CVE-2025-32433 | Attaxion

CISA Known Exploited Vulnerability (KEV)

Name

Erlang Erlang/OTP SSH Server Missing Authentication for Critical Function Vulnerability

Exploit added

June 9, 2025

Action due

June 30, 2025

Action required

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials. This issue is patched in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. A temporary workaround involves disabling the SSH server or to prevent access via firewall rules.

References

Weakness Enumeration

CWE-ID	CWE Name
CWE-306	Missing Authentication for Critical Function

Known Affected Software Configurations

cpe:2.3:a:cisco:confd_basic:8.4:::::::*
cpe:2.3:a:cisco:confd_basic:8.0.18:::::::*
cpe:2.3:a:cisco:confd_basic:8.2:::::::*
cpe:2.3:a:cisco:confd_basic:8.3:::::::*
cpe:2.3:a:cisco:confd_basic:-:::::::*
cpe:2.3:a:erlang:erlang/otp:28.0:rc3::::::
cpe:2.3:a:erlang:erlang/otp:26.2.5.3:::::::*
cpe:2.3:a:erlang:erlang/otp:26.2.5.4:::::::*
cpe:2.3:a:erlang:erlang/otp:27.2.4:::::::*
cpe:2.3:a:erlang:erlang/otp:27.0:rc3::::::
cpe:2.3:a:erlang:erlang/otp:27.0.1:::::::*
cpe:2.3:a:erlang:erlang/otp:26.2.5.9:::::::*
cpe:2.3:a:erlang:erlang/otp:27.3.4:::::::*
cpe:2.3:a:erlang:erlang/otp:27.0:rc2::::::
cpe:2.3:a:erlang:erlang/otp:27.2.2:::::::*
cpe:2.3:a:erlang:erlang/otp:27.0:rc1::::::
cpe:2.3:a:erlang:erlang/otp:28.0:-::::::
cpe:2.3:a:erlang:erlang/otp:27.3.1:::::::*
cpe:2.3:a:erlang:erlang/otp:27.1.1:::::::*
cpe:2.3:a:erlang:erlang/otp:27.2.3:::::::*
cpe:2.3:a:erlang:erlang/otp:26.2.5.12:::::::*
cpe:2.3:a:erlang:erlang/otp:26.2.5.11:::::::*
cpe:2.3:a:erlang:erlang/otp:26.2.4:::::::*
cpe:2.3:a:erlang:erlang/otp:25.3.2.9:::::::*
cpe:2.3:a:erlang:erlang/otp:26.2.3:::::::*
cpe:2.3:a:erlang:erlang/otp:25.3.2.8:::::::*
cpe:2.3:a:erlang:erlang/otp:25.3.2.21:::::::*
cpe:2.3:a:erlang:erlang/otp:27.2:::::::*
cpe:2.3:a:erlang:erlang/otp:28.0:rc2::::::
cpe:2.3:a:erlang:erlang/otp:27.3.3:::::::*
cpe:2.3:a:erlang:erlang/otp:27.1:::::::*
cpe:2.3:a:erlang:erlang/otp:27.2.1:::::::*
cpe:2.3:a:erlang:erlang/otp:26.2.5:::::::*
cpe:2.3:a:erlang:erlang/otp:25.3.2.16:::::::*
cpe:2.3:a:erlang:erlang/otp:28.0:rc1::::::
cpe:2.3:a:erlang:erlang/otp:28.0:rc4::::::
cpe:2.3:a:erlang:erlang/otp:27.3.2:::::::*
cpe:2.3:a:erlang:erlang/otp:27.3:::::::*
cpe:2.3:a:erlang:erlang/otp:27.1.3:::::::*
cpe:2.3:a:erlang:erlang/otp:27.1.2:::::::*
cpe:2.3:a:erlang:erlang/otp:27.0:-::::::
cpe:2.3:a:erlang:erlang/otp:25.3.2.15:::::::*
cpe:2.3:a:erlang:erlang/otp:25.3.2.13:::::::*
cpe:2.3:a:erlang:erlang/otp:26.2.5.2:::::::*
cpe:2.3:a:erlang:erlang/otp:26.2.5.1:::::::*
cpe:2.3:a:erlang:erlang/otp:26.2.5.10:::::::*
cpe:2.3:a:erlang:erlang/otp:26.2.5.6:::::::*
cpe:2.3:a:erlang:erlang/otp:26.2.1:::::::*
cpe:2.3:a:erlang:erlang/otp:26.2.2:::::::*
cpe:2.3:a:erlang:erlang/otp:25.3.2.7:::::::*
cpe:2.3:a:erlang:erlang/otp:26.2.5.7:::::::*
cpe:2.3:a:erlang:erlang/otp:25.3.2.17:::::::*
cpe:2.3:a:erlang:erlang/otp:25.3.2.18:::::::*
cpe:2.3:a:erlang:erlang/otp:25.3.2.14:::::::*
cpe:2.3:a:erlang:erlang/otp:25.3.2.19:::::::*
cpe:2.3:a:erlang:erlang/otp:25.3.2.10:::::::*
cpe:2.3:a:erlang:erlang/otp:25.3.2.11:::::::*
cpe:2.3:a:erlang:erlang/otp:24.3.4.15:::::::*
cpe:2.3:a:erlang:erlang/otp:26.2.5.5:::::::*
cpe:2.3:a:erlang:erlang/otp:23.0:::::::*
cpe:2.3:a:erlang:erlang/otp:26.2.5.8:::::::*
cpe:2.3:a:erlang:erlang/otp:25.3.2.20:::::::*
cpe:2.3:a:erlang:erlang/otp:25.3.2.12:::::::*
cpe:2.3:a:erlang:erlang/otp:23.3.4.20:::::::*
cpe:2.3:a:erlang:erlang/otp:22.3.4.27:::::::*
cpe:2.3:a:cisco:network_services_orchestrator:4.7.6.1:::::::*
cpe:2.3:a:cisco:network_services_orchestrator:6.3.6:::::::*
cpe:2.3:a:cisco:network_services_orchestrator:4.7.9:::::::*
cpe:2.3:a:cisco:network_services_orchestrator:4.7.7.6:::::::*
cpe:2.3:a:cisco:network_services_orchestrator:6.3.7:::::::*
cpe:2.3:a:cisco:network_services_orchestrator:5.6.15:::::::*
cpe:2.3:a:cisco:network_services_orchestrator:4.7.3.1:::::::*
cpe:2.3:a:cisco:network_services_orchestrator:4.7.2.1:::::::*
cpe:2.3:a:cisco:network_services_orchestrator:6.3.4:::::::*
cpe:2.3:a:cisco:network_services_orchestrator:5.0:::::::*
cpe:2.3:a:cisco:network_services_orchestrator:6.3.3:::::::*
cpe:2.3:a:cisco:network_services_orchestrator:6.3.8:::::::*
cpe:2.3:a:cisco:network_services_orchestrator:6.3.5:::::::*
cpe:2.3:a:cisco:network_services_orchestrator:6.3.4.1:::::::*
cpe:2.3:a:cisco:network_services_orchestrator:5.1.1.2:::::::*
cpe:2.3:a:cisco:network_services_orchestrator:4.7.3.4:::::::*
cpe:2.3:a:cisco:network_services_orchestrator:5.5.10.1:::::::*
cpe:2.3:a:cisco:network_services_orchestrator:4.7.2:::::::*
cpe:2.3:a:cisco:network_services_orchestrator:4.7.3.3:::::::*
cpe:2.3:a:cisco:network_services_orchestrator:6.3.1:::::::*
cpe:2.3:a:cisco:network_services_orchestrator:6.2.9:::::::*
cpe:2.3:a:cisco:network_services_orchestrator:5.4.8:::::::*
cpe:2.3:a:cisco:network_services_orchestrator:5.1.2.4:::::::*
cpe:2.3:a:cisco:network_services_orchestrator:5.1.2.3:::::::*
cpe:2.3:a:cisco:network_services_orchestrator:4.7.3.2:::::::*
cpe:2.3:a:cisco:network_services_orchestrator:6.3:::::::*
cpe:2.3:a:cisco:network_services_orchestrator:6.3.2:::::::*
cpe:2.3:a:cisco:network_services_orchestrator:6.2.8:::::::*
cpe:2.3:a:cisco:network_services_orchestrator:6.2.7:::::::*
cpe:2.3:a:cisco:network_services_orchestrator:5.3.8:::::::*
cpe:2.3:a:cisco:network_services_orchestrator:5.2.9:::::::*
cpe:2.3:a:cisco:network_services_orchestrator:6.2.4:::::::*
cpe:2.3:a:cisco:network_services_orchestrator:4.7.4.4:::::::*
cpe:2.3:a:cisco:network_services_orchestrator:6.2.5:::::::*
cpe:2.3:a:cisco:network_services_orchestrator:5.1.7:::::::*

Details

Source:
NVD

Published:
April 16, 2025

Updated:
June 12, 2025

Risk information

CVSS v3

Base score:
10

Severity:

CRITICAL

Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS v2

Not defined