Description of the Vulnerability (CVE-2025-32433)
In April 2025, a critical remote code execution (RCE) vulnerability was discovered in the Secure Shell (SSH) daemon of Erlang’s Open Telecom Platform (OTP). Tracked as CVE-2025-32433, this flaw received a CVSS score of 10.0, indicating maximum severity.
The vulnerability stems from improper handling of SSH protocol messages. Specifically, the SSH daemon fails to enforce authentication before processing certain messages (e.g., SSH_MSG_CHANNEL_OPEN and SSH_MSG_CHANNEL_REQUEST). This allows unauthenticated attackers to send specially crafted messages and execute arbitrary code on the host system, potentially gaining full control over the device.
Systems using Erlang/OTP’s native SSH implementation for remote access are particularly vulnerable, especially in OT and 5G environments, where fault tolerance and high availability are critical.
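To make the missing check concrete, here is an added illustration (not code from Erlang/OTP): a small Python model of a server-side SSH message dispatcher, in which the vulnerable variant routes channel messages on their type alone while the fixed variant refuses anything outside the pre-authentication set until authentication has succeeded. Message numbers are the RFC 4253/4254 values; the function names and the two sessions fed through it are constructed for this example.

```python
# Added model (not Erlang/OTP code) of an SSH server dispatcher; numbers per RFC 4253/4254.
SSH_MSG_SERVICE_REQUEST = 5
SSH_MSG_KEXINIT = 20
SSH_MSG_NEWKEYS = 21
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_REQUEST = 98

# Transport/auth-layer messages a server may process before the client authenticates;
# connection-protocol (channel) messages are deliberately absent from this set.
PRE_AUTH_ALLOWED = {SSH_MSG_KEXINIT, SSH_MSG_NEWKEYS,
                    SSH_MSG_SERVICE_REQUEST, SSH_MSG_USERAUTH_REQUEST}

class Session:
    def __init__(self):
        self.authenticated = False
        self.log = []

def _handle(session, msg_type, credentials_valid):
    # Shared handler body; the two dispatchers below differ only in the auth gate.
    if msg_type == SSH_MSG_USERAUTH_REQUEST:
        session.authenticated = credentials_valid
        return "auth-success" if credentials_valid else "auth-failure"
    if msg_type in (SSH_MSG_CHANNEL_OPEN, SSH_MSG_CHANNEL_REQUEST):
        # In a real daemon this is where an "exec" channel request would run a command.
        session.log.append(("channel", msg_type))
        return "serviced"
    return "transport"

def dispatch_vulnerable(session, msg_type, credentials_valid=False):
    # Dispatches on message type alone: session.authenticated is never consulted.
    return _handle(session, msg_type, credentials_valid)

def dispatch_fixed(session, msg_type, credentials_valid=False):
    # Rejects anything outside PRE_AUTH_ALLOWED until authentication has succeeded.
    if not session.authenticated and msg_type not in PRE_AUTH_ALLOWED:
        session.log.append(("rejected", msg_type))
        return "disconnect"  # protocol violation; a real server drops the connection
    return _handle(session, msg_type, credentials_valid)

def run(dispatch, sequence):
    session = Session()
    return [dispatch(session, m, ok) for m, ok in sequence]
# Constructed sequences: one that never authenticates, one that does.
UNAUTHENTICATED = [(SSH_MSG_KEXINIT, False), (SSH_MSG_NEWKEYS, False),
                   (SSH_MSG_CHANNEL_OPEN, False), (SSH_MSG_CHANNEL_REQUEST, False)]
AUTHENTICATED = [(SSH_MSG_KEXINIT, False), (SSH_MSG_NEWKEYS, False),
                 (SSH_MSG_SERVICE_REQUEST, False), (SSH_MSG_USERAUTH_REQUEST, True),
                 (SSH_MSG_CHANNEL_OPEN, False), (SSH_MSG_CHANNEL_REQUEST, False)]
```

Running both dispatchers over UNAUTHENTICATED shows the difference directly: the vulnerable one services the channel messages, the fixed one answers them with a disconnect, while a properly authenticated session is serviced by both.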
Discovery and Disclosure
The vulnerability was discovered by security researchers from Ruhr University Bochum in Germany. They employed state machine learning techniques to analyze the SSH protocol handling in Erlang/OTP, leading to the identification of the flaw.
Following the disclosure on April 16, 2025, proof-of-concept (PoC) exploits were released within 24 hours, accelerating the risk of real-world exploitation.
Industrial Plants and Sectors Compromised
While specific plant names have not been publicly disclosed, the exploitation attempts have targeted critical infrastructure sectors across multiple countries. According to Palo Alto Networks’ Unit 42, the most affected industries include:
- Healthcare
- Agriculture
- Media and Entertainment
- High Technology
Geographically, the attacks were concentrated in Japan, the United States, Brazil, Ireland, the Netherlands, and Ecuador, with some regions reporting 100% of detected attacks targeting OT environments.
Impact on Industrial Plants
The exploitation of CVE-2025-32433 has had serious implications for industrial operations:
- Unauthorized Remote Access: Attackers used reverse shells to gain persistent access to OT networks.
- Process Disruption: Infected systems controlling robotics, pumps, valves, and safety systems were compromised, potentially leading to downtime or physical hazards.
- Data Manipulation and Theft: Sensitive operational data was exposed, with risks of data exfiltration and manipulation of sensor readings.
- Increased Attack Surface: The vulnerability was exploited via industrial-specific ports like TCP 2222, commonly used in older automation products, bridging IT and OT systems and expanding the threat landscape.
Remediation and Mitigation
Remediation is available: the vulnerability has been patched in the following Erlang/OTP versions:
- OTP-27.3.3
- OTP-26.2.5.11
- OTP-25.3.2.20
Organizations using older versions are strongly advised to upgrade immediately. Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-32433 to its Known Exploited Vulnerabilities (KEV) catalog on June 9, 2025, emphasizing the urgency of patching.
Security experts also recommend:
- Disabling public exposure of Erlang/OTP SSH services.
- Monitoring for unusual SSH traffic, especially on non-standard ports.
- Implementing intrusion detection systems and network segmentation to isolate OT assets.
- Conducting vulnerability scans to identify and remediate exposed services.
Was it exploited before the discovery?
No, CVE-2025-32433 was not exploited before its discovery by researchers at Ruhr University Bochum. According to multiple cybersecurity sources, including Tenable and BleepingComputer, the vulnerability was disclosed on April 16, 2025, and at the time of disclosure, no known exploitation had been observed.
However, the situation escalated quickly:
- A proof-of-concept (PoC) exploit was released publicly within 24 hours of the disclosure.
- Security researchers, including Horizon3’s Attack Team, confirmed that the vulnerability was “surprisingly easy” to exploit, and they were able to reproduce it shortly after the disclosure.
- This rapid availability of PoC code significantly increased the risk of widespread exploitation, especially in vulnerable OT environments.
So while the vulnerability was responsibly disclosed before any known attacks occurred, the window between disclosure and potential exploitation was extremely short, underscoring the importance of immediate patching and mitigation.
Conclusion
Bad actors do not need to look for new vulnerabilities anymore. Researchers are doing their work for them.
Don't forget to subscribe to OT Connect Newsletter - The News That Matters. A good balance between informative, valuable information and solutions with less than 20% of marketing content.