Patch now! Attacks on Erlang/OTP SSH may be imminent
SSH servers built on Erlang/OTP SSH can be attacked through a critical vulnerability carrying the maximum severity rating. Security patches are available.
Because exploit code for a "critical" vulnerability in Erlang/OTP SSH is in circulation, attacks could occur in the near future. If attackers successfully exploit the vulnerability, they can compromise systems by executing malicious code.
The Erlang/OTP SSH libraries allow developers to add SSH client and server functionality to applications written in the Erlang programming language for remote access.
Dangerous gap
A security advisory states that the vulnerability (CVE-2025-32433) carries the highest possible CVSS score of 10 out of 10. Attacks are said to be possible remotely and without authentication.
In an article, the discoverers of the vulnerability from Ruhr University Bochum state that all applications that use Erlang/OTP SSH are probably at risk. The security problem lies in the processing of SSH protocol messages: at this point, attackers can send connection protocol messages before authentication has taken place.
This can lead to denial-of-service conditions, but malicious code can also be introduced onto systems, which attackers can then execute with the privileges of the SSH daemon. If the daemon runs with root rights, the consequences are fatal.
Patch now!
Exploit code that attackers can use to attack computers is now in circulation. So far there are no reports that attackers have already exploited the vulnerability, but that could change quickly.
Admins should ensure that one of the fixed versions is installed: OTP-27.3.3, OTP-26.2.5.11 or OTP-25.3.2.20. If a patch cannot be installed immediately, SSH access should be restricted via firewall rules.
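To check an installation against the fixed versions named above, here is an added example (not from the article or the Erlang/OTP project) that compares an OTP version string with the fixed release of its major line; the `installed_otp_version` helper assumes `erl` is on the PATH and that the release's `OTP_VERSION` file lives under `<root_dir>/releases/<otp_release>/`.

```python
"""Check whether an Erlang/OTP release carries the CVE-2025-32433 fix."""
import re
import subprocess
from pathlib import Path

# Fixed releases named in the advisory, keyed by major line.
FIXED = {
    27: (27, 3, 3),
    26: (26, 2, 5, 11),
    25: (25, 3, 2, 20),
}


def parse_version(text):
    """Turn 'OTP-26.2.5.11' or '26.2.5.11' into a tuple of ints."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no OTP version found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_patched(version):
    """True if the release is at or above the fixed version of its major line.

    Major lines without a named fix (for example 24.x) return False: the
    advisory lists no patched release for them, so the safe answer is
    'upgrade to one of the fixed lines'.
    """
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    fixed = FIXED.get(v[0])
    if fixed is None:
        return False
    # Tuple comparison handles differing lengths: (26, 2, 5) < (26, 2, 5, 11).
    return v >= fixed


def installed_otp_version():
    """Read the OTP_VERSION file of the local release (assumed layout)."""
    script = ('io:format("~s ~s", [code:root_dir(), '
              'erlang:system_info(otp_release)]), halt().')
    out = subprocess.check_output(["erl", "-noshell", "-eval", script], text=True)
    root, release = out.split()
    return Path(root, "releases", release, "OTP_VERSION").read_text().strip()


if __name__ == "__main__":
    current = installed_otp_version()
    print(f"OTP {current}: {'patched' if is_patched(current) else 'VULNERABLE'}")
```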
(des)