By: RedLegg's Cyber Threat Intelligence Team
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation action.
VULNERABILITIES:
Critical Vulnerability affecting Erlang OTP
CVSS Score: 10.0 (Critical)
Identifier: CVE-2025-32433
Exploit or Proof of Concept (PoC): Yes – https://www.bleepingcomputer.com/news/security/critical-erlang-otp-ssh-pre-auth-rce-is-surprisingly-easy-to-exploit-patch-now/
Update: CVE-2025-32433 – Erlang/OTP Security Advisory
Description: CVE-2025-32433 is a critical vulnerability in the SSH server implementation that ships with Erlang/OTP (the ssh application, not OpenSSH). The flaw arises from improper handling of SSH protocol messages: the server accepts SSH connection-protocol messages, such as channel open and channel requests, before user authentication has completed. An unauthenticated attacker who can reach the SSH port can therefore have commands executed by the server, giving remote code execution with the privileges of the process running the SSH daemon; where that process runs as root, the attacker gains full control of the affected system. The vulnerability is fixed in Erlang/OTP 27.3.3, 26.2.5.11, and 25.3.2.20; all earlier versions on those branches are affected, as are older branches for which no fixed release is listed.
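The check whose absence the description above amounts to, shown as an added example (not Erlang/OTP or RedLegg code): an SSH server must refuse to act on any connection-protocol message until it has itself sent SSH_MSG_USERAUTH_SUCCESS. The message numbers are the standard ones from RFC 4250 and RFC 4254; the two session traces are constructed for this example and are not captured traffic or a reproduction of the public proof of concept. The same gate works as a monitoring rule over a decoded message stream.

```python
"""Message-ordering gate for an SSH server (added illustration, not OTP code).

Message numbers are those assigned in RFC 4250 (transport/authentication)
and RFC 4254 (connection protocol). Traces below are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

SSH_MSG_DISCONNECT = 1
SSH_MSG_SERVICE_REQUEST = 5
SSH_MSG_SERVICE_ACCEPT = 6
SSH_MSG_KEXINIT = 20
SSH_MSG_NEWKEYS = 21
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_SUCCESS = 52
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_REQUEST = 98

# RFC 4254 reserves 80..127 for the connection protocol (channels, "exec",
# "shell", port forwarding). None of these have any meaning before the
# server has sent SSH_MSG_USERAUTH_SUCCESS.
CONNECTION_MSGS = frozenset(range(80, 128))

# Client messages a server legitimately handles while still unauthenticated.
PRE_AUTH_ALLOWED = frozenset({
    SSH_MSG_DISCONNECT, SSH_MSG_SERVICE_REQUEST, SSH_MSG_KEXINIT,
    SSH_MSG_NEWKEYS, SSH_MSG_USERAUTH_REQUEST,
})


@dataclass
class Session:
    authenticated: bool = False
    findings: List[str] = field(default_factory=list)


def accept_client_message(session: Session, msg_type: int) -> bool:
    """Decide whether the server may act on a client message.

    Once authenticated, everything is handed to the connection layer.
    Before that, only transport/authentication messages are processed;
    any connection-protocol message is refused and recorded.
    """
    if session.authenticated:
        return True
    if msg_type in PRE_AUTH_ALLOWED:
        return True
    if msg_type in CONNECTION_MSGS:
        session.findings.append(f"pre-auth connection-protocol message {msg_type}")
    else:
        session.findings.append(f"unexpected pre-auth message {msg_type}")
    return False


def audit_trace(trace: List[Tuple[str, int]]) -> List[str]:
    """Replay a (direction, msg_type) trace through the gate.

    direction is 'C' for client->server and 'S' for server->client. Only
    the server's own SSH_MSG_USERAUTH_SUCCESS flips the session into the
    authenticated state; nothing the client sends can.
    """
    session = Session()
    for direction, msg_type in trace:
        if direction == "S":
            if msg_type == SSH_MSG_USERAUTH_SUCCESS:
                session.authenticated = True
            continue
        accept_client_message(session, msg_type)
    return session.findings


# Constructed trace: normal key exchange, authentication, then a channel.
BENIGN_TRACE = [
    ("C", SSH_MSG_KEXINIT), ("S", SSH_MSG_KEXINIT),
    ("C", SSH_MSG_NEWKEYS), ("S", SSH_MSG_NEWKEYS),
    ("C", SSH_MSG_SERVICE_REQUEST), ("S", SSH_MSG_SERVICE_ACCEPT),
    ("C", SSH_MSG_USERAUTH_REQUEST), ("S", SSH_MSG_USERAUTH_SUCCESS),
    ("C", SSH_MSG_CHANNEL_OPEN), ("C", SSH_MSG_CHANNEL_REQUEST),
]

# Constructed trace: same key exchange, but the client skips authentication
# and goes straight to the connection layer, the ordering the advisory
# describes. A correct server must refuse both messages.
PRE_AUTH_TRACE = [
    ("C", SSH_MSG_KEXINIT), ("S", SSH_MSG_KEXINIT),
    ("C", SSH_MSG_NEWKEYS), ("S", SSH_MSG_NEWKEYS),
    ("C", SSH_MSG_CHANNEL_OPEN), ("C", SSH_MSG_CHANNEL_REQUEST),
]

if __name__ == "__main__":
    print("benign   :", audit_trace(BENIGN_TRACE))
    print("pre-auth :", audit_trace(PRE_AUTH_TRACE))
```

The point of keeping the authenticated flag under the server's sole control is that the vulnerable ordering cannot be "talked around" by the client: until the server has emitted USERAUTH_SUCCESS, a channel request is dropped and logged rather than dispatched to an exec handler.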
Mitigation Recommendation: Administrators are strongly advised to update to a patched version of Erlang/OTP (27.3.3, 26.2.5.11, or 25.3.2.20 or later on the respective branch). Only systems that actually run the Erlang/OTP ssh application as a server are exposed, so the first step is to inventory where it listens; that inventory must also cover software that bundles its own Erlang/OTP runtime, which will not be fixed by updating the operating system's Erlang package and needs a vendor update. If immediate patching is not feasible, disable the SSH server or restrict access to it via firewall rules to trusted IP addresses until the update can be applied.
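A branch-aware version check against the fixed releases named in this bulletin, as an added example (not RedLegg or Erlang/OTP tooling). The thresholds are taken from the text above; how it treats branches the bulletin does not list is an assumption made here: branches older than 25 are reported as vulnerable because no fixed release is named for them, and newer branches are reported as outside the scope of this check. The `read_installed_version` helper reads the `OTP_VERSION` file that an installed release keeps under `releases/<major>/`; it is only called from `__main__` and is skipped if `erl` is not on the path.

```python
"""Compare an Erlang/OTP version string with the fixed releases in this bulletin.

Added example. FIXED holds the patched versions stated in the bulletin;
the handling of unlisted branches is an assumption of this script.
"""
import subprocess
from typing import Optional, Tuple

FIXED = {
    27: (27, 3, 3),
    26: (26, 2, 5, 11),
    25: (25, 3, 2, 20),
}


def parse_otp_version(text: str) -> Tuple[int, ...]:
    """Turn '26.2.5.11', 'OTP-26.2.5.11' or 'OTP 26.2.5.11' into a tuple.

    Tuples compare element-wise, so (27, 3) < (27, 3, 3) and
    (26, 2, 5, 11) >= (26, 2, 5, 11) behave as a version comparison should.
    """
    text = text.strip()
    if text.upper().startswith("OTP"):
        text = text[3:].strip(" -")
    parts = tuple(int(p) for p in text.split("."))
    if not parts:
        raise ValueError("empty version string")
    return parts


def assess(version_text: str) -> str:
    """Classify a version as patched, vulnerable, or not covered."""
    version = parse_otp_version(version_text)
    major = version[0]
    if major in FIXED:
        return "patched" if version >= FIXED[major] else "vulnerable"
    if major < min(FIXED):
        # Assumption: no fixed release is listed for these branches.
        return "vulnerable (no fixed release listed for this branch)"
    # Assumption: branches newer than those listed are outside this check.
    return "not covered by this check"


def read_installed_version() -> Optional[str]:
    """Read <OTP root>/releases/<major>/OTP_VERSION via a running erl.

    erlang:system_info(otp_release) only yields the major number, which
    is why the OTP_VERSION file is consulted for the full version.
    Returns None when erl is unavailable.
    """
    expr = (
        '{ok, B} = file:read_file(filename:join([code:root_dir(), "releases",'
        ' erlang:system_info(otp_release), "OTP_VERSION"])),'
        ' io:format("~s", [B]), halt().'
    )
    try:
        out = subprocess.run(["erl", "-noshell", "-eval", expr],
                             capture_output=True, text=True, timeout=30, check=True)
    except (OSError, subprocess.SubprocessError):
        return None
    return out.stdout.strip()


if __name__ == "__main__":
    installed = read_installed_version()
    if installed is None:
        print("erl not found; pass a version string to assess() instead")
    else:
        print(f"installed Erlang/OTP {installed}: {assess(installed)}")
```

Run it on each host that exposes the OTP ssh application; for products that bundle their own runtime, point `assess()` at the version string the vendor documents rather than the system `erl`.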
Note: Given the critical nature of this vulnerability and the availability of public exploits, prompt action is essential to secure affected systems. Regularly reviewing and applying security updates is vital to maintaining the integrity and security of your infrastructure.