The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added two critical security flaws impacting Erlang/Open Telecom Platform (OTP) SSH and Roundcube to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerabilities in question are listed below – CVE-2025-32433 (CVSS score: 10.0) – A missing authentication for a critical function vulnerability in the Erlang/OTP SSH server that could allow an attacker to execute arbitrary commands without valid credentials, potentially leading to unauthenticated remote code execution. (Fixed in April 2025 in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20) CVE-2024-42009 (CVSS score: 9.3) – A cross-site scripting (XSS) vulnerability in RoundCube Webmail that could allow a remote attacker to steal and send emails of a victim via a crafted email message by taking advantage of a desanitization issue in program/actions/mail/show.php. (Fixed in August 2024 in versions 1.6.8 and 1.5.8) There are currently no details on how the two vulnerabilities are exploited in the wild, and by whom. Last month, ESET revealed that the Russia-linked threat actor known as APT28 exploited several XSS flaws in Roundcube, Horde, MDaemon, and Zimbra to target governmental entities and defense companies in Eastern Europe. It's not clear if the abuse of CVE-2024-42009 is related to this activity or something else. According to data from Censys, there are 340 exposed Erlang servers, although…Read More