- Posted April 24, 2025
The NCSC would like to draw your attention to a critical vulnerability affecting Erlang/OTP SSH. This vulnerability has been given a CVSS score of 10. Erlang is widely used in networking equipment, which introduces supply chain risk, particularly to industrial control systems (ICS) and operational technology (OT) devices.
CVE-2025-32433 is a remote code execution (RCE) vulnerability in the SSH library of the Erlang/Open Telecom Platform (OTP). It allows an unauthenticated remote attacker to send SSH connection protocol messages before authentication has completed, resulting in arbitrary code execution in the SSH daemon. The NCSC is aware of published Proof of Concept (PoC) exploits.
The vulnerability affects devices running the following versions of Erlang/OTP SSH daemon:
· OTP-27.3.2 and prior
· OTP-26.2.5.10 and prior
· OTP-25.3.2.19 and prior
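The version list above is the check most organisations need to run first. The following script is an added example written for this note, not NCSC code: it parses Erlang/OTP version strings (as found in an installed release's OTP_VERSION file or a package inventory) and reports which hosts fall inside the ranges listed above. Its reading of "and prior" (versions below OTP 25 are also affected; versions above the listed thresholds on the 25, 26 and 27 lines, and any newer major line, are treated as outside the advisory's ranges) and the host inventory are assumptions made for the example.

```python
"""Triage an Erlang/OTP inventory against the CVE-2025-32433 affected ranges.

Added example, not NCSC code. Affected ranges come from the advisory:
OTP-27.3.2 and prior, OTP-26.2.5.10 and prior, OTP-25.3.2.19 and prior.
"""
import re

# Highest affected version on each maintained major line, from the advisory.
AFFECTED_CEILINGS = {
    27: (27, 3, 2),
    26: (26, 2, 5, 10),
    25: (25, 3, 2, 19),
}
OLDEST_LISTED_MAJOR = min(AFFECTED_CEILINGS)


def parse_otp_version(text: str) -> tuple[int, ...]:
    """Turn 'OTP-27.3.2', '27.3.2' or an OTP_VERSION file's contents into a
    tuple of ints, so ordinary tuple comparison orders releases correctly
    (27.3 < 27.3.2 < 27.3.3, and 26.2.5.9 < 26.2.5.10)."""
    match = re.search(r"(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"no OTP version found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(version: str) -> bool:
    """True when the version is inside one of the advisory's affected ranges."""
    parsed = parse_otp_version(version)
    major = parsed[0]
    if major in AFFECTED_CEILINGS:
        # A shorter tuple compares as earlier, so '27.3' is (correctly) affected.
        return parsed <= AFFECTED_CEILINGS[major]
    if major < OLDEST_LISTED_MAJOR:
        # Assumption: lines older than 25 are "prior" to 25.3.2.19 and so affected.
        return True
    # Assumption: major lines newer than 27 are outside the listed ranges.
    return False


def triage(inventory: list[tuple[str, str]]) -> list[str]:
    """Return the sorted hostnames whose OTP version is affected."""
    return sorted(host for host, version in inventory if is_affected(version))


# Constructed sample inventory (hostname, OTP version string); not real hosts.
INVENTORY = [
    ("plc-gateway-01", "OTP-25.3.2.19"),
    ("mq-broker-02", "27.3.3"),
    ("legacy-switch-07", "24.3.4.17"),
    ("mq-broker-03", "26.2.5.11"),
]

if __name__ == "__main__":
    for host in triage(INVENTORY):
        print(f"{host}: affected by CVE-2025-32433, patch or isolate")
```

On a host, `erlang:system_info(otp_release)` only reports the major line (for example "27"), which is not enough to place a release against these thresholds; the full string lives in the OTP_VERSION file shipped with the installed release, which is why the parser accepts the file's contents directly. For network appliances that embed Erlang without exposing it, the vendor's advisory is the only reliable source of the version.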
The NCSC encourages organisations in New Zealand that use the affected product to review the advisory and apply the remediation as soon as possible. The NCSC also recommends that organisations monitor for security updates from third-party vendors whose products use Erlang/OTP SSH.
For more NCSC NZ updates, follow us on LinkedIn.