Critical Vulnerability in Erlang/OTP SSH: Public Exploits Now Available for CVE–

A newly disclosed security vulnerability is shaking up the cybersecurity world, with public exploits now emerging for a dangerous flaw in Erlang/OTP’s SSH daemon. Tracked as CVE-2025-32433, this vulnerability allows unauthenticated remote attackers to execute arbitrary code on systems running the vulnerable service — potentially compromising hundreds of thousands of devices globally.

Researchers from Ruhr University Bochum in Germany first revealed the issue, highlighting the serious implications for systems utilizing Erlang/OTP — a platform widely adopted in telecommunications, databases, and high-availability infrastructure. As if the flaw wasn’t concerning enough, working proof-of-concept (PoC) exploits have already surfaced, heightening the urgency for users to patch affected systems immediately.

Let’s take a closer look at the full breakdown of the situation and what it could mean for critical infrastructure around the world.

Public Exploits Released for Erlang/OTP SSH Vulnerability (CVE-2025-32433)

  • A critical vulnerability in the Erlang/OTP SSH daemon has been publicly disclosed, enabling remote code execution (RCE) by unauthenticated attackers.
  • Tracked under CVE-2025-32433, the flaw lies in the daemon’s handling of SSH protocol messages: it processes messages that belong to the post-authentication phase of the protocol even when the client has not authenticated.
  • The bug was officially disclosed by researchers from Ruhr University Bochum, who revealed that any device running the SSH daemon is potentially exploitable.
  • According to the Openwall oss-security mailing list, the issue stems from how Erlang/OTP processes SSH connection messages before authentication has completed.
  • The vulnerability has been patched in versions 25.3.2.10 and 26.2.4, but many devices — especially in telecom and distributed systems — have yet to be updated.
  • Security researchers, including Peter Girnus of the Zero Day Initiative and teams from Horizon3, have independently developed working exploits.
  • Girnus emphasized that the exploit was surprisingly easy to create, raising alarms over its weaponization potential.
  • Public PoC exploits have since been released on GitHub and Pastebin, making them easily accessible to malicious actors.
  • While Girnus verified the GitHub PoC’s functionality, he noted that the Pastebin exploit was not fully operational.
  • With exploits now public, cybercriminals and APT groups are expected to start scanning for vulnerable targets.
  • Girnus raised concern over the prevalence of SSH in critical infrastructure, especially within telecommunications providers.
  • He warned of heightened risks from state-sponsored groups, particularly Volt Typhoon and Salt Typhoon, known for targeting network infrastructure.
  • A Shodan search reveals that over 600,000 IP addresses are currently running Erlang/OTP, many of which appear to be CouchDB instances.
  • CouchDB, built on Erlang/OTP, could thus be a significant vector of attack.
  • The public availability of these exploits means time is of the essence — users must patch immediately to prevent system compromise.
  • Even though the fix has been released, updating might not be straightforward for some systems deeply integrated into large-scale networks.
  • The nature of the vulnerability makes early detection and response difficult, especially in environments with poor visibility.
  • Researchers anticipate that APT groups and botnets may soon incorporate this exploit into automated attack chains.
  • As threat actors begin leveraging this flaw at scale, enterprise security teams must prioritize mitigation and network segmentation.

What Undercode Say:

The rapid emergence of public exploits for CVE-2025-32433 is a classic example of how quickly vulnerabilities can go from private disclosure to widespread weaponization. What makes this situation even more dangerous is the core nature of Erlang/OTP in back-end systems, particularly those in critical sectors like telecom, finance, and cloud infrastructure.

The SSH daemon vulnerability is not just a standard RCE flaw. It’s a pre-authentication exploit, meaning the attacker doesn’t need credentials or elevated access — a golden ticket for threat actors. This class of bugs is among the most sought after in both cybercrime and espionage circles because such flaws silently bypass authentication, the one control every exposed SSH service is assumed to enforce.

From a systems design perspective, it’s concerning how a core communication protocol like SSH, when misimplemented, can act as a backdoor to an entire application stack. Erlang/OTP’s reliability and resilience are what make it so widely used, but also what make patching such environments logistically difficult.

The presence of CouchDB across hundreds of thousands of IPs introduces another layer of exposure. These database instances often serve as the backbone for microservices and IoT platforms, and may not be actively monitored for vulnerabilities. In environments where high availability is a necessity, downtime to patch systems could translate to massive operational risks — something many organizations are unwilling to accept until it’s too late.

This sets the stage for a potential wave of targeted attacks, especially if cybercriminals incorporate the exploit into automated malware loaders or use it to pivot laterally across networks. The public release of PoCs only accelerates the countdown — giving both white-hat and black-hat actors the same tools.

Mitigation strategies need to go beyond just patching. Network segmentation, traffic monitoring, SSH rate limiting, and access control audits are immediate steps organizations should implement. Given the role of Erlang/OTP in scalable systems, this vulnerability could affect everything from telecom routers to distributed ledgers, making this a high-priority issue across sectors.

The involvement of known nation-state groups like Volt and Salt Typhoon is a grim reminder of the stakes. These actors often focus on long-term infiltration — compromising systems silently and maintaining persistence over time. With the availability of CVE-2025-32433 exploits, their entry point just got a lot easier.

Security vendors, too, need to step up. Endpoint detection systems, firewall vendors, and cloud providers should release signatures and rules to flag traffic or behavior associated with exploitation attempts. A coordinated response across the cybersecurity community is now vital to stop this vulnerability from turning into the next widespread breach scenario.
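The property the daemon failed to enforce, as the bullet on pre-authentication message handling above describes, is that SSH connection-protocol messages (channel opens, channel requests, global requests) must be ignored until the server has sent USERAUTH_SUCCESS. The following is an added example, not code from the Erlang/OTP project or from the researchers who reported the bug: a per-connection state machine that encodes that rule, usable both as the gate an SSH server should apply and as a detection rule of the kind the paragraph above asks vendors for. It assumes a decoded per-connection message log in the constructed format `conn=<id> dir=<c2s|s2c> msg=<number>` (for instance from a server’s own debug output); message numbers after key exchange are encrypted on the wire, so a passive packet capture cannot feed this check. The message numbers are the RFC 4253 (transport, user authentication) and RFC 4254 (connection protocol) assignments.

```python
"""
SSH message gating by authentication state.

Two uses: (1) the check a server must apply before acting on a message,
(2) a detection rule replayed over a decoded per-connection message log.
Log format and sample log below are constructed for this example.
"""
import re
from collections import defaultdict
from typing import List, Tuple

# RFC 4253 / RFC 4254 message number ranges.
TRANSPORT_GENERIC = range(1, 20)    # DISCONNECT, IGNORE, DEBUG, SERVICE_REQUEST/ACCEPT, ...
KEX_RANGE = range(20, 50)           # KEXINIT, NEWKEYS and method-specific key exchange
USERAUTH_RANGE = range(50, 80)      # USERAUTH_REQUEST/FAILURE/SUCCESS/BANNER, method-specific
CONNECTION_RANGE = range(80, 101)   # GLOBAL_REQUEST, CHANNEL_OPEN, CHANNEL_REQUEST, ...

SSH_MSG_NEWKEYS = 21
SSH_MSG_USERAUTH_SUCCESS = 52

# Per-connection states.
KEX, PRE_AUTH, AUTHENTICATED = "kex", "pre_auth", "authenticated"


def allowed(state: str, msg: int, direction: str) -> bool:
    """True if message number `msg` may be processed in `state`.

    The invariant behind this bug class: connection-protocol messages
    (80..100) are acceptable only after the server has sent USERAUTH_SUCCESS.
    """
    if msg in TRANSPORT_GENERIC or msg in KEX_RANGE:
        return True                       # always legal; re-keying can happen any time
    if msg in USERAUTH_RANGE:
        if msg == SSH_MSG_USERAUTH_SUCCESS:
            # Only the server grants success, and only once, before auth completes.
            return state == PRE_AUTH and direction == "s2c"
        return state != KEX               # user auth needs an established transport
    if msg in CONNECTION_RANGE:
        return state == AUTHENTICATED
    return False                          # unassigned numbers are rejected


def next_state(state: str, msg: int, direction: str) -> str:
    """Advance the connection state after a message has been accepted."""
    if state == KEX and msg == SSH_MSG_NEWKEYS:
        return PRE_AUTH
    if state == PRE_AUTH and msg == SSH_MSG_USERAUTH_SUCCESS and direction == "s2c":
        return AUTHENTICATED
    return state


# Constructed log line format (assumption for this example).
LOG_LINE = re.compile(r"conn=(?P<conn>\d+)\s+dir=(?P<dir>c2s|s2c)\s+msg=(?P<msg>\d+)")


def scan(lines: List[str]) -> List[Tuple[str, int, str]]:
    """Replay a message log; return (conn, msg, state) for each message that
    arrived in a state where the server must not act on it."""
    state = defaultdict(lambda: KEX)
    findings = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        conn, direction, msg = m["conn"], m["dir"], int(m["msg"])
        if not allowed(state[conn], msg, direction):
            findings.append((conn, msg, state[conn]))
        state[conn] = next_state(state[conn], msg, direction)
    return findings


# Constructed sample log: conn 1 is a normal session, conn 2 sends
# connection-protocol messages although USERAUTH_SUCCESS was never sent.
SAMPLE_LOG = [
    "conn=1 dir=c2s msg=20", "conn=1 dir=s2c msg=20",
    "conn=1 dir=c2s msg=21", "conn=1 dir=s2c msg=21",
    "conn=1 dir=c2s msg=5",  "conn=1 dir=s2c msg=6",
    "conn=1 dir=c2s msg=50", "conn=1 dir=s2c msg=52",
    "conn=1 dir=c2s msg=90", "conn=1 dir=c2s msg=98",
    "conn=2 dir=c2s msg=20", "conn=2 dir=s2c msg=20",
    "conn=2 dir=c2s msg=21", "conn=2 dir=s2c msg=21",
    "conn=2 dir=c2s msg=90", "conn=2 dir=c2s msg=98",
]

if __name__ == "__main__":
    for conn, msg, state in scan(SAMPLE_LOG):
        print(f"conn {conn}: message {msg} processed in state '{state}'")
```

On the sample log this flags only connection 2, for the CHANNEL_OPEN (90) and CHANNEL_REQUEST (98) that arrived while the connection was still in the pre-authentication state; that is exactly the pattern the Openwall post attributes to the bug. A server that calls `allowed()` before dispatching each message cannot reach channel or request handlers for an unauthenticated peer, and a log replay with `scan()` turns the same rule into an after-the-fact check across many connections.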

Fact Checker Results:

  • The vulnerability CVE-2025-32433 is confirmed to impact Erlang/OTP SSH and allows unauthenticated remote code execution.
  • Publicly accessible PoC exploits are already circulating, increasing the threat level dramatically.
  • Over 600,000 exposed devices, many running CouchDB on Erlang/OTP, may be actively at risk if not patched.

References:

Reported By: www.bleepingcomputer.com