Erlang/OTP SSH RCE Vulnerability Exploited in the Wild to Attack Across OT Networks

A critical remote code execution vulnerability in Erlang/OTP’s SSH daemon has been actively exploited in the wild, with cybercriminals targeting operational technology networks across multiple industries.

CVE-2025-32433, carrying the maximum CVSS score of 10.0, allows unauthenticated attackers to execute arbitrary commands on vulnerable systems by sending specially crafted SSH connection protocol messages to open SSH ports.

The vulnerability affects Erlang/OTP versions prior to OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, impacting systems widely deployed in critical infrastructure environments.

Erlang’s Open Telecom Platform has long been trusted in telecommunications networks, financial systems, and industrial control environments due to its fault-tolerance and scalability capabilities.

The flaw stems from improper state enforcement in the SSH daemon: it fails to reject SSH connection-protocol messages, which are only valid after authentication, when they arrive before authentication has completed, creating a significant attack surface.
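A patch-status check built from the affected versions listed above, as an added example that is not part of the original article or of the Erlang/OTP project: it parses OTP version strings (the form found in an install's OTP_VERSION file, or the "OTP-" prefixed release name), compares each against the fix for its release line, and flags hosts in a constructed inventory. The treatment of release lines older than 25 (no listed fix, so treated as affected) and newer than 27 (treated as fixed) is an assumption, not something the article states.

```python
import re

# Fixed releases named in the advisory, keyed by major release line; every
# release on the same line that sorts below its fix is affected.
FIXED_VERSIONS = {
    27: (27, 3, 3),
    26: (26, 2, 5, 11),
    25: (25, 3, 2, 20),
}

_VERSION_RE = re.compile(r"^(?:OTP[-_ ])?(\d+(?:\.\d+)*)$")

def parse_otp_version(text):
    """Turn 'OTP-26.2.5.10' or '26.2.5.10' (the form found in an install's
    OTP_VERSION file) into a tuple of ints for ordered comparison."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised OTP version string: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))

def is_vulnerable(text):
    """True when the release sorts below the fix for its line.
    Assumption (not stated on the page): lines older than 25 have no listed
    fix and are treated as affected; lines newer than 27 as fixed."""
    version = parse_otp_version(text)
    major = version[0]
    if major in FIXED_VERSIONS:
        return version < FIXED_VERSIONS[major]
    return major < 25

def affected_hosts(inventory):
    """Hosts whose reported version still needs patching; an unparseable
    version string is flagged too, so the host gets a manual review."""
    flagged = []
    for host, version in inventory.items():
        try:
            if is_vulnerable(version):
                flagged.append(host)
        except ValueError:
            flagged.append(host)
    return sorted(flagged)

# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "plc-gateway-01": "OTP-26.2.5.10",  # below 26.2.5.11 -> affected
    "historian-02": "27.3.3",           # exactly the fix -> patched
    "hmi-legacy-03": "OTP-24.3.4",      # pre-25 line, no fix -> affected
    "mqtt-broker-04": "25.3.2.20",      # fix for the 25 line -> patched
    "unknown-05": "n/a",                # unparseable -> flagged for review
}
```

Calling `affected_hosts(SAMPLE_INVENTORY)` returns the three hosts that need patching or review; feed it your own host-to-version map to audit an estate.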

Exploitation attempts targeting this vulnerability surged dramatically between May 1 and May 9, 2025, with Palo Alto Networks researchers identifying over 3,376 signature triggers globally during this period.

Remarkably, approximately 70 percent of these detections originated from firewalls protecting operational technology networks, indicating a concentrated focus on critical infrastructure systems.

The geographic distribution revealed that countries with mature digital infrastructure, including the United States, Japan, and Brazil, experienced the highest volumes of exploitation attempts.

The attacks have disproportionately impacted industries including healthcare, agriculture, media and entertainment, and high technology sectors.

Analysis revealed that OT networks experienced 160 percent more exploitation attempts per device compared to traditional IT environments, suggesting either targeted reconnaissance of industrial systems or lateral movement from already compromised enterprise networks.

Advanced Payload Analysis and Attack Methodology

Security researchers have identified sophisticated attack payloads being deployed through CVE-2025-32433 exploitation attempts, revealing the technical sophistication of threat actors leveraging this vulnerability.

[Figure: Remote host redirect (Source – Palo Alto Networks)]

The most commonly observed attack technique involves reverse shell implementations designed to establish persistent remote access to compromised systems.

[Figure: TCP connection creation (Source – Palo Alto Networks)]

One prevalent payload variant creates TCP connections using file descriptors to bind directly to system shells, enabling interactive command execution over network connections.

The malicious code typically appears as:

exec(fd,"/bin/sh",["/bin/sh"],environ)

This approach allows attackers to maintain persistent access while evading traditional detection mechanisms.

A simpler but equally effective variant initiates reverse shells using Bash’s interactive mode, redirecting shell input and output directly to remote command-and-control servers.

These payloads often connect to suspicious infrastructure, including IP addresses like 146.103.40.203 operating on port 6667, commonly associated with botnet communications.

Particularly concerning is the use of DNS-based out-of-band application security testing (OAST) techniques, where attackers trigger DNS lookups to randomized subdomains under domains like dns.outbound.watchtowr.com.

These stealthy validation methods allow threat actors to confirm successful code execution without generating obvious network traffic, making detection significantly more challenging for security teams monitoring affected environments.

