
Increased Attempts of SSH Exploitation Found in Erlang/OTP Vulnerability

Unauthenticated command execution is possible due to a severe Remote Code Execution (RCE) flaw found in the SSH daemon of Erlang's OTP, providing unauthorized access to systems.

In a significant cybersecurity development, a severe Remote Code Execution (RCE) vulnerability in Erlang's Open Telecom Platform (OTP) Secure Shell daemon (sshd) is currently being actively exploited. This vulnerability, identified as CVE-2025-32433, has a CVSS score of 10.0, indicating its high severity.

Researchers are urging immediate action, recommending that security teams responsible for OT networks upgrade to OTP 27.3.3, OTP 26.2.5.11, or OTP 25.3.2.20 to address this issue. Every Erlang/OTP release earlier than these fixed versions is affected.
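To turn the upgrade guidance into a check, here is an added example (not code from the article or from the Erlang/OTP project) that compares reported OTP release strings against the three fixed versions named above and sorts hosts into patched, vulnerable and unknown. The host names and release strings in SAMPLE_INVENTORY are constructed, and the location of the OTP_VERSION file is an assumption about a standard install.

```python
# Triage Erlang/OTP release strings against the patched releases named in the
# article (CVE-2025-32433). Added example, not the article's or Erlang/OTP's own code.
import re
from typing import Dict, List, Tuple

# Patched release per supported major branch, as stated in the article.
FIXED_VERSIONS: Dict[int, Tuple[int, ...]] = {
    27: (27, 3, 3),
    26: (26, 2, 5, 11),
    25: (25, 3, 2, 20),
}

def parse_version(text: str) -> Tuple[int, ...]:
    """Extract a dotted OTP release ('26.2.5.3', 'OTP 27.3') as a tuple of ints.
    Feed it the full OTP release string (assumed to be in the OTP_VERSION file under
    the install's releases directory), not the ERTS emulator version `erl -version` prints."""
    m = re.search(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))

def assess(version: str) -> str:
    """Return 'vulnerable', 'patched' or 'unknown' for one OTP release string."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[0])
    if fixed is None:
        # Branches older than the oldest patched line have no fix listed and the
        # article says every earlier release is affected; newer branches are not
        # covered by the article, so report them as unknown rather than guess.
        return "vulnerable" if v[0] < min(FIXED_VERSIONS) else "unknown"
    # Tuple comparison also handles short strings: (27, 3) < (27, 3, 3).
    return "vulnerable" if v < fixed else "patched"

def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts by verdict so vulnerable ones can be patched or fenced off."""
    report: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version in inventory.items():
        report[assess(version)].append(host)
    return report

# Constructed sample inventory (host -> reported OTP release), not real data.
SAMPLE_INVENTORY = {
    "plc-gw-01": "26.2.5.3",
    "hist-02": "OTP 27.3.3",
    "scada-fe-03": "25.3.2.20",
    "legacy-04": "24.3.4",
    "build-05": "27.3",
    "lab-06": "28.0",
}
```

Run `triage(SAMPLE_INVENTORY)` to get the grouped report; hosts in the "unknown" bucket run a branch the article does not cover and need checking against the vendor's own advisory.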

April Lenhard, principal product manager at Qualys, has stated that this vulnerability poses a significant threat to operational technology (OT) networks. Exploitation of this vulnerability could alter sensor readings, trigger outages, introduce safety risks, and cause physical damage. Attackers could also compromise sensitive information and additional hosts within the network.

Attackers are deploying payloads that establish reverse shells for unauthorized access. One method binds a shell to a TCP connection, while another redirects Bash input and output to a remote host linked to botnet command servers. Some payloads utilize DNS callbacks to track execution without returning results.

Between May 1 and May 9, there was a surge in exploitation attempts of this vulnerability. Temporary measures include disabling the SSH server or restricting access via firewall rules.

Many sectors, including healthcare, agriculture, media and entertainment, and high technology, rely on Erlang/OTP's native SSH for remote administration. Erlang/OTP services are often found exposed on the internet, sometimes over industrial ports like TCP 2222, creating a crossover risk between IT and industrial control systems.

70% of the detected exploitation attempts were observed at firewalls protecting operational technology (OT) networks. The US, Brazil, and France host the highest number of exposed Erlang/OTP services.

Major manufacturers such as Cisco and Ericsson ship products built on the affected Erlang/OTP SSH implementation, so organizations running those products are exposed to the critical flaw and need the same protection as those running the affected Erlang/OTP versions directly.

However, some OT-heavy sectors like utilities, mining, and aerospace saw no recorded OT triggers, possibly due to segmentation, delayed targeting, or gaps in detection.

If exploited, this vulnerability could have severe consequences on an organization's network and operations, allowing the attacker full control over the system. Addressing this vulnerability should be a top priority for any security team responsible for an OT network.
