Summary

  • A critical remote code execution vulnerability has been discovered in Erlang/OTP’s SSH implementation, affecting versions prior to OTP-27.3.3, OTP-26.2.5.11 and OTP-25.3.2.20.
  • The vulnerability allows an unauthenticated attacker to execute arbitrary code on an affected system.
  • The flaw is in the handling of the authentication phase: malicious actors can send connection protocol messages before authentication has taken place.
  • Patches have been released to address the vulnerability, and users are advised to update to the latest versions to prevent exploitation.
  • Given the widespread use of Erlang/OTP in telecoms and messaging applications, this vulnerability has the potential to impact a large number of organisations and services, which makes it extremely dangerous.
  • Organisations are advised to mitigate risk by applying upgrades promptly and prioritising cybersecurity fundamentals, including reducing connectivity, employing robust password policies, and continually monitoring for suspicious activity.
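
The ordering rule behind the pre-authentication bullet above, as an added example (not code from the article or from Erlang/OTP): SSH reserves message numbers 80 and above for protocols that run after authentication, so a server should disconnect when a client sends one first. The class and function names and the traces are hypothetical and constructed, and the input is assumed to be message numbers already decoded on the server side, since they are encrypted on the wire after key exchange.

```python
# Added example: enforce SSH message ordering on decoded, server-side message numbers.
SSH_MSG_USERAUTH_SUCCESS = 52  # RFC 4252
CONNECTION_PROTOCOL_MIN = 80   # RFC 4250: 80+ is reserved for post-authentication protocols


class PreAuthViolation(Exception):
    """A client message that must end the session with a disconnect."""


class SessionGate:
    """Per-session state (hypothetical helper): authenticated or not."""

    def __init__(self):
        self.authenticated = False

    def on_server_sent(self, msg_number):
        # Only the server's own USERAUTH_SUCCESS authenticates the session.
        if msg_number == SSH_MSG_USERAUTH_SUCCESS:
            self.authenticated = True

    def on_client_message(self, msg_number):
        if not 1 <= msg_number <= 255:
            raise ValueError(f"not an SSH message number: {msg_number}")
        if msg_number >= CONNECTION_PROTOCOL_MIN and not self.authenticated:
            raise PreAuthViolation(f"message {msg_number} before authentication")
        return msg_number


def first_violation(trace):
    """Return the index of the first pre-auth connection-protocol message, or None.

    trace is a list of (direction, msg_number); "C" = client to server, "S" = server to client.
    """
    gate = SessionGate()
    for index, (direction, msg_number) in enumerate(trace):
        if direction == "S":
            gate.on_server_sent(msg_number)
            continue
        try:
            gate.on_client_message(msg_number)
        except PreAuthViolation:
            return index
    return None


# Constructed traces (not captured traffic): key exchange, then either auth or not.
KEX = [("C", 20), ("S", 20), ("C", 30), ("S", 31), ("C", 21), ("S", 21)]
NORMAL = KEX + [("C", 5), ("S", 6), ("C", 50), ("S", 52), ("C", 90), ("S", 91)]
SUSPECT = KEX + [("C", 90)]  # connection-protocol number with no USERAUTH_SUCCESS seen

if __name__ == "__main__":
    print("normal :", first_violation(NORMAL))
    print("suspect:", first_violation(SUSPECT))
```

A client that sends message number 52 itself does not change the session state here; only the server's own success message does.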

By Ismail Tasdelen