CISA Adds Erlang SSH and Roundcube Flaws to Known Exploited Vulnerabilities Catalog

Jun 10, 2025Ravie LakshmananVulnerability / Cyber Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added two critical security flaws impacting Erlang/Open Telecom Platform (OTP) SSH and Roundcube to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The vulnerabilities in question are listed below –

• CVE-2025-32433 (CVSS score: 10.0) – A missing authentication for a critical function vulnerability in the Erlang/OTP SSH server that could allow an attacker to execute arbitrary commands without valid credentials, potentially leading to unauthenticated remote code execution. (Fixed in April 2025 in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20)
• CVE-2024-42009 (CVSS score: 9.3) – A cross-site scripting (XSS) vulnerability in RoundCube Webmail that could allow a remote attacker to steal and send emails of a victim via a crafted email message by taking advantage of a desanitization issue in program/actions/mail/show.php. (Fixed in August 2024 in versions 1.6.8 and 1.5.8)

There are currently no details on how the two vulnerabilities are exploited in the wild, and by whom. Last month, ESET revealed that the Russia-linked threat actor known as APT28 exploited several XSS flaws in Roundcube, Horde, MDaemon, and Zimbra to target governmental entities and defense companies in Eastern Europe. It’s not clear if the abuse of CVE-2024-42009 is related to this activity or something else.

According to data from Censys, there are 340 exposed Erlang servers, although it bears noting that not all instances are necessarily susceptible to the flaw. The public disclosure of CVE-2025-32433 has been quickly followed by the release of several proof-of-concept (PoC) exploits for it.

In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary fixes by June 30, 2025, for optimal protection.

The development comes as Patchstack flagged an unpatched account takeover vulnerability in the PayU CommercePro plugin for WordPress (CVE-2025-31022, CVSS score: 9.8) that enables an attacker to seize control of any user of a site without any authentication.

This can have serious consequences when the attacker is able to hijack an administrator account, permitting them to take over the site and perform malicious actions. The vulnerability affects versions 3.8.5 and before. The plugin has over 5,000 active installations.

The problem has to do with a function called “update_cart_data(),” which, in turn, is invoked from an endpoint named “/payu/v1/get-shipping-cost” that checks if a provided email address exists, and if so, processes the e-commerce order for checkout.

But because the endpoint checks for a valid token linked to a hard-coded email address (“commerce.pro@payu[.]in”) and there exists another REST API to generate an authentication token for a given email (“/payu/v1/generate-user-token”), an attacker could exploit this behavior to obtain the token corresponding to “commerce.pro@payu[.]in” and send a request to “/payu/v1/get-shipping-cost” and hijack any account.

Users are advised to deactivate and delete the plugin until a patch for the vulnerability is made available.

“It is necessary to ensure that the unauthenticated REST API endpoints are not overly permissive and provide more access to the users,” Patchstack said. “Also, hard-coding sensitive or dynamic information such as email addresses to use it for other cases inside the codebase is not recommended.”

Upgrade your audio game with the Logitech for Creators Blue Yeti USB Microphone. With over 33,730 ratings and an impressive 4.6 out of 5 stars, it’s no wonder this is an Amazon’s Choice product. Recently, 5K+ units were purchased in the past month.

Available in five stunning colors: Teal, Silver, Pink Dawn, Midnight Blue, and Blackout, this microphone is perfect for creators looking to produce exceptional audio. Priced at only $84.99, it’s a deal you can’t afford to miss.

Elevate your recordings with clear broadcast-quality sound and explore your creativity with enhanced effects, advanced modulation, and HD audio samples. Order now for just $84.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!