On April 16, 2025, CVE-2025-32433 was disclosed—a critical remote code execution (RCE) vulnerability affecting the Erlang/OTP SSH implementation. With a CVSS score of 10.0, it enables unauthenticated attackers to execute arbitrary code via specially crafted SSH messages. This flaw is especially relevant in cloud-native environments where Erlang-based components such as RabbitMQ are used widely.
Technical Overview
The vulnerability resides in the ssh_connection:handle_msg/2 function and affects all Erlang/OTP versions prior to OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. Improper parsing of SSH handshake messages allows for memory corruption, which can be exploited to achieve code execution without authentication.
This vulnerability becomes particularly dangerous when the SSH daemon is exposed externally or to flat internal networks, especially in workloads that rely on distributed messaging or background control planes implemented in Erlang.
Affected Environments
The risk applies to deployments using:
- Erlang/OTP versions prior to: OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20
In practice, this can affect environments such as:
- RabbitMQ instances with SSH enabled
- Internal Erlang-based services that expose SSH on default or unmonitored ports
In cloud environments, these workloads may be unintentionally exposed due to permissive security group rules, shared VPCs, or misconfigured ingress policies. If attackers can reach the SSH daemon, the vulnerability can be exploited remotely—no credentials or user interaction required.
When the Exploit Actually Works
While CVE-2025-32433 is severe, actual exploitability depends on environmental factors. Exploitation is only feasible if:
- A vulnerable Erlang/OTP version is running
- The SSH daemon is active and reachable over the network
- No additional controls restrict SSH access
Many environments meet these conditions unintentionally due to default service configurations, lack of runtime visibility, or network segmentation gaps.
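As an added illustration (not code from the post or from Sweet's product), the following Python helper applies the version boundaries listed under "Affected Environments" and the three exploitability conditions above to a single workload. The `ssh_listening` and `inbound_reachable` inputs are assumed to come from your own inventory or scanner; the full version string is typically read from the `releases/<major>/OTP_VERSION` file of an OTP install.

```python
import re
from typing import Dict, Tuple

# Patched releases named in the advisory text, keyed by release line (major version).
FIXED_BY_LINE: Dict[int, Tuple[int, ...]] = {
    25: (25, 3, 2, 20),
    26: (26, 2, 5, 11),
    27: (27, 3, 3),
}

# Accepts "OTP-26.2.5.9", "26.2.5.9", or the contents of an OTP_VERSION file.
_VERSION_RE = re.compile(r"(?:OTP-)?(\d+(?:\.\d+)*)\s*$")


def parse_otp_version(text: str) -> Tuple[int, ...]:
    """Turn an OTP version string into an integer tuple for numeric comparison."""
    m = _VERSION_RE.search(text.strip())
    if not m:
        raise ValueError(f"not an OTP version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def assess_version(text: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unlisted' for one version string."""
    version = parse_otp_version(text)
    line = version[0]
    if line in FIXED_BY_LINE:
        # Tuple comparison is numeric per component, so 26.2.5.9 < 26.2.5.11
        # (a plain string compare would get this wrong). A fix on one release
        # line says nothing about another, hence the per-line lookup.
        return "vulnerable" if version < FIXED_BY_LINE[line] else "fixed"
    if line < min(FIXED_BY_LINE):
        return "vulnerable"  # older lines predate every listed fix
    return "unlisted"  # newer than any line the advisory names; verify separately


def triage(version_text: str, ssh_listening: bool, inbound_reachable: bool) -> str:
    """Combine the version status with the two runtime conditions from the post."""
    status = assess_version(version_text)
    if status == "fixed":
        return "patched"
    if status == "unlisted":
        return "verify-version"
    if not ssh_listening:
        return "vulnerable-package-only"  # no SSH daemon, so no network path to the bug
    if not inbound_reachable:
        return "vulnerable-but-restricted"  # compensating controls limit who can reach it
    return "exploitable-exposed"  # all three conditions from the post hold
```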
What You Can Do Today
- Upgrade immediately to the patched release for your line: OTP-27.3.3, OTP-26.2.5.11, or OTP-25.3.2.20.
- If an upgrade isn’t possible:
  - Disable SSH if not in use
  - Enforce IP allowlisting or firewall rules to limit access
  - Monitor for unusual SSH payloads and connections
Where Sweet Steps In
1. LLM-Based Runtime Vulnerability Reprioritization That Understands Exploitability
- Sweet’s vulnerability engine continuously analyzes each workload in your environment to determine not just whether it contains a vulnerable package, but whether that vulnerability is realistically exploitable based on runtime signals.
For CVE-2025-32433, Sweet checks:
- Is a vulnerable Erlang/OTP version present according to Sweet’s SBOM?
- Is the SSH daemon running?
- Is it exposed to inbound network traffic?
This context-based reprioritization helps security teams focus their efforts on workloads with clear signs of exposure, while considering lower urgency for others where exploitation appears unlikely and compensating controls are in place.
How we separate noise from real risk—Read the blog.
2. Storytelling-Based Detection and Response
- If signs of exploitation occur, Sweet’s detection engine correlates activity across the cloud, workload, and application layers to surface actionable incidents.
Using Sweet’s baseline mechanism, the platform not only detects exploitation attempts through unfamiliar SSH connections, but also identifies any new or unusual activity — such as previously unseen processes that may indicate post-exploitation behavior.
For example, if an unknown IP initiates an SSH connection to a vulnerable Erlang workload, Sweet flags it as a potential exploit attempt — including whether the attempt was successful or failed. If outbound traffic or privilege escalation is detected as well, the incident is escalated and mapped into a structured narrative that shows:
- Initial access vector
- Exploit execution
- Affected process and its context
- External communication
This enables fast triage and root cause identification, without needing to manually pivot across logs and sensors.
How we connect the dots for the best detections: read the blog.
Key Takeaways
CVE-2025-32433 represents a worst-case combination: unauthenticated remote code execution, core components, and a small footprint for detection. But exploitation still depends on conditions your environment may or may not meet.
Sweet helps close that gap. By validating exploitability, correlating activity across layers, and narrating attacks in real time, we help your team understand where the risk is actionable—and prioritize response effectively when patching timelines are constrained.
Want to see how Sweet detects, prioritizes, and responds to vulnerabilities like CVE-2025-32433—live and in action?
Book a demo and see it in your own environment.