Critical Erlang OTP SSH Daemon Zero-Day Exploited in OT Networks (CVE-2025-32433)

A severe remote code execution zero-day—CVE-2025-32433—has been actively exploited in critical infrastructure environments via Erlang’s OTP SSH daemon. Operators must patch immediately and monitor OT environments for signs of post-exploit activity.


What's Going On

A remote code execution (RCE) vulnerability in Erlang's OTP SSH daemon, tracked as CVE-2025-32433, is being actively exploited in operational technology (OT) and critical infrastructure across six countries. Threat actors are leveraging this flaw to target firewalls and other OT network components, granting attackers shell access and persistence.

Affected Systems & Risk Profile

  • Component: Erlang OTP SSH Daemon
  • Severity: Maximum – allows unauthenticated RCE on exposed OT infrastructure.
  • Scope: Widespread across multiple firewall appliances used in industrial and critical network environments.

Mitigation & Immediate Actions

  1. Patch Immediately: Apply vendor updates or Erlang package updates that address CVE-2025-32433.
  2. Isolate Impacted Devices: Limit SSH access to OT devices behind segmentation and restrict admin access.
  3. Monitor for Anomalies: Look for unexpected SSH sessions, process executions, or unknown file drops.
  4. Engage OT Security Teams: Update risk assessments and IR plans to account for this new attack vector.
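As an added illustration of step 3 (example code, not from the original advisory): a small Python triage script that flags SSH sessions on which a command ran or a file was written without a logged successful authentication, which is what an unauthenticated RCE against the daemon would look like in session logs, and also flags execution from outside an assumed admin subnet (10.0.0.0/24). The log format and sample lines are constructed for the example; adapt the regex to your appliance's real log format.

```python
"""Flag SSH activity that should not occur on an OT device: command
execution or file writes on a session that never completed authentication,
and any such action from outside the approved admin network."""
import ipaddress
import re

# Constructed log format for this example, NOT the real daemon's format.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) ssh\[sess=(?P<sess>\w+)\] '
    r'(?P<event>connect|auth|exec|shell|write)(?P<rest>.*)$'
)
ADMIN_NET = ipaddress.ip_network("10.0.0.0/24")  # assumed admin segment

# Constructed sample: a1 is a normal admin session, b2 executes without
# ever authenticating (and from a non-admin address), c3 fails auth only.
SAMPLE_LOG = """\
2025-04-17T10:02:11Z ssh[sess=a1] connect from 10.0.0.5
2025-04-17T10:02:12Z ssh[sess=a1] auth success user=admin
2025-04-17T10:02:13Z ssh[sess=a1] exec cmd="show running-config"
2025-04-17T10:05:40Z ssh[sess=b2] connect from 198.51.100.7
2025-04-17T10:05:41Z ssh[sess=b2] exec cmd="id"
2025-04-17T10:05:42Z ssh[sess=b2] write path=/tmp/.x
2025-04-17T10:09:00Z ssh[sess=c3] connect from 10.0.0.9
2025-04-17T10:09:01Z ssh[sess=c3] auth failure user=root
""".splitlines()

def parse(line):
    """Return a dict of fields, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["rest"] = d["rest"].strip()
    return d

def find_suspicious(lines):
    """Return (session, reason) tuples for exec/shell/write events that
    happen before authentication or from outside ADMIN_NET."""
    src, authed, findings = {}, set(), []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        s = ev["sess"]
        if ev["event"] == "connect":
            src[s] = ev["rest"].split()[-1]          # "from <ip>"
        elif ev["event"] == "auth":
            if ev["rest"].startswith("success"):
                authed.add(s)
        else:                                        # exec / shell / write
            if s not in authed:
                findings.append((s, f"{ev['event']} before authentication"))
            ip = src.get(s)
            if ip and ipaddress.ip_address(ip) not in ADMIN_NET:
                findings.append((s, f"{ev['event']} from non-admin source {ip}"))
    return findings

if __name__ == "__main__":
    for sess, reason in find_suspicious(SAMPLE_LOG):
        print(f"ALERT session={sess}: {reason}")
```

On the sample above only session b2 is reported, once per unauthenticated action and once per action from the non-admin address.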

ThreatGrid Takeaways

  • This is a high-stakes zero-day. It directly affects OT systems essential to critical operations.
  • RCE via SSH daemon enables full control of impacted devices—there’s no easy rollback.
  • Patch urgency is paramount. Given active exploitation, the vulnerability window must be closed now.
  • Strengthen network segmentation and SSH access controls for OT devices to reduce exposure.