Keys to the Kingdom: Erlang/OTP SSH Vulnerability Analysis and Exploits Observed in the Wild

    Date: 08/12/2025

    Severity: Medium

    Summary

    The referenced Unit 42 article analyzes CVE-2025-32433, a critical unauthenticated remote code execution (RCE) vulnerability in the Erlang/OTP SSH daemon. Erlang/OTP is widely used in critical infrastructure and operational technology (OT) networks. The flaw allows an attacker to send SSH protocol messages that should require authentication and thereby execute commands without authenticating. Exploitation activity spiked between May 1 and 9, 2025, with 70% of detections coming from firewalls in OT environments. The article covers technical validation, exploit trends, geographic distribution, and affected industries. Patches are available in OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20.

    Indicators of Compromise (IOC) List

    URL/Domain

    http://146.103.40.203:6667

    d09idt23pgl3db0en3dgeam6i45tpc6bg.dns.outbound.watchtowr.com

    d0a3qn23pglekp6ckgtge8xxfd14a8ouk.dns.outbound.watchtowr.com

    d0am3pi3pgl6h3t9mkp0qt3zn9p1izwso.dns.outbound.watchtowr.com

    dns.outbound.watchtowr.com

    IP Address

    146.103.40.203

    194.165.16.71

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "d0am3pi3pgl6h3t9mkp0qt3zn9p1izwso.dns.outbound.watchtowr.com" or siteurl like "d0am3pi3pgl6h3t9mkp0qt3zn9p1izwso.dns.outbound.watchtowr.com" or url like "d0am3pi3pgl6h3t9mkp0qt3zn9p1izwso.dns.outbound.watchtowr.com" or domainname like "d09idt23pgl3db0en3dgeam6i45tpc6bg.dns.outbound.watchtowr.com" or siteurl like "d09idt23pgl3db0en3dgeam6i45tpc6bg.dns.outbound.watchtowr.com" or url like "d09idt23pgl3db0en3dgeam6i45tpc6bg.dns.outbound.watchtowr.com" or domainname like "http://146.103.40.203:6667" or siteurl like "http://146.103.40.203:6667" or url like "http://146.103.40.203:6667" or domainname like "dns.outbound.watchtowr.com" or siteurl like "dns.outbound.watchtowr.com" or url like "dns.outbound.watchtowr.com" or domainname like "d0a3qn23pglekp6ckgtge8xxfd14a8ouk.dns.outbound.watchtowr.com" or siteurl like "d0a3qn23pglekp6ckgtge8xxfd14a8ouk.dns.outbound.watchtowr.com" or url like "d0a3qn23pglekp6ckgtge8xxfd14a8ouk.dns.outbound.watchtowr.com"

    Detection Query 2:

    dstipaddress IN ("194.165.16.71","146.103.40.203") or srcipaddress IN ("194.165.16.71","146.103.40.203")
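    The two queries above match the advisory's indicators field by field. The script below is an added example, not code from the Gurucul advisory or the Unit 42 article, that applies the same IOC list to constructed log records carrying the fields the queries use (domainname, siteurl, url, srcipaddress, dstipaddress). It goes slightly beyond the queries in one respect: it also flags any label beneath dns.outbound.watchtowr.com, since the three listed hostnames are random subdomains of it, while still requiring a label boundary so look-alike names are not matched. The record layout and all sample values are assumptions made for the example.

```python
"""Match the advisory's IOCs against constructed log records (added example)."""
from urllib.parse import urlsplit

# Indicators copied from the advisory's IOC list.
IOC_DOMAINS = {
    "d09idt23pgl3db0en3dgeam6i45tpc6bg.dns.outbound.watchtowr.com",
    "d0a3qn23pglekp6ckgtge8xxfd14a8ouk.dns.outbound.watchtowr.com",
    "d0am3pi3pgl6h3t9mkp0qt3zn9p1izwso.dns.outbound.watchtowr.com",
    "dns.outbound.watchtowr.com",
}
IOC_IPS = {"146.103.40.203", "194.165.16.71"}  # also the host of http://146.103.40.203:6667

HOST_FIELDS = ("domainname", "siteurl", "url")  # fields used by Detection Query 1
IP_FIELDS = ("srcipaddress", "dstipaddress")    # fields used by Detection Query 2


def normalize_host(value: str) -> str:
    """Return the lowercase host from a bare name, host:port, or full URL ('' if none)."""
    value = value.strip()
    if "://" not in value:
        value = "//" + value  # let urlsplit parse "host:port/path" without a scheme
    return (urlsplit(value).hostname or "").rstrip(".")


def domain_hit(host: str):
    """Exact IOC match, else the longest IOC domain that host sits beneath (label boundary)."""
    if host in IOC_DOMAINS:
        return host
    for ioc in sorted(IOC_DOMAINS, key=len, reverse=True):
        if host.endswith("." + ioc):
            return ioc
    return None


def match_record(record: dict) -> list:
    """Return a list of 'field=value -> ioc' strings for every indicator seen in the record."""
    hits = []
    for field in HOST_FIELDS:
        raw = record.get(field)
        if not raw:
            continue
        host = normalize_host(raw)
        ioc = domain_hit(host)
        if ioc is None and host in IOC_IPS:  # URL field carrying the IP:port indicator
            ioc = host
        if ioc:
            hits.append(f"{field}={raw} -> {ioc}")
    for field in IP_FIELDS:
        raw = record.get(field)
        if raw in IOC_IPS:
            hits.append(f"{field}={raw} -> {raw}")
    return hits


def scan(records: list) -> list:
    """Return (index, hits) for each record with at least one IOC hit."""
    results = []
    for i, rec in enumerate(records):
        hits = match_record(rec)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample records (assumed layout; not real telemetry).
SAMPLE_LOGS = [
    {"domainname": "d0am3pi3pgl6h3t9mkp0qt3zn9p1izwso.dns.outbound.watchtowr.com",
     "srcipaddress": "10.0.5.20", "dstipaddress": "10.0.0.53"},
    {"domainname": "zz9constructed-label.dns.outbound.watchtowr.com",
     "srcipaddress": "10.0.5.22", "dstipaddress": "10.0.0.53"},
    {"srcipaddress": "10.0.5.20", "dstipaddress": "194.165.16.71"},
    {"url": "http://146.103.40.203:6667/", "srcipaddress": "10.0.5.20",
     "dstipaddress": "146.103.40.203"},
    {"domainname": "updates.example.com", "srcipaddress": "10.0.5.21",
     "dstipaddress": "10.0.0.1"},
    {"domainname": "watchtowr.com.example.net", "srcipaddress": "10.0.5.23",
     "dstipaddress": "10.0.0.53"},
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_LOGS):
        print(f"record {index}: " + "; ".join(hits))
```

    Records 0 through 3 are flagged; record 1 is caught only by the suffix rule, record 3 is flagged twice (URL host and destination IP), and the two benign records produce no hits.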

    Reference:

    https://unit42.paloaltonetworks.com/erlang-otp-cve-2025-32433/

    https://otx.alienvault.com/pulse/6899ee612cf2f3480da28d6e


    Tags

    Vulnerability, Critical Infrastructure, CVE-2025, Exploit
