cbcvebase.
CVE-2025-46712
published 2025-05-08

CVE-2025-46712: Erlang/OTP is a set of libraries for the Erlang programming language. In versions prior to OTP-27.3.4 (for OTP-27), OTP-26.2.5.12 (for OTP-26), and…

PriorityP415low3.7CVSS 3.1
AVNACHPRNUINSUCNILAN
EPSS
0.44%
35.3th percentile
Erlang/OTP is a set of libraries for the Erlang programming language. In versions prior to OTP-27.3.4 (for OTP-27), OTP-26.2.5.12 (for OTP-26), and OTP-25.3.2.21 (for OTP-25), Erlang/OTP SSH fails to enforce strict KEX handshake hardening measures by allowing optional messages to be exchanged. This allows a Man-in-the-Middle attacker to inject these messages in a connection during the handshake. This issue has been patched in versions OTP-27.3.4 (for OTP-27), OTP-26.2.5.12 (for OTP-26), and OTP-25.3.2.21 (for OTP-25).

Affected

8 ranges
VendorProductVersion rangeFixed in
debianerlang< erlang 1:25.2.3+dfsg-1+deb12u2 (bookworm)erlang 1:25.2.3+dfsg-1+deb12u2 (bookworm)
erlangotp< OTP 25.3.2.21OTP 25.3.2.21
erlangotp
erlangotp
msrcazl3_erlang_26.2.5.11-1_on_azure_linux_3.0
msrcazl3_erlang_26.2.5.12-1_on_azure_linux_3.0
msrccbl2_erlang_25.3.2.20-1_on_cbl_mariner_2.0
msrccm2_erlang_25.3.2.21-1_on_cbl_mariner_2.0

CVSS provenance

nvdv3.13.7LOWCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
osv3.7LOW
vendor_debian3.7LOW
vendor_msrc3.7LOW
vendor_ubuntu3.7LOW
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.