An Erlang/OTP vulnerability whose existence came to light in mid-April has been exploited in the wild, with many attacks apparently targeting operational technology (OT) networks.
Erlang/OTP is a collection of libraries, middleware and other tools designed for creating real-time systems that require high availability, such as banking, e-commerce, and communications applications.
Researchers discovered that Erlang/OTP’s SSH implementation is affected by a critical vulnerability that can allow arbitrary code execution in the context of the SSH daemon, which can potentially give an attacker full access to the host, enabling unauthorized access to and manipulation of sensitive data.
Tracked as CVE-2025-32433, the flaw impacts all unpatched SSH servers that leverage the Erlang/OTP SSH library, and systems used for remote access are particularly at risk.
The security hole has been patched with the release of OTP-27.3.3, OTP-26.2.5.11 and OTP-25.3.2.20. Earlier versions are affected.
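To turn the patched-release list above into a check that can be run against an asset inventory, here is an added Python example (not code from SecurityWeek or the Erlang/OTP project). It compares an installed OTP version string against the fix releases named in this article, treating everything below OTP 25 as affected, as the article states; the hostnames and versions in the sample inventory are constructed, and the assumption that lines newer than OTP 27 shipped after the fix is labelled in the code.

```python
"""Check Erlang/OTP version strings against the CVE-2025-32433 fix releases.

The fix versions (OTP-27.3.3, OTP-26.2.5.11, OTP-25.3.2.20) are the ones
given in the article. A host's version string is the content of the
OTP_VERSION file in the release directory; one way to print it is:

  erl -noshell -eval '{ok,V}=file:read_file(filename:join([code:root_dir(),
      "releases",erlang:system_info(otp_release),"OTP_VERSION"])),
      io:format("~s",[V]),halt().'
"""
from __future__ import annotations

# Minimum patched release per OTP major line, as stated in the article.
FIXED_VERSIONS: dict[int, str] = {
    27: "27.3.3",
    26: "26.2.5.11",
    25: "25.3.2.20",
}
OLDEST_PATCHED_MAJOR = min(FIXED_VERSIONS)
NEWEST_PATCHED_MAJOR = max(FIXED_VERSIONS)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn "26.2.5.11" (optionally prefixed "OTP-") into a comparable tuple.

    OTP versions are dot-separated integers, so tuple comparison is used:
    "26.2.5.3" < "26.2.5.11" as intended, whereas a plain string comparison
    would rank them the wrong way round.
    """
    text = text.strip()
    if text.startswith("OTP-"):
        text = text[len("OTP-"):]
    parts = text.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an OTP version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> bool:
    """Return True if this OTP release still carries the unpatched SSH library."""
    v = parse_version(version)
    major = v[0]
    if major < OLDEST_PATCHED_MAJOR:
        # The article says releases earlier than the three patched lines are
        # affected and lists no fix for them.
        return True
    if major > NEWEST_PATCHED_MAJOR:
        # Assumption (not stated in the article): lines newer than OTP 27
        # shipped after the fix and are treated as patched.
        return False
    return v < parse_version(FIXED_VERSIONS[major])


def classify_hosts(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split a {host: OTP_VERSION} inventory into vulnerable and patched hosts."""
    result: dict[str, list[str]] = {"vulnerable": [], "patched": []}
    for host, version in sorted(inventory.items()):
        result["vulnerable" if is_vulnerable(version) else "patched"].append(host)
    return result


# Constructed sample inventory: hypothetical hostnames and version strings.
SAMPLE_INVENTORY = {
    "plc-gw-01": "26.2.5.3",     # below 26.2.5.11 -> vulnerable
    "hmi-02": "OTP-27.3.3",      # exactly the fix release -> patched
    "historian-03": "25.3.2.19", # one patch level short of 25.3.2.20
    "rtu-04": "24.3.4",          # older line with no listed fix
    "jump-05": "27.3.4",         # later than 27.3.3 -> patched
}

if __name__ == "__main__":
    for bucket, hosts in classify_hosts(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Running the script prints the hosts that need the OTP update first; feeding it real inventory data is a matter of replacing the constructed dictionary with version strings collected from each host.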
The cybersecurity agency CISA added CVE-2025-32433 to its Known Exploited Vulnerabilities catalog on June 9, but there did not appear to be any public reports describing exploitation of the flaw.
On Monday, however, Palo Alto Networks published a blog post detailing exploitation attempts, which the cybersecurity giant has seen since May 1.
According to Palo Alto Networks, exploitation activity surged between May 1 and May 9, with 70% of the attacks observed by the company aimed at OT networks. The majority of the detections were in the United States.
“OT and 5G environments use Erlang/OTP due to its fault-tolerance and scalability for high availability systems with minimal downtime,” the security firm explained. “Due to compliance and safety requirements, OT and 5G administrators tend to use Erlang/OTP’s native SSH implementation to remotely manage hosts, which makes CVE-2025-32433 a particular concern in these types of networks.”
Palo Alto Networks has seen Erlang/OTP SSH services exposed on the internet through various ports, including TCP port 2222, which is often used for older industrial automation products.
Data collected by the company’s firewalls showed that 85% of the exploitation attempts were aimed at the healthcare, agriculture, media and entertainment, and high tech sectors.
“Despite high OT reliance, utilities and energy, mining, and aerospace and defense showed no direct OT triggers for this specific threat,” Palo Alto said. “Sectors like professional and legal services primarily saw triggers on their IT networks. Industries such as manufacturing, wholesale and retail, and financial services experienced more balanced detection across both IT and OT, necessitating integrated defenses.”
The company identified several malicious payloads that the attackers attempted to deliver through the exploitation of CVE-2025-32433, including reverse shells enabling unauthorized remote access.
In some cases, researchers observed connections to a remote host on a port commonly associated with servers used for botnet communications.
Scanning conducted by Palo Alto showed that hundreds of Erlang/OTP services present on industrial networks are exposed and vulnerable to attacks.