CHANNEL_REQUEST’, before authentication completes. Under normal conditions, such messages should be rejected until after valid credentials are confirmed. Instead, OTP’s SSH server treats them as legitimate, enabling unauthenticated remote code execution.

This oversight in the SSH logic allowed remote attackers to execute arbitrary code without using a password. Threat actors can potentially use the RCE flaw for attacks leading to the disclosure of sensitive information, addition or modification of data, and denial of service (DoS), according to a NetApp advisory.
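The pre-authentication check that should have rejected those messages can be sketched as a small server-side gate. This is an added example, not code from Erlang/OTP or Unit 42: the `Session` class and the `gate` and `frame` helpers are hypothetical names, the message numbers are those assigned in RFC 4250, and the sample packets are constructed.

```python
import struct

# Message numbers assigned in RFC 4250, section 4.1
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_REQUEST = 98
CONNECTION_PROTOCOL_MIN = 80  # 80-127: connection protocol, valid only after auth

def message_number(packet: bytes) -> int:
    """Message number of one plaintext SSH binary packet (RFC 4253, section 6)."""
    if len(packet) < 6:
        raise ValueError("truncated packet")
    packet_length, padding_length = struct.unpack(">IB", packet[:5])
    if packet_length != len(packet) - 4 or packet_length - padding_length - 1 < 1:
        raise ValueError("malformed packet")
    return packet[5]  # first payload byte

class Session:
    """Hypothetical per-connection state kept by an SSH server (assumption)."""
    def __init__(self) -> None:
        self.authenticated = False

    def gate(self, packet: bytes) -> str:
        """Return 'accept' or 'disconnect' for an incoming client packet.

        Only the pre-auth rule is modelled; a real server also checks
        transport and userauth messages against its current state.
        """
        try:
            msg = message_number(packet)
        except ValueError:
            return "disconnect"
        if msg >= CONNECTION_PROTOCOL_MIN and not self.authenticated:
            return "disconnect"  # channel traffic before auth completes
        return "accept"

def frame(msg: int, body: bytes = b"") -> bytes:
    """Build a constructed plaintext packet for the demo (not captured traffic)."""
    payload = bytes([msg]) + body
    pad = 8 - (5 + len(payload)) % 8
    if pad < 4:
        pad += 8
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + bytes(pad)

if __name__ == "__main__":
    s = Session()
    for name, msg in [("USERAUTH_REQUEST", 50), ("CHANNEL_OPEN", 90), ("CHANNEL_REQUEST", 98)]:
        print(name, "before auth:", s.gate(frame(msg, b"constructed")))
    s.authenticated = True
    print("CHANNEL_OPEN after auth:", s.gate(frame(SSH_MSG_CHANNEL_OPEN)))
```

The same rule works as a detection heuristic on a server that logs decoded message types: any message numbered 80 or higher seen before authentication succeeds is worth an alert.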

“This vulnerability, if exploited, could have severe consequences on the organization, their network, and operations,” said Thomas Richards, Infrastructure Security Practice Director at BlackDuck. “The attacker would have full control over the system, which can result in a compromise of sensitive information and allow them to compromise additional hosts within the network. It would also allow an attacker to disrupt the operations of any connected systems.”

For critical infrastructure, the stakes are even higher, as disruptions could affect vast segments of the public, he added.

Making matters worse, public proof-of-concept (PoC) code appeared quickly after disclosure, ensuring that even less-skilled threat actors could weaponize the bug. While the vulnerability affected a subset of Erlang deployments, its impact was magnified in systems where SSH exposure was part of critical services. The vulnerability affected versions prior to the fixed releases OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20.
