{"id":4363,"date":"2025-08-13T11:18:30","date_gmt":"2025-08-13T11:18:30","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=4363"},"modified":"2025-08-13T11:18:30","modified_gmt":"2025-08-13T11:18:30","slug":"hackers-exploit-unpatched-erlang-otp-to-crack-ot-firewalls","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=4363","title":{"rendered":"Hackers exploit unpatched Erlang\/OTP to crack OT firewalls"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A max-severity remote code execution (RCE) issue affecting the SSH daemon (sshd) of Erlang\u2019s Open Telecom Platform (OTP) was exploited by attackers in the wild, days after a patch was issued in April 2025.<\/p>\n<p>According to Unit 42, attackers began exploiting the flaw, tracked as <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-32433\" target=\"_blank\" rel=\"noopener\">CVE-2025-32433<\/a>, as an N-day vulnerability between May 1 to May 9, 2025, with most activity targeting Operational Technology (OT) firewalls.<\/p>\n<p>Developed by Ericsson, Erlang is a functional, open-source programming language built for scalable, fault-tolerant systems, and its OTP framework delivers concurrency and self-healing features for high-availability environments, including telecommunications, messaging platforms, and industrial control systems.<\/p>\n<p>\u201cOT and 5G environments use Erlang\/OTP due to its fault-tolerance and scalability for high availability systems with minimal downtime,\u201d said Unit42 researchers in a blog post. \u201cDue to compliance and safety requirements, OT and 5G administrators tend to use Erlang\/OTP\u2019s native SSH implementation to remotely manage hosts, which makes CVE-2025-32433 a particular concern in these types of networks.\u201d<\/p>\n<h2 class=\"wp-block-heading\">OT networks in the crosshairs<\/h2>\n<p>Erlang\/OTP has a wider presence in industrial control systems, particularly in embedded appliances, networking gear, and middleware that bridges IT and OT networks.<\/p>\n<p>Unit 42 <a href=\"https:\/\/unit42.paloaltonetworks.com\/erlang-otp-cve-2025-32433\/\" target=\"_blank\" rel=\"noopener\">observed<\/a> that around 70% of exploitation attempts hit OT firewalls, many deployed in sectors such as healthcare, agriculture, media, and high-tech manufacturing. Between April 16 and May 9, 2025, their <a href=\"https:\/\/www.csoonline.com\/article\/569075\/the-10-most-powerful-cybersecurity-companies.html?utm=hybrid_search#:~:text=Palo%20Alto%20Networks:%20Platform%20pioneer%20positioning%20pays%20off\">Cortex<\/a> Xpanse scans detected 275 distinct hosts and 326 vulnerable Erlang\/OTP services exposed to the public internet.<\/p>\n<p>Geographically, the exploitation footprint spanned Japan, the US, the Netherlands, Ireland, Brazil, and Ecuador, with some regions seeing 100% of detected attacks targeting OT environments.<\/p>\n<p>\u201cThe real danger with CVE-2025-32433 is that it\u2019s not just an IT vulnerability: it is disproportionately affecting operational technology (OT) networks, and it\u2019s already actively showing up in systems tied to critical infrastructure,\u201d said April Lenhard, principal product manager at Qualys. \u201cMost known compromises involve OT assets that control physical processes like robotics, pumps, valves, or even safety systems. Exploitation could alter sensor readings, trigger outages, introduce safety risks, and cause physical damage.\u201d<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Flawed SSH logic led to RCE<\/h2>\n<p>The root of the problem lies in Erlang\/OTP\u2019s SSH daemon improperly processing certain secure shell (SSH) protocol messages, like \u2018SSH_MSG_CHANNEL_OPEN\u2019 and \u2018SSH_MSG_CHANNEL_REQUEST\u2019, before authentication completes. Under normal conditions, such messages should be rejected until after valid credentials are confirmed. Instead, OTP\u2019s SSH server treats them as legitimate, enabling unauthenticated remote code execution.<\/p>\n<p>This oversight in the SSH logic allowed remote attackers to execute arbitrary code without using a password. Threat actors can potentially use the RCE hack for attacks leading to the disclosure of sensitive information, addition or modification of data, and Denial of Service (<a href=\"https:\/\/www.csoonline.com\/article\/4037515\/win-ddos-researchers-unveil-botnet-technique-exploiting-windows-domain-controllers.html\">DoS<\/a>), according to a NetApp <a href=\"https:\/\/security.netapp.com\/advisory\/ntap-20250425-0001\/\">advisory<\/a>.<\/p>\n<p>\u201cThis vulnerability, if exploited, could have severe consequences on the organization, their network, and operations,\u201d said Thomas Richards, Infrastructure Security Practice Director at BlackDuck. \u201cThe attacker would have full control over the system, which can result in a compromise of sensitive information and allow them to compromise additional hosts within the network. It would also allow an attacker to disrupt the operations of any connected systems.\u201d<\/p>\n<p>For critical infrastructure, the stakes are even higher, as disruptions could affect vast segments of the public, he added.<\/p>\n<p>Making matters worse, public proof-of-concept (PoC) code <a href=\"https:\/\/www.csoonline.com\/article\/3966334\/public-exploits-already-available-for-a-severity-10-erlang-ssh-vulnerability-patch-now.html\">appeared<\/a> quickly after disclosure, ensuring that even less-skilled threat actors could weaponize the bug. While the vulnerability affected a subset of Erlang deployments, its impact was magnified in systems where SSH exposure was part of critical services. The vulnerability affected versions prior to fixed upgrades OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A max-severity remote code execution (RCE) issue affecting the SSH daemon (sshd) of Erlang\u2019s Open Telecom Platform (OTP) was exploited by attackers in the wild, days after a patch was issued in April 2025. According to Unit 42, attackers began exploiting the flaw, tracked as CVE-2025-32433, as an N-day vulnerability between May 1 to May [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":4364,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-4363","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4363"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4363"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4363\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/4364"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4363"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4363"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4363"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}