CVE-2025-32433 affecting Erlang/Open Telecom Platform (OTP) SSH library

4:44pm, 24 April 2025

TLP Rating: Clear

The NCSC would like to draw your attention to a critical vulnerability affecting Erlang/OTP SSH. This vulnerability has been given a CVSS score of 10. Erlang is widely used in networking equipment, which introduces supply chain risk, particularly to industrial control systems (ICS) and operational technology (OT) devices. 

CVE-2025-32433 is a remote code execution (RCE) vulnerability affecting the Erlang/Open Telecom Platform (OTP) SSH library. This could allow a remote attacker to send connection protocol messages prior to authentication, resulting in arbitrary code execution in the SSH daemon. The NCSC is aware of published Proof of Concept (PoC) exploits. 

What's happening

Systems affected

The vulnerability affects devices running the following versions of the Erlang/OTP SSH daemon:
• OTP-27.3.2 and prior.
• OTP-26.2.5.10 and prior.
• OTP-25.3.2.19 and prior.

What this means

Organisations are vulnerable to this CVE if they are running the affected versions listed or use third party software that uses Erlang/OTP SSH. 

What to look for

How to tell if you're affected

All users running the Erlang/OTP SSH server are impacted by this vulnerability, regardless of the underlying Erlang/OTP version. If your application provides SSH access using the Erlang/OTP SSH library, assume you are affected. 

If you’re unsure whether you are affected by this vulnerability, please contact your software provider.

What to do

Prevention

The NCSC encourages organisations in New Zealand that use the affected product to review the advisory and apply the remediation as soon as possible. The NCSC also recommends organisations monitor for security updates from third-party vendors that use Erlang/OTP SSH.

Mitigation

Update: Users are advised to update to OTP-27.3.3 (for OTP-27), OTP-26.2.5.11 (for OTP-26), or OTP-25.3.2.20 (for OTP-25) to mitigate this issue.

Temporary Workaround: Until you can upgrade to a fixed version, we recommend disabling the SSH server or preventing access to it via firewall rules.
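To turn the affected-version list and the fixed releases above into a repeatable check, here is an added example (not NCSC or Erlang/OTP code) that classifies an OTP version string against those ranges; the sample version strings, and the `erl`-based lookup of the local OTP_VERSION file, are assumptions.

```python
# Added example (not NCSC/Erlang code): classify OTP versions against the advisory ranges.
import re
import subprocess

# Per supported branch: newest affected release and first fixed release, as listed above.
AFFECTED_UP_TO = {27: (27, 3, 2), 26: (26, 2, 5, 10), 25: (25, 3, 2, 19)}
FIXED_IN = {27: (27, 3, 3), 26: (26, 2, 5, 11), 25: (25, 3, 2, 20)}

def parse_otp_version(text: str) -> tuple:
    """Accept 'OTP-27.3.2', '27.3.2' or 'OTP 26.2.5.10' and return an int tuple."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no OTP version found in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def classify(text: str) -> dict:
    """Return status affected / fixed / unverified / not-listed plus the upgrade target."""
    v = parse_otp_version(text)
    major = v[0]
    if major < 25:
        # "OTP-25.3.2.19 and prior" takes in every older branch; none of them has a
        # fixed release, so the only remediation is moving to a patched branch.
        return {"version": v, "status": "affected", "upgrade_to": None}
    if major not in FIXED_IN:
        return {"version": v, "status": "not-listed", "upgrade_to": None}
    if v <= AFFECTED_UP_TO[major]:
        return {"version": v, "status": "affected", "upgrade_to": FIXED_IN[major]}
    if v >= FIXED_IN[major]:
        return {"version": v, "status": "fixed", "upgrade_to": None}
    # Above the listed ceiling but below the fix (e.g. an unlisted patch build):
    # the advisory does not cover it, so report it as unverified rather than safe.
    return {"version": v, "status": "unverified", "upgrade_to": FIXED_IN[major]}

def installed_otp_version() -> str:
    """Full OTP version of the local erl (assumes erl is on PATH and OTP_VERSION exists)."""
    eval_expr = ('{ok, V} = file:read_file(filename:join([code:root_dir(), "releases", '
                 'erlang:system_info(otp_release), "OTP_VERSION"])), io:format("~s", [V]), halt().')
    out = subprocess.run(["erl", "-noshell", "-eval", eval_expr],
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()

if __name__ == "__main__":
    for sample in ["OTP-27.3.2", "OTP-26.2.5.11", "25.3.2.19", "24.3.4", "27.3.2.1"]:
        print(sample, classify(sample)["status"])
```

Run `classify(installed_otp_version())` on a host with `erl` installed to check the local runtime; the "unverified" status exists so that a build the advisory does not list is never silently reported as fixed.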

More information

CVE-2025-32433

If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.

Report an incident to CERT NZ.

For media enquiries, email our media desk at media@ncsc.govt.nz.