NAVANEM
CVE-2025-32433 (exploited in the wild)

Erlang/OTP SSH server, unauthenticated pre-auth message-handling RCE

A flaw in the Erlang/OTP SSH server's handling of protocol messages allows an unauthenticated remote attacker to perform arbitrary code execution. By sending connection-protocol messages before authentication completes, a malicious actor can cause the SSH daemon to process them as if authenticated, gaining unauthorized access and executing arbitrary commands without valid credentials. Versions prior to OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20 are affected; the issue is fixed in those releases.

Overview

CVE-2025-32433 is a maximum-severity, unauthenticated remote code execution vulnerability in the SSH server shipped with Erlang/OTP. An attacker who can reach a service built on the ssh application can execute arbitrary code with the privileges of that service, without any credentials and without user interaction. The GitHub-assigned CVSS v3.1 base score is 10.0 (Critical) with a Changed scope; the NVD record reflects this CNA score and does not carry a separate NVD-assigned primary value.

The issue was disclosed via an Erlang/OTP GitHub Security Advisory on 16 April 2025. Because Erlang/OTP's SSH library underpins a wide range of products, including network equipment, message brokers, and infrastructure agents that embed an SSH endpoint, the exposure is broad. Working exploits were published within days, and CISA added the CVE to its Known Exploited Vulnerabilities catalog on 9 June 2025, confirming real-world attacks.

Technical Details

The vulnerability is a missing-authentication flaw, classified as CWE-306 (Missing Authentication for Critical Function), in how the Erlang/OTP SSH daemon sequences the SSH transport and connection protocols. In a correct implementation the server must complete the SSH authentication phase before it will accept and act on connection-protocol messages such as channel opens and requests. The affected Erlang/OTP SSH server fails to enforce this state machine: it accepts and processes certain SSH connection-protocol messages that are sent before authentication has succeeded.

By delivering these pre-authentication messages, an attacker can drive the server into performing privileged operations, including opening a channel and issuing a request that the SSH daemon executes. When the embedding application wires the SSH server to a shell, an exec handler, or a subsystem, this becomes direct command or code execution in the context of the Erlang node. The Changed scope in the CVSS vector reflects that code runs in the security context of the SSH service rather than the unauthenticated attacker, which on many embedded deployments means high or root-equivalent privilege.

Affected versions are all Erlang/OTP releases prior to OTP-27.3.3 on the 27.x branch, prior to OTP-26.2.5.11 on the 26.x branch, and prior to OTP-25.3.2.20 on the 25.x branch. Any product that exposes an SSH endpoint implemented with the OTP ssh library in those ranges is exposed.

Impact

  • Unauthenticated remote code execution on any reachable SSH endpoint built on the affected Erlang/OTP ssh library.
  • Full compromise of the Erlang node and, frequently, of the underlying host, since many embedded SSH services run with elevated privileges.
  • Changed CVSS scope: impact extends beyond the vulnerable component into the broader system.
  • Complete loss of confidentiality, integrity, and availability (CIA all High) with attack complexity Low.
  • Wide downstream blast radius across networking gear, brokers, and management agents that embed the OTP SSH server.

Mitigation

  1. Upgrade Erlang/OTP to a fixed release for your branch: OTP-27.3.3 or later, OTP-26.2.5.11 or later, or OTP-25.3.2.20 or later.
  2. Rebuild and redeploy any application or appliance that statically bundles the OTP ssh library so it links the patched version; patching the OS Erlang package is not enough if the product ships its own runtime.
  3. As a temporary workaround until patched, disable the Erlang/OTP SSH server in affected products if it is not required.
  4. Where the SSH server must stay enabled, restrict reachability with firewall rules and network ACLs so only trusted management hosts can connect.
  5. After patching, review logs for prior exploitation and rotate any keys or credentials reachable from the affected node.
  6. Inventory your environment for embedded uses of the OTP SSH library, since the vulnerable code is often hidden inside third-party appliances rather than an obvious sshd.
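The inventory step above (and the version check the Detection section calls for) is easy to get wrong by hand because each branch has its own fixed release and the version strings have four components. The following is an added example, not code from the advisory or from the Erlang/OTP project: it parses version strings of the form `OTP-26.2.5.10` and compares them against the fixed releases the advisory lists. Two rules are assumptions: branches older than 25 are reported as affected because they sit below every fixed release, and branches newer than 27 are assumed to have shipped after the fix. The inventory data at the bottom is constructed.

```python
import re

# Fixed releases per branch as stated in the advisory; anything older on the
# same branch is affected.
FIXED_RELEASES = {
    27: (27, 3, 3),
    26: (26, 2, 5, 11),
    25: (25, 3, 2, 20),
}

# Accepts "OTP-26.2.5.10", "OTP_26.2.5.10" or a bare "26.2.5.10".
_VERSION_RE = re.compile(r"^(?:OTP[-_])?(\d+(?:\.\d+)*)$")


def parse_otp_version(text):
    """Turn an OTP version string into a tuple of ints for ordering."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised OTP version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version):
    """True when the version falls in the vulnerable range for its branch.

    Assumptions (not from the advisory): branches below 25 are treated as
    affected because they are older than every fixed release; branches above
    27 are treated as fixed because they were cut after the fix landed.
    """
    v = parse_otp_version(version)
    major = v[0]
    if major in FIXED_RELEASES:
        # Tuple comparison is lexicographic, so (26, 2, 5) < (26, 2, 5, 11)
        # and (27, 4) > (27, 3, 3), which is the ordering we want.
        return v < FIXED_RELEASES[major]
    return major < 25


def audit(inventory):
    """inventory: iterable of (asset_name, otp_version_string).

    Returns the sorted list of asset names still running an affected OTP.
    """
    return sorted(name for name, ver in inventory if is_affected(ver))


# Constructed sample inventory: appliance name -> OTP version it bundles.
SAMPLE_INVENTORY = [
    ("broker-01", "OTP-26.2.5.10"),   # one below the 26.x fix
    ("broker-02", "OTP-26.2.5.11"),   # exactly the fix
    ("switch-mgmt", "OTP-25.3.2.19"),
    ("agent-lab", "27.3.3"),
    ("legacy-box", "OTP-24.3.4.17"),  # old branch, assumed affected
    ("new-node", "OTP-28.0"),         # assumed fixed
]

if __name__ == "__main__":
    for name in audit(SAMPLE_INVENTORY):
        print(f"{name}: affected, upgrade required")
```

The full four-part version is not what `erlang:system_info(otp_release)` returns (that gives only the major, e.g. `"26"`); on an installed runtime it is in the `OTP_VERSION` file under `releases/<major>/` beneath `code:root_dir()`, which is the value to feed into `is_affected`.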

Detection

The defining behavioural signature is SSH connection-protocol activity that occurs before authentication completes. If you have packet capture or a protocol-aware sensor in front of the affected service, alert on SSH sessions where channel-open or channel-request messages (SSH connection-protocol messages such as SSH_MSG_CHANNEL_OPEN and SSH_MSG_CHANNEL_REQUEST) appear before a successful SSH_MSG_USERAUTH_SUCCESS. Legitimate clients never do this, so a single such session is a strong indicator of an exploitation attempt against CVE-2025-32433. Community Suricata and Snort rules keyed to this pre-auth message ordering are available and should be deployed where SSH is not end-to-end opaque.
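The ordering check described above, written out as a small state machine over decrypted SSH packet payloads. This is an added example, not code from the advisory or from any IDS ruleset: it takes a session as a list of (direction, payload) pairs whose first byte is the SSH message number (RFC 4253/4252/4254 numbering), marks the session authenticated when the server sends SSH_MSG_USERAUTH_SUCCESS, and reports any client message in the connection-protocol range (80 to 127) seen before that point. The two sessions at the bottom are constructed. Because everything after SSH_MSG_NEWKEYS is encrypted on the wire, a purely passive capture only has message types for the pre-key-exchange portion; the same logic applies unchanged where the sensor is on the server side or behind a decrypting proxy.

```python
import struct

# SSH message numbers: RFC 4253 (transport), RFC 4252 (userauth),
# RFC 4254 (connection protocol, which reserves numbers 80-127).
SSH_MSG_SERVICE_REQUEST = 5
SSH_MSG_KEXINIT = 20
SSH_MSG_NEWKEYS = 21
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_SUCCESS = 52
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_REQUEST = 98
CONNECTION_PROTO_RANGE = range(80, 128)


def ssh_string(b):
    """Encode an SSH 'string' (uint32 big-endian length + bytes), RFC 4251."""
    return struct.pack(">I", len(b)) + b


def describe(payload):
    """Short label for a payload, decoding the channel/request type if present."""
    t = payload[0]
    if t == SSH_MSG_CHANNEL_OPEN:
        # byte 90, string channel-type, uint32 sender, uint32 window, uint32 max packet
        n = struct.unpack(">I", payload[1:5])[0]
        return f"CHANNEL_OPEN type={payload[5:5 + n].decode(errors='replace')}"
    if t == SSH_MSG_CHANNEL_REQUEST:
        # byte 98, uint32 recipient channel, string request-type, boolean want_reply
        n = struct.unpack(">I", payload[5:9])[0]
        return f"CHANNEL_REQUEST request={payload[9:9 + n].decode(errors='replace')}"
    return f"msg {t}"


def audit_session(packets):
    """packets: [(direction, payload), ...] in wire order, direction 'c2s' or 's2c'.

    Returns [(index, description)] for every client connection-protocol message
    sent before the server reported SSH_MSG_USERAUTH_SUCCESS. An empty list
    means the session respected the expected authentication-first ordering.
    """
    authenticated = False
    findings = []
    for idx, (direction, payload) in enumerate(packets):
        if not payload:
            continue
        t = payload[0]
        if direction == "s2c" and t == SSH_MSG_USERAUTH_SUCCESS:
            authenticated = True
        elif direction == "c2s" and t in CONNECTION_PROTO_RANGE and not authenticated:
            findings.append((idx, describe(payload)))
    return findings


# Constructed payloads (only the fields the detector reads are meaningful).
def channel_open_session():
    return bytes([SSH_MSG_CHANNEL_OPEN]) + ssh_string(b"session") + struct.pack(">III", 0, 65536, 32768)


def channel_request(request_type):
    return bytes([SSH_MSG_CHANNEL_REQUEST]) + struct.pack(">I", 0) + ssh_string(request_type) + b"\x01"


# Constructed benign session: KEX, NEWKEYS, userauth, then channel work.
BENIGN_SESSION = [
    ("c2s", bytes([SSH_MSG_KEXINIT])), ("s2c", bytes([SSH_MSG_KEXINIT])),
    ("c2s", bytes([SSH_MSG_NEWKEYS])), ("s2c", bytes([SSH_MSG_NEWKEYS])),
    ("c2s", bytes([SSH_MSG_SERVICE_REQUEST]) + ssh_string(b"ssh-userauth")),
    ("c2s", bytes([SSH_MSG_USERAUTH_REQUEST])),
    ("s2c", bytes([SSH_MSG_USERAUTH_SUCCESS])),
    ("c2s", channel_open_session()),
    ("c2s", channel_request(b"shell")),
]

# Constructed suspicious session: channel messages with no USERAUTH_SUCCESS first.
SUSPICIOUS_SESSION = [
    ("c2s", bytes([SSH_MSG_KEXINIT])), ("s2c", bytes([SSH_MSG_KEXINIT])),
    ("c2s", channel_open_session()),
    ("c2s", channel_request(b"shell")),
]

if __name__ == "__main__":
    for name, session in (("benign", BENIGN_SESSION), ("suspicious", SUSPICIOUS_SESSION)):
        print(name, audit_session(session) or "no pre-auth connection-protocol messages")
```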

Because the OTP SSH server is usually embedded, host-side telemetry matters. Monitor the Erlang node and its host for unexpected child processes and outbound connections originating from the SSH service immediately after an inbound SSH connection from an untrusted source; a successful exploit typically results in process execution or a reverse connection with no preceding interactive login. EDR rules that flag the embedding daemon spawning a shell or interpreter, or initiating egress to an unfamiliar host, will catch post-exploitation even when the protocol anomaly was not captured.

Review SSH and application logs for connections that terminate without a recorded successful authentication yet correlate with side effects such as new files, configuration changes, or spawned tasks. Many embedded SSH stacks log scant detail, so also lean on network metadata: short-lived SSH connections from unexpected source addresses, connections from the internet to management SSH ports that should be internal-only, and bursts of SSH connections probing many hosts. Cross-reference source addresses against threat intelligence for CVE-2025-32433 scanning, which was widespread after public PoC release. Finally, build an asset inventory of every service that embeds the OTP ssh library and confirm each one's version against the fixed releases; anything still in an affected range that is network-reachable should be treated as potentially compromised and inspected for activity going back to mid-April 2025, with key rotation.
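A log-side version of the correlation described above. This is an added example, not code from the advisory or from any product: the log format is a constructed key=value layout (real embedded SSH stacks log differently, so `parse_line` is the part to adapt), the trusted management subnet and the 30-second correlation window are assumptions, and the sample lines are constructed. It flags each SSH connection that never logged a successful authentication but either came from outside the trusted networks or was followed within the window by a process execution on the host.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample log: SSH connection events plus host process events.
SAMPLE_LOG = """\
2025-04-18T02:11:03Z ssh conn=17 event=connect src=203.0.113.7
2025-04-18T02:11:04Z ssh conn=17 event=disconnect
2025-04-18T02:11:05Z host event=exec parent=beam.smp cmd=/bin/sh
2025-04-18T03:00:00Z ssh conn=18 event=connect src=10.0.5.2
2025-04-18T03:00:01Z ssh conn=18 event=auth_success user=admin
2025-04-18T03:04:00Z ssh conn=18 event=disconnect
2025-04-18T04:20:00Z ssh conn=19 event=connect src=10.0.5.9
2025-04-18T04:20:02Z ssh conn=19 event=disconnect
"""

TRUSTED_NETS = [ipaddress.ip_network("10.0.5.0/24")]  # assumed management subnet
WINDOW = timedelta(seconds=30)                         # assumed correlation window
LINE_RE = re.compile(r"^(\S+) (ssh|host) (.*)$")


def parse_line(line):
    """Parse '<ts> <ssh|host> k=v k=v ...' into a dict; None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group(3).split())
    rec["_ts"] = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    rec["_source"] = m.group(2)
    return rec


def is_trusted(addr):
    return any(ipaddress.ip_address(addr) in net for net in TRUSTED_NETS)


def correlate(log_text):
    """Return {conn_id: [reasons]} for unauthenticated connections worth review."""
    conns, host_events = {}, []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["_source"] == "host":
            host_events.append(rec)
            continue
        c = conns.setdefault(rec["conn"], {"auth": False, "src": None,
                                           "connect": None, "disconnect": None})
        if rec["event"] == "connect":
            c["connect"], c["src"] = rec["_ts"], rec.get("src")
        elif rec["event"] == "auth_success":
            c["auth"] = True
        elif rec["event"] == "disconnect":
            c["disconnect"] = rec["_ts"]

    findings = {}
    for cid, c in conns.items():
        if c["auth"] or c["connect"] is None:
            continue  # authenticated sessions are outside this signature
        reasons = []
        if c["src"] and not is_trusted(c["src"]):
            reasons.append(f"source {c['src']} outside trusted management networks")
        end = (c["disconnect"] or c["connect"]) + WINDOW
        for h in host_events:
            if h["event"] == "exec" and c["connect"] <= h["_ts"] <= end:
                reasons.append(f"host exec of {h.get('cmd')} by {h.get('parent')} "
                               f"within {WINDOW.seconds}s of an unauthenticated connection")
        if reasons:
            findings[cid] = reasons
    return findings


if __name__ == "__main__":
    for cid, reasons in correlate(SAMPLE_LOG).items():
        print(f"conn {cid}:")
        for r in reasons:
            print(f"  - {r}")
```

Connection 18 is authenticated and is skipped; connection 19 is an unauthenticated but short-lived connection from the trusted subnet with no host side effect, which on its own is indistinguishable from a failed login and is left alone; connection 17 combines an untrusted source with a shell spawned by the Erlang VM a second after it closed, which is the pattern to escalate.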
