CVE-2025-32433 — Erlang/OTP SSH Server Missing Authentication for Critical Function Vulnerability

CVE-2025-32433

Erlang/OTP — Pre-Authentication Remote Code Execution via SSH Channel Request

What is Erlang/OTP?

Erlang is a programming language and runtime designed for building fault-tolerant, distributed, real-time systems. OTP (Open Telecom Platform) is the accompanying standard library. Together, Erlang/OTP powers a wide range of telecommunications infrastructure, messaging systems, and distributed applications. Well-known open-source projects built on Erlang/OTP include Apache CouchDB, Ejabberd (XMPP), and the EMQ MQTT broker. Cisco embeds Erlang/OTP across its ConfD configuration framework and Network Services Orchestrator (NSO), which underpin network automation in carrier-grade and enterprise environments.

Erlang/OTP ships with a built-in SSH server and client library. This library is used by applications that need SSH-based management interfaces — remote shell access, SFTP, or programmatic channel communication. Deployers often leave it running as a convenience for remote administration.

Overview

CVE-2025-32433 is a maximum-severity (CVSS 10.0) authentication bypass in the Erlang/OTP SSH server. The server fails to enforce the SSH protocol's authentication state machine, allowing an unauthenticated attacker to open a session channel and execute arbitrary shell commands before any credentials are checked. Because the SSH daemon often runs as root, exploitation typically yields immediate full system compromise.

The vulnerability was publicly disclosed on April 16, 2025 by researchers at Ruhr University Bochum — the same group responsible for the Terrapin SSH attack (CVE-2023-48795). A working proof-of-concept was released the same day. Active exploitation began within 48 hours of disclosure, and by early May 2025 botnet campaigns were hitting OT networks across Japan, North America, and Europe. CISA added it to the KEV catalog on June 9, 2025.

Affected Versions

OTP Branch   Vulnerable Versions       Fixed Version
OTP-25       25.0 – 25.3.2.19          25.3.2.20
OTP-26       26.0-rc1 – 26.2.5.10      26.2.5.11
OTP-27       27.0-rc1 – 27.3.2         27.3.3

Any application that embeds an unpatched Erlang/OTP release and exposes an SSH server is affected, regardless of the application-level product name.

Technical Details

The SSH protocol defines a strict authentication state machine. A client must complete key exchange, then authenticate, before the server processes channel requests. The Erlang/OTP SSH implementation fails to enforce this sequencing — it processes SSH_MSG_CHANNEL_OPEN and SSH_MSG_CHANNEL_REQUEST messages before authentication has completed.

The attack sequence is three steps:

  1. Key exchange only — the client sends SSH_MSG_KEXINIT and completes key negotiation. Authentication is skipped entirely.
  2. Open a channel — the client sends SSH_MSG_CHANNEL_OPEN for a session channel. The server accepts it without checking whether the client has authenticated.
  3. Execute a command — the client sends SSH_MSG_CHANNEL_REQUEST with type exec and an arbitrary shell command. The server executes it.

The result is unauthenticated remote code execution with the privileges of the SSH daemon process — typically root on production systems.

CWE-306 (Missing Authentication for Critical Function): the exec channel request is a critical function that requires an authenticated session. The implementation never validates that the authentication step occurred.

The attack requires no valid credentials, no prior access, no user interaction, and no special conditions beyond network access to the SSH port. It is single-request exploitation once the channel is open.
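As an added illustration (not OTP's code), the following Python model of a server's message dispatch shows the CWE-306 gap beside the check that closes it: with enforce_auth=False the channel messages from the three-step sequence above are processed straight after key exchange, while with enforce_auth=True any connection-protocol message (numbers 80-127) that arrives before SSH_MSG_USERAUTH_SUCCESS is answered with a disconnect. Message numbers are the RFC 4250 values; CREDENTIAL, the state names and the replay helper are assumptions of the model.

```python
# Illustrative model of the SSH authentication state machine; not OTP's code.
# Message numbers are from RFC 4250 section 4.1.2. CREDENTIAL is a made-up value.
SSH_MSG_DISCONNECT = 1
SSH_MSG_NEWKEYS = 21
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_SUCCESS = 52
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_OPEN_CONFIRMATION = 91
SSH_MSG_CHANNEL_REQUEST = 98
SSH_MSG_CHANNEL_SUCCESS = 99
CREDENTIAL = "hypothetical-secret"


class SshServerModel:
    """One server-side connection. enforce_auth=False reproduces the CWE-306 gap."""

    def __init__(self, enforce_auth):
        self.enforce_auth = enforce_auth
        self.state = "kex"       # kex -> userauth -> connected
        self.executed = []       # commands that reached the exec handler

    def handle(self, msg_type, payload=None):
        # Connection-protocol messages occupy 80-127 (RFC 4250). The hardened
        # path gates all of them on authentication state before any dispatch.
        if self.enforce_auth and 80 <= msg_type <= 127 and self.state != "connected":
            return SSH_MSG_DISCONNECT
        if msg_type == SSH_MSG_NEWKEYS and self.state == "kex":
            self.state = "userauth"
        elif msg_type == SSH_MSG_USERAUTH_REQUEST and self.state == "userauth":
            if payload != CREDENTIAL:
                return SSH_MSG_USERAUTH_FAILURE
            self.state = "connected"
            return SSH_MSG_USERAUTH_SUCCESS
        elif msg_type == SSH_MSG_CHANNEL_OPEN:
            return SSH_MSG_CHANNEL_OPEN_CONFIRMATION
        elif msg_type == SSH_MSG_CHANNEL_REQUEST and payload and payload[0] == "exec":
            self.executed.append(payload[1])  # the critical function (CWE-306)
            return SSH_MSG_CHANNEL_SUCCESS
        return None


def replay_unauthenticated_sequence(enforce_auth):
    """Feed the advisory's three messages (no USERAUTH_REQUEST) to a fresh server."""
    srv = SshServerModel(enforce_auth)
    replies = [srv.handle(SSH_MSG_NEWKEYS),
               srv.handle(SSH_MSG_CHANNEL_OPEN, "session"),
               srv.handle(SSH_MSG_CHANNEL_REQUEST, ("exec", "echo test"))]
    return replies, srv.executed
```

A real server tears the connection down on the first disconnect; the model only returns the message number so the whole sequence can be inspected in one run.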

Discovery

CVE-2025-32433 was discovered and reported by Fabian Bäumer, Marcel Maehren, Marcus Brinkmann, and Jörg Schwenk at Ruhr University Bochum, Germany. The team previously discovered the Terrapin attack (CVE-2023-48795), a protocol-level SSH vulnerability affecting most SSH implementations.

Exploitation Context

A public proof-of-concept was released on the same day as the patch (April 16, 2025). Multiple PoC implementations appeared on GitHub within hours, including a Metasploit module, a Python script, and a Go-based remote shell dropper. With the PoC landing the same day as the patch, defenders had essentially no window to update before exploitation became trivial.

Campaign timeline observed in the wild:

  • April 18, 2025 — Netherlands-based campaign; shell script loader retrieving payloads over HTTPS with anti-forensics measures
  • May 3–9, 2025 — Peak activity; coordinated botnet campaigns with 80%+ detections in OT networks, concentrated in Japan
  • May 10, 2025 — UK-based campaign (92 attempts); binary dropper leaving campaign markers
  • July 22, 2025 — US-based botnet loader campaign; multi-architecture (64-bit and 32-bit) binaries from commercial hosting

Palo Alto Unit 42 confirmed the campaigns and tracked command-and-control infrastructure across multiple hosting providers. Attackers used out-of-band DNS lookups to validate successful execution without needing direct command responses — a technique that evades some detection approaches.

Industry impact: Education (72.7% of detections), healthcare, and high technology sectors saw disproportionate exposure. Japan accounted for 99.74% of OT-correlated detections in the peak window.

Downstream product impact:

  • Cisco — ConfD, NSO, Smart PHY, Ultra Cloud Core, ASR 5000/Ultra Packet Core, and NFVIS all affected. Some end-of-life products (Intelligent Node Manager, RV Series Routers, Ultra Services Platform) received no patch.
  • CouchDB — Uses Erlang/OTP; potentially affected if the SSH server is exposed.
  • RabbitMQ — Not affected. RabbitMQ does not use the Erlang/OTP SSH server or client library.
  • NetApp, SUSE, Ericsson, Broadcom — All ship Erlang/OTP in various products; affected where SSH server is enabled.
  • Ejabberd, EMQ, Elixir/Phoenix applications — Potentially affected if SSH management interfaces are running.

Remediation

  1. Upgrade Erlang/OTP to OTP-25.3.2.20, OTP-26.2.5.11, or OTP-27.3.3 depending on your installed branch. This is the only complete fix.

  2. Upgrade downstream products — if you run Cisco ConfD, NSO, or similar products, apply the vendor-specific patch rather than patching OTP directly. See cisco-sa-erlang-otp-ssh-xyZZy for fixed versions by product.

  3. Disable the Erlang/OTP SSH server if it is not required. Many applications enable it by default as a management interface but do not operationally depend on it. Check application configuration for {ssh, Port} listener declarations and disable any that are not needed.

  4. Firewall SSH ports — restrict inbound access to the Erlang/OTP SSH port (often not 22 — check {ssh, Port} in your application config) to known management hosts only. This does not fix the vulnerability but eliminates internet-facing exposure.

  5. Audit for compromise — if your systems were exposed before patching, review SSH daemon logs for unexpected channel open events and process execution from the SSH daemon process. Given that the exploitation window opened on April 16 and in-the-wild exploitation was observed by April 18, any unpatched and internet-exposed system should be treated as potentially compromised.

  6. Check for end-of-life Cisco products — Intelligent Node Manager, RV Series Routers, and Ultra Services Platform will not receive patches. Isolate or decommission.
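Added detection logic for step 5 above (not from the advisory or from OTP): it walks per-connection SSH server events and flags any channel open or channel request on a connection that has not yet logged a successful authentication. The log format, the connection ids and every event line below are constructed for illustration; OTP's own ssh logging uses different fields, so map your timestamp, connection id and event names onto LINE_RE before reusing it.

```python
# Added detection example for remediation step 5. The log format below is
# constructed for illustration; OTP's real ssh logging looks different, so map
# your own fields onto (timestamp, connection id, event) before reusing this.
import re

LINE_RE = re.compile(r"^(?P<ts>\S+) conn=(?P<conn>\d+) (?P<event>\w+)(?: (?P<detail>.*))?$")

# Constructed sample: conn 7 authenticates before opening a channel; conn 9
# goes straight from key exchange to a session channel and an exec request.
SAMPLE_LOG = """\
2025-04-18T10:00:01Z conn=7 kex_complete
2025-04-18T10:00:02Z conn=7 auth_success user=admin method=publickey
2025-04-18T10:00:03Z conn=7 channel_open type=session
2025-04-18T10:00:04Z conn=7 channel_request type=exec cmd="show version"
2025-04-18T10:05:10Z conn=9 kex_complete
2025-04-18T10:05:10Z conn=9 channel_open type=session
2025-04-18T10:05:11Z conn=9 channel_request type=exec cmd="id"
2025-04-18T10:05:12Z conn=9 auth_success user=admin method=password
"""

CHANNEL_EVENTS = {"channel_open", "channel_request"}


def find_preauth_channel_activity(log_text):
    """Return (ts, conn, event, detail) for every channel message seen on a
    connection that had not yet logged auth_success. Order matters: an
    auth_success arriving *after* channel activity does not excuse it."""
    authenticated = set()
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        ts, conn, event, detail = m.group("ts", "conn", "event", "detail")
        if event == "auth_success":
            authenticated.add(conn)
        elif event in CHANNEL_EVENTS and conn not in authenticated:
            findings.append((ts, conn, event, detail or ""))
    return findings


def suspicious_connections(log_text):
    """Connection ids with any pre-auth channel activity, for triage."""
    return sorted({conn for _, conn, _, _ in find_preauth_channel_activity(log_text)})
```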

Key Details

Property               Value
CVE ID                 CVE-2025-32433
Vendor / Product       Erlang — Erlang/OTP
NVD Published          2025-04-16
NVD Last Modified      2025-11-04
CVSS 3.1 Score         10
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-306
CISA KEV Added         2025-06-09
CISA KEV Deadline      2025-06-30
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Changed
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2025-06-30. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2025-04-16   Vulnerability publicly disclosed by Ruhr University Bochum researchers; patches released (OTP-25.3.2.20, OTP-26.2.5.11, OTP-27.3.3); first public PoC released
2025-04-18   First in-the-wild exploitation observed (Netherlands-based campaign)
2025-05-01   Sustained exploitation surge begins
2025-05-03   Peak exploitation activity — coordinated botnet campaigns targeting OT networks
2025-05-10   Second major campaign wave (UK-based, 92 attempts logged)
2025-06-09   Added to CISA Known Exploited Vulnerabilities catalog
2025-06-30   CISA BOD 22-01 remediation deadline
2025-07-22   Third major campaign wave — US-based botnet loader (multi-architecture binaries)