Summary
A logic bug in Erlang/OTP's SSH server allowed certain SSH connection messages to be accepted before authentication completed. Attackers can send crafted preauth packets (e.g., channel_open/channel_request messages carrying an exec payload) that the server processes and executes, enabling remote command execution without credentials. Patched OTP releases are available; public PoCs, exploit modules, and active scanning/exploitation were reported soon after disclosure.
Urgent Actions Required
- Patch Erlang/OTP immediately to fixed versions: OTP 27.3.3, OTP 26.2.5.11, or OTP 25.3.2.20.
- Disable the Erlang/OTP SSH server if it is not required.
- Restrict network access to Erlang SSH ports using firewall rules or security groups.
- Apply vendor updates for appliances or software bundling Erlang/OTP (e.g., Cisco, Ericsson).
- Deploy detection measures to monitor pre-auth SSH channel activity or unusual commands executed by Erlang processes.
- Hunt for exploits like unexpected files, shells, or unusual outbound connections.
- Isolate exposed hosts if compromise is suspected and follow incident response procedures.
Which Systems Are Vulnerable to CVE-2025-32433?
Technical Overview
- Vulnerability Type: Logic flaw in SSH message handling that permits execution of commands before authentication (preauth RCE).
- Affected Software/Versions:
  - All releases prior to OTP 27.3.3 (i.e., OTP 27 branch < 27.3.3)
  - All releases prior to OTP 26.2.5.11 (i.e., OTP 26 branch < 26.2.5.11)
  - All releases prior to OTP 25.3.2.20 (i.e., OTP 25 branch < 25.3.2.20)
- CVSS Score: 10.0
- CVSS Vector: CVSS:3.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
- Patch Availability: Yes, available
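The affected-version list above is per branch, so a simple "is it older than 27.3.3?" check gives the wrong answer for a 26.x or 25.x host. The following added example (not code from Erlang/OTP or from this advisory) encodes the three fixed releases and classifies an inventory of version strings; the inventory values are constructed, and the treatment of branches outside 25 to 27 is an assumption stated in the code.

```python
"""Classify Erlang/OTP version strings against the CVE-2025-32433 fixed releases."""
from __future__ import annotations

import re

# Fixed releases per maintained branch, as listed in the advisory.
FIXED_VERSIONS: dict[int, tuple[int, ...]] = {
    27: (27, 3, 3),
    26: (26, 2, 5, 11),
    25: (25, 3, 2, 20),
}

_VERSION_RE = re.compile(r"(?:OTP[- ]?)?(\d+(?:\.\d+)*)")


def parse_otp_version(version: str) -> tuple[int, ...]:
    """Turn '26.2.5.10', 'OTP-26.2.5.10' or 'OTP 26.2.5.10' into a comparable int tuple."""
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised OTP version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version: str) -> bool:
    """True when the version is below the fixed release of its own branch."""
    parsed = parse_otp_version(version)
    major = parsed[0]
    if major in FIXED_VERSIONS:
        # Tuple comparison handles differing lengths: (26, 2, 5) < (26, 2, 5, 11).
        return parsed < FIXED_VERSIONS[major]
    if major < 25:
        # Assumption: branches older than 25 are out of support and never received a fix.
        return True
    # Assumption: branches newer than 27 were cut after the fix and ship fixed code.
    return False


def classify_hosts(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split a {hostname: version} inventory into vulnerable and fixed host lists."""
    result: dict[str, list[str]] = {"vulnerable": [], "fixed": []}
    for host, version in sorted(inventory.items()):
        result["vulnerable" if is_vulnerable(version) else "fixed"].append(host)
    return result


# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = {
    "broker-01": "OTP-26.2.5.10",
    "broker-02": "26.2.5.11",
    "pbx-edge": "25.3.2.19",
    "build-box": "27.3.3",
    "legacy-gw": "24.3.4",
}

if __name__ == "__main__":
    for bucket, hosts in classify_hosts(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts)}")
```

On a running installation the full version string is in the `OTP_VERSION` file under `releases/<major>/` of the Erlang root directory (`code:root_dir()`), not in `erlang:system_info(otp_release)`, which returns only the major number; feed that file's contents to `is_vulnerable` when verifying a host after patching.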
How Does the CVE-2025-32433 Exploit Work?
The attack typically follows these steps:
What Causes CVE-2025-32433?
Vulnerability Root Cause:
A logic bug in Erlang/OTP’s SSH lets the server accept channel_open/channel_request messages before login, so an attacker can send preauth commands that the server executes (e.g., via os:cmd) without credentials.
How Can You Mitigate CVE-2025-32433?
If immediate patching is delayed or not possible:
- Block network access to vulnerable Erlang SSH servers if patching is not possible.
- Disable the SSH server on systems where it is not required.
- Restrict access to trusted management networks or VPNs.
- Apply vendor-specific updates and downstream fixes where available.
- Monitor for pre-auth SSH channel activity and suspicious Erlang process commands.
- Increase logging to detect SSH messages sent before authentication.
- Investigate and isolate any exposed or vulnerable hosts.
- Test mitigations only in controlled lab environments.
Which Assets and Systems Are at Risk?
Asset Types Affected:
- Erlang/OTP SSH servers below OTP 27.3.3, 26.2.5.11, or 25.3.2.20.
- Devices and software using Erlang/OTP SSH, including telecom, IoT, and cloud systems.
- Message brokers and backend services using Erlang/OTP SSH (e.g., RabbitMQ, CouchDB, Ejabberd).
Business-Critical Systems at Risk:
- Telecom and network appliances with SSH admin consoles.
- Industrial control and IoT systems relying on Erlang/OTP SSH for remote access.
- Cloud services or distributed applications that enable OTP SSH for maintenance or clustering.
Exposure Level:
- Internet-facing SSH services built on Erlang/OTP.
- Internal systems where OTP SSH is enabled for remote management or debugging.
- OT/5G environments where Erlang/OTP SSH manages critical infrastructure, firewalls, or operational processes.
Will Patching CVE-2025-32433 Cause Downtime?
Patch application impact: Low. Update Erlang/OTP to patched versions; rebuild and restart SSH. Downtime is minimal during maintenance.
Mitigation (if immediate patching is not possible): Limit network access to the Erlang SSH port using firewalls or security groups. This reduces exposure but does not fully prevent attacks. Systems remain at risk until patched.
How Can You Detect CVE-2025-32433 Exploitation?
Exploitation Signatures:
- Preauth SSH channel activity: SSH_MSG_CHANNEL_OPEN or SSH_MSG_CHANNEL_REQUEST observed before successful authentication. (Multiple PoC writeups and IDS rules in PoC repos flag this.)
- Channel-request payloads in the handshake: Channel requests carrying exec-style commands sent during the pre-authentication phase.
- Handshake → immediate exec pattern: Normal SSH banner/kex followed rapidly by a channel request that includes a command.
Indicators of Compromise (IOCs/IOAs):
- Domains seen in payload callbacks: *.dns.outbound.watchtowr[.]com. (Observed in vendor payload analysis.)
- Example IPs reported in telemetry: 146.103.40[.]203, 194.165.16[.]71. (Included in threat vendor writeups.)
- Public PoC repositories and exploit scripts referenced in advisories and research repos (multiple GitHub projects are cited in public writeups).
Behavioral Indicators:
- Commands executed by Erlang/beam/erl processes with no corresponding SSH authentication log entries.
- Creation of PoC-style test files or other artifacts immediately after an incoming SSH connection.
- New shell processes or network connections spawned by the Erlang runtime following a preauth channel request.
- Short, repeated SSH sessions that perform channel open/request sequences without authentication (scan / exploit bursts).
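The three exploitation signatures above (channel messages before authentication, exec-style channel requests in the handshake, and the handshake → immediate exec pattern) and the scan/exploit-burst indicator in the behavioral list all reduce to ordering checks on per-session SSH transport messages. The following added example (not code from Erlang/OTP, from any IDS, or from this advisory) runs those checks over a constructed log; the log format, with one SSH message per line tagged by session id and peer, is an assumption, as is the 2-second "immediate exec" window.

```python
"""Flag SSH sessions whose channel messages arrive before authentication succeeds."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample log. Assumed format: one SSH transport message per line with a
# session id and peer address. This is not real Erlang/OTP ssh application output.
SAMPLE_LOG = """\
2025-04-17T10:00:00Z session=s1 peer=198.51.100.7 msg=SSH_MSG_KEXINIT
2025-04-17T10:00:00Z session=s1 peer=198.51.100.7 msg=SSH_MSG_NEWKEYS
2025-04-17T10:00:01Z session=s1 peer=198.51.100.7 msg=SSH_MSG_USERAUTH_REQUEST user=ops
2025-04-17T10:00:01Z session=s1 peer=198.51.100.7 msg=SSH_MSG_USERAUTH_SUCCESS user=ops
2025-04-17T10:00:02Z session=s1 peer=198.51.100.7 msg=SSH_MSG_CHANNEL_OPEN type=session
2025-04-17T10:00:02Z session=s1 peer=198.51.100.7 msg=SSH_MSG_CHANNEL_REQUEST request=exec
2025-04-17T10:05:00Z session=s2 peer=203.0.113.9 msg=SSH_MSG_KEXINIT
2025-04-17T10:05:00Z session=s2 peer=203.0.113.9 msg=SSH_MSG_NEWKEYS
2025-04-17T10:05:00Z session=s2 peer=203.0.113.9 msg=SSH_MSG_CHANNEL_OPEN type=session
2025-04-17T10:05:00Z session=s2 peer=203.0.113.9 msg=SSH_MSG_CHANNEL_REQUEST request=exec
2025-04-17T10:06:00Z session=s3 peer=203.0.113.9 msg=SSH_MSG_KEXINIT
2025-04-17T10:06:00Z session=s3 peer=203.0.113.9 msg=SSH_MSG_CHANNEL_OPEN type=session
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>\S+) peer=(?P<peer>\S+) msg=(?P<msg>\S+)(?P<rest>.*)$"
)
CHANNEL_MSGS = {"SSH_MSG_CHANNEL_OPEN", "SSH_MSG_CHANNEL_REQUEST"}


@dataclass
class Finding:
    session: str
    peer: str
    message: str
    reason: str


def _parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_preauth_channel_activity(log_text: str, exec_window_s: float = 2.0) -> list[Finding]:
    """Return one Finding per channel message seen in a session with no prior USERAUTH_SUCCESS."""
    authenticated: set[str] = set()
    first_kex: dict[str, datetime] = {}
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        sess, peer, msg = m["session"], m["peer"], m["msg"]
        ts = _parse_ts(m["ts"])
        if msg == "SSH_MSG_KEXINIT":
            first_kex.setdefault(sess, ts)
        elif msg == "SSH_MSG_USERAUTH_SUCCESS":
            authenticated.add(sess)
        elif msg in CHANNEL_MSGS and sess not in authenticated:
            reason = "channel message before authentication"
            # Handshake -> immediate exec: an exec request within the window after KEXINIT.
            if ("request=exec" in m["rest"] and sess in first_kex
                    and (ts - first_kex[sess]).total_seconds() <= exec_window_s):
                reason = "exec request immediately after key exchange, before authentication"
            findings.append(Finding(sess, peer, msg, reason))
    return findings


def flagged_sessions_per_peer(findings: list[Finding]) -> dict[str, int]:
    """Count distinct flagged sessions per peer; a high count suggests a scan/exploit burst."""
    per_peer: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        per_peer[f.peer].add(f.session)
    return {peer: len(sessions) for peer, sessions in per_peer.items()}


if __name__ == "__main__":
    hits = find_preauth_channel_activity(SAMPLE_LOG)
    for f in hits:
        print(f"{f.session} {f.peer} {f.message}: {f.reason}")
    print(flagged_sessions_per_peer(hits))
```

Session s1 authenticates before opening its channel and produces nothing; s2 and s3 both open a channel pre-auth, and s2's exec request lands in the same second as its key exchange, so it is reported under the stricter reason. Because the check keys on message order rather than on any payload content, it also catches variants that use a different command.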
Alerting Strategy:
- Priority: Critical
Alert triggers:
- Preauth channel_request detected against an Erlang/OTP SSH endpoint.
- Erlang runtime executes system commands without correlated successful SSH authentication.
- Outbound DNS queries to *.dns.outbound.watchtowr[.]com or outbound connections to the example IPs above originating from Erlang hosts.
- Immediate exec-style payloads sent during the SSH handshake (handshake → channel_request with command).
- Discovery of public PoC/exploit scripts on internal systems or repos.
Remediation & Response
Mitigation Steps if No Patch:
- Restrict network access to the vulnerable Erlang/OTP SSH service using firewalls or security groups.
- Disable the Erlang/OTP SSH daemon if it is not required for operations.
- Limit SSH access to a secure management network or VPN to reduce exposure.
- Monitor for unusual SSH connections or commands executed by the Erlang/OTP processes.
Incident Response Considerations:
- Check for evidence of exploitation, such as unexpected files, processes, or system changes made by the Erlang/OTP SSH daemon.
- Investigate unusual network activity targeting SSH on affected hosts.
- Isolate compromised systems to prevent lateral movement within the network.
Compliance & Governance Notes
Standards Impacted:
- CVE-2025-32433 is in CISA’s KEV catalog; action is required.
- Erlang/OTP and vendors (e.g., Cisco, NetApp) advise patching; ignoring may breach security policies.
Audit Trail Requirement:
- Monitor and log pre-auth SSH messages to spot attacks.
- Record patch details: date, engineer, hosts, and OTP version.
- Verify post-patch that pre-auth messages are blocked and no systems remain vulnerable.
Policy Alignment:
- Update vulnerability policy to track KEV-listed flaws and enforce patching.
- Restrict Erlang/OTP SSH exposure to trusted networks only.
- Update incident response plan to detect, isolate, and remediate pre-auth SSH exploits.
Where Can I Find More Information on CVE-2025-32433?
CVSS Breakdown Table
| Metric | Value | Description |
|---|---|---|
| Base Score | 10.0 | Critical severity; allows unauthenticated remote code execution |
| Attack Vector | Network | Exploitable remotely via SSH without local access |
| Attack Complexity | Low | Exploit does not require special conditions; straightforward RCE |
| Privileges Required | None | No authentication or elevated privileges needed to execute code |
| User Interaction | None | No user action required; exploitation occurs remotely |
| Scope | Changed | Successful exploitation can affect the entire host if SSH runs as root |
| Confidentiality Impact | High | Exploit can disclose sensitive data or system information |
| Integrity Impact | High | Exploit can modify system state or execute arbitrary commands |
| Availability Impact | High | Full system compromise possible; DoS likely during exploitation |