CVE-2025-32433 — CRITICAL (10.0)

Q: How severe is CVE-2025-32433?

CVE-2025-32433 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2025-32433?

Check the references section above for vendor advisories and patch information. Affected products include: Erlang Erlang\/Otp, Cisco Confd Basic, Cisco Network Services Orchestrator, Cisco Cloud Native Broadband Network Gateway, Cisco Inode Manager.

Vulnerability Description

Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials. This issue is patched in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. A temporary workaround involves disabling the SSH server or to prevent access via firewall rules.

CVSS Score

10.0

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Erlang	Erlang\/Otp	< 25.3.2.20
Cisco	Confd Basic	< 7.7.19.1
Cisco	Network Services Orchestrator	< 5.7.19.1
Cisco	Cloud Native Broadband Network Gateway	< 2025.03.1
Cisco	Inode Manager	-
Cisco	Smart Phy	< 25.2
Cisco	Ultra Packet Core	< 2025.03
Cisco	Ultra Services Platform	-
Cisco	Staros	< 2025.03
Cisco	Optical Site Manager	< 25.2.1
Cisco	Ncs 1001	-
Cisco	Ncs 1002	-
Cisco	Ncs 1004	-
Cisco	Ncs 2000 Shelf Virtualization Orchestrator Firmware	< 25.1.1
Cisco	Ncs 2000 Shelf Virtualization Orchestrator Module	-
Cisco	Enterprise Nfv Infrastructure Software	< 4.18
Cisco	Ultra Cloud Core	< 2025.03.1
Cisco	Rv160W Firmware	-
Cisco	Rv160W	-
Cisco	Rv260 Firmware	-

Related Weaknesses (CWE)

CWE-306

References

https://github.com/erlang/otp/commit/0fcd9c56524b28615e8ece65fc0c3f66ef6e4c12Patch
https://github.com/erlang/otp/commit/6eef04130afc8b0ccb63c9a0d8650209cf54892fPatch
https://github.com/erlang/otp/commit/b1924d37fd83c070055beb115d5d6a6a9490b891Patch
https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2Vendor Advisory
http://www.openwall.com/lists/oss-security/2025/04/16/2Mailing List
http://www.openwall.com/lists/oss-security/2025/04/18/1Mailing List
http://www.openwall.com/lists/oss-security/2025/04/18/2Mailing List
http://www.openwall.com/lists/oss-security/2025/04/18/6Mailing List
http://www.openwall.com/lists/oss-security/2025/04/19/1Mailing List
https://lists.debian.org/debian-lts-announce/2025/04/msg00028.htmlThird Party Advisory
https://security.netapp.com/advisory/ntap-20250425-0001/Third Party Advisory
https://github.com/ProDefense/CVE-2025-32433/blob/main/CVE-2025-32433.pyExploit
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/ciThird Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-US Government Resource

FAQ

What is CVE-2025-32433?

CVE-2025-32433 is a vulnerability with a CVSS score of 10.0 (CRITICAL). Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may allow an attacker to perform unauthenticated remo...

How severe is CVE-2025-32433?

CVE-2025-32433 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2025-32433?

Check the references section above for vendor advisories and patch information. Affected products include: Erlang Erlang\/Otp, Cisco Confd Basic, Cisco Network Services Orchestrator, Cisco Cloud Native Broadband Network Gateway, Cisco Inode Manager.