Red Hot Cyber


Critical Score 10 Vulnerability in Erlang/Open Telecom Platform: Active Exploits on the Rise

Redazione RHC : 19 August 2025 08:46

Researchers have recorded active exploitation of a critical flaw in the SSH server that ships with Erlang/Open Telecom Platform (OTP) since early May 2025; roughly 70% of detections came from firewalls protecting industrial (OT) segments. The campaign began after the fixes were released: the patches appeared in April in OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20.
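A small triage helper, added here as an example rather than tooling from the Erlang/OTP project, that tells whether an installed OTP version sits on or above the fixed release for its line. The three fixed versions are the ones named above; treating OTP 28 and later as fixed (the April patch predates the OTP 28.0 release) and OTP 24 and earlier as unfixed (no patched release was issued for those lines) is this example's assumption:

```python
"""Version triage for CVE-2025-32433. Added example, not tooling from the
Erlang/OTP project. FIXED holds the patched releases named in the article;
the handling of lines outside 25-27 is this example's assumption."""
import re

# First patched release on each affected OTP line (from the article).
FIXED = {
    27: (27, 3, 3),
    26: (26, 2, 5, 11),
    25: (25, 3, 2, 20),
}


def parse_otp_version(text):
    """Accept '27.3.2', 'OTP-27.3.2' or the raw contents of an OTP_VERSION file."""
    match = re.search(r"(\d+(?:\.\d+)+)", text)
    if not match:
        raise ValueError(f"no OTP version found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def _cmp(a, b):
    """Compare dotted versions of unequal length; 27.3.3 equals 27.3.3.0."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def cve_2025_32433_status(text):
    """Return 'fixed' or 'vulnerable' for the given OTP version string.

    Assumptions (not from the article): OTP 28 and later already contain the
    April 2025 fix; OTP 24 and earlier never received one.
    """
    version = parse_otp_version(text)
    major = version[0]
    if major >= 28:
        return "fixed"
    if major not in FIXED:
        return "vulnerable"
    return "fixed" if _cmp(version, FIXED[major]) >= 0 else "vulnerable"


if __name__ == "__main__":
    for sample in ("27.3.2", "OTP-27.3.3", "26.2.5.11", "25.3.2.19", "24.3.4"):
        print(f"{sample:12} -> {cve_2025_32433_status(sample)}")
```

The full version string is in `releases/<otp_release>/OTP_VERSION` under the directory returned by `code:root_dir()`; `erlang:system_info(otp_release)` alone only yields the major number (for example `"27"`), which is why per-line comparison matters: 27.3.2 is vulnerable even though it is numerically above the patched 26.2.5.11. A vulnerable version is only exposed when the `ssh` application's daemon is actually started on the node; the check above says nothing about that.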

The vulnerability has been assigned the identifier CVE-2025-32433 and a maximum CVSS score of 10.0. It is a missing-authentication flaw in OTP's native SSH server: the daemon processes SSH connection-protocol messages (channel open and channel requests such as exec) before the client has authenticated, so an attacker with network access to the service can execute arbitrary code without credentials. Because the built-in SSH application handles not only encrypted sessions but also file transfers (SFTP) and remote command execution, the flaw directly threatens every exposed instance.
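To make the flaw class concrete, the following toy SSH server state machine (an added example in Python, not Erlang/OTP code) replays a constructed client message trace against two dispatchers: one that handles channel and exec requests regardless of authentication state, and a hardened one that disconnects on any connection-protocol message received before SSH_MSG_USERAUTH_SUCCESS. The message numbers are the real ones from RFC 4250, 4252 and 4254; the password, traces and exec payload are constructed:

```python
"""Toy SSH server dispatcher showing the pre-authentication gap behind
CVE-2025-32433. Added example in Python, not Erlang/OTP code; message
numbers are real (RFC 4250/4252/4254), everything else is constructed."""
from dataclasses import dataclass, field

SSH_MSG_DISCONNECT = 1
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_SUCCESS = 52
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_OPEN_CONFIRMATION = 91
SSH_MSG_CHANNEL_REQUEST = 98
SSH_MSG_CHANNEL_SUCCESS = 99
SSH_MSG_CHANNEL_FAILURE = 100
# RFC 4250 section 4.1.2 assigns numbers 80-127 to the connection protocol;
# none of them has any business arriving before user authentication.
CONNECTION_PROTOCOL = range(80, 128)

VALID_PASSWORD = "constructed-secret"  # constructed credential for the toy server


@dataclass
class SshServer:
    """gate_pre_auth=False reproduces the flaw class: channel/exec requests are
    dispatched whether or not the client ever authenticated. gate_pre_auth=True
    is the hardened behaviour: disconnect on the first out-of-order message."""
    gate_pre_auth: bool
    authenticated: bool = False
    channels: set = field(default_factory=set)
    executed: list = field(default_factory=list)

    def handle(self, msg_type, payload):
        """Process one client message and return the reply message number."""
        if self.gate_pre_auth and not self.authenticated and msg_type in CONNECTION_PROTOCOL:
            return SSH_MSG_DISCONNECT
        if msg_type == SSH_MSG_USERAUTH_REQUEST:
            if payload.get("password") == VALID_PASSWORD:
                self.authenticated = True
                return SSH_MSG_USERAUTH_SUCCESS
            return SSH_MSG_USERAUTH_FAILURE
        if msg_type == SSH_MSG_CHANNEL_OPEN:
            self.channels.add(payload["channel"])
            return SSH_MSG_CHANNEL_OPEN_CONFIRMATION
        if msg_type == SSH_MSG_CHANNEL_REQUEST:
            if payload["channel"] in self.channels and payload.get("request") == "exec":
                # The vulnerable dispatcher lands here without any credential
                # ever having been checked: this is the unauthenticated RCE.
                self.executed.append(payload["command"])
                return SSH_MSG_CHANNEL_SUCCESS
            return SSH_MSG_CHANNEL_FAILURE
        raise ValueError(f"message type {msg_type} not modelled")


def replay(trace, gate_pre_auth):
    """Feed a client message trace to a fresh server. Returns the session log as
    (sender, message number) pairs and the list of commands that executed."""
    server = SshServer(gate_pre_auth=gate_pre_auth)
    log = []
    for msg_type, payload in trace:
        log.append(("client", msg_type))
        reply = server.handle(msg_type, payload)
        log.append(("server", reply))
        if reply == SSH_MSG_DISCONNECT:
            break
    return log, server.executed


def pre_auth_connection_messages(log):
    """Server-side audit: connection-protocol message numbers the client sent
    before the server ever emitted SSH_MSG_USERAUTH_SUCCESS. A non-empty
    result is exactly the exploit's signature, whether or not it succeeded."""
    flagged, authenticated = [], False
    for sender, msg_type in log:
        if sender == "server" and msg_type == SSH_MSG_USERAUTH_SUCCESS:
            authenticated = True
        elif sender == "client" and not authenticated and msg_type in CONNECTION_PROTOCOL:
            flagged.append(msg_type)
    return flagged


# Constructed traces: the exploit never sends SSH_MSG_USERAUTH_REQUEST at all.
EXPLOIT_TRACE = [
    (SSH_MSG_CHANNEL_OPEN, {"channel": 0}),
    (SSH_MSG_CHANNEL_REQUEST, {"channel": 0, "request": "exec",
                               "command": "constructed-payload"}),
]
BENIGN_TRACE = [
    (SSH_MSG_USERAUTH_REQUEST, {"user": "ops", "password": VALID_PASSWORD}),
    (SSH_MSG_CHANNEL_OPEN, {"channel": 0}),
    (SSH_MSG_CHANNEL_REQUEST, {"channel": 0, "request": "exec", "command": "uptime"}),
]

if __name__ == "__main__":
    for gated in (False, True):
        log, ran = replay(EXPLOIT_TRACE, gate_pre_auth=gated)
        print(f"gate_pre_auth={gated}: executed={ran}, "
              f"pre-auth connection messages={pre_auth_connection_messages(log)}")
```

Against the vulnerable dispatcher the two-message trace runs the constructed payload with no credential ever checked; against the hardened one the session ends at the first channel-open. Note that on the wire every message after SSH_MSG_NEWKEYS is encrypted, so the message types only become visible inside the server (or an SSH-terminating proxy): the `pre_auth_connection_messages` audit models a server-side check or log, not something a passive network sensor can derive from packet captures.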

In June 2025, CISA added CVE-2025-32433 to its Known Exploited Vulnerabilities (KEV) catalog, confirming exploitation in the wild. Palo Alto Networks Unit 42 analysts Adam Robbie, Yiheng An, Malaw Vyas, Cecilia Hu, Matthew Tennis, and Zhanghao Chen point out that a flaw in this subsystem opens the door to credential-less exploitation, making vulnerable nodes easy targets.

Telemetry shows that more than 85% of the attempts targeted the medical, agricultural, media, and high-tech sectors. The geographic scope is broad: the United States, Canada, Brazil, India, Australia, and other regions. Short bursts of intensive requests were observed, mostly against OT networks, with attackers probing both common IT ports and specialised industrial services.

Successful intrusions used reverse shells to gain remote access and persist in the victim's infrastructure, followed by reconnaissance, data exfiltration, and lateral movement between nodes. The group behind the wave has not yet been identified.

Services exposed on ports typical of industrial systems show that OT networks worldwide remain a massive attack surface. The attacks vary in detail, but the overall picture is consistent: short periods of activity, a clear bias toward OT, and attempts to hit both IT and industrial gateways, all of which point to organised offensive tactics aimed at finding vulnerable hosts before administrators can deploy the updates.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
