How severe is CVE-2025-32433?

CVE-2025-32433 has a CVSS score of 10/10, rated CRITICAL. Immediate patching is strongly recommended.

Which packages are affected by CVE-2025-32433?

Affected package information for CVE-2025-32433 is not yet fully mapped. Check the official advisory links for details.

How do I fix CVE-2025-32433?

No fixed version has been published for CVE-2025-32433 yet. Monitor the advisory for updates, apply mitigations recommended by the vendor, and use O3 Security to track when a fix becomes available in your stack.

Is CVE-2025-32433 actively exploited in the wild?

Yes. There are 11 known exploit references for CVE-2025-32433, including . All exploit code should only be run in an isolated sandbox environment for research or authorized testing — never against production systems without explicit written authorization.

What is the EPSS score for CVE-2025-32433?

CVE-2025-32433 has an EPSS (Exploit Prediction Scoring System) score of 59.3%, placing it in the 98th percentile of all CVEs. EPSS is maintained by FIRST.org and estimates the probability that a vulnerability will be exploited in the wild within the next 30 days. A score above 50% indicates significantly elevated exploitation risk — immediate patching is strongly recommended.

Is CVE-2025-32433 in the CISA Known Exploited Vulnerabilities catalog?

Yes. CVE-2025-32433 (Erlang Erlang/OTP SSH Server Missing Authentication for Critical Function Vulnerability) was added to CISA's Known Exploited Vulnerabilities (KEV) catalog on 2025-06-09. CISA required all US federal civilian agencies to remediate this vulnerability by 2025-06-30. The required action was: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Being listed in the KEV catalog is the strongest possible confirmation of active exploitation — treat this as a critical priority.

When was CVE-2025-32433 published, and has it been updated?

CVE-2025-32433 was published on April 16, 2025 and was last updated on April 10, 2026. Advisory data evolves as severity scores, affected ranges, and exploit intelligence are revised — always check the latest version of the advisory before acting.

CISA KEV·Added 2025-06-09 — agencies required to remediate by 2025-06-30

CVE-2025-32433

CRITICAL

Erlang/OTP SSH Vulnerable to Pre-Authentication RCE

Also known asGHSA-37cp-fgq5-7wc2

Published

Apr 16, 2025

Updated

Apr 10, 2026

Affected

0 pkgs

Patched

None yet

Exploits

11 known

EPSS Exploitation Probability

via FIRST.org ↗

59.3%probability of exploitation in next 30 days

High Risk98th percentile-0.40%

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Description

Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials. This issue is patched in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. A temporary workaround involves disabling the SSH server or to prevent access via firewall rules.

Exploits & PoCs

Research use only. For defensive security, authorized penetration testing, and academic research only. Never execute exploit code against systems without explicit written authorization.

ProDefense/CVE-2025-32433

CVE-2025-32433 https://github.com/erlang/otp/security/advisories/GHSA-37

⭐ 142🍴 27May 2026

omer-efe-curkus/CVE-2025-32433-Erlang-OTP-SSH-RCE-PoC

The vulnerability allows an attacker with network access to an Erlang/OT

⭐ 15🍴 2Mar 2026

0xPThree/cve-2025-32433

⭐ 6🍴 1Apr 2026

NiteeshPujari/CVE-2025-32433-PoC

CVE-2025-32433 PoC: Unauthenticated Remote Code Execution (RCE) in Erlan

⭐ 6🍴 1Jan 2026

ekomsSavior/POC_CVE-2025-32433

⭐ 5🍴 2Apr 2026

m0usem0use/erl_mouse

python script to find vulnerable targets of CVE-2025-32433

⭐ 5🍴 2Sep 2025

exa-offsec/ssh_erlangotp_rce

Exploitation module for CVE-2025-32433 (Erlang/OTP)

⭐ 3🍴 1May 2025

darses/CVE-2025-32433

Security research on Erlang/OTP SSH CVE-2025-32433.

⭐ 3🍴 0Jan 2026

LemieOne/CVE-2025-32433

Missing Authentication for Critical Function (CWE-306)-Exploit

⭐ 3🍴 0Apr 2025

0x7556/CVE-2025-32433

CVE-2025-32433 Erlang/OTP SSH RCE Exploit SSH远程代码执行漏洞EXP

⭐ 3🍴 0Jun 2026

Frequently Asked Questions

O3 Security · Impact-Aware SCA

Is CVE-2025-32433 in your stack?

O3 detects CVE-2025-32433 across dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my stack How O3 SCA works

CVSS Score

10/10

CVSS v3 base score

Vector breakdown

AV:Attack Vector

Network

AC:Attack Complexity

Low

PR:Privileges Required

None

UI:User Interaction