Hi all,

we (Fabian Bäumer, Marcus Brinkmann, Marcel Maehren, Jörg Schwenk (Ruhr University Bochum)) found a critical security vulnerability in the Erlang/OTP SSH implementation. The vulnerability allows an attacker with network access to an Erlang/OTP SSH server to execute arbitrary code without prior authentication. This vulnerability has been assigned CVE-2025-32433 with an estimated CVSSv3 of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). The issue is caused by a flaw in the SSH protocol message handling which allows an attacker to send connection protocol messages prior to authentication.

### Am I affected?

All users running an SSH server based on the Erlang/OTP SSH library are likely to be affected by this vulnerability. If your application uses Erlang/OTP SSH to provide remote access, assume you are affected.

### Impact

The vulnerability allows an attacker to execute arbitrary code in the context of the SSH daemon. If your SSH daemon is running as root, the attacker has full access to your device. Consequently, this vulnerability may lead to full compromise of hosts, allowing for unauthorized access to and manipulation of sensitive data by third parties, or denial-of-service attacks.

### Mitigation

Users are advised to update to the latest available Erlang/OTP release. Fixed versions are OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. As a temporary workaround, access to vulnerable SSH servers can be prevented by suitable firewall rules.

### Advisory

An official advisory is available on GitHub: https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2

Best regards,

Fabian Bäumer

--
M. Sc. Fabian Bäumer

Chair for Network and Data Security
Ruhr University Bochum
Universitätsstr. 150, Building MC 4/145
44780 Bochum
Germany
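An added helper for the mitigation section above, not part of this advisory or of Erlang/OTP: it classifies an installed OTP version string against the three fixed releases named in the message. It assumes that any later release on a listed branch carries the fix, that branches the advisory does not name are reported as unknown rather than guessed, and that an OTP install tree keeps its full version in releases/<major>/OTP_VERSION.

```python
"""Check an Erlang/OTP version against the fixed releases for CVE-2025-32433.

Constructed helper, not advisory or project code. Fixed versions are those
stated in the advisory: OTP-27.3.3, OTP-26.2.5.11, OTP-25.3.2.20.
"""
import re
import sys
from pathlib import Path

# First fixed release per major branch, taken from the advisory text.
FIXED = {
    27: (27, 3, 3),
    26: (26, 2, 5, 11),
    25: (25, 3, 2, 20),
}


def parse_otp_version(text):
    """Turn "OTP-26.2.5.10", "26.2.5.10" or "OTP 26.2.5.10\n" into (26, 2, 5, 10)."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def _pad(v, n):
    # Right-pad with zeros so "26.2.6" compares as (26, 2, 6, 0).
    return tuple(v) + (0,) * (n - len(v))


def classify(text):
    """Return "fixed", "vulnerable" or "unknown" for one OTP version string."""
    v = parse_otp_version(text)
    fixed = FIXED.get(v[0])
    if fixed is None:
        return "unknown"  # branch not covered by the advisory; check release notes
    n = max(len(v), len(fixed))
    return "fixed" if _pad(v, n) >= _pad(fixed, n) else "vulnerable"


def installed_version(erl_root):
    """Read releases/<major>/OTP_VERSION under an OTP install root (assumed layout)."""
    matches = sorted(Path(erl_root).glob("releases/*/OTP_VERSION"))
    return matches[-1].read_text().strip() if matches else None


if __name__ == "__main__":
    # Usage: either a version string ("OTP-26.2.5.10") or an install root path.
    for arg in sys.argv[1:]:
        ver = installed_version(arg) if Path(arg).is_dir() else arg
        print(arg, "->", classify(ver) if ver else "no OTP_VERSION file found")
```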
