
Researchers have observed a significant increase in remote code execution (RCE) exploits targeting the Erlang/OTP SSH protocol, with 70% of these attacks aimed at operational technology (OT) firewalls.

Malicious actors have been exploiting a critical security flaw in the Erlang/Open Telecom Platform (OTP) SSH, identified as CVE-2025-32433, which has a CVSS score of 10.0. This vulnerability, a missing authentication issue, allows attackers with network access to execute arbitrary code on affected Erlang/OTP SSH servers without requiring credentials. The flaw was patched in April 2025 with updates to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. By June 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) included this vulnerability in its Known Exploited Vulnerabilities (KEV) catalog due to evidence of active exploitation. Research from Palo Alto Networks Unit 42 highlighted that over 85% of exploit attempts targeted sectors such as healthcare, agriculture, media and entertainment, and high technology across countries including the U.S., Canada, Brazil, India, and Australia.
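A version triage check against the three fixed releases named above, added here as an example for this article (not Unit 42's or the OTP project's code); it assumes the input is the contents of the OTP_VERSION release file (e.g. `26.2.5.11`) or an `OTP-x.y.z` tag, and flags major lines the article does not list as unknown rather than guessing.

```python
"""Classify an Erlang/OTP version string against the releases that fixed
CVE-2025-32433: OTP-27.3.3, OTP-26.2.5.11 and OTP-25.3.2.20 (per the article).
Added example, not code from Unit 42 or the Erlang/OTP project."""
import re

# First fixed release on each maintained major line, as stated in the article.
FIXED_VERSIONS = {
    27: (27, 3, 3),
    26: (26, 2, 5, 11),
    25: (25, 3, 2, 20),
}


def parse_otp_version(text: str) -> tuple:
    """Extract an integer tuple from 'OTP-26.2.5.11', '26.2.5' or 'Erlang/OTP 27 ...'.

    An 'OTP' prefix is preferred so that an 'erts-15.2.3' token in the erl
    banner is not mistaken for the OTP release number.
    """
    m = re.search(r"OTP[- ]?(\d+(?:\.\d+)*)", text)
    if m is None:
        m = re.search(r"(\d+(?:\.\d+)*)", text)
        if m is None:
            raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def _pad(version: tuple, width: int) -> tuple:
    # Missing trailing components count as zero: 26.2.5 is below 26.2.5.11.
    return version + (0,) * (width - len(version))


def assess(text: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for a version string."""
    version = parse_otp_version(text)
    if len(version) == 1:
        # The erl banner only shows the major line (e.g. 'Erlang/OTP 27');
        # the patch level must come from the OTP_VERSION file.
        return "unknown"
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        # Major lines not covered by the article: flag for manual review.
        return "unknown"
    width = max(len(version), len(fixed))
    return "patched" if _pad(version, width) >= _pad(fixed, width) else "vulnerable"
```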

The analysis revealed that attackers are employing reverse shells to gain unauthorised remote access to compromised networks following successful exploitation of CVE-2025-32433. The widespread exposure of this vulnerability on industrial-specific ports indicates a significant global attack surface across Operational Technology (OT) networks. Unit 42 noted that attackers are executing their exploits in short, high-intensity bursts, disproportionately targeting OT networks and attempting to access exposed services over both IT and industrial ports. The identity of the threat actors remains unknown, but the variance in attacks across affected industries underscores the urgent need for enhanced security measures.
