Full Report
A critical vulnerability in the Erlang/OTP SSH, tracked as CVE-2025-32433, has been disclosed that allows for unauthenticated remote code execution on vulnerable devices. [...]
Analysis Summary
# Vulnerability: Critical Erlang/OTP SSH Pre-Authentication Remote Code Execution
## CVE Details
- CVE ID: CVE-2025-32433
- CVSS Score: 10.0 (Critical)
- CWE: Not explicitly stated (Likely related to Improper Input Validation or Authentication Bypass)
## Affected Systems
- Products: Erlang/OTP SSH daemon (part of the Erlang/OTP distribution)
- Versions: All versions prior to the patched releases.
- Configurations: Any system running the Erlang/OTP SSH application.
## Vulnerability Description
The vulnerability is a Critical flaw residing within the Erlang/OTP SSH daemon. It stems from the improper handling of certain pre-authentication protocol messages within the SSH application. This flawed handling allows an unauthenticated remote attacker to send connection protocol messages *prior* to the authentication phase, leading directly to Remote Code Execution (RCE). Commands executed via this vulnerability run with the privileges of the SSH daemon, often resulting in execution as **root**.
## Exploitation
- Status: PoC available (demonstrated writing a file as root by Horizon3 Attack Team)
- Complexity: Low (Described as "surprisingly easy" to reproduce)
- Attack Vector: Network
## Impact
- Confidentiality: High/Complete (Potential for full system compromise)
- Integrity: High/Complete (Potential for full system compromise)
- Availability: High/Complete (Potential for full system compromise)
## Remediation
### Patches
Organizations must upgrade to the following fixed versions immediately:
- Erlang/OTP versions **25.3.2.10**
- Erlang/OTP versions **26.2.4**
### Workarounds
For systems where immediate patching is not possible (e.g., industrial or mission-critical devices):
1. Restrict SSH access to only trusted IP addresses.
2. Disable the Erlang/OTP SSH daemon entirely if it is not required for immediate operations.
## Detection
- **Indicators of Compromise (IoCs):** Not explicitly detailed, but successful exploitation would involve unauthorized process execution or file creation/modification by the user running the SSH daemon (often root).
- **Detection Methods and Tools:** Traditional network intrusion detection systems monitoring for unexpected SSH protocol flows or unauthorized connections to port 22 (or custom SSH port) that do not proceed to a standard authentication handshake.
## References
- Vendor Advisories: Refer to the official Erlang/OTP security advisories for CVE-2025-32433.
- Relevant Links:
- hxxps://www.openwall.com/lists/oss-security/2025/04/16/2
- hxxps://x.com/Horizon3Attack/status/1912945580902334793