CVE-2025-32433: Technical Deep-Dive (Auto Refreshed)

Generated on 2026-03-24T15:43:57.616Z. This file is automatically regenerated every 30 minutes by the CVE AI enrichment job using web sources (NVD, MITRE, CISA KEV, GitHub).

Executive Technical Summary

Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials. This issue is patched in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. A temporary workaround involves disabling the SSH server or to prevent access via firewall rules.

• Context preserved from previous revision: Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials. This issue is patched in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. A temporary workaround involves disabling the SSH server or to prevent access via firewall rules. Notes: 这是一个每天同步Vulnerability-Wiki中docs-base中内容的项目

Technical Details

• CVE: CVE-2025-32433
• KEV date added: 2025-06-09
• KEV due date: 2025-06-30
• NVD published: 2025-04-17
• NVD modified: 2025-11-04
• MITRE modified: 2026-02-26
• CVSS base score: 10
• CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
• CVSS exploitability score: 3.9
• CVSS impact score: 6
• Attack vector: Network
• Attack complexity: Low
• Privileges required: None
• User interaction: None
• Scope: Changed
• Confidentiality impact: High
• Integrity impact: High
• Availability impact: High

Versions and Products Impacted

• erlang / erlang/otp (versions: < 25.3.2.20)
• erlang / erlang/otp (versions: >= 26.0, < 26.2.5.11)
• erlang / erlang/otp (versions: >= 27.0, < 27.3.3)
• cisco / confd basic (versions: < 7.7.19.1)
• cisco / confd basic (versions: >= 8.0.18, < 8.1.16.2)
• cisco / confd basic (versions: >= 8.2, < 8.2.11.1)
• cisco / confd basic (versions: >= 8.3, < 8.3.8.1)
• cisco / confd basic (versions: >= 8.4, < 8.4.4.1)
• cisco / network services orchestrator (versions: < 5.7.19.1)
• cisco / network services orchestrator (versions: >= 5.8, < 6.1.16.2)
• cisco / network services orchestrator (versions: >= 6.2, < 6.2.11.1)
• cisco / network services orchestrator (versions: >= 6.3, < 6.3.8.1)
• cisco / network services orchestrator (versions: >= 6.4, < 6.4.1.1)
• cisco / network services orchestrator (versions: >= 6.4.2, < 6.4.4.1)
• cisco / cloud native broadband network gateway (versions: < 2025.03.1)
• cisco / inode manager
• cisco / smart phy (versions: < 25.2)
• cisco / ultra packet core (versions: < 2025.03)
• cisco / ultra services platform
• cisco / staros (versions: < 2025.03)

Weakness Classification

• CWE-306

Repositories for Lab Validation (Public Examples)

• J1ezds/Vulnerability-Wiki-page | stars: 8 | updated: 2026-03-24 | https://github.com/J1ezds/Vulnerability-Wiki-page
  Notes: 这是一个每天同步Vulnerability-Wiki中docs-base中内容的项目
• zulloper/cve-poc | stars: 8 | updated: 2026-03-24 | https://github.com/zulloper/cve-poc
  Notes: CVE POC repo 자동 수집기

People and Organizations Mentioned

• GitHub_M
• Erlang
• Erlang/OTP
• J1ezds
• zulloper

Practical Defensive Validation (Authorized Only)

1. Use only isolated environments and systems you own or are explicitly authorized to test.
2. Snapshot infrastructure before validation and preserve baseline logs (EDR, SIEM, OS, app).
3. Use erlang / erlang/otp (versions: < 25.3.2.20) in isolated VM snapshots (vulnerable vs patched) and compare process tree telemetry before/after updates.
4. Validate command-execution prevention policies (AppLocker/WDAC/EDR) with harmless test binaries only.
5. Create SIEM detections for suspicious parent-child chains, encoded command usage, and abnormal service creation.

References

• NVD record: https://nvd.nist.gov/vuln/detail/CVE-2025-32433
• MITRE CVE record: https://www.cve.org/CVERecord?id=CVE-2025-32433
• CISA KEV Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
• CISA KEV JSON feed: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
• KEV notes: This vulnerability affects a common open-source project, third-party library, or a protocol used by different products. For more information, please see: https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2 ; https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-erlang-otp-ssh-xyZZy ; https://nvd.nist.gov/vuln/detail/CVE-2025-32433
• https://github.com/erlang/otp/commit/0fcd9c56524b28615e8ece65fc0c3f66ef6e4c12
• https://github.com/erlang/otp/commit/6eef04130afc8b0ccb63c9a0d8650209cf54892f
• https://github.com/erlang/otp/commit/b1924d37fd83c070055beb115d5d6a6a9490b891
• https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2
• http://www.openwall.com/lists/oss-security/2025/04/16/2
• http://www.openwall.com/lists/oss-security/2025/04/18/1
• http://www.openwall.com/lists/oss-security/2025/04/18/2
• http://www.openwall.com/lists/oss-security/2025/04/18/6
• http://www.openwall.com/lists/oss-security/2025/04/19/1
• https://lists.debian.org/debian-lts-announce/2025/04/msg00028.html
• https://security.netapp.com/advisory/ntap-20250425-0001/
• https://github.com/ProDefense/CVE-2025-32433/blob/main/CVE-2025-32433.py
• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-erlang-otp-ssh-xyZZy
• https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32433
• Repository example: https://github.com/J1ezds/Vulnerability-Wiki-page
• Repository example: https://github.com/zulloper/cve-poc

This content is for defensive security training and authorized validation only.