Erlang has released a security advisory to address a vulnerability in Erlang/OTP. A remote attacker could send a specially crafted request to exploit the vulnerability.
Reports indicate that proof-of-concept (PoC) code for the vulnerability (CVE-2025-32433) is publicly available. System administrators are advised to take immediate action to patch affected systems to mitigate the elevated risk of cyber attacks.
A successful attack could lead to remote code execution on an affected system.
Erlang has released new versions of the product to address the issue; they can be downloaded at the following URLs:
(for OTP-27)
https://github.com/erlang/otp/releases/tag/OTP-27.3.3
(for OTP-26)
https://github.com/erlang/otp/releases/tag/OTP-26.2.5.11
(for OTP-25)
https://github.com/erlang/otp/releases/tag/OTP-25.3.2.20
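To help triage an inventory of installations against the fixed releases listed above, here is an added example (not code from the advisory or from the Erlang project). It assumes you have already obtained each installation's full OTP version string, for example from the OTP_VERSION file shipped in the release directory; the inventory values are constructed.

```python
"""Check whether an Erlang/OTP version string is at or above the release that
fixes CVE-2025-32433. Added example; not from the advisory or the Erlang project."""

# Earliest fixed release for each OTP line named in the advisory.
FIXED_VERSIONS = {
    27: (27, 3, 3),
    26: (26, 2, 5, 11),
    25: (25, 3, 2, 20),
}


def parse_otp_version(version: str) -> tuple[int, ...]:
    """Turn "OTP-26.2.5.11" or "26.2.5.11" into a comparable tuple of ints."""
    version = version.strip()
    if version.upper().startswith("OTP-"):
        version = version[4:]
    parts = version.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised OTP version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str) -> bool:
    """True only if the version is at or above the fixed release of its own
    major line. Lines the advisory does not list (older than OTP-25) have no
    listed fix and are reported as unpatched."""
    v = parse_otp_version(version)
    fixed = FIXED_VERSIONS.get(v[0])
    if fixed is None:
        return False
    # Tuple comparison is lexicographic, so (26, 2, 5) < (26, 2, 5, 11):
    # a shorter version string below the fix is correctly flagged.
    return v >= fixed


def triage(versions: list[str]) -> dict[str, bool]:
    """Map each version string in an inventory to its patched status."""
    return {ver: is_patched(ver) for ver in versions}


if __name__ == "__main__":
    # Constructed inventory of hosts, not real data.
    inventory = ["OTP-27.3.3", "26.2.5.10", "25.3.2.20", "24.3.4.17"]
    for ver, ok in triage(inventory).items():
        print(f"{ver}: {'patched' if ok else 'UNPATCHED'}")
```

A distribution package that backports the fix while keeping an older version number will be reported as unpatched by this check; confirm such cases against the vendor's own advisory.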
In addition to in-house and self-developed systems/applications, commercial products and open-source software/libraries may also be affected by the vulnerability. A non-exhaustive list of advisories published by product vendors is provided below. It is strongly recommended to consult product vendors to determine whether the software products in use are affected and whether corresponding patches/mitigation measures are available.
Cisco
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-erlang-otp-ssh-xyZZy
If the patch cannot be applied immediately, administrators of affected systems should follow the recommendations provided by the product vendor and take immediate action to mitigate the risk:
Disable the SSH server, or prevent access to it via firewall rules.