Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-32433

Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials. This issue is patched in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. A temporary workaround involves disabling the SSH server or to prevent access via firewall rules.

Security Impact Summary

This vulnerability carries a CRITICAL severity rating with a CVSS v3.1 score of 10.0, indicating it can be exploited remotely over the network with relatively low complexity without requiring user interaction and does not require pre-existing privileges . The vulnerability impacts confidentiality (data exposure), integrity (unauthorized modifications), and availability (service disruption) for affected systems. Impacting 36 products from erlang, from cisco, from cisco and 33 others, organizations running these solutions should prioritize assessment and patching.

Historical Context

Reported in 2025, this vulnerability emerged during an era marked by increased sophistication in supply chain attacks, cloud infrastructure vulnerabilities, and software-as-a-service (SaaS) security challenges. Security practices during this period emphasized zero-trust architectures, container security, and API protection.

Published

2025-04-16T22:15:14.373

Last Modified

2025-11-04T14:49:05.177

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 10.0 (CRITICAL)

Weaknesses
  • Type: Secondary
    CWE-306
Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Application erlang erlang\/otp < 25.3.2.20 Yes
Application erlang erlang\/otp < 26.2.5.11 Yes
Application erlang erlang\/otp < 27.3.3 Yes
Application cisco confd_basic < 7.7.19.1 Yes
Application cisco confd_basic < 8.1.16.2 Yes
Application cisco confd_basic < 8.2.11.1 Yes
Application cisco confd_basic < 8.3.8.1 Yes
Application cisco confd_basic < 8.4.4.1 Yes
Application cisco network_services_orchestrator < 5.7.19.1 Yes
Application cisco network_services_orchestrator < 6.1.16.2 Yes
Application cisco network_services_orchestrator < 6.2.11.1 Yes
Application cisco network_services_orchestrator < 6.3.8.1 Yes
Application cisco network_services_orchestrator < 6.4.1.1 Yes
Application cisco network_services_orchestrator < 6.4.4.1 Yes
Application cisco cloud_native_broadband_network_gateway < 2025.03.1 Yes
Application cisco inode_manager - Yes
Application cisco smart_phy < 25.2 Yes
Application cisco ultra_packet_core < 2025.03 Yes
Application cisco ultra_services_platform - Yes
Operating System cisco staros < 2025.03 Yes
Application cisco optical_site_manager < 25.2.1 Yes
Hardware cisco ncs_1001 - No
Hardware cisco ncs_1002 - No
Hardware cisco ncs_1004 - No
Operating System cisco ncs_2000_shelf_virtualization_orchestrator_firmware < 25.1.1 Yes
Hardware cisco ncs_2000_shelf_virtualization_orchestrator_module - No
Application cisco enterprise_nfv_infrastructure_software < 4.18 Yes
Application cisco ultra_cloud_core < 2025.03.1 Yes
Operating System cisco rv160w_firmware - Yes
Hardware cisco rv160w - No
Operating System cisco rv260_firmware - Yes
Hardware cisco rv260 - No
Operating System cisco rv160_firmware - Yes
Hardware cisco rv160 - No
Operating System cisco rv260p_firmware - Yes
Hardware cisco rv260p - No
Operating System cisco rv260w_firmware - Yes
Hardware cisco rv260w - No
Operating System cisco rv340_firmware - Yes
Hardware cisco rv340 - No
Operating System cisco rv340w_firmware - Yes
Hardware cisco rv340w - No
Operating System cisco rv345_firmware - Yes
Hardware cisco rv345 - No
Operating System cisco rv345p_firmware - Yes
Hardware cisco rv345p - No
Operating System debian debian_linux 11.0 Yes
References

How SecUtils Interprets This CVE

SecUtils normalizes and enriches National Vulnerability Database (NVD) records by standardizing vendor and product identifiers, aggregating vulnerability metadata from both NVD and MITRE sources, and providing structured context for security teams. For erlang's affected products, we extract Common Platform Enumeration (CPE) data, Common Weakness Enumeration (CWE) classifications, CVSS severity metrics, and reference data to enable rapid vulnerability prioritization and asset correlation. This record contains no exploit code, proof-of-concept instructions, or attack methodologies—only defensive intelligence necessary for patch management, risk assessment, and security operations.