
Malicious actors began exploiting a now-patched critical security flaw affecting Erlang/Open Telecom Platform (OTP) SSH as early as the beginning of May 2025, with around 70% of detections coming from firewalls protecting operational technology (OT) networks.
The vulnerability in question is CVE-2025-32433 (CVSS score: 10.0), a missing-authentication issue that could be abused by an attacker with network access to an Erlang/OTP SSH server to run arbitrary code without credentials. It was patched in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20 in April 2025.
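Because the fix landed as point releases on three separate maintenance lines, the practical first question for a defender is whether a given host's OTP version is at or past the fixed release for its line. The following check is an added example written for this article; it is not code from Unit 42, Ericsson or the OTP project. The fixed versions it compares against are the three named above; the full version string it expects is the one found in the `OTP_VERSION` file of an Erlang release (`releases/<major>/OTP_VERSION`) or an `OTP-x.y.z` tag. Treating major lines newer than 27 as fixed, and lines older than 25 as needing manual review, is an assumption made here, not a statement from the article.

```python
"""Classify an Erlang/OTP version string against the CVE-2025-32433 fixes.

Added example for this article; not code from Unit 42, Ericsson or the OTP team.
"""
import os
import re
import sys

# Fixed releases per maintenance line, as named in the article.
FIXED = {
    27: (27, 3, 3),
    26: (26, 2, 5, 11),
    25: (25, 3, 2, 20),
}

# Accepts "OTP-26.2.5.10", "OTP_27.3.3" (tag style) or bare "27.3" (OTP_VERSION file).
_VERSION_RE = re.compile(r"^(?:OTP[-_])?(\d+(?:\.\d+)*)$")


def parse_otp_version(text: str) -> tuple[int, ...]:
    """Turn an OTP version string into a tuple of ints, e.g. 'OTP-26.2.5.10' -> (26, 2, 5, 10)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised OTP version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def compare_versions(a: tuple[int, ...], b: tuple[int, ...]) -> int:
    """Three-way compare with zero padding, so that 27.3 == 27.3.0 < 27.3.3."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def cve_2025_32433_status(text: str) -> str:
    """Return 'patched', 'vulnerable' or 'unsupported-line' for a version string.

    Lines 25, 26 and 27 are compared against their fixed release. Anything on a
    newer major line is assumed to ship with the fix (assumption: those lines were
    cut after April 2025). Older lines are assumed to have received no fix and are
    flagged for manual review rather than silently called safe.
    """
    version = parse_otp_version(text)
    major = version[0]
    if major in FIXED:
        return "patched" if compare_versions(version, FIXED[major]) >= 0 else "vulnerable"
    if major > max(FIXED):
        return "patched"  # assumption, see docstring
    return "unsupported-line"  # assumption: no fix on this line; review manually


def status_from_release_root(root: str) -> str:
    """Locate releases/<major>/OTP_VERSION under an Erlang install root and classify it.

    `root` is the directory that contains `releases/` (for example
    /usr/lib/erlang). Raises FileNotFoundError if no OTP_VERSION file is found.
    """
    releases = os.path.join(root, "releases")
    for entry in sorted(os.listdir(releases)):
        candidate = os.path.join(releases, entry, "OTP_VERSION")
        if os.path.isfile(candidate):
            with open(candidate, encoding="ascii") as fh:
                return cve_2025_32433_status(fh.read())
    raise FileNotFoundError(f"no OTP_VERSION file under {releases}")


if __name__ == "__main__":
    # Usage: python check_otp.py OTP-26.2.5.10   (or a path to an Erlang install root)
    arg = sys.argv[1] if len(sys.argv) > 1 else "OTP-26.2.5.10"
    result = status_from_release_root(arg) if os.path.isdir(arg) else cve_2025_32433_status(arg)
    print(f"{arg}: {result}")
```

Two caveats apply in practice. First, the check tells you about the OTP runtime on the host; an SSH service embedded in an appliance or vendor product may ship its own bundled OTP, and the vendor's advisory, not this check, is authoritative for it. Second, an `unsupported-line` result should be treated as exposed until proven otherwise, since no fixed release exists on that line to compare against.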
Then, in June 2025, the US Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation.
“At the heart of Erlang/OTP’s secure communication capabilities are native SSH implementations responsible for encrypted connections, file transfers and, most importantly, command execution,” said Palo Alto Networks Unit 42 researchers Adam Robbie, Yiheng An, Malav Vyas, Cecilia Hu, Matthew Tennis, and Zhanhao Chen.

“This flaw in implementation allows attackers with network access to execute arbitrary code on vulnerable systems without the need for credentials, presenting direct and serious risks to exposed assets.”
An analysis of the cybersecurity company’s telemetry data revealed that over 85% of exploitation attempts targeted the healthcare, agriculture, media and entertainment, and high-tech sectors, in countries such as the US, Canada, Brazil, India and Australia.

The observed attacks consist of successful exploitation of CVE-2025-32433 followed by the threat actors deploying reverse shells to gain unauthorized remote access to the target network. It is currently unknown who is behind the efforts.
“This extensive exposure on this industry-specific port illustrates the important global attack surface of the entire OT network,” Unit 42 said. “Analyses of affected industries show the variance of attacks.”
“Attackers are trying to exploit vulnerabilities with short-term high-strength bursts. They are disproportionately targeting OT networks and trying to access exposed services in both IT and industrial ports.”