CVE-2025-32433

설명

Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials. This issue is patched in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. A temporary workaround involves disabling the SSH server or to prevent access via firewall rules.

영향 제품·버전

공급사 Erlang

제품 Erlang/OTP

영향 버전 >= OTP-27.0-rc1, < OTP-27.3.3, >= OTP-26.0-rc1, < OTP-26.2.5.11, < OTP-25.3.2.20, < 25.3.2.20, >= 26.0 < 26.2.5.11, >= 27.0 < 27.3.3, < 7.7.19.1, >= 8.0.18 < 8.1.16.2, >= 8.2 < 8.2.11.1, >= 8.3 < 8.3.8.1, >= 8.4 < 8.4.4.1, < 5.7.19.1, >= 5.8 < 6.1.16.2, >= 6.2 < 6.2.11.1, >= 6.3 < 6.3.8.1, >= 6.4 < 6.4.1.1, >= 6.4.2 < 6.4.4.1, < 2025.03.1, < 25.2, < 2025.03

수정 버전 25.3.2.20, 26.2.5.11, 27.3.3, 7.7.19.1, 8.1.16.2, 8.2.11.1, 8.3.8.1, 8.4.4.1, 5.7.19.1, 6.1.16.2, 6.2.11.1, 6.3.8.1, 6.4.1.1, 6.4.4.1, 2025.03.1, 25.2, 2025.03, 25.2.1, 25.1.1, 4.18

조치 방법

• 공급사가 제공한 최신 보안 업데이트 적용
• 자사 보유 제품과 영향 버전의 일치 여부 확인
• 외부 노출 서비스와 비정상 인증·접속 로그 점검
• 패치가 어려우면 공급사 완화조치와 접근통제 적용

기술 정보

CVSS 벡터 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE CWE-306

KEV 등록일 2025.06.09

랜섬웨어 캠페인 사용 미확인

CISA 비고 This vulnerability affects a common open-source project, third-party library, or a protocol used by different products. For more information, please see: https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2 ; https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-erlang-otp-ssh-xyZZy ; https://nvd.nist.gov/vuln/detail/CVE-2025-32433

EPSS 데이터 기준일 2026.06.27