Published: Apr 22, 2025 10:41
Advisory No: TZCERT-SA-25-0088
Source: Erlang/OTP
Software Affected: OTP-27.3.2 and earlier, OTP-26.2.5.10 and earlier and OTP-25.3.2.19 and earlier
A critical vulnerability (CVE-2025-32433) has been identified in the Erlang/OTP SSH server component, permitting unauthenticated remote code execution (RCE). This flaw arises from improper handling of SSH protocol messages, allowing attackers with network access to execute arbitrary code on affected systems without authentication. The vulnerability has received a CVSS score of 10.0, which indicates the maximum severity.
The vulnerability stems from the Erlang/OTP SSH server's failure to enforce protocol rules regarding message handling prior to authentication. Specifically, the server does not properly disconnect when receiving SSH message numbers ≥ 80 before authentication, as mandated by RFC 4252. This oversight enables attackers to send crafted messages during the unauthenticated phase, leading to unauthorized code execution.
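To make the RFC 4252 rule concrete, the following added example (not Erlang/OTP's code, and not part of the original advisory) models a server's pre-authentication message gate: one handler dispatches every message regardless of authentication state, the other disconnects as soon as a connection-protocol message (number 80 or above) arrives before authentication. The message numbers are taken from RFC 4250; the session model and message sequence are constructed for illustration.

```python
"""Pre-authentication message gate modelled on RFC 4252 (constructed example).
RFC 4250 allocates message numbers by layer: 1-49 transport, 50-79 user
authentication, 80-127 connection protocol.  RFC 4252 requires a server to
reject connection-protocol messages (>= 80) until the client is authenticated.
Neither handler below is Erlang/OTP's own code; both are simplified models.
"""
from dataclasses import dataclass, field

# Message numbers from RFC 4250.
SSH_MSG_SERVICE_REQUEST = 5
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_REQUEST = 98
CONNECTION_PROTOCOL_MIN = 80  # first connection-protocol message number

@dataclass
class Session:
    authenticated: bool = False
    disconnected: bool = False
    dispatched: list = field(default_factory=list)

def handle_unchecked(session: Session, msg_type: int) -> str:
    """Dispatch every message regardless of auth state (the shape of the defect)."""
    if session.disconnected:
        return "dropped"
    session.dispatched.append(msg_type)
    return "dispatched"

def handle_enforced(session: Session, msg_type: int) -> str:
    """Disconnect on any connection-protocol message seen before authentication."""
    if session.disconnected:
        return "dropped"
    if msg_type >= CONNECTION_PROTOCOL_MIN and not session.authenticated:
        session.disconnected = True  # RFC 4252: end the session, dispatch nothing
        return "disconnect"
    session.dispatched.append(msg_type)
    return "dispatched"

def replay(handler, messages, authenticated=False):
    """Feed a message sequence to a handler; return the per-message outcomes."""
    session = Session(authenticated=authenticated)
    return [handler(session, m) for m in messages]

# Constructed sequence: connection-protocol messages arriving before any authentication.
PRE_AUTH_SEQUENCE = [SSH_MSG_SERVICE_REQUEST, SSH_MSG_CHANNEL_OPEN, SSH_MSG_CHANNEL_REQUEST]

if __name__ == "__main__":
    print("unchecked:", replay(handle_unchecked, PRE_AUTH_SEQUENCE))
    print("enforced: ", replay(handle_enforced, PRE_AUTH_SEQUENCE))
```

The enforced handler accepts the same sequence once the session is authenticated, which is the state-dependent behaviour the advisory says the affected versions fail to apply.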
An attacker with network access to a vulnerable Erlang/OTP SSH server can exploit this flaw to execute arbitrary code without authentication, resulting in full system compromise, data exfiltration, and/or denial-of-service attacks. If the SSH daemon runs with elevated privileges, the attacker could gain full control over the system.
To mitigate the risk posed by this vulnerability, users and administrators are advised to immediately upgrade to the patched Erlang/OTP versions (27.3.3, 26.2.5.11, or 25.3.2.20). If upgrading is not feasible right away, restrict network access to the Erlang/OTP SSH server using firewall rules and disable the service if it is not in use. Furthermore, organizations are encouraged to adopt long-term security best practices such as enforcing network segmentation, maintaining regular patch management cycles, and conducting periodic vulnerability assessments to minimize exposure and enhance overall system resilience.