Stratos Ally

Hackers Exploit Critical Erlang/OTP SSH Flaw, OT Networks Hit Hardest 


StratosAlly


Security researchers disclosed a critical vulnerability in the SSH server shipped with Erlang's Open Telecom Platform (OTP). Although it was patched in April 2025, the months since have seen active exploitation in the wild, with the brunt of the incidents falling on operational technology (OT) networks.

The vulnerability, tracked as CVE-2025-32433 and rated the maximum CVSS 10.0, stems from a missing authentication check in OTP's native SSH server: it accepted SSH connection-protocol messages, such as channel-open and exec requests, before user authentication had completed. Anyone with network access to a vulnerable server could therefore execute arbitrary code without credentials, with the privileges of the Erlang process running the daemon, which on many appliances is root. Once inside, attackers have been deploying reverse shells to maintain covert remote access to target networks. While no group has been formally linked to the campaign, researchers say the attack patterns show short, high-intensity bursts aimed at both IT and industrial service ports.
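The following is an added example, not code from the article or from Erlang/OTP's ssh application, and it does not reproduce the real exploit traffic. It models the class of bug described above: an SSH server dispatching connection-protocol messages (channel open, exec request) without first confirming that user authentication succeeded, next to the hardened shape that refuses them. Message numbers follow RFC 4250, 4252 and 4254; the Server class, the reply strings, the "correct-horse" password and the message sequences are illustrative assumptions.

```python
"""Simplified model of an SSH server's message dispatcher.

Added example: this is not code from Erlang/OTP's ssh application and it does
not reproduce the real exploit traffic. It models the class of bug the article
describes: acting on connection-protocol messages (channel open, exec request)
before user authentication has completed. Message numbers follow RFC 4250,
4252 and 4254; the class, the reply strings and the message sequences below
are illustrative assumptions.
"""
from dataclasses import dataclass, field

SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_REQUEST = 98

# RFC 4250 reserves message numbers 80..127 for the connection protocol,
# which is only meaningful once SSH_MSG_USERAUTH_SUCCESS has been sent.
CONNECTION_PROTOCOL_RANGE = range(80, 128)


@dataclass
class Server:
    """Toy server state. require_auth_for_channels=False is the vulnerable shape."""
    require_auth_for_channels: bool
    authenticated: bool = False
    executed: list = field(default_factory=list)   # commands the server ran
    disconnected: bool = False

    def _connection_handler(self, msg_type, payload):
        # Connection-protocol handlers: open a session channel, run a command.
        if msg_type == SSH_MSG_CHANNEL_OPEN:
            return "channel-open-ok"
        if msg_type == SSH_MSG_CHANNEL_REQUEST and payload.get("request") == "exec":
            self.executed.append(payload["command"])
            return "exec-ok"
        return "ignored"

    def handle(self, msg_type, payload=None):
        payload = payload or {}
        if self.disconnected:
            return "closed"
        if msg_type == SSH_MSG_USERAUTH_REQUEST:
            # Toy credential check; a real server verifies a key or password.
            if payload.get("password") == "correct-horse":
                self.authenticated = True
                return "userauth-success"
            return "userauth-failure"
        if msg_type in CONNECTION_PROTOCOL_RANGE:
            # Vulnerable: go straight to the connection handler.
            # Hardened: refuse the whole connection-protocol range until
            # authentication has succeeded, and drop the session.
            if self.require_auth_for_channels and not self.authenticated:
                self.disconnected = True
                return "disconnect"
            return self._connection_handler(msg_type, payload)
        return "ignored"


def run(server, messages):
    """Feed a message sequence to a server and collect its replies."""
    return [server.handle(msg_type, payload) for msg_type, payload in messages]


# Constructed sequences. PREAUTH_SEQUENCE never sends a userauth request at
# all; it goes straight to opening a session channel and requesting "id".
PREAUTH_SEQUENCE = [
    (SSH_MSG_CHANNEL_OPEN, {"channel_type": "session"}),
    (SSH_MSG_CHANNEL_REQUEST, {"request": "exec", "command": "id"}),
]
AUTHED_SEQUENCE = [(SSH_MSG_USERAUTH_REQUEST, {"password": "correct-horse"})] + PREAUTH_SEQUENCE


def demo():
    """Run the same unauthenticated sequence against both server shapes."""
    vulnerable = Server(require_auth_for_channels=False)
    hardened = Server(require_auth_for_channels=True)
    legit = Server(require_auth_for_channels=True)
    return {
        "vulnerable": (run(vulnerable, PREAUTH_SEQUENCE), vulnerable.executed),
        "hardened": (run(hardened, PREAUTH_SEQUENCE), hardened.executed),
        "authenticated": (run(legit, AUTHED_SEQUENCE), legit.executed),
    }


if __name__ == "__main__":
    for name, (replies, commands) in demo().items():
        print(f"{name:13s} replies={replies} executed={commands}")
```

The vulnerable shape runs "id" although no credentials were ever presented; the hardened shape answers the first pre-auth channel message with a disconnect and never reaches the exec handler, while a client that authenticates first is served normally. The invariant worth testing on any SSH implementation you maintain is the one the hardened branch enforces: nothing in the 80..127 message range is dispatched before userauth success.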

Investigators found that the attackers' activity came in sharp, concentrated bursts rather than a steady stream, pointing to focused campaigns instead of random scanning. Notably, the most intense surges often coincided with hits on OT-specific ports, and on some days OT detections made up more than 80 percent of all detections.

Patches were issued on April 17 in OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. Despite that, exploitation attempts surfaced as early as May, according to Palo Alto Networks’ Unit 42. In June, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities catalog, confirming in-the-wild attacks.

“Erlang/OTP’s SSH service handles encrypted connections, file transfers, and command execution,” Unit 42 researchers noted. “A flaw in this layer opens the door for attackers to take complete control of a system.”

Palo Alto Networks’ Unit 42 reports that exploitation began within weeks of the April 17, 2025 patch release, with significant activity detected between May 1–9. Approximately 70% of confirmed exploit signatures originated from firewalls protecting OT environments. Healthcare, high technology, agriculture, and education sectors were among the most affected, with incidents recorded in the U.S., Japan, Brazil, India, Canada, and Australia. Notably, Japan reported over 99% of triggers within OT networks, while the U.S. logged the highest absolute incident volume.

“This level of exposure across industrial ports represents a global attack surface that adversaries are clearly willing to exploit,” Unit 42 said.

Organizations are strongly urged to:

  • Upgrade to patched versions OTP 27.3.3 / 26.2.5.11 / 25.3.2.20 or later.
  • Apply network-level restrictions to limit SSH access to trusted IP ranges.
  • Monitor for anomalous DNS queries and unexpected outbound connections.
  • Update intrusion prevention and endpoint detection signatures to include CVE-2025-32433 patterns.
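To act on the first recommendation you need to know which fleet members are below the fixed release on their own branch, and a plain string comparison gets that wrong (26.2.5.11 sorts before 26.2.5.9 as text). The following is an added example, not from the article or the OTP project: a version checker keyed to the three fixed releases the article lists, run over a constructed host inventory. The inventory lines, the audit function and the rule that branches with no listed fix (24 and older) count as unpatched are assumptions.

```python
"""Decide whether an OTP version string is at or above the fixed release
on its branch, and audit a host inventory.

Added example (not from the article or the OTP project). The fixed versions
are those the article lists: OTP-27.3.3, OTP-26.2.5.11, OTP-25.3.2.20.
Assumptions: branches older than 25 are reported as unpatched because no fix
is listed for them; majors newer than 27 are treated as carrying the fix.
On a node, erlang:system_info(otp_release) gives only the major release
(e.g. "27"); the full string is in <root>/releases/<rel>/OTP_VERSION.
"""
import re

FIXED = {
    27: (27, 3, 3),
    26: (26, 2, 5, 11),
    25: (25, 3, 2, 20),
}

_VERSION_RE = re.compile(r"^(?:OTP-)?(\d+(?:\.\d+)*)$")


def parse_version(text):
    """'OTP-26.2.5.11' or '26.2.5.11' -> (26, 2, 5, 11). Raises ValueError otherwise."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an OTP version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_patched(text):
    """True if the version is at or above its branch's fixed release.

    Tuple comparison handles differing lengths: (26, 2, 6) > (26, 2, 5, 11)
    and a truncated '27.3' compares below (27, 3, 3), so it is reported as
    unpatched rather than silently passed.
    """
    version = parse_version(text)
    major = version[0]
    if major > max(FIXED):
        return True            # assumption: newer major branches include the fix
    fixed = FIXED.get(major)
    if fixed is None:
        return False           # no fixed release listed for this branch
    return version >= fixed


# Constructed inventory, one "host,version" pair per line.
INVENTORY = """\
plc-gw-01,OTP-25.3.2.19
hist-02,27.3.3
scada-web,26.2.6
legacy-hmi,24.3.4.17
"""


def audit(inventory_text):
    """Return [(host, version, patched)] for every non-empty inventory line."""
    results = []
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, version = line.split(",", 1)
        results.append((host.strip(), version.strip(), is_patched(version)))
    return results


if __name__ == "__main__":
    for host, version, ok in audit(INVENTORY):
        print(f"{host:12s} {version:16s} {'ok' if ok else 'UPGRADE'}")
```

The checker only tells you the OTP release is fixed; on a device that exposes the Erlang SSH daemon the network restriction in the second item still matters, because an appliance vendor may ship a patched OTP long after the fix is public.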

With active exploitation confirmed, and attackers pairing the initial foothold with persistence and reconnaissance, this vulnerability highlights the growing convergence of IT and OT risk. In a threat landscape where industrial networks are no longer isolated, a single unpatched component can be the breach point for large-scale operational disruption.
