Critical Erlang/OTP SSH RCE Exploits Targeting OT Firewalls
Summary
Since May 2025, attackers have exploited a critical vulnerability (CVE-2025-32433) in Erlang/OTP SSH, with 70% of detected exploits targeting operational technology (OT) firewalls. The flaw allows remote code execution without authentication. It was patched in April 2025, but exploitation continues, particularly in the healthcare, agriculture, media, and high-tech sectors across multiple countries. The global attack surface is significant, with high-intensity bursts targeting both IT and industrial ports. Attackers have delivered several malicious payloads to OT networks, primarily reverse shells used to gain unauthorized remote access. In total, 3,376 signatures were triggered globally, 70% of them originating from OT firewalls.
Timeline
- 11.08.2025 18:08 · 2 articles · 1mo ago
  Exploitation of Erlang/OTP SSH RCE Vulnerability (CVE-2025-32433) Begins
  In May 2025, attackers started exploiting a critical vulnerability in Erlang/OTP SSH, targeting operational technology (OT) firewalls. The flaw, CVE-2025-32433, allows remote code execution without authentication. Exploitation has been particularly prevalent in the healthcare, agriculture, media, and high-tech sectors across the U.S., Canada, Brazil, India, Australia, Japan, the Netherlands, Ireland, and France. Attackers have delivered several malicious payloads to OT networks, primarily using reverse shells to gain unauthorized remote access. The flaw has been exploited in the wild, with 3,376 signatures triggered globally, 70% originating from OT firewalls.
  Sources:
  - Researchers Spot Surge in Erlang/OTP SSH RCE Exploits, 70% Target OT Firewalls · thehackernews.com · 11.08.2025 18:08
  - Patch Now: Attackers Target OT Networks via Critical RCE Flaw · www.darkreading.com · 13.08.2025 19:36
Information Snippets
- The vulnerability CVE-2025-32433 affects Erlang/OTP SSH, enabling remote code execution without authentication.
  First reported: 11.08.2025 18:08 · 2 sources, 2 articles
  - Researchers Spot Surge in Erlang/OTP SSH RCE Exploits, 70% Target OT Firewalls · thehackernews.com · 11.08.2025 18:08
  - Patch Now: Attackers Target OT Networks via Critical RCE Flaw · www.darkreading.com · 13.08.2025 19:36
- The flaw was patched in April 2025 with versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20.
  First reported: 11.08.2025 18:08 · 2 sources, 2 articles
  - Researchers Spot Surge in Erlang/OTP SSH RCE Exploits, 70% Target OT Firewalls · thehackernews.com · 11.08.2025 18:08
  - Patch Now: Attackers Target OT Networks via Critical RCE Flaw · www.darkreading.com · 13.08.2025 19:36
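Because the fix shipped on three separate maintenance branches, a version check has to compare per branch rather than against a single number. The following is an added example (not code from the page's sources or from Erlang/OTP) that classifies OTP release strings against the three fixed releases listed above; the sample inventory, the hostnames, and the handling of branches outside OTP-25 to OTP-27 are constructed assumptions.

```python
# Added example (not from the page's sources or from Erlang/OTP): classify an
# Erlang/OTP release string against the fixed releases the advisory lists.
# The fix landed on three maintenance branches, so the comparison must be made
# per branch: OTP-26.0 is numerically above OTP-25.3.2.20 yet still unpatched.

FIXED_RELEASES = {
    27: (27, 3, 3),
    26: (26, 2, 5, 11),
    25: (25, 3, 2, 20),
}


def parse_otp_version(text):
    """'OTP-26.2.5.11', 'otp-26.2.5.11' or '26.2.5.11' -> (26, 2, 5, 11)."""
    text = text.strip()
    if text.upper().startswith("OTP-"):
        text = text[4:]
    return tuple(int(part) for part in text.split("."))


def classify_release(text):
    """Return 'patched', 'unpatched', or 'unsupported-branch'."""
    version = parse_otp_version(text)
    major = version[0]
    if major in FIXED_RELEASES:
        # Tuple comparison also handles short strings: (27, 3) < (27, 3, 3).
        return "patched" if version >= FIXED_RELEASES[major] else "unpatched"
    if major > max(FIXED_RELEASES):
        # Assumption: branches released after the fix (OTP-28 and later) carry it.
        return "patched"
    # Assumption: branches older than OTP-25 received no fix in this advisory.
    return "unsupported-branch"


def triage(inventory):
    """Map host -> verdict for a {host: version} inventory."""
    return {host: classify_release(ver) for host, ver in inventory.items()}


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = {
    "ot-fw-01": "OTP-25.3.2.8",
    "ot-fw-02": "OTP-26.2.5.11",
    "mq-broker": "OTP-27.3.3",
    "legacy-gw": "OTP-24.3.4",
}
```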
- CISA added CVE-2025-32433 to its Known Exploited Vulnerabilities catalog in June 2025.
  First reported: 11.08.2025 18:08 · 1 source, 1 article
  - Researchers Spot Surge in Erlang/OTP SSH RCE Exploits, 70% Target OT Firewalls · thehackernews.com · 11.08.2025 18:08
- Exploitation began as early as May 2025, with 70% of detections originating from OT firewalls.
  First reported: 11.08.2025 18:08 · 2 sources, 2 articles
  - Researchers Spot Surge in Erlang/OTP SSH RCE Exploits, 70% Target OT Firewalls · thehackernews.com · 11.08.2025 18:08
  - Patch Now: Attackers Target OT Networks via Critical RCE Flaw · www.darkreading.com · 13.08.2025 19:36
- Over 85% of exploit attempts targeted the healthcare, agriculture, media, entertainment, and high technology sectors.
  First reported: 11.08.2025 18:08 · 2 sources, 2 articles
  - Researchers Spot Surge in Erlang/OTP SSH RCE Exploits, 70% Target OT Firewalls · thehackernews.com · 11.08.2025 18:08
  - Patch Now: Attackers Target OT Networks via Critical RCE Flaw · www.darkreading.com · 13.08.2025 19:36
- Attackers use reverse shells to gain unauthorized remote access to target networks.
  First reported: 11.08.2025 18:08 · 2 sources, 2 articles
  - Researchers Spot Surge in Erlang/OTP SSH RCE Exploits, 70% Target OT Firewalls · thehackernews.com · 11.08.2025 18:08
  - Patch Now: Attackers Target OT Networks via Critical RCE Flaw · www.darkreading.com · 13.08.2025 19:36
- The flaw in Erlang/OTP SSH allows unauthenticated clients to execute commands by sending SSH connection protocol messages to an open SSH port before authentication has completed.
  First reported: 13.08.2025 19:36 · 1 source, 1 article
  - Patch Now: Attackers Target OT Networks via Critical RCE Flaw · www.darkreading.com · 13.08.2025 19:36
- The flaw stems from improper enforcement of protocol state in the Erlang/OTP SSH daemon: messages that belong to the post-authentication phase are processed before authentication.
  First reported: 13.08.2025 19:36 · 1 source, 1 article
  - Patch Now: Attackers Target OT Networks via Critical RCE Flaw · www.darkreading.com · 13.08.2025 19:36
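To make the state-enforcement point concrete, here is an added example (not code from the page's sources or from Erlang/OTP) of a toy SSH server dispatcher in a vulnerable and a hardened form. The message numbers are the RFC 4250 assignments; the Session class and the message sequence fed to it are constructed for illustration and do not model the real daemon's internals.

```python
# Added example (not from the page's sources or from Erlang/OTP): a toy SSH server
# dispatcher in vulnerable and hardened form, showing the state-enforcement point
# behind CVE-2025-32433. Message numbers follow RFC 4250; the rest is constructed.

SSH_MSG_KEXINIT = 20
SSH_MSG_NEWKEYS = 21
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_REQUEST = 98

# RFC 4250 assigns 80..127 to the connection protocol, which is valid only after userauth.
CONNECTION_PROTOCOL_RANGE = range(80, 128)


class Session:
    def __init__(self, enforce_state):
        self.enforce_state = enforce_state  # False models the unpatched daemon
        self.authenticated = False
        self.channels_opened = 0

    def complete_userauth(self):
        """Stand-in for a successful userauth exchange (constructed)."""
        self.authenticated = True

    def handle(self, msg_type):
        """Dispatch one message; return 'accepted' or 'rejected'."""
        if msg_type in CONNECTION_PROTOCOL_RANGE:
            if self.enforce_state and not self.authenticated:
                # Hardened path: pre-auth channel traffic must never reach channel/exec code.
                return "rejected"
            if msg_type == SSH_MSG_CHANNEL_OPEN:
                self.channels_opened += 1
            return "accepted"
        return "accepted"  # transport and userauth messages are always in scope


def pre_auth_channel_traffic(enforce_state):
    """Replay the pattern the advisory describes: channel messages right after key
    exchange, with no authentication. Returns the two channel verdicts and a count."""
    s = Session(enforce_state)
    results = [s.handle(m) for m in (SSH_MSG_KEXINIT, SSH_MSG_NEWKEYS,
                                     SSH_MSG_CHANNEL_OPEN, SSH_MSG_CHANNEL_REQUEST)]
    return results[2:], s.channels_opened


def post_auth_channel_open():
    """The hardened dispatcher still serves a client that has authenticated."""
    s = Session(enforce_state=True)
    s.complete_userauth()
    return s.handle(SSH_MSG_CHANNEL_OPEN), s.channels_opened
```

The unpatched form opens a channel for a client that never authenticated, which is exactly the condition a detection rule for this flaw should look for: connection-protocol messages on a session with no completed userauth exchange.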
- Attackers have delivered several malicious payloads to OT networks, primarily using reverse shells to gain unauthorized remote access.
  First reported: 13.08.2025 19:36 · 1 source, 1 article
  - Patch Now: Attackers Target OT Networks via Critical RCE Flaw · www.darkreading.com · 13.08.2025 19:36
- The flaw has been exploited in the wild, with 3,376 signatures triggered globally, 70% originating from OT firewalls.
  First reported: 13.08.2025 19:36 · 1 source, 1 article
  - Patch Now: Attackers Target OT Networks via Critical RCE Flaw · www.darkreading.com · 13.08.2025 19:36
- Attackers have used file descriptors to create TCP connections and bind them to shells, allowing interactive command execution over the network.
  First reported: 13.08.2025 19:36 · 1 source, 1 article
  - Patch Now: Attackers Target OT Networks via Critical RCE Flaw · www.darkreading.com · 13.08.2025 19:36
- Attackers have initiated reverse shells using Bash's interactive mode, redirecting shell input and output to a remote host.
  First reported: 13.08.2025 19:36 · 1 source, 1 article
  - Patch Now: Attackers Target OT Networks via Critical RCE Flaw · www.darkreading.com · 13.08.2025 19:36
- The flaw could result in the compromise of sensitive information, additional host compromises, and operational disruptions.
  First reported: 13.08.2025 19:36 · 1 source, 1 article
  - Patch Now: Attackers Target OT Networks via Critical RCE Flaw · www.darkreading.com · 13.08.2025 19:36
- The financial impact from severe OT events related to this flaw could top $300 billion.
  First reported: 13.08.2025 19:36 · 1 source, 1 article
  - Patch Now: Attackers Target OT Networks via Critical RCE Flaw · www.darkreading.com · 13.08.2025 19:36
- A rapid surge in attack payloads indicates that threat actors have quickly adopted this exploit in active campaigns.
  First reported: 13.08.2025 19:36 · 1 source, 1 article
  - Patch Now: Attackers Target OT Networks via Critical RCE Flaw · www.darkreading.com · 13.08.2025 19:36
- Critical infrastructure administrators are particularly concerned, as a successful attack could negatively impact large portions of the population.
  First reported: 13.08.2025 19:36 · 1 source, 1 article
  - Patch Now: Attackers Target OT Networks via Critical RCE Flaw · www.darkreading.com · 13.08.2025 19:36
- Exploitation of the flaw has been observed in the U.S., Japan, the Netherlands, Ireland, Brazil, Ecuador, and France, among other regions.
  First reported: 13.08.2025 19:36 · 1 source, 1 article
  - Patch Now: Attackers Target OT Networks via Critical RCE Flaw · www.darkreading.com · 13.08.2025 19:36
- Recommendations include patching, updating intrusion prevention systems, monitoring for signs of compromise, disabling the SSH server where it is not needed, and restricting access to trusted sources.
  First reported: 13.08.2025 19:36 · 1 source, 1 article
  - Patch Now: Attackers Target OT Networks via Critical RCE Flaw · www.darkreading.com · 13.08.2025 19:36
Similar Happenings
Supply Chain Attack Targeting npm Registry Compromises 40 Packages
A supply chain attack targeting the npm registry has compromised over 187 packages maintained by multiple developers. The attack uses a malicious script (bundle.js) to steal credentials from developer machines. The compromised packages include various npm modules used in different projects. The attack is capable of targeting both Windows and Linux systems. The malicious script scans for secrets using TruffleHog's credential scanner and transmits them to an external server controlled by the attackers. Developers are advised to audit their environments and rotate credentials if the affected packages are present.
Phoenix Rowhammer attack bypasses DDR5 Rowhammer defenses
A new Rowhammer attack variant, called Phoenix, bypasses the latest protection mechanisms on DDR5 memory chips from SK Hynix. This attack exploits weaknesses in the Target Row Refresh (TRR) mechanism to flip bits in memory, enabling privilege escalation and unauthorized access. The attack was developed by researchers at ETH Zurich and Google, and it affects all DDR5 DIMM RAM modules produced between January 2021 and December 2024. The Phoenix attack can corrupt data, increase privileges, execute malicious code, or access sensitive data. It works by repeatedly accessing specific rows of memory cells to cause electrical interference, altering nearby bits. The attack is tracked as CVE-2025-6202 and has been assigned a high-severity score. The researchers demonstrated the attack's effectiveness by successfully flipping bits on all 15 DDR5 memory chips in their test pool, achieving root privileges in under two minutes. They also showed that the attack can break SSH authentication and alter system binaries to escalate local privileges. The researchers recommend increasing the refresh rate to 3x to mitigate the Phoenix attack.
UNC6040 and UNC6395 Target Salesforce Platforms in Data Theft Campaigns
The FBI has issued an alert about two cybercriminal groups, UNC6040 and UNC6395, targeting Salesforce platforms for data theft and extortion. UNC6395 exploited compromised OAuth tokens for the Salesloft Drift application, while UNC6040 used vishing campaigns and modified Salesforce tools to breach Salesforce instances. Both groups have been active since at least October 2024, impacting multiple organizations. UNC6040 has been linked to extortion activities, with Google attributing these to a separate cluster, UNC6240, which has claimed to be the ShinyHunters group. The ShinyHunters group, along with Scattered Spider and LAPSUS$, recently announced they are going dark, but experts warn that the threat persists. UNC6040 impersonated corporate IT support personnel to gain access to Salesforce environments and used modified versions of Salesforce's Data Loader to exfiltrate data. Salesforce re-enabled integrations with Salesloft technologies, except for the Drift app, which remains disabled.
Active exploitation of CVE-2025-5086 in DELMIA Apriso
CVE-2025-5086, a critical deserialization flaw in Dassault Systèmes DELMIA Apriso Manufacturing Operations Management (MOM) software, is being actively exploited. The vulnerability, with a CVSS score of 9.0, affects versions from Release 2020 through Release 2025. Exploitation attempts have been observed, targeting the /apriso/WebServices/FlexNetOperationsService.svc/Invoke endpoint with a Base64-encoded payload. The payload decodes to a GZIP-compressed Windows executable that deploys a malicious program designed to spy on user activities. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, advising Federal Civilian Executive Branch (FCEB) agencies to apply updates by October 2, 2025. The malware, identified as Trojan.MSIL.Zapchast.gen, captures keyboard input, takes screenshots, and gathers information about active applications. This information is then sent to the attacker via various means, including email, FTP, and HTTP. The exploit involves sending a malicious SOAP request to vulnerable endpoints. The malicious requests were observed originating from the IP 156.244.33[.]162.
Akira Ransomware Group Exploits SonicWall SSL VPN Flaws
The Akira ransomware group has been actively exploiting SonicWall SSL VPN flaws and misconfigurations to gain initial access to networks. This campaign has seen increased activity since late July 2025, targeting SonicWall devices to facilitate ransomware operations. The group leverages a combination of security vulnerabilities, including a year-old flaw (CVE-2024-40766) and misconfigured LDAP settings, to bypass access controls and infiltrate networks. Organizations are advised to rotate passwords, remove unused accounts, enable multi-factor authentication, and restrict access to the Virtual Office Portal to mitigate risks. The Australian Cyber Security Centre (ACSC) has acknowledged Akira's targeting of SonicWall SSL VPNs and issued alerts about the increased exploitation of CVE-2024-40766.