· Vulnerability  · 2 min read

Erlang OTP SSH Exploits Target OT Firewalls

Discover the surge in Erlang/OTP SSH RCE exploits (CVE-2025-32433) targeting OT firewalls. Learn how attackers are achieving RCE without authentication.

Erlang/OTP SSH Exploit

Malicious actors have been observed exploiting a now-patched critical security flaw impacting Erlang/Open Telecom Platform (OTP) SSH as early as the beginning of May 2025, with about 70% of detections originating from firewalls protecting operational technology (OT) networks.

The Vulnerability: CVE-2025-32433

The vulnerability in question is CVE-2025-32433, a critical missing authentication issue with a CVSS score of 10.0. This flaw can be abused by an attacker with network access to an Erlang/OTP SSH server to execute arbitrary code.

It was patched in April 2025 with versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. Subsequently, in June 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

According to researchers at Palo Alto Networks Unit 42:

“At the heart of Erlang/OTP’s secure communication capabilities lies its native SSH implementation—responsible for encrypted connections, file transfers and most importantly, command execution. A flaw in this implementation would allow an attacker with network access to execute arbitrary code on vulnerable systems without requiring credentials, presenting a direct and severe risk to exposed assets.”

Widespread Exploitation Targeting OT

The cybersecurity company’s analysis of telemetry data has revealed that over 85% of exploit attempts have primarily singled out healthcare, agriculture, media and entertainment, and high technology sectors in the U.S., Canada, Brazil, India, and Australia, among others.

Vulnerability exploitation chart

In the attacks observed, the successful exploitation of CVE-2025-32433 is followed by the threat actors using reverse shells to gain unauthorized remote access to target networks. It’s currently not known who is behind the efforts.

Unit 42 researchers added:

“This widespread exposure on industrial-specific ports indicates a significant global attack surface across OT networks. Attackers are attempting to exploit the vulnerability in short, high-intensity bursts. These are disproportionately targeting OT networks and attempting to access exposed services over both IT and industrial ports.”

Share this post

Share Tweet Send Share Email
Newsletter Signup

News Feed

Get the Hottest Cybersecurity News Delivered to You!

Related News

Discover more news articles that might interest you

View All →
Trend Micro Apex One Flaws Actively Exploited

Trend Micro Apex One Flaws Actively Exploited

Google Patches Two Actively Exploited Qualcomm Zero-Days

Google Patches Two Actively Exploited Qualcomm Zero-Days

Win-DDoS Flaws Turn Domain Controllers into Botnets

Win-DDoS Flaws Turn Domain Controllers into Botnets

ECScape Flaw in Amazon ECS Allows Credential Theft

ECScape Flaw in Amazon ECS Allows Credential Theft

Critical NVIDIA Flaw Exposes AI Cloud Services

Critical NVIDIA Flaw Exposes AI Cloud Services

CISA Urges Immediate Patch for PHPMailer Vulnerability

CISA Urges Immediate Patch for PHPMailer Vulnerability