CVE-2025-32433
Published: 16 April 2025
Summary
CVE-2025-32433 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Cisco Network Services Orchestrator. Its CVSS base score is 10.0 (Critical).
Operationally, it is ranked in the top 1.6% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Deeper analysis
Erlang/OTP is a set of libraries for the Erlang programming language that includes an SSH server implementation. CVE-2025-32433 is a missing authentication vulnerability (CWE-306) in SSH protocol message handling that affects all releases prior to OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. The flaw permits unauthenticated remote code execution with a CVSS score of 10.0.
An attacker with network access to the SSH service can send specially crafted protocol messages to bypass authentication entirely, gaining the ability to execute arbitrary commands on the underlying system with the privileges of the SSH server process. No valid credentials are required, and the attack can be carried out remotely without user interaction.
Official patches are available in the three versions listed above, and the project has published corresponding commits along with a GitHub security advisory. Recommended temporary workarounds are to disable the SSH server or restrict access through firewall rules. The associated EPSS score currently stands at 0.5932 with a recorded peak of 0.6285.
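A version triage against the fixed releases named above, as an added example (not code from the Erlang/OTP project or from this page). The hostnames, the inventory shape and the `ssh_reachable` flag are assumptions; branches newer than 27 are reported as unlisted because this page names no fixed release for them.

```python
import re

# Fixed releases per branch, as listed in the advisory text above.
FIXED = {25: (25, 3, 2, 20), 26: (26, 2, 5, 11), 27: (27, 3, 3)}

def parse_otp(text):
    """'OTP-26.2.5.11', '26.2.5.11' or '27.0-rc1' -> tuple of ints, else None."""
    m = re.fullmatch(r"(?:OTP-)?(\d+(?:\.\d+)*)(?:-rc\d+)?", text.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def classify(version_text):
    """Return 'affected', 'patched', 'unlisted' or 'unknown' for one version string."""
    v = parse_otp(version_text)
    if v is None:
        return "unknown"
    major = v[0]
    if major < min(FIXED):
        return "affected"   # older than every fixed release; no fix named for the branch
    if major not in FIXED:
        return "unlisted"   # assumption: newer branch, confirm against the project advisory
    # Numeric tuple comparison: 25.3.2.9 < 25.3.2.20, which a string compare gets wrong.
    return "affected" if v < FIXED[major] else "patched"

def triage(inventory):
    """inventory: {host: (version, ssh_reachable)} -> {host: action}."""
    actions = {}
    for host, (version, ssh_reachable) in inventory.items():
        status = classify(version)
        if status == "affected":
            actions[host] = ("patch now; disable SSH server or firewall it meanwhile"
                             if ssh_reachable else "patch")
        elif status == "patched":
            actions[host] = "none"
        else:
            actions[host] = "verify manually"
    return actions

# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE = {
    "build-01": ("OTP-27.3.2", True),
    "mq-02": ("26.2.5.11", True),
    "legacy-03": ("24.3.4.17", False),
    "edge-04": ("25.3.2.9", True),
    "lab-05": ("unknown-build", True),
}

if __name__ == "__main__":
    for host, action in triage(SAMPLE).items():
        print(f"{host}: {action}")
```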
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-11793
Vulnerability details
Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, an SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials. This issue is patched in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. A temporary workaround involves disabling the SSH server or preventing access via firewall rules.
- CWE(s): CWE-306
- KEV Date Added: 09 June 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Directly enforces authentication before allowing any commands to be processed by the SSH server, blocking the unauthenticated RCE path.
Requires successful identification and authentication prior to granting access to the SSH service, directly mitigating the missing-authentication flaw.
Enforces boundary protection (e.g., firewall rules) to block network access to the vulnerable SSH port when patching or disabling the service is not immediate.