A critical vulnerability (CVE-2025-32433) exists in Erlang/OTP's SSH implementation, affecting versions prior to 26.2.1 and 25.3.2.6. This flaw allows unauthenticated remote attackers to execute arbitrary code on the server. Specifically, a specially crafted SSH message can trigger the vulnerability during the initial handshake, before authentication occurs, enabling complete system compromise. Users are urged to update their Erlang/OTP installations to the latest patched versions as soon as possible.
The National Vulnerability Database entry, CVE-2025-32433, details a critical vulnerability affecting Erlang/OTP (Open Telecom Platform) versions prior to 26.1, and versions prior to 25.3.2.3 in the 25 series. This vulnerability allows for unauthenticated remote code execution, meaning an attacker can execute arbitrary code on a vulnerable system without needing any valid credentials. This is achieved by exploiting a flaw in the implementation of the SSH (Secure Shell) protocol within Erlang/OTP.
Specifically, the vulnerability stems from improper input validation during the SSH handshake process. When an SSH client connects to an Erlang/OTP SSH server, a series of messages are exchanged to establish the connection and negotiate cryptographic parameters. The vulnerability lies in how the server handles certain messages related to key exchange algorithms. A maliciously crafted client can send a specially constructed message during this key exchange phase that bypasses the authentication checks. This allows the attacker to proceed with the connection as if they were a legitimate, authenticated user.
Once the attacker bypasses authentication, they effectively gain control of the SSH connection. This allows them to execute commands on the server with the same privileges as the SSH service itself. The impact of successful exploitation can be severe, potentially leading to complete compromise of the affected system. An attacker could install malware, exfiltrate sensitive data, disrupt services, or gain further access to internal network resources.
The vulnerability affects a wide range of Erlang/OTP deployments that utilize the built-in SSH server functionality. This includes various applications built on the Erlang/OTP platform, as well as systems using Erlang/OTP for distributed computing and communication.
The recommended remediation is to upgrade to Erlang/OTP version 26.1 or 25.3.2.3, which addresses the vulnerability through improved input validation during the SSH handshake. By applying these updates, the server will correctly handle the malicious messages and prevent unauthenticated access, thus mitigating the risk of remote code execution.
Summary of Comments ( 11 )
https://news.ycombinator.com/item?id=43716526
Hacker News users discuss the severity and impact of the Erlang/OTP SSH vulnerability. Some highlight the potential for widespread exploitation given Erlang's usage in telecom infrastructure and distributed systems. Several commenters question the assigned CVSS score of 9.8, finding it surprisingly high for a vulnerability that requires non-default configuration (specifically enabling password authentication). The discussion also touches on the practical implications of the vulnerability, acknowledging that while serious, exploitation might be limited by the need for open SSH ports and enabled password logins. Others express concern about the potential for nested exploitation, as vulnerable Erlang systems might host other exploitable services. Finally, some users note the responsible disclosure and patching process.
The Hacker News post titled "Unauthenticated Remote Code Execution in Erlang/OTP SSH" (https://news.ycombinator.com/item?id=43716526) has several comments discussing the vulnerability (CVE-2025-32433).
Several commenters highlight the severity of the vulnerability, being an unauthenticated remote code execution flaw. One user points out the particularly dangerous combination of this being a pre-auth vulnerability and Erlang's frequent use in distributed systems, increasing the potential attack surface. They mention that distributed Erlang systems often run with minimal firewalling, making them easier targets.
Another commenter notes that exploitation is straightforward, quoting the NIST advisory that "Successful exploitation of this vulnerability requires only sending a crafted SSH message." This emphasizes the low barrier to entry for potential attackers.
Discussion also revolves around the practical impact. One user questions how many publicly exposed Erlang SSH servers exist, suggesting that while serious, the impact might be limited depending on the prevalence of such deployments. This prompts another commenter to mention that while direct SSH access to Erlang nodes might be less common, many systems likely use distributed Erlang for backend communication, which could be vulnerable.
A commenter with experience in securing Erlang systems suggests that the vulnerability reinforces the importance of employing robust network security measures, like firewalls and VPNs, even within internal networks. They highlight that assuming internal networks are safe is a dangerous misconception.
There's some discussion of the technical details. One user dives deeper into the mechanism of the vulnerability, explaining that it arises from the way the
ssh_packet_set_size/1function handles size limits before authentication, allowing malicious actors to bypass checks and execute arbitrary code.Finally, several commenters express concern about the vulnerability's potential to affect critical infrastructure and industrial control systems, given Erlang's presence in those sectors. One user speculates about the potential for this vulnerability to be exploited in targeted attacks.