Vulnerability Management

Updated CISA vulnerabilities catalog adds critical Erlang/OTP SSH, Roundcube issues

Ongoing exploitation of two critical vulnerabilities, one in the SSH implementation of Erlang/Open Telecom Platform (OTP) and one in the Roundcube webmail platform, has prompted the Cybersecurity and Infrastructure Security Agency to add both to its Known Exploited Vulnerabilities catalog, with federal civilian agencies required to remediate them by the end of the month, according to The Hacker News.

The more severe of the two is CVE-2025-32433, a maximum-severity missing-authentication flaw in the Erlang/OTP SSH server that lets an unauthenticated attacker execute arbitrary commands, giving pre-authentication remote code execution, CISA said. The second, CVE-2024-42009, is a critical cross-site scripting flaw in Roundcube webmail that an attacker can trigger by sending a crafted email; when the victim opens it, the attacker can read the victim's messages and send email from their account. Neither catalog entry provided further details on the observed exploitation. While the Russian state-backed group APT28 has been reported to exploit XSS flaws in several webmail products, including Roundcube, whether it has used CVE-2024-42009 specifically remains unconfirmed.
