Surge in Attacks Targeting Operational Technology Networks

Researchers report a notable surge in exploitation attempts against a critical vulnerability in the Erlang/OTP runtime system, prevalent in operational technology settings. The spike followed the release of a patch by the open-source maintainers of the Erlang/OTP project.
Unit 42 at Palo Alto Networks indicated that two weeks after the vulnerability was disclosed in mid-April, there was a “significant increase” in attacks targeting this flaw. Data collected between May 1 and May 9 revealed that 70% of exploitation activities originated from firewalls protecting operational technology networks.
Identified as CVE-2025-32433 with a critical CVSS score of 10, this vulnerability allows attackers to assume complete control over systems due to a flaw in the Erlang secure shell’s messaging process. Researchers from the University of Bochum discovered that commands could be sent to the embedded secure shell before the server validated the connection request.
In an April disclosure, the academics cautioned that if the SSH daemon is executed as root, attackers could gain unrestricted access to the device. Following this, the Erlang project released patches and informed users that all those employing the Erlang/OTP SSH server were at risk. A proof of concept exploit was published shortly after, and the U.S. Cybersecurity and Infrastructure Security Agency included this vulnerability in its catalog of known exploited vulnerabilities on June 9.
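The flaw the researchers describe is a server acting on connection-layer SSH messages (channel open, exec requests) before the client has authenticated. The toy dispatcher below is an added example, not code from the article or from the Erlang/OTP project, modelling that message-handling defect beside the authentication gate that closes it; message numbers are those of RFC 4250, while the session state, payload shapes and the credential check are simplified constructions.

```python
# Added example, not the article's or Erlang/OTP's code: a toy SSH server-side
# dispatcher. Message numbers follow RFC 4250; session state and payloads are simplified.
from dataclasses import dataclass, field

SSH_MSG_USERAUTH_REQUEST = 50   # client asks to authenticate
SSH_MSG_USERAUTH_SUCCESS = 52   # server reply that ends the authentication phase
SSH_MSG_CHANNEL_OPEN = 90       # RFC 4254 connection protocol starts here
SSH_MSG_CHANNEL_REQUEST = 98    # e.g. "exec" to run a command in a channel
CONNECTION_LAYER = range(80, 128)  # RFC 4250 range reserved for connection messages

@dataclass
class Session:
    authenticated: bool = False
    closed: bool = False
    channels: set = field(default_factory=set)

def handle_connection_layer(sess, msg_type, payload):
    """Channel handling; must only ever run once the session is authenticated."""
    if msg_type == SSH_MSG_CHANNEL_OPEN:
        sess.channels.add(payload["channel"])
        return "channel-opened"
    if msg_type == SSH_MSG_CHANNEL_REQUEST and payload.get("request") == "exec":
        return f"executed:{payload['command']}"  # the side effect that must stay gated
    return "ignored"

def dispatch(sess, msg_type, payload, gate_on_auth):
    """With gate_on_auth=False this has the flaw: channel messages bypass authentication."""
    if sess.closed:
        return "closed"
    if msg_type == SSH_MSG_USERAUTH_REQUEST:
        # Constructed credential check standing in for a real authenticator.
        if payload.get("password") == "constructed-secret":
            sess.authenticated = True
            return f"sent:{SSH_MSG_USERAUTH_SUCCESS}"
        return "auth-failed"
    if msg_type in CONNECTION_LAYER:
        if gate_on_auth and not sess.authenticated:
            # RFC 4252: the ssh-connection service is only available after authentication.
            sess.closed = True
            return "disconnect:protocol-error"
        return handle_connection_layer(sess, msg_type, payload)
    return "ignored"

def run(messages, gate_on_auth):
    """Feed a constructed message sequence through one session and return each outcome."""
    sess = Session()
    return [dispatch(sess, t, p, gate_on_auth) for t, p in messages]

# Constructed sequence of the kind the disclosure warns about: channel traffic with no auth.
PRE_AUTH_EXEC = [(SSH_MSG_CHANNEL_OPEN, {"channel": 0}),
                 (SSH_MSG_CHANNEL_REQUEST, {"channel": 0, "request": "exec", "command": "id"})]
```

Running `PRE_AUTH_EXEC` ungated yields `["channel-opened", "executed:id"]`; with the gate the first connection-layer message produces a protocol-error disconnect and nothing further is processed.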
Originally designed for telecommunications, Erlang/OTP combines the Erlang programming language with the Open Telecom Platform, a robust set of tools for creating scalable, fault-tolerant, distributed systems. Its use has since expanded into sectors such as industrial and financial services that require real-time processing.
Unit 42 highlighted that the healthcare, agricultural, media, and high-tech industries were primarily targeted, with the education sector experiencing a disproportionate number of exploitation attempts. This observation challenges the prevailing notion that risks associated with operational technology are solely confined to industrial control systems or manufacturing.
Despite their heavy reliance on operational technology devices, sectors such as utilities, mining, aerospace, and defense showed limited direct activity related to this particular vulnerability. Attackers employed out-of-band application security testing techniques, using payloads that triggered domain name system (DNS) lookups for randomly generated subdomains under dns.outbound.watchtowr.
Internet scans indicated that Erlang/OTP services were widely exposed across industrial networks, often revealing TCP port 2222, which is significant as it is also utilized for transferring application-specific, low-latency data through the EtherNet/IP protocol. Consequently, attackers probing for vulnerable Erlang services could potentially infiltrate operational technology environments, especially where network segmentation lacks effectiveness.
April Lenhard, a principal product manager at Qualys, noted that by the time breaches are identified, attackers may have already infiltrated the network through other vectors and subsequently moved laterally towards operational technology systems. This underscores the necessity for robust cybersecurity measures that address the convergence of IT and OT systems to safeguard critical infrastructure across various industries.