Erlang/OTP Remote Code Execution Vulnerability

A vulnerability has been identified in Erlang/OTP. A remote attacker could exploit this vulnerability to trigger remote code execution on the targeted system.


Note:

Proof-of-concept exploit code is publicly available for CVE-2025-32433. The vulnerability allows unauthenticated remote code execution by malicious actors with network access to hosts running an Erlang/OTP SSH server, which can lead to full system compromise. Hence, the risk level is rated as High Risk.


All users running the Erlang/OTP SSH server prior to the fixed releases are impacted by this vulnerability. By default RabbitMQ does not require an SSH server for operation, but any RabbitMQ instance (or similar Erlang-based service) that has its OTP SSH interface enabled on a network-accessible port is vulnerable to this CVE. In addition, Apache CouchDB and the former Riak KV database are implemented in Erlang/OTP; if CouchDB is configured to allow an Erlang remote shell, that interface would be at risk. Even if the OTP SSH server is not exposed externally, the presence of the vulnerability means an insider or lateral mover in the network could use it to escalate privileges on the database server.

RISK: High Risk

TYPE: Servers – Web Servers


Impact

  • Remote Code Execution

System / Technologies affected

  • Versions equal or prior to OTP-27.3.2
  • Versions equal or prior to OTP-26.2.5.10
  • Versions equal or prior to OTP-25.3.2.19

Solutions

Before installation of the software, please visit the vendor web-site for more details.

Apply fixes issued by the vendor:


  • OTP-27.3.3
  • OTP-26.2.5.11
  • OTP-25.3.2.20
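As an added triage helper that is not part of this advisory, the Python below maps an installed OTP version string onto the affected and fixed releases listed above; the version string is assumed to come from `erl` output or from the `OTP_VERSION` file in the release directory (an assumed location), and the branch logic follows the advisory's "equal or prior to" wording.

```python
"""Check an Erlang/OTP version string against the fixed releases for
CVE-2025-32433 listed in the advisory: OTP-27.3.3, OTP-26.2.5.11, OTP-25.3.2.20.
"""
import re
import sys

# Fixed release per maintained branch, taken from the advisory.
FIXED = {
    27: (27, 3, 3),
    26: (26, 2, 5, 11),
    25: (25, 3, 2, 20),
}


def parse_otp_version(text: str) -> tuple[int, ...]:
    """Parse 'OTP-27.3.2', '27.3.2' or '26.2.5.10' into a comparable int tuple."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no OTP version found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version: str) -> bool:
    """True if the OTP release is in the advisory's affected range for this CVE."""
    v = parse_otp_version(version)
    major = v[0]
    if major in FIXED:
        # Tuple comparison handles any depth: (27, 3, 2) < (27, 3, 3),
        # and a short tuple such as (27, 3) sorts before (27, 3, 3).
        return v < FIXED[major]
    if major < 25:
        # Older than every fixed branch, i.e. "prior to OTP-25.3.2.19".
        return True
    # Branches newer than 27 are not in the advisory's affected list.
    return False


if __name__ == "__main__":
    # Usage: python check_otp.py "$(cat /path/to/releases/<n>/OTP_VERSION)"
    # (assumed file location; any string containing the version works).
    for arg in sys.argv[1:]:
        state = "AFFECTED" if is_vulnerable(arg) else "fixed/not listed"
        print(f"{arg}: {state}")
```

A fixed release only removes this CVE; whether the OTP SSH daemon needs to be listening on a network-accessible port at all is a separate hardening question raised in the text above.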

Vulnerability Identifier

  • CVE-2025-32433

Source


Related Link
