PT-2025-20412 · Ericsson+4 · Erlang/Otp+4

Lambdafu

Published

2025-05-08

Updated

2025-10-30

CVE-2025-46712

CVSS v3.1

3.7

Low

Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions Erlang/OTP versions prior to OTP-27.3.4 Erlang/OTP versions prior to OTP-26.2.5.12 Erlang/OTP versions prior to OTP-25.3.2.21

Description The issue concerns Erlang/OTP SSH failing to enforce strict KEX handshake hardening measures by allowing optional messages to be exchanged. This allows a Man-in-the-Middle attacker to inject these messages in a connection during the handshake.

Recommendations For versions prior to OTP-27.3.4, update to OTP-27.3.4 or later. For versions prior to OTP-26.2.5.12, update to OTP-26.2.5.12 or later. For versions prior to OTP-25.3.2.21, update to OTP-25.3.2.21 or later.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-440

Related Identifiers

AZL-61744

AZL-61748

BDU:2025-13872

CVE-2025-46712

GHSA-934X-XQ38-HHQF

OESA-2025-1552

OESA-2025-1553

USN-7656-1

Affected Products

Debian

Erlang/Otp

Linuxmint

Red Os

Ubuntu

PT-2025-20412 · Ericsson+4 · Erlang/Otp+4

CVE-2025-46712

Weakness Enumeration

Related Identifiers

Affected Products

References · 31