On June 10, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) expanded its Known Exploited Vulnerabilities (KEV) catalog to include two high-severity flaws targeting the Erlang/OTP SSH server and the Roundcube webmail client.
This confirms that active exploitation is happening, and it’s a clear signal for government systems and any connected infrastructure to move quickly to reduce the risk.
The vulnerabilities in question are capable of enabling unauthenticated remote code execution (RCE) and cross-site scripting (XSS)-based email exfiltration, respectively. Their addition to the KEV list triggers a mandatory remediation timeline for federal civilian executive branch (FCEB) systems, with a compliance deadline of June 30, 2025.
However, for any organization managing distributed architectures or legacy messaging interfaces, these issues should be considered immediate priorities regardless of regulatory mandate.
Why It Matters: This is a reminder of how quickly exploit code can move from disclosure to weaponization, particularly in widely deployed or niche-adjacent services like Erlang’s SSH stack or Roundcube’s PHP mail viewer. While neither platform dominates today’s mainstream stack, their presence in telecom, embedded systems, and SME infrastructure means they often escape visibility until they’re already exploited.
The RCE vulnerability in Erlang is particularly concerning given its unauthenticated nature, while the Roundcube XSS flaw reflects a continuing trend of client-side injection attacks being used for credential harvesting and covert surveillance, tactics favored by advanced persistent threat (APT) groups.
- CVE-2025-32433 – Erlang/OTP SSH Vulnerability (CVSS 10.0): A critical logic flaw in Erlang’s SSH server permits remote code execution without authentication. This flaw, patched in April 2025 (OTP-27.3.3, OTP-26.2.5.11, OTP-25.3.2.20), enables adversaries to bypass login checks entirely and issue system-level commands. With PoC exploits already circulating, perimeter-facing Erlang instances, especially in telco or distributed compute environments, should be assumed vulnerable.
- CVE-2024-42009 – Roundcube Webmail XSS (CVSS 9.3): A reflected XSS vulnerability in mail/show.php allows attackers to trigger malicious script execution by delivering a specially crafted email to a target. Once triggered, it could exfiltrate email content or initiate actions on the user’s behalf. The issue was resolved in August 2024 (versions 1.6.8 and 1.5.8), but exploitation has continued.
- Compliance-Driven Deadline for Federal Systems: Agencies within the FCEB have until June 30, 2025 to apply mitigation or patching as part of Binding Operational Directive 22-01. While this directive applies only to U.S. government systems, organizations operating in adjacent sectors (e.g., defense contractors, telecom, healthcare) would be prudent to treat this deadline as best practice.
- Exploit Availability and Active Reconnaissance: Public proof-of-concept code has been released for the Erlang flaw, and Censys has identified over 300 potentially exposed instances. While this number may include false positives, the combination of confirmed exploitation and tool availability significantly elevates the operational risk.
- Related Vulnerability: WordPress Plugin Exploit: Separately, Patchstack has reported an unauthenticated account takeover vulnerability (CVE-2025-31022, CVSS 9.8) in the PayU CommercePro plugin, affecting versions 3.8.5 and earlier. Exploitation hinges on predictable token behavior tied to a hardcoded service email. Until a fix is released, organizations are advised to disable or remove the plugin entirely.
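The practical first step for both KEV entries is an inventory check against the fixed releases the brief lists: OTP-27.3.3, OTP-26.2.5.11 and OTP-25.3.2.20 for CVE-2025-32433, and Roundcube 1.6.8 and 1.5.8 for CVE-2024-42009. The script below is an added example, not code from CISA, Ericsson or the Roundcube project; it parses version strings, compares them branch by branch (a release on the 26.x line must be measured against 26.2.5.11, not 27.3.3), and reports branches for which the brief lists no fix as "review" rather than guessing. The inventory rows are constructed sample data, and the branch-key convention is an assumption about how each project numbers its maintenance lines.

```python
"""Branch-aware fixed-version triage for CVE-2025-32433 and CVE-2024-42009.

Added example; not CISA's or the vendors' code. Fixed versions come from the
brief above. Branches with no listed fix are reported as 'review', not guessed.
"""
import re

# Fixed releases per maintenance branch, taken from the brief.
# Keying Erlang/OTP by major release and Roundcube by major.minor is an
# assumption about each project's versioning, not something the brief states.
FIXED = {
    "CVE-2025-32433": {          # Erlang/OTP SSH server
        "27": (27, 3, 3),
        "26": (26, 2, 5, 11),
        "25": (25, 3, 2, 20),
    },
    "CVE-2024-42009": {          # Roundcube webmail
        "1.6": (1, 6, 8),
        "1.5": (1, 5, 8),
    },
}

# Constructed sample inventory: (host, CVE to check, version string as reported).
INVENTORY = [
    ("ssh-gw-01",   "CVE-2025-32433", "OTP-26.2.5.9"),
    ("ssh-gw-02",   "CVE-2025-32433", "OTP-27.3.3"),
    ("legacy-node", "CVE-2025-32433", "OTP-24.3.4"),
    ("mail-01",     "CVE-2024-42009", "1.6.7"),
    ("mail-02",     "CVE-2024-42009", "1.5.8"),
]


def parse_version(raw: str) -> tuple:
    """Extract the dotted numeric version: 'OTP-26.2.5.11' -> (26, 2, 5, 11)."""
    m = re.search(r"(\d+(?:\.\d+)+)", raw)
    if not m:
        raise ValueError(f"no dotted version found in {raw!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def branch_key(cve: str, ver: tuple) -> str:
    """OTP lines are keyed by major release, Roundcube lines by major.minor."""
    return str(ver[0]) if cve == "CVE-2025-32433" else f"{ver[0]}.{ver[1]}"


def status(cve: str, raw: str) -> str:
    """Return 'patched', 'vulnerable', or 'review' (no fix listed for branch)."""
    ver = parse_version(raw)
    fixed = FIXED[cve].get(branch_key(cve, ver))
    if fixed is None:
        return "review"
    # Tuple comparison is lexicographic, so (26, 2, 5, 9) < (26, 2, 5, 11)
    # and a shorter tag such as (27, 3) sorts below (27, 3, 3).
    return "patched" if ver >= fixed else "vulnerable"


def triage(inventory) -> dict:
    """Map each host to its status for the CVE it was checked against."""
    return {host: status(cve, raw) for host, cve, raw in inventory}


if __name__ == "__main__":
    for host, result in triage(INVENTORY).items():
        print(f"{host:12s} {result}")
```

Hosts reported as "review" sit on a branch the brief lists no fix for; those should be treated as needing an upgrade path rather than as safe. Comparison uses plain tuple ordering, which is enough for the dotted numeric tags both projects use here; release-candidate suffixes would need extra handling.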
Go Deeper → CISA Adds Two Known Exploited Vulnerabilities to Catalog – CISA