A new report from cybersecurity researchers has revealed a worrying trend in the exploitation of a critical vulnerability in Erlang/Open Telecom Platform (OTP) SSH, with a staggering 70% of detected attacks targeting firewalls in operational technology (OT) networks. This surge in activity exploits a now-patched remote code execution (RCE) flaw, CVE-2025-32433, which received a maximum CVSS score of 10.0.
The vulnerability, which was patched in April 2025, allows attackers with network access to an Erlang/OTP SSH server to execute arbitrary code without needing any credentials. This is because the flawed implementation fails to properly reject certain protocol messages sent before the authentication phase of the SSH handshake. Threat actors are leveraging this to gain unauthorized remote access to systems, often using reverse shells to establish a foothold.
What makes this particularly alarming is the heavy focus on OT networks. Historically, these systems—which manage physical processes in critical infrastructure like power grids, manufacturing, and water treatment plants—were considered “air-gapped” and less exposed to internet-based threats. However, the increasing convergence of IT and OT networks has created a new and dangerous attack surface. The data shows that exploit attempts are happening in short, high-intensity bursts, disproportionately targeting firewalls that act as the gateway to these sensitive environments.
Researchers have observed that over 85% of exploit attempts have targeted sectors including healthcare, agriculture, media, and high technology across the U.S., Canada, Brazil, India, and Australia. The successful exploitation of this vulnerability in an OT environment could lead to severe consequences, including physical damage, disruption of essential services, and potential safety hazards. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog in June 2025, underscoring the urgency for organizations to apply patches.
Despite the availability of patches since April, many systems remain vulnerable. The Erlang/OTP SSH library is often embedded in third-party products and is not automatically updated, requiring vendors and end-users to apply the fixes. For organizations that cannot patch immediately, temporary mitigations such as disabling the SSH server or restricting access with firewall rules are strongly recommended to protect against these ongoing and targeted attacks.
