Geographically, the exploitation footprint spanned Japan, the US, the Netherlands, Ireland, Brazil, and Ecuador, with some regions seeing 100% of detected attacks targeting OT environments.
“The real danger with CVE-2025-32433 is that it’s not just an IT vulnerability: it is disproportionately affecting operational technology (OT) networks, and it’s already actively showing up in systems tied to critical infrastructure,” said April Lenhard, principal product manager at Qualys. “Most known compromises involve OT assets that control physical processes like robotics, pumps, valves, or even safety systems. Exploitation could alter sensor readings, trigger outages, introduce safety risks, and cause physical damage.”
Flawed SSH logic led to RCE
The root of the problem lies in Erlang/OTP’s SSH daemon improperly processing certain secure shell (SSH) protocol messages, like ‘SSH_MSG_CHANNEL_OPEN’ and ‘SSH_MSG_CHANNEL_REQUEST’, before authentication completes. Under normal conditions, such messages should be rejected until after valid credentials are confirmed. Instead, OTP’s SSH server treats them as legitimate, enabling unauthenticated remote code execution.
