Erlang/OTP SSH daemon RCE (CVE-2025-32433, actively exploited)
Vulnerability
Summary
Active exploitation of CVE-2025-32433 is exposing Erlang/OTP deployments in OT and critical infrastructure networks to unauthenticated remote code execution. The flaw sits in the Erlang/OTP SSH daemon and lets attackers send SSH protocol messages before authentication, enabling command execution on vulnerable systems. Patches are available in OTP-27.3.3, OTP-26.2.5.11, OTP-25.3.2.20, and later releases, and exploitation was first observed May 1, 2025.
Related Happenings
IBM API Connect CVE-2025-13915 mitigation guidance
Advisory/Mitigation
First: 31.12.2025 12:34
Last: 31.12.2025 12:34
Sources 1
About this happening:
**IBM** told customers to upgrade **IBM API Connect** to address **CVE-2025-13915**, a **critical authentication bypass** that can let **unauthenticated attackers** reach exposed...
UNC6485 Triofox CVE-2025-12480 exploitation campaign
Campaign
First: 10.11.2025 22:49
Last: 10.11.2025 22:49
Sources 1
About this happening:
The **UNC6485** campaign is actively exploiting **CVE-2025-12480** in **Gladinet Triofox**, turning a patched flaw into unauthorized access and post-exploitation footholds. The ac...
SonicWall SSL VPN CVE-2024-40766 active exploitation wave
Exploitation Wave
First: 11.09.2025 19:32
Last: 11.09.2025 19:32
Sources 1
About this happening:
**Akira** is driving a renewed wave of **active exploitation** of **CVE-2024-40766** against **SonicWall SSL VPNs**, creating immediate unauthorized-access risk for exposed device...
SonicWall SSL VPN exploitation wave (Akira-linked)
Exploitation Wave
First: 11.09.2025 13:33
Last: 11.09.2025 13:33
Sources 1
About this happening:
An **Akira ransomware**-linked **exploitation wave** is driving a **widespread compromise** of **SonicWall SSL VPN devices** for initial access, with attacks using **CVE-2024-4076...
Latest development: 11.10.2025 16:30
Starting October 4, 2025, Huntress observed widespread compromise of SonicWall SSL VPN devices across multiple customer environments, with more than 100 SonicWall SSL VPN accounts across 16 customer accounts impacted; in the cases investigated, authentications originated from 202.155.8[.]73, and some compromised devices showed network scanning and attempts to access local Windows accounts.
Timeline
- 13.08.2025 19:36 · 1 article
CVE-2025-32433 exploitation begins in Erlang/OTP SSH deployments
Exploitation Observed
Security researchers observed exploitation of CVE-2025-32433 beginning on May 1, with unauthenticated attackers sending SSH connection protocol messages to open SSH ports on vulnerable Erlang/OTP systems to gain unauthorized remote access to OT networks.
Sources:
- Patch Now: Attackers Target OT Networks via Critical RCE Flaw — www.darkreading.com — 13.08.2025 19:36
- 13.08.2025 19:36 · 1 article
Unit 42 details Erlang/OTP SSH daemon RCE exploitation and mitigation
Technical Analysis Update
Unit 42 disclosed active exploitation of CVE-2025-32433 against Erlang/OTP SSH daemon deployments used in OT and critical infrastructure networks, explaining that improper state enforcement lets unauthenticated clients execute commands before authentication completes. The advisory identified vulnerable versions prior to OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, noted global exploitation attempts across multiple industries, and recommended patching, updating intrusion prevention systems, monitoring for compromise, or temporarily disabling the SSH server and restricting access with firewall rules.
Sources:
- Patch Now: Attackers Target OT Networks via Critical RCE Flaw — www.darkreading.com — 13.08.2025 19:36
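As an added defender-side check (not code from the advisory, Unit 42, or the Erlang/OTP project): a small Python script that parses OTP release strings and flags inventory hosts running a release below the fixed ones listed above for their branch. The host names and versions in the sample inventory are constructed.

```python
import re

# Fixed releases per OTP major branch, as given in the advisory text above.
# A release below the fixed one on its branch is vulnerable; branches older
# than OTP-25 have no fixed release in this set and are treated as vulnerable;
# branches newer than OTP-27 are assumed to include the fix ("and later releases").
FIXED_RELEASES = {
    27: (27, 3, 3),
    26: (26, 2, 5, 11),
    25: (25, 3, 2, 20),
}

_VERSION_RE = re.compile(r"(?:OTP[- ]?)?(\d+(?:\.\d+)*)")


def parse_otp_version(text):
    """Turn 'OTP-26.2.5.11', 'OTP 24.3.4' or '27.3.3' into a comparable tuple."""
    match = _VERSION_RE.fullmatch(text.strip())
    if not match:
        raise ValueError(f"unrecognised Erlang/OTP version: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(text):
    """True if the release predates the CVE-2025-32433 fix for its branch."""
    version = parse_otp_version(text)
    major = version[0]
    if major > max(FIXED_RELEASES):
        return False  # OTP-28 and later: assumed to ship with the fix
    if major < min(FIXED_RELEASES):
        return True   # OTP-24 and older: no fixed release listed
    # Tuple comparison also handles short forms: (27, 3) < (27, 3, 3).
    return version < FIXED_RELEASES[major]


def flag_vulnerable_hosts(inventory):
    """Return the hostnames in a (host, version) list that still need patching."""
    return [host for host, version in inventory if is_vulnerable(version)]


# Constructed sample inventory (hypothetical hosts, not from the advisory).
SAMPLE_INVENTORY = [
    ("plc-gateway-01", "OTP-25.3.2.19"),
    ("historian-02", "OTP-26.2.5.11"),
    ("hmi-bridge-03", "OTP 24.3.4"),
    ("mqtt-broker-04", "27.3.3"),
]

if __name__ == "__main__":
    for host in flag_vulnerable_hosts(SAMPLE_INVENTORY):
        print(f"{host}: vulnerable to CVE-2025-32433, patch or isolate the SSH daemon")
```

Hosts flagged here should be patched to the fixed release for their branch or, until then, have the Erlang SSH daemon disabled and its port restricted by firewall rules as the advisory recommends.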