April 26, 2025
Frenos, a company specializing in autonomous OT security assessment platforms, has alerted OT (operational technology) security professionals to a major vulnerability disclosed in 2025. Designated CVE-2025-32433, the flaw affects the SSH server implementation in Erlang/OTP and carries the maximum CVSS score of 10.0. The rating reflects what the flaw allows: an unauthenticated attacker who can reach the SSH port can execute arbitrary code on an affected system. No credentials are needed and no complex exploitation technique is required.
According to Cisco data, approximately two million devices with Erlang are shipped annually. Erlang is a foundational component of modern digital infrastructure, with reports suggesting that nearly 90 percent of global internet traffic traverses nodes controlled by Erlang-based systems. The world’s eight largest service providers rely on Erlang-based systems for network control, and the top eight network equipment vendors integrate Erlang components into their products. This is therefore not a vulnerability confined to a niche technology; it poses a serious risk to core elements of national and global digital infrastructure.
Frenos disclosed in a post that the vulnerability exists because Erlang’s SSH implementation does not properly enforce the SSH protocol sequence. The SSH connection protocol, which carries channel opens and exec or shell requests, sits above user authentication, and a server must not act on those messages until authentication has completed. This flaw lets an attacker bypass that ordering by sending channel operation messages before authentication completes.
“The attack starts with a simple TCP connection to the target’s SSH port. After exchanging SSH banners, the attacker sends a seemingly legitimate SSH_MSG_KEXINIT packet to begin key exchange. This keeps the server happy and engaged,” the post added. “The critical weakness emerges in the next step – instead of completing authentication, the attacker jumps straight to sending SSH_MSG_CHANNEL_OPEN followed by SSH_MSG_CHANNEL_REQUEST with an arbitrary command. The Erlang SSH server, not properly checking the protocol state, executes this command without requiring authentication!”
It added that existing proof-of-concept code attempts to write a file called ‘lab[dot]txt’ with the content ‘pwned’ – a relatively benign payload. However, attackers could easily replace this with commands to establish persistence, exfiltrate data, or disrupt operations.
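The state check whose absence the post describes can be modelled in a few dozen lines. The following is an added example written for this article, not Erlang/OTP's ssh application code and not the circulating proof of concept: a toy server-side dispatcher that tracks whether key exchange and authentication have completed, rejects connection-protocol messages (SSH_MSG_CHANNEL_OPEN, SSH_MSG_CHANNEL_REQUEST) until they have, and, with `enforce=False`, mimics the flawed behaviour of handling them anyway. The message numbers are the real RFC 4250 values; the state names, the `replay` trace format, the `b"valid"` credential and the two traces are this example's own constructions. Nothing is actually executed; "executed" commands are collected in a list.

```python
"""Toy SSH server state machine showing the protocol-sequence check behind
CVE-2025-32433. Added example; not Erlang/OTP code. Message numbers are the
real RFC 4250 assignments; everything else is constructed for illustration."""

from dataclasses import dataclass, field

SSH_MSG_SERVICE_REQUEST = 5
SSH_MSG_KEXINIT = 20
SSH_MSG_NEWKEYS = 21
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_SUCCESS = 52
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_REQUEST = 98

# RFC 4250 number ranges: 1-49 transport layer (incl. key exchange),
# 50-79 user authentication, 80-127 connection protocol (channels, exec).
TRANSPORT_RANGE = range(1, 50)
USERAUTH_RANGE = range(50, 80)
CONNECTION_RANGE = range(80, 128)


class ProtocolViolation(Exception):
    """A message arrived in a state where the protocol does not allow it."""


@dataclass
class ServerSession:
    keys_established: bool = False   # set once SSH_MSG_NEWKEYS is processed
    authenticated: bool = False      # set once userauth succeeds
    enforce: bool = True             # False mimics the flawed state handling
    executed: list = field(default_factory=list)  # commands the server would run

    def handle(self, msg_type, payload=b""):
        """Dispatch one client message and return a short outcome string."""
        if msg_type in TRANSPORT_RANGE:
            if msg_type == SSH_MSG_NEWKEYS:
                self.keys_established = True
            return "transport message"

        if msg_type in USERAUTH_RANGE:
            # Userauth is only meaningful over the encrypted transport.
            self._require(self.keys_established, msg_type, "key exchange not complete")
            if msg_type == SSH_MSG_USERAUTH_REQUEST:
                # A real server verifies credentials here; the toy accepts the
                # constructed constant b"valid" and nothing else.
                self.authenticated = payload == b"valid"
                return "auth ok" if self.authenticated else "auth failed"
            return "userauth message"

        if msg_type in CONNECTION_RANGE:
            # The check that matters: no channel work before authentication.
            self._require(self.authenticated, msg_type, "not authenticated")
            if msg_type == SSH_MSG_CHANNEL_REQUEST:
                command = payload.decode()
                self.executed.append(command)   # stands in for running it
                return "exec " + command
            return "connection message"

        raise ProtocolViolation(f"unknown message type {msg_type}")

    def _require(self, condition, msg_type, why):
        if condition:
            return
        if self.enforce:
            raise ProtocolViolation(f"msg {msg_type} rejected: {why}")
        # Flawed server: fall through and handle the message regardless of state.


def replay(trace, enforce=True):
    """Feed a list of (msg_type, payload) pairs to a fresh server. Returns
    (commands executed, index of the first rejected message or None)."""
    session = ServerSession(enforce=enforce)
    for i, (msg_type, payload) in enumerate(trace):
        try:
            session.handle(msg_type, payload)
        except ProtocolViolation:
            return session.executed, i
    return session.executed, None


# Constructed trace of the sequence the post describes: KEXINIT, then straight
# to CHANNEL_OPEN / CHANNEL_REQUEST with an exec command (the banner exchange is
# not a binary-packet message and is omitted).
UNAUTHENTICATED_EXEC = [
    (SSH_MSG_KEXINIT, b""),
    (SSH_MSG_CHANNEL_OPEN, b"session"),
    (SSH_MSG_CHANNEL_REQUEST, b"touch lab.txt"),
]

# Constructed legitimate trace for comparison.
LEGITIMATE = [
    (SSH_MSG_KEXINIT, b""),
    (SSH_MSG_NEWKEYS, b""),
    (SSH_MSG_SERVICE_REQUEST, b"ssh-userauth"),
    (SSH_MSG_USERAUTH_REQUEST, b"valid"),
    (SSH_MSG_CHANNEL_OPEN, b"session"),
    (SSH_MSG_CHANNEL_REQUEST, b"uname -a"),
]

if __name__ == "__main__":
    print("fixed server  :", replay(UNAUTHENTICATED_EXEC))
    print("flawed server :", replay(UNAUTHENTICATED_EXEC, enforce=False))
    print("legit session :", replay(LEGITIMATE))
```

The same `replay` function doubles as an offline detector: given a message-type sequence reconstructed from a capture, a non-`None` rejection index on a strict replay marks a session that attempted channel operations before authentication, which is the signature of an exploitation attempt against this flaw.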
The Erlang SSH vulnerability raises specific concerns for OT environments for several reasons. Erlang is commonly found in the networking equipment that supports many OT environments; as noted above, Cisco data indicates that approximately two million devices incorporating Erlang are shipped each year. Since 2020, many organizations have expanded remote access to OT networks, often relying on SSH for secure connectivity, and this vulnerability could turn that security feature into an entry point.
In many deployments, the SSH daemon runs with root privileges. In Erlang/OTP the SSH server is the ssh application running inside the Erlang node, so a command sent in an exec request runs with whatever privileges that node has; on embedded devices that is frequently root. If exploited, this could allow an attacker to take full control of the affected device. Erlang is integrated into a wide range of embedded systems and network devices, including those from major vendors such as Cisco and Ericsson. As a result, the vulnerability may impact products throughout the technology supply chain.
Frenos noted that the consequences could be severe, ranging from unauthorized access to sensitive industrial systems to complete disruption of critical infrastructure operations, such as an attacker gaining control of telecommunications equipment during an emergency or manipulating industrial processes in manufacturing facilities.
“While it’s tempting to downplay the seriousness of yet another vulnerability (we’ve all got alert fatigue, right?), this one deserves your attention. With its perfect CVSS score and widespread impact potential, CVE-2025-32433 ranks among the most significant vulnerabilities of 2025 so far,” the post added.
Frenos mentioned that patches are available; the fix shipped in OTP-27.3.3, OTP-26.2.5.11 and OTP-25.3.2.20. The bad news is that many affected systems are in environments where patching is challenging, time-consuming, or disruptive to critical operations. Where patching must wait, the Erlang/OTP advisory’s own workaround applies: disable the SSH server or restrict access to its port with firewall rules. “So patch if you can, mitigate if you must, and remember – in the world of OT security, being paranoid isn’t a disorder, it’s a job requirement.”
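Deciding whether a given host is patched is less obvious than it looks, because the fix was backported to three release branches: a naive "newer version number is safer" comparison marks OTP 27.1 as safe relative to 26.2.5.11 when it is not. The following added example (not Frenos's or the Erlang/OTP project's tooling) compares an installed version against the fixed releases per major branch and shows how to read the full version string from a local runtime, since `erlang:system_info(otp_release)` returns only the major number. The fixed-version table is taken from the Erlang/OTP advisory for CVE-2025-32433; the treatment of majors newer than 27 as patched and the `erl` invocation path are this example's assumptions, and no sample host is contacted.

```python
"""Check an Erlang/OTP version against the CVE-2025-32433 fixed releases.
Added example; not Frenos's or the Erlang/OTP project's code."""

import subprocess

# Fixed releases per maintained branch, as listed in the Erlang/OTP advisory
# for CVE-2025-32433. The fix was backported, so each major has its own floor.
FIXED = {
    25: (25, 3, 2, 20),
    26: (26, 2, 5, 11),
    27: (27, 3, 3),
}
NEWEST_FIXED_MAJOR = max(FIXED)


def parse_otp_version(text):
    """'26.2.5.11' -> (26, 2, 5, 11). OTP_VERSION may end in '**' for a
    source build carrying extra patches; that marker is stripped."""
    text = text.strip().rstrip("*")
    return tuple(int(part) for part in text.split("."))


def is_patched(version_text):
    """True if the release carries the fix. The comparison is per major
    branch: 27.1 is numerically above 26.2.5.11 but is NOT patched."""
    version = parse_otp_version(version_text)
    major = version[0]
    if major in FIXED:
        return version >= FIXED[major]
    # Assumption of this example: majors released after the advisory (28 and
    # later) branched with the fix; majors below 25 were out of support and
    # received no fix, so they are reported as unpatched.
    return major > NEWEST_FIXED_MAJOR


def installed_otp_version(erl="erl"):
    """Read the full version of a local runtime. The complete string lives in
    <root>/releases/<major>/OTP_VERSION; ask erl for that path and read it."""
    expr = (
        'io:format("~s", [filename:join([code:root_dir(), "releases", '
        'erlang:system_info(otp_release), "OTP_VERSION"])]), halt().'
    )
    result = subprocess.run(
        [erl, "-noshell", "-eval", expr],
        capture_output=True, text=True, check=True,
    )
    with open(result.stdout.strip()) as f:
        return f.read().strip()


if __name__ == "__main__":
    version = installed_otp_version()
    status = "patched" if is_patched(version) else "VULNERABLE if ssh is enabled"
    print(f"OTP {version}: {status}")
```

On appliances where `erl` is not on the path, the same `OTP_VERSION` file can be read directly from the vendor's Erlang install directory and passed to `is_patched`.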
Last week, Frenos appointed Colin Murphy as chief hacking officer to lead offensive security innovation. The strategic hire follows Frenos’ recent $3.88 million seed funding round led by DataTribe and complements the company’s growing advisory board, which includes industrial cybersecurity expert Robert M. Lee, co-founder and CEO of Dragos.