Cyber Resilience

CVE-2025-32433

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 16 April 2025

Modified: 04 November 2025
KEV Added: 09 June 2025
Patch
CVSS Score v3.1: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.6261 (98.4th percentile)
Risk Priority: 78 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-32433 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Cisco Network Services Orchestrator. Its CVSS base score is 10.0 (Critical).

Operationally, it ranks in the top 1.6% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

Erlang/OTP is a set of libraries for the Erlang programming language that includes an SSH server implementation. CVE-2025-32433 is a missing authentication vulnerability (CWE-306) in SSH protocol message handling that affects all releases prior to OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. The flaw permits unauthenticated remote code execution with a CVSS score of 10.0.

An attacker with network access to the SSH service can send specially crafted protocol messages to bypass authentication entirely, gaining the ability to execute arbitrary commands on the underlying system with the privileges of the SSH server process. No valid credentials are required, and the attack can be carried out remotely without user interaction.

Official patches are available in the three versions listed above, and the project has published corresponding commits along with a GitHub security advisory. Recommended temporary workarounds are to disable the SSH server or restrict access through firewall rules. The associated EPSS score currently stands at 0.5932 with a recorded peak of 0.6285.
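
A version triage sketch for the fixed releases named above, as an added example that is not code from this page or from the Erlang/OTP project. The host names and inventory are constructed, and treating branches newer than 27 as already fixed is an assumption. A version match only matters on hosts where the OTP SSH server is actually enabled and reachable.

```python
import re

# Fixed releases per branch, as named in the analysis above.
FIXED = {27: (27, 3, 3), 26: (26, 2, 5, 11), 25: (25, 3, 2, 20)}

def parse_otp(version):
    """Parse 'OTP-26.2.5.11', '26.2.5.11' or '27.0-rc1' into a tuple of ints."""
    m = re.fullmatch(r"(?:OTP-)?(\d+(?:\.\d+)*)(?:-rc\d+)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised OTP version: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def classify(version):
    """Return 'patched', 'affected', 'affected-no-fix-listed' or 'not-affected'."""
    nums = parse_otp(version)
    major = nums[0]
    if major > max(FIXED):
        return "not-affected"            # assumption: newer branches ship the fix
    if major < min(FIXED):
        return "affected-no-fix-listed"  # prior to every fixed release on the page
    fixed = FIXED[major]
    # OTP patch versions vary in length (27.3.3 vs 26.2.5.11): pad before comparing.
    width = max(len(nums), len(fixed))
    pad = lambda t: t + (0,) * (width - len(t))
    return "patched" if pad(nums) >= pad(fixed) else "affected"

def needs_action(inventory):
    """Map host -> status for every host not on a fixed release."""
    result = {}
    for host, version in inventory.items():
        status = classify(version)
        if status.startswith("affected"):
            result[host] = status
    return result

# Constructed inventory for illustration only.
SAMPLE_INVENTORY = {
    "mq-01": "OTP-26.2.5.11",
    "mq-02": "26.2.5.9",
    "nso-lab": "25.3.2.19",
    "legacy-gw": "24.3.4.17",
    "build-07": "27.3.3",
}

if __name__ == "__main__":
    for host, status in sorted(needs_action(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status} ({SAMPLE_INVENTORY[host]})")
```

Hosts reported as affected are candidates for the patch, or for the workarounds above (disable the SSH server or restrict access with firewall rules) until they can be upgraded.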

Vulnerability details

Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, an SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials. This issue is patched in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. A temporary workaround involves disabling the SSH server or preventing access via firewall rules.

CWE(s)
KEV Date Added: 09 June 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

erlang, erlang/otp: ≤ 25.3.2.20 · 26.0 — 26.2.5.11 · 27.0 — 27.3.3
cisco, confd basic: ≤ 7.7.19.1 · 8.0.18 — 8.1.16.2 · 8.2 — 8.2.11.1
cisco, network services orchestrator: ≤ 5.7.19.1 · 5.8 — 6.1.16.2 · 6.2 — 6.2.11.1
cisco, cloud native broadband network gateway: ≤ 2025.03.1
cisco, inode manager: all versions
cisco, smart phy: ≤ 25.2
cisco, ultra packet core: ≤ 2025.03
cisco, ultra services platform: all versions
cisco, staros: ≤ 2025.03
cisco, optical site manager: ≤ 25.2.1
+13 more product configuration(s) — see NVD for full list

Mitigating Controls (NIST 800-53 r5)

prevent

Directly enforces authentication before allowing any commands to be processed by the SSH server, blocking the unauthenticated RCE path.

prevent

Requires successful identification and authentication prior to granting access to the SSH service, directly mitigating the missing-authentication flaw.

prevent

Enforces boundary protection (e.g., firewall rules) to block network access to the vulnerable SSH port when patching or disabling the service is not immediate.

References