CVE-2025-32433
Confirmed PUBLISHEDErlang/OTP SSH Vulnerable to Pre-Authentication RCE
1 day faster than CISA KEV
Recommended Action
Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.
At a Glance
Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials. This issue is patched in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. A temporary workaround involves disabling the SSH server or to prevent access via firewall rules.
- CVE Published
- Apr 16, 2025
- Exploitation Reported
- Jun 01, 2026
- CVSS
- 10.0 Critical
- EPSS
- 97.7%
Affected Versions
| Vendor | Product | Version | Status |
|---|---|---|---|
| erlang |
otp
|
>= OTP-27.0-rc1, < OTP-27.3.3 |
Affected |
| erlang |
otp
|
>= OTP-26.0-rc1, < OTP-26.2.5.11 |
Affected |
| erlang |
otp
|
< OTP-25.3.2.20 |
Affected |
CVE References
- https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2 github.com · CVE Record https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2
- https://github.com/erlang/otp/commit/0fcd9c56524b28615e8ece65fc0c3f66ef6e4c12 github.com · CVE Record https://github.com/erlang/otp/commit/0fcd9c56524b28615e8ece65fc0c3f66...
- https://github.com/erlang/otp/commit/6eef04130afc8b0ccb63c9a0d8650209cf54892f github.com · CVE Record https://github.com/erlang/otp/commit/6eef04130afc8b0ccb63c9a0d8650209...
- https://github.com/erlang/otp/commit/b1924d37fd83c070055beb115d5d6a6a9490b891 github.com · CVE Record https://github.com/erlang/otp/commit/b1924d37fd83c070055beb115d5d6a6a...
Recommended Actions
- Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.
- Check enrichment artifacts for scanner coverage and available PoCs before rolling remediation validation.
- Use the Pro API to automate enrichment, telemetry, and workflow delivery for VM, SOC, and CTI pipelines.
Known Exploited Vulnerability Sources
Catalogues that list this CVE as a known exploited vulnerability.
Per-source evidence links for KEV attestations are available through the KEVIntel Pro API.
Learn about Pro API access| Source | Added |
|---|---|
| CVE First | 2026-06-01 10:32 UTC |
| CISA | 2026-06-02 14:07 UTC |
Scanner Artifacts
Nuclei and Metasploit references linked to this CVE.
| Scanner | Reference | Detected |
|---|---|---|
| Metasploit | https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/ssh/ssh_erlangotp_rce.rb | Jun 09, 2025 |
Virtual Patch
Compensating WAF rules to help reduce exposure to this CVE. Rule content and deployable vendor exports are available with KEVIntel Enterprise.
KEVIntel does not currently have a virtual patch for this CVE. When available, KEVIntel virtual patches ship as deployable ModSecurity, Cloudflare, and AWS WAF rules.
Enterprise feature. Virtual patch rule content and deployable vendor exports (ModSecurity, Cloudflare, AWS WAF) are available to KEVIntel Enterprise users.
CVSS Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploitation Status
Exploited in the wild
Recorded 2026-06-01 13:30:39 UTC · CISA
Proof of concept available
Recorded 2025-04-24 21:14:12 UTC · GitHub
Weaknesses (CWE)
-
Missing Authentication for Critical Function
Scanner Integrations
| Scanner | Reference | Detected |
|---|---|---|
| Metasploit | https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/ssh/ssh_erlangotp_rce.rb | Jun 09, 2025 |
Recent Mentions
Tenable Blog · Apr 25, 2025
Timely vulnerability remediation is an ongoing challenge for organizations as they struggle to prioritize the exposures that represent the greatest risk to their operations. Existing scoring systems are invaluable but can lack context. Here’s how Tenable’s Vulnerability Watch classification system can help.BackgroundOver the past six years working in Tenable’s research organization, I’ve watched known vulnerabilities and zero-day flaws plague organizations in the immediate aftermath of disclosure or even years afterwards. Following each blog post or threat report we’ve published, I kept coming back to the same question: Why are so many organizations struggling to remediate vulnerabilities in a timely manner?As someone who followed the evolution of COVID-19 variants throughout the beginning of the pandemic, I saw that the World Health Organization (WHO) began to label new variants under a classification system as the virus began to mutate. This classification system was designed to help prioritization efforts for monitoring and research. It included accessible labels like variants of interest and variants of concern to help communicate urgency and focus global attention.I began to wonder: What if we borrowed from the same type of classification system used by the WHO and applied it to vulnerability intelligence? Numeric-based systems like the Common Vulnerability Scoring System (CVSS) and Exploit Prediction Scoring System (EPSS) provide mechanisms for prioritization based on scoring. However, they don’t always provide enough context to help decision makers. So, what if we used simple, clear and status-based terminology to communicate risks surrounding vulnerabilities in order to guide action?This led us to develop Vulnerability Watch, a classification system for vulnerabilities inspired by the WHO’s classification of COVID-19 variants. Vulnerability Watch is a small, but important part of Tenable’s Vulnerability Intelligence offering that was launched in 2024. Now,…
Cisco Security Advisory · Apr 25, 2025
On April 16, 2025, a critical vulnerability in the Erlang/OTP SSH server was disclosed. This vulnerability could allow an unauthenticated, remote attacker to perform remote code execution (RCE) on an affected device. The vulnerability is due to a flaw in the handling of SSH messages during the authentication phase. For a description of this vulnerability, see the Erlang announcement. This advisory will be updated as additional information becomes available. This advisory is available at the following link:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-erlang-otp-ssh-xyZZy Security Impact Rating: Critical CVE: CVE-2025-32433
Potential Proof of Concepts
These PoCs are unverified and could contain malware. Use at your own risk.
github · Created 2025-04-27 02:18:55 UTC · 0 stars
CVE-2025-32433 Summary and Attack Overview
github · Created 2025-04-25 15:57:40 UTC · 1 stars
Erlang OTP SSH NSE Discovery Script
github · Created 2025-04-25 15:31:21 UTC · 1 stars
CVE-2025-32433 Erlang/OTP SSH RCE Exploit SSH远程代码执行漏洞EXP
github · Created 2025-04-24 21:14:12 UTC · 0 stars
CVE-2025-32433 https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2
github · Created 2025-04-24 13:22:06 UTC · 0 stars
CVE lab to accompany CVE course for CVE-2025-32433
github · Created 2025-04-23 20:12:50 UTC · 0 stars
This Python script exploits the CVE-2025-32433 vulnerability in certain versions of the Erlang SSH daemon.
github · Created 2025-04-19 18:32:34 UTC · 0 stars
Go-based exploit for CVE-2025-32433
github · Created 2025-04-18 21:11:44 UTC · 8 stars
The vulnerability allows an attacker with network access to an Erlang/OTP SSH server to execute arbitrary code without prior authentication.
github · Created 2025-04-18 15:06:12 UTC · 1 stars
Erlang/OTP SSH 远程代码执行漏洞
github · Created 2025-04-18 10:53:19 UTC · 3 stars
Missing Authentication for Critical Function (CWE-306)-Exploit
github · Created 2025-04-18 10:30:52 UTC · 0 stars
Security research on Erlang/OTP SSH CVE-2025-32433.
github · Created 2025-04-18 09:56:23 UTC · 0 stars
github · Created 2025-04-18 02:32:41 UTC · 1 stars
github · Created 2025-04-18 00:35:11 UTC · 85 stars
CVE-2025-32433 https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2
Timeline
Key exploitation, disclosure, scanner coverage, and KEV attestation events for this CVE.
-
14:07 UTC about 2 months ago14:07 UTC · about 2 months ago
Added to CISA KEV
Listed in the CISA Known Exploited Vulnerabilities catalog
-
10:32 UTC about 2 months ago10:32 UTC · about 2 months ago
Added to KEVIntel KEV Feed
High-confidence, third-party attested exploitation
-
13:36 UTC about 1 year ago13:36 UTC · about 1 year ago
Metasploit module available
Exploit module available
-
21:14 UTC about 1 year ago21:14 UTC · about 1 year ago
Public PoC available
Public proof-of-concept code published
-
21:34 UTC over 1 year ago21:34 UTC · over 1 year ago
CVE published
Vulnerability disclosed publicly
-
10:54 UTC over 1 year ago10:54 UTC · over 1 year ago
CVE ID reserved
Identifier reserved by the CNA
Automate This Intelligence with the Pro API
Confidence scoring, exploit status, sensor telemetry, PoCs, scanner integrations, mentions, and tags are available programmatically for VM, SOC, and CTI workflows.
Pro API Example
GET /api/v2/pro/kevs/CVE-2025-32433
{
"cve_id": "CVE-2025-32433",
"title": "Erlang/OTP SSH Vulnerable to Pre-Authentication RCE",
"affected_vendor": "erlang",
"affected_product": "otp",
"affected_versions": [
{ "vendor": "...", "product": "...", "status": "affected", "display_label": "..." }
],
"confidence": "Confirmed",
"cvss_score": 10.0,
"epss_score": 0.97673,
"exploit_status": {
"exploited_in_the_wild": true,
"active_exploitation_observed": false
},
"sensor_telemetry": { "...": "Pro API fields" },
"proof_of_concepts": [ "..." ],
"scanner_integrations": [ "..." ]
}