
CVE-2025-32433

Tags: Warning, Media report, Exploit

Erlang/OTP is the standard set of libraries and runtime for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, the SSH server shipped with Erlang/OTP may allow an attacker to perform unauthenticated remote code execution (RCE). The flaw lies in SSH protocol message handling: the server accepts connection-protocol messages before user authentication has completed, so a malicious actor can gain access to affected systems and execute arbitrary commands without valid credentials. The issue is patched in OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. Until the patch can be applied, a temporary workaround is to disable the SSH server or to block access to it with firewall rules.
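The fixed releases above are the only concrete check a defender can run against an inventory. The following script is an added example, not code from the advisory, the NVD or the Erlang/OTP project: it parses OTP release strings and compares them branch by branch against the three fixed versions named here. Two behaviours are assumptions rather than statements of the advisory: releases on branches older than 25 are reported as vulnerable (they are "prior to" every fixed release and the advisory names no fix for them), and branches newer than 27 are reported as "unknown" because the advisory does not mention them. The `releases/<major>/OTP_VERSION` file path used by the helper is the location where an installed OTP records its full version.

```python
"""Check Erlang/OTP release strings against the fixed versions for CVE-2025-32433."""
from __future__ import annotations

from pathlib import Path

# Fixed releases named in the advisory, keyed by OTP major branch.
FIXED_BY_BRANCH: dict[int, tuple[int, ...]] = {
    25: (25, 3, 2, 20),
    26: (26, 2, 5, 11),
    27: (27, 3, 3),
}


def parse_otp_version(release: str) -> tuple[int, ...]:
    """Turn 'OTP-26.2.5.10', 'OTP_27.3' or '25.3.2.20' into a comparable int tuple."""
    text = release.strip()
    for prefix in ("OTP-", "OTP_", "OTP "):
        if text.upper().startswith(prefix):
            text = text[len(prefix):]
            break
    parts = text.split(".")
    if not parts or not all(part.isdigit() for part in parts):
        raise ValueError(f"not an OTP release string: {release!r}")
    return tuple(int(part) for part in parts)


def is_vulnerable(release: str) -> bool | None:
    """True if the release predates the fix on its branch, False if it carries the fix.

    Returns None for majors the advisory does not name (28 and later); the
    caller has to decide those from the vendor's own release notes.
    """
    version = parse_otp_version(release)
    major = version[0]
    if major in FIXED_BY_BRANCH:
        # Tuple comparison handles short strings: (27, 3) < (27, 3, 3) is True.
        return version < FIXED_BY_BRANCH[major]
    if major < 25:
        # Assumption: branches older than 25 received no fix, so all are prior to it.
        return True
    return None  # assumption: advisory is silent on newer majors


def classify_inventory(hosts: dict[str, str]) -> dict[str, list[str]]:
    """Group hostname -> release pairs into vulnerable / patched / unknown lists."""
    buckets: dict[str, list[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, release in sorted(hosts.items()):
        state = is_vulnerable(release)
        key = "unknown" if state is None else ("vulnerable" if state else "patched")
        buckets[key].append(f"{host} ({release})")
    return buckets


def read_installed_otp_version(erlang_root: str) -> str | None:
    """Read the full release string an installed OTP keeps in releases/<major>/OTP_VERSION."""
    matches = sorted(Path(erlang_root).glob("releases/*/OTP_VERSION"))
    if not matches:
        return None
    return matches[-1].read_text().strip()


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "build-01": "OTP-27.3.2",
        "build-02": "OTP-27.3.3",
        "rabbit-a": "OTP-26.2.5.10",
        "rabbit-b": "OTP-26.2.5.11",
        "legacy": "OTP-24.3.4",
        "canary": "OTP-28.0",
    }
    for bucket, entries in classify_inventory(sample).items():
        print(f"{bucket}: {', '.join(entries) or '-'}")
```

On a host, `read_installed_otp_version("/usr/lib/erlang")` (or whatever `code:root_dir()` reports) yields the string to feed into `is_vulnerable`; `erlang:system_info(otp_release)` alone is not enough because it returns only the major number. Anything in the "unknown" bucket, and any embedded product that bundles its own Erlang (the Cisco list below is an example), still needs the vendor's advisory rather than this version arithmetic.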

Linked by AI from unstructured data to existing NVD CPEs.
Data is provided by the National Vulnerability Database (NVD).
Affected configurations (vendor, product, version range; "not specified" means the CPE carries no version):

Cisco Confd Basic, version < 7.7.19.1
Cisco Confd Basic, version >= 8.0.18 and < 8.1.16.2
Cisco Confd Basic, version >= 8.2 and < 8.2.11.1
Cisco Confd Basic, version >= 8.3 and < 8.3.8.1
Cisco Confd Basic, version >= 8.4 and < 8.4.4.1
Cisco Network Services Orchestrator, version < 5.7.19.1
Cisco Network Services Orchestrator, version >= 5.8 and < 6.1.16.2
Cisco Network Services Orchestrator, version >= 6.2 and < 6.2.11.1
Cisco Network Services Orchestrator, version >= 6.3 and < 6.3.8.1
Cisco Network Services Orchestrator, version >= 6.4 and < 6.4.1.1
Cisco Network Services Orchestrator, version >= 6.4.2 and < 6.4.4.1
Cisco Inode Manager, version not specified
Cisco Smart Phy, version < 25.2
Cisco Ultra Packet Core, version < 2025.03
Cisco Staros, version < 2025.03
Cisco Optical Site Manager, version < 25.2.1
   Cisco Ncs 1001, version not specified
   Cisco Ncs 1002, version not specified
   Cisco Ncs 1004, version not specified
Cisco Ultra Cloud Core, version < 2025.03.1
Cisco Rv160w Firmware, version not specified
   Cisco Rv160w, version not specified
Cisco Rv260 Firmware, version not specified
   Cisco Rv260, version not specified
Cisco Rv160 Firmware, version not specified
   Cisco Rv160, version not specified
Cisco Rv260p Firmware, version not specified
   Cisco Rv260p, version not specified
Cisco Rv260w Firmware, version not specified
   Cisco Rv260w, version not specified
Cisco Rv340 Firmware, version not specified
   Cisco Rv340, version not specified
Cisco Rv340w Firmware, version not specified
   Cisco Rv340w, version not specified
Cisco Rv345 Firmware, version not specified
   Cisco Rv345, version not specified
Cisco Rv345p Firmware, version not specified
   Cisco Rv345p, version not specified

2025-06-09: Added to the CISA Known Exploited Vulnerabilities (KEV) Catalog

Vulnerability

Erlang Erlang/OTP SSH Server Missing Authentication for Critical Function Vulnerability

Description

Erlang Erlang/OTP SSH server contains a missing authentication for critical function vulnerability. This could allow an attacker to execute arbitrary commands without valid credentials, potentially leading to unauthenticated remote code execution (RCE). By exploiting a flaw in how SSH protocol messages are handled, a malicious actor could gain unauthorized access to affected systems. This vulnerability could affect various products that implement the Erlang/OTP SSH server, including, but not limited to, those from Cisco, NetApp, and SUSE.

Required actions

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
EPSS metrics

Type | Source    | Score  | Percentile
EPSS | FIRST.org | 66.37% | 0.985

CVSS metrics

Source                         | Base Score | Exploitability Score | Impact Score | Vector string
security-advisories@github.com | 10.0       | 3.9                  | 6.0          | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.