CVE-2025-32433 – The Erlang/OTP SSH Vulnerability You Can’t Ignore
Imagine an attacker gaining complete network control in minutes, encrypting your data, and disrupting operations—all because of a single unpatched SSH service.
It all began with a report from Bleeping Computer about a critical SSH vulnerability in Erlang/OTP, tracked as CVE-2025-32433. This vulnerability allows attackers to bypass authentication and execute arbitrary commands on unpatched systems. Initially, I thought it was just another CVE among many. However, after researching, I realised the situation was more serious. This vulnerability received a CVSS score of 10, indicating its severity. Public exploits have been made available, and the NCSC is aware of published proof-of-concept (PoC) exploits. As vendors confirmed the impacts, it became clear that attackers would start scanning for vulnerable targets. These threat actors could exploit this vulnerability to deploy malware, encrypt data, or disrupt operations.
CVE-2025-32433 isn’t just another threat; it’s a live threat capable of remote code execution, putting countless organisations at risk.
The Threat Landscape
This threat enables remote attackers to run arbitrary code through compromised SSH services. Because SSH is often the first barrier to protecting critical systems, a breach could lead to total compromise—data theft, operational disruption, and reputational damage.
Who’s in the crosshairs?
- Organisations using Erlang/OTP.
- Vendors who rely on Erlang/OTP SSH modules.
- Devices with embedded SSH services based on Erlang code (e.g., network hardware, telecom platforms).
Immediate Actions Recommended
CERT NZ recommends immediate patching as the primary response. However, if you can’t patch immediately, there is a temporary workaround: configure your firewall to block SSH access from untrusted networks until patches are applied.
Firewall Configuration as a Temporary Shield
Setting firewall rules to restrict SSH can mitigate exposure. Specifically, ensure SSH ports (usually 22) are only accessible from trusted IP ranges. Deny all other incoming SSH traffic. It’s not a permanent fix, but it buys you time.
How ManageEngine Can Help
Endpoint Central and Patch Manager Plus: Quickly scan for affected systems, deploy patches remotely, and confirm patch compliance.
Firewall Analyser: Implement firewall rule updates across your network in minutes. Use it to:
- Identify exposed SSH services.
- Push rule changes to restrict SSH access.
- Monitor for policy violations in real-time.
Stay Ahead, Stay Secure
The exploits are currently active, and any delay could lead to disaster. With ManageEngine’s unified patching and firewall management tools, you can secure your infrastructure more quickly than attackers can exploit vulnerabilities. If your organisation doesn’t have a security action plan or needs assistance setting up emergency patches or tightening your firewall rules, don’t hesitate to contact our team today to protect your environment.
For more information, contact us here or visit us here.