CRITICAL🚩 CISA KEV⚡ EXPLOIT✓ PATCH🇵🇱 Wersja polska

CVE-2025-32433

CVSS 10.0v3.1pub. 2025-04-16upd. 2025-11-04

Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials. This issue is patched in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. A temporary workaround involves disabling the SSH server or to prevent access via firewall rules.

🤖 AI Analysis
How it works

The error results from improper handling of SSH protocol messages (CWE-306 — missing required authentication for critical functions). An attacker can send crafted SSH protocol messages to the vulnerable server, thereby bypassing authentication mechanisms. This allows execution of arbitrary system commands in the context of the SSH server process without valid login credentials.

Impact

An attacker gains full, unauthenticated control over the vulnerable system, enabling execution of arbitrary commands, reading and modifying data, and potentially compromising the entire Erlang/OTP-based infrastructure. The vulnerability has scope beyond the directly attacked environment (CVSS Scope: Changed).

Mitigation & patch

Immediately update Erlang/OTP to version OTP-27.3.3, OTP-26.2.5.11, or OTP-25.3.2.20. As a temporary workaround until patches are deployed, disable the Erlang/OTP-based SSH server or restrict access using firewall rules. Cisco product users should follow the vendor's recommendations regarding patch availability for their specific platforms.

Who is affected

Erlang/OTP in all versions before OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20 when running an SSH server from the OTP library. The vulnerability affects, among others, Cisco devices: Inode Manager, NCS 1001, NCS 1004, RV340W Firmware, Ultra Packet Core.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Cisco Cloud Native Broadband Network Gateway

    APP
    Cisco
    < 2025.03.1
  • Cisco Confd Basic

    APP
    Cisco
    8.2 – 8.2.11.1 (bez)< 7.7.19.18.0.18 – 8.1.16.2 (bez)8.3 – 8.3.8.1 (bez)8.4 – 8.4.4.1 (bez)
  • Cisco Enterprise Nfv Infrastructure Software

    APP
    Cisco
    < 4.18
  • Cisco Inode Manager

    APP
    Cisco
    wszystkie wersje
  • Cisco Ncs 1001

    HW
    Cisco
    wszystkie wersje
  • Cisco Ncs 1002

    HW
    Cisco
    wszystkie wersje
  • Cisco Ncs 1004

    HW
    Cisco
    wszystkie wersje
  • Cisco Ncs 2000 Shelf Virtualization Orchestrator Firmware

    OS
    Cisco
    < 25.1.1
  • Cisco Ncs 2000 Shelf Virtualization Orchestrator Module

    HW
    Cisco
    wszystkie wersje
  • Cisco Network Services Orchestrator

    APP
    Cisco
    6.4.2 – 6.4.4.1 (bez)6.2 – 6.2.11.1 (bez)5.8 – 6.1.16.2 (bez)< 5.7.19.16.3 – 6.3.8.1 (bez)6.4 – 6.4.1.1 (bez)
  • Cisco Optical Site Manager

    APP
    Cisco
    < 25.2.1
  • Cisco Rv160

    HW
    Cisco
    wszystkie wersje
  • Cisco Rv160 Firmware

    OS
    Cisco
    wszystkie wersje
  • Cisco Rv160w

    HW
    Cisco
    wszystkie wersje
  • Cisco Rv160w Firmware

    OS
    Cisco
    wszystkie wersje
  • Cisco Rv260

    HW
    Cisco
    wszystkie wersje
  • Cisco Rv260 Firmware

    OS
    Cisco
    wszystkie wersje
  • Cisco Rv260p

    HW
    Cisco
    wszystkie wersje
  • Cisco Rv260p Firmware

    OS
    Cisco
    wszystkie wersje
  • Cisco Rv260w

    HW
    Cisco
    wszystkie wersje
  • Cisco Rv260w Firmware

    OS
    Cisco
    wszystkie wersje
  • Cisco Rv340

    HW
    Cisco
    wszystkie wersje
  • Cisco Rv340 Firmware

    OS
    Cisco
    wszystkie wersje
  • Cisco Rv340w

    HW
    Cisco
    wszystkie wersje
  • Cisco Rv340w Firmware

    OS
    Cisco
    wszystkie wersje
  • Cisco Rv345

    HW
    Cisco
    wszystkie wersje
  • Cisco Rv345 Firmware

    OS
    Cisco
    wszystkie wersje
  • Cisco Rv345p

    HW
    Cisco
    wszystkie wersje
  • Cisco Rv345p Firmware

    OS
    Cisco
    wszystkie wersje
  • Cisco Smart Phy

    APP
    Cisco
    < 25.2

CISA KEV — detailsi

Vendori
Erlang
Producti
Erlang/OTP
Added to KEVi
June 9, 2025
Remediation deadline (US Federal)i
June 30, 2025(overdue)
Required action (CISA)i

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

Erlang Erlang/OTP SSH server contains a missing authentication for critical function vulnerability. This could allow an attacker to execute arbitrary commands without valid credentials, potentially leading to unauthenticated remote code execution (RCE). By exploiting a flaw in how SSH protocol messages are handled, a malicious actor could gain unauthorized access to affected systems. This vulnerability could affect various products that implement Erlang/OTP SSH server, including—but not limited to—Cisco, NetApp, and SUSE.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 30 czerwca 2025
Tags
RCEFirewall
CWE
References

Related vulnerabilities

CVE-2026-24061CRITICAL9.8⚠ KEVPL ✓ten sam produkt

GNU Inetutils telnetd: ominięcie uwierzytelnienia przez zmienną USER

CVE-2025-32463CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Sudo: eskalacja uprawnień do root poprzez opcję --chroot (CVE-2025-32463)

CVE-2025-49113CRITICAL9.9⚠ KEVPL ✓ten sam produkt

RCE przez deserializację PHP w Roundcube Webmail (parametr _from)

CVE-2025-24201CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Apple WebKit: out-of-bounds write umożliwiający ucieczkę z sandbox przeglądarki

CVE-2025-24813CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Apache Tomcat: Path Equivalence prowadzący do RCE i ujawnienia danych