Critical Erlang/OTP SSH RCE bug now has public exploits, patch now

TribeNews
Public exploits are now available for a critical Erlang/OTP SSH vulnerability tracked as CVE-2025-32433, allowing unauthenticated attackers to remotely execute code on impacted devices.

Researchers at the Ruhr University Bochum in Germany disclosed the flaw on Wednesday, warning that all devices running the daemon were vulnerable.

“The issue is caused by a flaw in the SSH protocol message handling which allows an attacker to send connection protocol messages prior to authentication,” reads a disclosure on the OpenWall vulnerability mailing list.

The flaw was fixed in versions 25.3.2.10 and 26.2.4, but as the platform is commonly used in telecom infrastructure, databases, and high-availability systems, it may not be easy to update devices immediately.
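As an added example (not from the article or the Erlang/OTP project), the following script triages an installed OTP version string against the two fixed releases the article names, 25.3.2.10 and 26.2.4, treating any other major branch as unknown rather than guessing. It assumes the full version is read from the installation's OTP_VERSION file, since `erlang:system_info(otp_release)` returns only the major number; it only checks the version, so hosts that do not run the Erlang SSH daemon (such as CouchDB, per the article) still need that separate application-level check.

```python
# Added example (not from the article): triage an Erlang/OTP version string
# against the fixed releases the article names, 25.3.2.10 and 26.2.4.
# Assumption: the full version comes from the OTP_VERSION file of the
# installation (erlang:system_info(otp_release) gives only the major number).

# Fixed releases per major branch, as stated in the article.
FIXED_BY_BRANCH = {25: (25, 3, 2, 10), 26: (26, 2, 4)}


def parse_otp_version(text: str) -> tuple:
    """Turn '25.3.2.9' (or 'OTP-25.3.2.9') into a comparable tuple of ints."""
    text = text.strip()
    if text.upper().startswith("OTP-"):
        text = text[4:]
    parts = text.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an OTP version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version: str) -> str:
    """Return 'vulnerable', 'patched' or 'unknown' for one installed version.

    Tuple comparison is lexicographic, so 25.3.2.9 < 25.3.2.10, and a shorter
    string such as '26.2' sorts before 26.2.4 and therefore counts as unpatched.
    """
    v = parse_otp_version(version)
    fixed = FIXED_BY_BRANCH.get(v[0])
    if fixed is None:
        # Branch not covered by the article; consult the vendor advisory instead.
        return "unknown"
    return "patched" if v >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inputs, one per case the logic distinguishes.
    for sample in ("25.3.2.9", "OTP-25.3.2.10", "26.2.4", "26.2", "27.0"):
        print(sample, "->", assess(sample))
```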

However, the situation has become more urgent, as multiple cybersecurity researchers have privately created exploits that achieve remote code execution on vulnerable devices.

This includes Peter Girnus of the Zero Day Initiative and researchers from Horizon3, who said the flaw was surprisingly easy to exploit.

Soon after, PoC exploits were published on GitHub by ProDefense, and another was published anonymously on Pastebin, with both quickly shared on social media.

Girnus confirmed to BleepingComputer that ProDefense’s PoC is valid but was not able to successfully exploit Erlang/OTP SSH using the one posted to Pastebin.

Now that public exploits are available, threat actors will soon begin scanning for vulnerable systems and exploiting them.

“SSH is the most commonly used remote access management protocol so I expect this combination to be widespread in critical infrastructure,” Girnus told BleepingComputer.

“It’s a bit concerning especially considering how frequently telcos are targeted by nation state APTs such as Volt and Salt Typhoon for example.”

Girnus refers to the Chinese state-sponsored hacking groups responsible for hacking edge networking equipment and breaching telecommunications providers in the US and worldwide.

According to a Shodan query shared by Girnus, there are over 600,000 IP addresses running Erlang/OTP. However, the researcher says the majority of these devices are running CouchDB, which is not impacted by the vulnerability.

An Apache CouchDB representative also confirmed to BleepingComputer that CouchDB does not use the SSH server or client features from Erlang/OTP, so it is not vulnerable.

Now that public exploits are available, it is strongly advised that all devices running the Erlang/OTP SSH daemon be upgraded immediately, before threat actors compromise them.

Update 4/21/25: Updated to explain that CouchDB is not vulnerable to this flaw.
