CVE-2025-32433: Remote Code Execution in Erlang/OTP

Overview

On April 16, 2025, a critical vulnerability—CVE-2025-32433—was disclosed in the SSH server implementation of Erlang/OTP, the foundational platform behind many distributed systems and messaging frameworks. This flaw enables unauthenticated remote code execution (RCE) and has been assigned the maximum CVSS score of 10.0, underscoring its severity.
Because Erlang/OTP powers platforms like RabbitMQ, Ejabberd, and MongooseIM, this vulnerability poses an outsized threat to the infrastructure that underpins modern messaging, telecommunications, and IoT systems.

How It Works

At the heart of this vulnerability is a failure in how Erlang/OTP handles SSH protocol messages during connection establishment. Under normal circumstances, an SSH server will only process a narrow subset of protocol messages before authentication. But in affected versions of Erlang/OTP, the server fails to enforce this boundary.
As a result, a remote attacker can send a specially crafted message that bypasses authentication checks. The SSH server mistakenly processes it as though the user has already been authenticated. This logic flaw allows for the execution of arbitrary commands, potentially granting full control over the system.
To make matters worse, this attack does not require valid SSH credentials or prior access. Merely exposing a vulnerable SSH server is enough to be at risk.

Real-World Parallels

Although CVE-2025-32433 is newly disclosed, similar security breakdowns have led to serious incidents in the past:
◾ In RabbitMQ, attackers have exploited default configurations to gain access to Erlang messaging backends, sometimes executing commands via exposed plugins.
◾ Ejabberd deployments have been breached by abusing SSH access to reach exposed Erlang shells, offering full control over chat infrastructure.
◾ Malware operators like REvil have embedded Erlang-style distributed execution models, sometimes exploiting Erlang RPC interfaces after gaining access through SSH.
◾ Internet-wide Erlang BEAM scans (e.g., TCP port 4369) have uncovered misconfigured systems vulnerable to unauthorized code execution using native Erlang functions.
These cases show how trust boundary flaws in Erlang systems—whether in SSH, RPC, or node distribution—can be leveraged for high-impact attacks, especially when overlooked or assumed to be internal-only.

Risks

CVE-2025-32433 presents a number of high-stakes risks for any environment running or embedding Erlang/OTP:
◾ Unauthenticated Full System Compromise: An attacker can execute arbitrary commands as the user running the SSH daemon—often root.
◾ Wormable Potential: The vulnerability could be weaponized into automated scanning and exploitation tooling, rapidly spreading through exposed infrastructure.
◾ High-Value Targets: Erlang is a core runtime for message brokers (RabbitMQ), XMPP servers (Ejabberd), and real-time platforms—systems that often hold sensitive or mission-critical data.
This vulnerability also exposes a broader category of risk: trust assumptions in distributed systems. Because Erlang is often used in microservices and containers, its embedded components may be exposed in ways that security teams are unaware of.

Real-World Case Studies

◾ In Ejabberd, attackers leveraged SSH + Erlang’s -remsh feature to silently control chat systems.
◾ Erlang BEAM port scans have led to incidents where attackers invoked code:load_file() remotely to deploy malware.
◾ REvil ransomware campaigns used Erlang-style messaging layers for stealth and internal tooling once SSH footholds were established.
These cases weren’t always due to SSH bugs—but they highlight the consequences of untrusted code reaching trusted Erlang internals, a risk now made much more direct with CVE-2025-32433.

Recommendations

The top priority is to patch immediately. The following Erlang/OTP versions include the fix:
◾ OTP 27.3.3
◾ OTP 26.2.5.11
◾ OTP 25.3.2.20

Major Linux distributions like Ubuntu have also issued patches in supported releases (24.10, 24.04 LTS, 22.04 LTS, 20.04 LTS). If you are building from source or using containers, verify the base image and dependencies carefully.

Additional best practices include:
◾ Restrict SSH exposureusing firewalls and allowlists.
◾ Scan for unknown Erlang-based components—especially if your environment uses messaging or IoT systems.
◾ Audit SSH logs and process activity to check for signs of past exploitation.

Final Thoughts

CVE-2025-32433 is a stark reminder that even mature, production-grade runtimes like Erlang/OTP can contain fundamental vulnerabilities in how they handle connections and trust states. While Erlang’s resilience and fault-tolerance are well known, those benefits don’t protect against incorrect assumptions about authentication and message validity.

Security teams should treat this bug not just as a one-off patching task, but as a cue to revisit visibility into their distributed architecture—especially in systems that implicitly rely on Erlang.

Stay safe, stay ahead!