scaveza
Product Team
6 months ago

CVE-2025-32433: Erlang/OTP SSH Unauthenticated Remote Code Execution Vulnerability

On April 16, researchers from the University Bochum in Germany disclosed a critical vulnerability in Erlang/OTP SSH to the OpenWall vulnerability mailing list, and an official advisory was posted to the Erlang/OTP GitHub project.

CVE-2025-32433 is a remote code execution (RCE) vulnerability affecting the Erlang/OTP SSH server. The vulnerability exists due to a flaw in SSH protocol message handling that could allow an unauthenticated attacker to execute arbitrary code. According to the advisory, all users running Erlang/OTP SSH servers are impacted, and you should assume you are impacted if your application uses the Erlang/OTP SSH library.

As of April 17, several proof-of-concept (PoC) exploits have been publicly released. With exploit details now available and given the ease with which this vulnerability can be exploited, we highly recommend patching as soon as possible.
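Because the advisory says to assume impact wherever the Erlang/OTP SSH library is in use, the first defensive step is an inventory. The following is an added example (not code from the advisory or from Tenable) that triages SSH banner strings collected by a banner grab or scanner: it assumes the Erlang ssh application identifies itself with a banner of the form `SSH-2.0-Erlang/<ssh app version>`, and the fixed-version threshold is a placeholder you must fill in from the vendor advisory.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample input: host -> SSH identification string, as a
# banner-grab tool would report it. These hosts and banners are made up.
SAMPLE_BANNERS: Dict[str, str] = {
    "10.0.0.5": "SSH-2.0-OpenSSH_9.6",
    "10.0.0.7": "SSH-2.0-Erlang/5.2.9",
    "10.0.0.9": "SSH-2.0-Erlang/5.2.10",
    "10.0.0.11": "SSH-2.0-Erlang/5.1.4",
    "10.0.0.13": "not an ssh banner",
}

# PLACEHOLDER (assumption, not from the advisory): the lowest ssh application
# version you consider patched. Replace with the value from the vendor's fix
# notes. Older maintenance branches received backported fixes with their own
# version numbers; a single threshold sends those hosts to "review" rather
# than "patched", which is the safe direction for a triage list.
FIXED_SSH_APP_VERSION: Tuple[int, ...] = (5, 2, 10)

# Assumed banner layout: "SSH-2.0-Erlang/" followed by a dotted version.
_ERLANG_BANNER = re.compile(r"^SSH-2\.0-Erlang/(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.2.10' into (5, 2, 10) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def erlang_ssh_version(banner: str) -> Optional[Tuple[int, ...]]:
    """Return the ssh application version if this is an Erlang/OTP SSH
    daemon banner, otherwise None (non-Erlang servers and junk lines)."""
    match = _ERLANG_BANNER.match(banner.strip())
    return parse_version(match.group(1)) if match else None


def classify(banner: str, fixed: Tuple[int, ...] = FIXED_SSH_APP_VERSION) -> str:
    """'not-erlang', 'patched' (>= threshold) or 'review' (below threshold)."""
    version = erlang_ssh_version(banner)
    if version is None:
        return "not-erlang"
    return "patched" if version >= fixed else "review"


def triage(banners: Dict[str, str]) -> Dict[str, str]:
    """Classify every host; hosts marked 'review' need patch verification."""
    return {host: classify(banner) for host, banner in banners.items()}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_BANNERS).items():
        print(f"{host:12} {status}")
```

Banner checks only find servers that advertise themselves; applications that embed the Erlang ssh library on non-standard ports or with a custom banner still need to be found through dependency inventories.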

For more information about the vulnerability, including the availability of patches and Tenable product coverage, please visit our blog.
