- Posted June 11, 2025
Originally posted April 24, 2025, updated on June 11, 2025
The NCSC would like to redraw your attention to CVE-2025-32433, a critical vulnerability affecting Erlang/OTP SSH. The NCSC is now aware of reports of active exploitation of this vulnerability. Erlang/OTP is widely embedded in networking equipment, which introduces supply chain risk, particularly to industrial control systems (ICS) and operational technology (OT) devices.
CVE-2025-32433 is a remote code execution (RCE) vulnerability in the SSH library of the Erlang/Open Telecom Platform (OTP). The SSH daemon accepts connection protocol messages from a remote, unauthenticated attacker before authentication has completed, and handling those messages can result in arbitrary code execution in the SSH daemon.
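The defect class described above is a missing state check between the SSH protocol layers: RFC 4250 reserves message numbers 50 to 79 for user authentication and 80 to 127 for the connection protocol (channels, channel requests, global requests), and a server must not act on anything from the connection layer until it has sent SSH_MSG_USERAUTH_SUCCESS. The following model, added here as an illustration and not taken from Erlang/OTP or the vendor advisory, puts an ungated dispatcher beside a gated one so the difference in behaviour is visible. Message numbers are the RFC 4250 values; the session object, credential check and handler names are constructed for the example.

```python
"""Pre-authentication message gate in an SSH server, modelled in Python.

Constructed illustration of the defect class; not Erlang/OTP code.
Message numbers are from RFC 4250 (SSH Protocol Assigned Numbers).
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# RFC 4250 message numbers used below
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_SUCCESS = 52
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_GLOBAL_REQUEST = 80
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_REQUEST = 98

# RFC 4250 ranges: 1-49 transport, 50-79 userauth, 80-127 connection
USERAUTH_RANGE = range(50, 80)
CONNECTION_RANGE = range(80, 128)

# Constructed credential for the example's stand-in authenticator
VALID_CREDENTIAL = b"valid-credential"


@dataclass
class SshSession:
    """Minimal server-side session state: only the authentication flag matters here."""
    authenticated: bool = False
    sent: List[int] = field(default_factory=list)   # messages the server emitted
    handled: List[int] = field(default_factory=list)  # connection-layer messages acted on


def handle_userauth(session: SshSession, payload: bytes) -> str:
    """Stand-in for a real credential check (constructed for the example)."""
    if payload == VALID_CREDENTIAL:
        session.authenticated = True
        session.sent.append(SSH_MSG_USERAUTH_SUCCESS)
        return "auth-success"
    session.sent.append(SSH_MSG_USERAUTH_FAILURE)
    return "auth-failure"


def handle_connection(session: SshSession, msg: int) -> str:
    """Stand-in for channel/request handling; records that the message was acted on."""
    session.handled.append(msg)
    return "handled"


def dispatch(session: SshSession, msg: int, payload: bytes = b"",
             enforce_gate: bool = True) -> str:
    """Route one incoming message.

    enforce_gate=False reproduces the defect class: connection-layer messages
    reach their handlers whether or not authentication has completed.
    enforce_gate=True is the hardened form: anything from the connection range
    on an unauthenticated session is rejected, and a real server would
    disconnect with SSH_DISCONNECT_PROTOCOL_ERROR and log the event.
    """
    if msg in USERAUTH_RANGE:
        return handle_userauth(session, payload)
    if msg in CONNECTION_RANGE:
        if enforce_gate and not session.authenticated:
            return "rejected-preauth"
        return handle_connection(session, msg)
    return "ignored"


def run_sequence(messages: List[Tuple[int, bytes]], enforce_gate: bool) -> List[str]:
    """Feed a constructed message sequence to a fresh session and return the outcomes."""
    session = SshSession()
    return [dispatch(session, m, p, enforce_gate) for m, p in messages]


# Constructed sequence: connection-layer messages arrive before any authentication
PREAUTH_SEQUENCE = [
    (SSH_MSG_CHANNEL_OPEN, b""),
    (SSH_MSG_CHANNEL_REQUEST, b""),
]

# Constructed sequence: authenticate first, then open a channel
NORMAL_SEQUENCE = [
    (SSH_MSG_USERAUTH_REQUEST, VALID_CREDENTIAL),
    (SSH_MSG_CHANNEL_OPEN, b""),
]

if __name__ == "__main__":
    print("ungated, pre-auth:", run_sequence(PREAUTH_SEQUENCE, enforce_gate=False))
    print("gated,   pre-auth:", run_sequence(PREAUTH_SEQUENCE, enforce_gate=True))
    print("gated,   normal:  ", run_sequence(NORMAL_SEQUENCE, enforce_gate=True))
```

The gated dispatcher is also where a detection signal lives: a rejected connection-layer message on an unauthenticated session is a protocol violation that a well-behaved client never produces, so logging those rejections gives a high-signal indicator for this class of attempt.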
The vulnerability affects devices running the following versions of Erlang/OTP SSH daemon:
• OTP-27.3.2 and prior
• OTP-26.2.5.10 and prior
• OTP-25.3.2.19 and prior
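Because the affected set is "this release and every earlier patch release on the same major line", an inventory check has to compare version tuples per major rather than sort all versions globally. The script below is an added triage example, not NCSC or Erlang/OTP tooling; the ceilings come from the three lines listed above, the inventory is constructed, and the `OTP_VERSION` file is assumed to be the place an installed release records its full version (the `erl` shell's `erlang:system_info(otp_release)` reports only the major number). Versions on a major line the advisory does not list are reported as not covered rather than as safe.

```python
"""Triage an Erlang/OTP inventory against the advisory's affected version lines.

Added example; version ceilings are taken from the advisory text above.
Inventory entries are constructed for the example.
"""
import re
from typing import Dict, List, Tuple

# Highest affected patch release per OTP major line, from the advisory text.
# Anything on the same major line that compares less than or equal is affected.
AFFECTED_CEILINGS: Dict[int, Tuple[int, ...]] = {
    27: (27, 3, 2),
    26: (26, 2, 5, 10),
    25: (25, 3, 2, 19),
}

_VERSION_RE = re.compile(r"(?:OTP[-_ ])?(\d+(?:\.\d+)+)")


def parse_otp_version(text: str) -> Tuple[int, ...]:
    """Extract a dotted OTP version from strings such as 'OTP-26.2.5.10' or the
    contents of an OTP_VERSION file ('27.3.2\\n')."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OTP version found in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def assess(version_text: str) -> str:
    """Classify one version string as 'affected', 'not affected', or 'not covered'.

    Tuple comparison gives the right ordering for patch releases: (26, 2, 5)
    sorts before (26, 2, 5, 10) and is therefore 'prior' and affected.
    """
    version = parse_otp_version(version_text)
    ceiling = AFFECTED_CEILINGS.get(version[0])
    if ceiling is None:
        # Major line not listed in the advisory text: do not assume safe.
        return "not covered"
    return "affected" if version <= ceiling else "not affected"


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts by assessment so the 'affected' and 'not covered' lists can be actioned."""
    groups: Dict[str, List[str]] = {"affected": [], "not affected": [], "not covered": []}
    for host, version_text in inventory.items():
        groups[assess(version_text)].append(host)
    for hosts in groups.values():
        hosts.sort()
    return groups


# Constructed inventory: host name -> version string as collected from each device
SAMPLE_INVENTORY = {
    "edge-router-01": "OTP-27.3.2",
    "edge-router-02": "OTP-27.3.3",
    "plc-gateway-01": "26.2.5.10",
    "plc-gateway-02": "26.2.5",
    "hmi-bridge-01": "OTP-25.3.2.19",
    "hmi-bridge-02": "OTP-25.3.2.20",
    "lab-node-01": "OTP-28.0",
    "legacy-switch-01": "OTP-24.3.4",
}

if __name__ == "__main__":
    for group, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{group}: {', '.join(hosts) if hosts else '-'}")
```

Hosts in the "affected" group need the vendor update; hosts in "not covered" are on a major line the advisory text does not enumerate and should be checked against the vendor advisory before being marked safe.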
The NCSC encourages organisations in New Zealand that use the affected product to review the vendor advisory and apply the remediation as soon as possible. The NCSC also recommends that organisations monitor for security updates from third-party vendors whose products embed Erlang/OTP SSH.