TL;DR 📌

• On April 16, 2025, a critical vulnerability in the Erlang/OTP SSH server was disclosed. This vulnerability could allow an unauthenticated, remote attacker to perform remote code execution (RCE) on an affected device. The vulnerability is due to a flaw in the handling of SSH messages during the authentication phase. For a description of this vulnerability, see the Erlang announcement [“https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2”].
• No fixed release listed yet; apply mitigations and monitor.
• Workarounds are documented in the advisory.
• CVEs: CVE-2025-32433.

What happened 🕵️‍♂️

On April 16, 2025, a critical vulnerability in the Erlang/OTP SSH server was disclosed. This vulnerability could allow an unauthenticated, remote attacker to perform remote code execution (RCE) on an affected device.