Critical Erlang/OTP SSH pre-auth RCE is 'Surprisingly Easy' to exploit, patch now
Published on: 2025-04-22 06:34:57
A critical vulnerability in the Erlang/OTP SSH implementation, tracked as CVE-2025-32433, has been disclosed that allows for unauthenticated remote code execution on vulnerable devices.
The flaw was discovered by Fabian Bäumer, Marcus Brinkmann, Marcel Maehren, and Jörg Schwenk of the Ruhr University Bochum in Germany and given a maximum severity score of 10.0.
All devices running the Erlang/OTP SSH daemon are impacted by the vulnerability and are advised to upgrade to versions 25.3.2.10 and 26.2.4 to fix the flaw.
Erlang is a programming language known for its fault tolerance and concurrency, making it commonly used in telecom infrastructure and high-availability systems. Erlang/OTP is a set of libraries, design principles, and tools built on top of Erlang that provides components like the SSH application for remote access.
The CVE-2025-32433 vulnerability is caused by the improper handling of certain pre-authentication protocol messages within the SSH daemon provided by Erlang/OTP's SSH applic