Multiple Cisco Products Unauthenticated Remote Code Execution in Erlang/OTP SSH Server: April 2025

🚨 SEVERITY: CRITICAL — CVSS 10.0 Security Advisory

TL;DR 📌

  • On April 16, 2025, a critical vulnerability in the Erlang/OTP SSH server was disclosed. This vulnerability could allow an unauthenticated, remote attacker to perform remote code execution (RCE) on an affected device. The vulnerability is due to a flaw in the handling of SSH messages during the authentication phase. For a description of this vulnerability, see the Erlang announcement [“https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2”].
  • No fixed release listed yet; apply mitigations and monitor.
  • Workarounds are documented in the advisory.
  • CVEs: CVE-2025-32433.

What happened 🕵️‍♂️

On April 16, 2025, a critical vulnerability in the Erlang/OTP SSH server was disclosed. This vulnerability could allow an unauthenticated, remote attacker to perform remote code execution (RCE) on an affected device.

The vulnerability is due to a flaw in the handling of SSH messages during the authentication phase.

For a description of this vulnerability, see the Erlang announcement [“https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2”].

Affected products 🖥️

The following table lists Cisco products that are affected by the vulnerability that is described in this advisory. If a future release date is indicated for software, the date provided represents an estimate based on all information known to Cisco as of the Last Updated date at the top of the advisory. Availability dates are subject to change based on a number of factors, including satisfactory testing results and delivery of other priority features and fixes. Customers should refer to the associated Cisco bug(s) for further details. Cisco Product Cisco Bug ID Fixed Release Available Network Application, Service, and Acceleration ConfD, ConfD Basic1 CSCwo83759 [“https://tools.cisco.com/bugsearch/bug/CSCwo83759”] 7.7.19.1 8.0.17.1 8.1.16.2 8.2.11.1 8.3.8.1 8.4.4.1 Network Management and Provisioning Network Services Orchestrator (NSO)1 CSCwo83796 [“https://tools.cisco.com/bugsearch/bug/CSCwo83796”] 5.7.19.1 6.1.16.2 6.2.11.1 6.3.8.1 6.4.1.1 6.4.4.1 Smart PHY1 CSCwo83751 [“https://tools.cisco.com/bugsearch/bug/CSCwo83751”] 25.2 (Sep 2025) Ultra Services Platform1 CSCwo83750 [“https://tools.cisco.com/bugsearch/bug/CSCwo83750”] No fix planned. Routing and Switching - Enterprise and Service Provider ASR 5000 Series Software (StarOS) and Ultra Packet Core1 CSCwo83806 [“https://tools.cisco.com/bugsearch/bug/CSCwo83806”] 2025.03 (Jul 2025) Cloud Native Broadband Network Gateway1 CSCwo83769 [“https://tools.cisco.com/bugsearch/bug/CSCwo83769”] 2025.03.1 (Aug 2025) iNode Manager CSCwo83755 [“https://tools.cisco.com/bugsearch/bug/CSCwo83755”] No fix planned.2 Optical Site Manager for Network Convergence System (NCS) 1000 Series1 CSCwo83800 [“https://tools.cisco.com/bugsearch/bug/CSCwo83800”] 25.2.1 (Jun 2025) 25.3.1 (Sep 2025) Shelf Virtualization Orchestrator Module for NCS 2000 Series1 CSCwo83774 [“https://tools.cisco.com/bugsearch/bug/CSCwo83774”] 25.1.1 (Jun 2025) Ultra Cloud Core - Access and Mobility Management Function1 CSCwo83785 [“https://tools.cisco.com/bugsearch/bug/CSCwo83785”] 2025.03.1 (Aug 2025) Ultra Cloud Core - Policy Control Function1 CSCwo83789 [“https://tools.cisco.com/bugsearch/bug/CSCwo83789”] 2025.03.1 (Aug 2025) Ultra Cloud Core - Redundancy Configuration Manager1 CSCwo83753 [“https://tools.cisco.com/bugsearch/bug/CSCwo83753”] 2025.03.1 (Aug 2025) Ultra Cloud Core - Session Management Function1 CSCwo83775 [“https://tools.cisco.com/bugsearch/bug/CSCwo83775”] 2025.03.1 (Aug 2025) Ultra Cloud Core - Subscriber Microservices Infrastructure1 CSCwo83747 [“https://tools.cisco.com/bugsearch/bug/CSCwo83747”] 2025.03.1 (Aug 2025) Unified Computing Enterprise NFV Infrastructure Software (NFVIS)1 CSCwo83758 [“https://tools.cisco.com/bugsearch/bug/CSCwo83758”] 4.18 (Aug 2025) Routing and Switching - Small Business Small Business RV Series Routers RV160, RV160W, RV260, RV260P, RV260W, RV340, RV340W, RV345, RV345P CSCwo83803 [“https://tools.cisco.com/bugsearch/bug/CSCwo83803”] CSCwo83767 [“https://tools.cisco.com/bugsearch/bug/CSCwo83767”] No fix planned.3

  1. While these products are vulnerable because they accept unauthenticated channel request messages, due to the product configuration they are not vulnerable to RCE.
  2. iNode Manager has reached end of software maintenance. End-of-Sale and End-of-Life Announcement for the Cisco iNode Manager & Intelligent Node Local Control Software [“https://www.cisco.com/c/en/us/products/collateral/video/gs7000-node/inode-manager-intel-node-eol.html”].
  3. These routers have reached end of software maintenance. End-of-Sale and End-of-Life Announcement for the Cisco RV 160, RV260, RV345P, RV340W, RV260W, RV260P and RV160W VPN Routers [“https://www.cisco.com/c/en/us/products/collateral/routers/small-business-rv-series-routers/eos-eol-notice-c51-2655972.html”].

Fixed software 🔧

Upgrade to the first fixed release in your train (or later):

Release / Product First Fixed Release Notes
1.11 Vulnerability added to CISA KEV.
1.10 Updated product lists and statuses. Changed the advisory status to Final.
1.9 Updated product lists and statuses.
1.8 Updated product lists and statuses.
1.7 Updated product lists and statuses.
1.6 Updated product lists and statuses.
1.5 Updated product lists and statuses.
1.4 Updated product lists and statuses.
1.3 Updated product lists and statuses.
1.2 Updated product lists and statuses.
1.1 Updated product lists and statuses.
1.0 Initial public release.

Workarounds 🧯

Any workarounds will be documented in the product-specific Cisco bugs, which are identified in the Vulnerable Products ["#vp"] section of this advisory.

Risk in context 🎯

Use vendor CVSS for prioritization. Consider exposure and asset criticality.

Fast facts ⚡

  • Advisory: cisco-sa-erlang-otp-ssh-xyZZy
  • Initial release: 2025-04-22T21:45:00 UTC
  • Last updated: 2025-06-11T14:40:37 UTC

For leadership 🧭

Executive summary. Risk is Critical (CVSS 10.0) for Cisco, Cisco ASR 5000 Series Software. Vendor fixes are available; prioritize upgrade within 48–72 hours based on environment risk.

Why it matters (exposure drivers):

  • Potential service impact and security exposure depend on deployment topology and access paths.
  • Treat internet-exposed or multi-tenant management nodes as higher risk.
  • Ensure monitoring for abnormal auth/config events until upgrades complete.

Remediation & timing:

  • Upgrade to the first fixed release per the table above; schedule an approved change window within 48–72 hours.
  • Change risk: low-to-moderate (standard vendor patch). Validate backups and rollback plan.

Now / Next / Later:

  • Now: Confirm exposure, identify affected versions, and enable monitoring/alerts.
  • Next: Patch according to the fixed software table; verify service health post-change.
  • Later: Add control checks to build pipeline/CMDB to block drift to vulnerable trains.