
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
On April 16, 2025, a critical vulnerability (CVE-2025-32433) was discovered in the Erlang/OTP SSH server implementation. The vulnerability allows an attacker with network access to execute arbitrary code without prior authentication. The affected versions include OTP-27.3.2 and prior, OTP-26.2.5.10 and prior, and OTP-25.3.2.19 and prior. The vulnerability has been assigned a CVSSv3 score of 10.0 (Critical) (GitHub Advisory, NVD).
The vulnerability stems from a flaw in the SSH protocol message handling which allows an attacker to send connection protocol messages prior to authentication. According to the researchers, the server does not properly check the current protocol stage when receiving messages from the connection protocol, allowing clients to send SSH_MSG_CHANNEL_OPEN and SSH_MSG_CHANNEL_REQUEST messages during the transport layer's handshake. This enables execution of arbitrary commands without valid credentials. The vulnerability was discovered using state machine learning to infer the state machine of the Erlang/OTP SSH server through interaction (OpenWall, OpenWall).
Successful exploitation of this vulnerability allows attackers to execute arbitrary code in the context of the SSH daemon. If the SSH daemon is running with elevated privileges (such as root), attackers can gain full control of the affected device. This could result in unauthorized access to sensitive data, manipulation of system resources by third parties, or denial-of-service attacks. The vulnerability is particularly concerning as Erlang is widely used in networking equipment that forms the backbone of the internet, and SSH is used to establish secure connections on the control plane managing many of those devices (Arctic Wolf).
The vulnerability has been patched in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. Users are strongly advised to upgrade to these fixed versions. For users unable to immediately upgrade, temporary workarounds include either disabling the SSH server or implementing firewall rules to restrict access to the vulnerable SSH service. The fix implemented by the Erlang/OTP team involves checking whether the client is authenticated when receiving connection protocol messages and disconnecting if this is not the case (GitHub Advisory, OpenWall).
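The protocol-stage check described above can be modelled over a decoded message trace. The following Python sketch is an added example, not Erlang/OTP code or code from the advisory. The message numbers are the standard SSH assignments from RFC 4250; the function name, the trace format and both sample traces are constructed for illustration.

```python
# Standard SSH message numbers (RFC 4250).
SSH_MSG_SERVICE_REQUEST = 5
SSH_MSG_KEXINIT = 20
SSH_MSG_NEWKEYS = 21
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_SUCCESS = 52
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_REQUEST = 98

# Numbers 80-127 belong to the connection protocol and are only
# meaningful once user authentication has succeeded.
CONNECTION_PROTOCOL = range(80, 128)


def first_preauth_violation(events):
    """Return the index of the first connection-protocol message a client
    sends before the server has sent SSH_MSG_USERAUTH_SUCCESS, else None.

    events: iterable of (sender, msg_number), sender "client" or "server".
    (Hypothetical trace format, e.g. produced by a test harness or proxy.)
    """
    authenticated = False
    for index, (sender, msg) in enumerate(events):
        if sender == "server" and msg == SSH_MSG_USERAUTH_SUCCESS:
            authenticated = True
        elif sender == "client" and msg in CONNECTION_PROTOCOL and not authenticated:
            # A fixed server disconnects here instead of processing it.
            return index
    return None


# Constructed trace: key exchange, authentication, then channel messages.
NORMAL_TRACE = [
    ("client", SSH_MSG_KEXINIT), ("server", SSH_MSG_KEXINIT),
    ("client", SSH_MSG_NEWKEYS), ("server", SSH_MSG_NEWKEYS),
    ("client", SSH_MSG_SERVICE_REQUEST), ("client", SSH_MSG_USERAUTH_REQUEST),
    ("server", SSH_MSG_USERAUTH_SUCCESS),
    ("client", SSH_MSG_CHANNEL_OPEN), ("client", SSH_MSG_CHANNEL_REQUEST),
]

# Constructed trace: channel messages arrive during the handshake.
PREAUTH_TRACE = [
    ("client", SSH_MSG_KEXINIT), ("server", SSH_MSG_KEXINIT),
    ("client", SSH_MSG_CHANNEL_OPEN), ("client", SSH_MSG_CHANNEL_REQUEST),
]

if __name__ == "__main__":
    print(first_preauth_violation(NORMAL_TRACE))   # None
    print(first_preauth_violation(PREAUTH_TRACE))  # 2
```

The same predicate works as a regression check against a patched server's behaviour or as a rule over protocol-aware sensor output, provided the sensor exposes message numbers and direction.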
The security community has expressed significant concern about this vulnerability, particularly due to its critical severity and ease of exploitation. The Horizon3 Attack Team posted on X (formerly Twitter) about successfully reproducing the vulnerability, warning that public exploits would likely emerge soon. Security researchers have noted that the vulnerability's exploitation was surprisingly easy to achieve, with one researcher successfully creating a PoC using AI assistance, raising discussions about the implications of AI in vulnerability research (Help Net Security).
Source: This report was generated using AI