Malicious actors have been observed exploiting a now-patched critical security flaw impacting Erlang/Open Telecom Platform (OTP) SSH as early as beginning of May 2025, with about 70% of detections originating from firewalls protecting operational technology (OT) networks.
The vulnerability in question is CVE-2025-32433 (CVSS score: 10.0), a missing authentication issue that could be abused by an attacker with network access to an Erlang/OTP SSH server to execute arbitrary code. It was patched in April 2025 with versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20.
Then in June 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
“At the heart of Erlang/OTP’s secure communication capabilities lies its native SSH implementation — responsible for encrypted connections, file transfers and most importantly, command execution,” Palo Alto Networks Unit 42 researchers Adam Robbie, Yiheng An, Malav Vyas, Cecilia Hu, Matthew Tennis, and Zhanhao Chen said.
“A flaw in this implementation would allow an attacker with network access to execute arbitrary code on vulnerable systems without requiring credentials, presenting a direct and severe risk to exposed assets.”
The cybersecurity company’s analysis of telemetry data has revealed that over 85% of exploit attempts have primarily singled out healthcare, agriculture, media and entertainment, and high technology sectors in the U.S., Canada, Brazil, India, and Australia, among others.
In the attacks observed, the successful exploitation of CVE-2025-32433 is followed by the threat actors using reverse shells to gain unauthorized remote access to target networks. It’s currently not known who is behind the efforts.
“This widespread exposure on industrial-specific ports indicates a significant global attack surface across OT networks,” Unit 42 said. “Analysis of affected industries demonstrates variance in the attacks.”
“Attackers are attempting to exploit the vulnerability in short, high-intensity bursts. These are disproportionately targeting OT networks and attempting to access exposed services over both IT and industrial ports.”
