CISA Adds Erlang SSH and Roundcube Vulnerabilities to Its Known Exploited Vulnerabilities Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added two significant security vulnerabilities affecting Erlang/Open Telecom Platform (OTP) SSH and Roundcube to its Known Exploited Vulnerabilities (KEV) catalog, following evidence of active exploitation.
The identified vulnerabilities are as follows:
– CVE-2025-32433 (CVSS score: 10.0) – A missing authentication for critical function flaw in the Erlang/OTP SSH server. The server handles SSH connection-protocol messages before authentication has completed, so an attacker with network access to the SSH port can execute arbitrary commands without valid credentials, that is, unauthenticated remote code execution. The issue was fixed in April 2025 in OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20.
– CVE-2024-42009 (CVSS score: 9.3) – A cross-site scripting (XSS) vulnerability in Roundcube Webmail that lets a remote attacker steal and send emails as the victim via a crafted email message; the victim only has to view the message. It stems from a desanitization issue in program/actions/mail/show.php. The flaw was fixed in August 2024 in versions 1.6.8 and 1.5.8.
Details of how these vulnerabilities are being exploited in the wild, and by whom, are not yet public. Last month, however, the Russia-linked threat actor APT28 was reported to have exploited several XSS flaws in Roundcube, Horde, MDaemon, and Zimbra to target government and defense organizations in Eastern Europe. It is not known whether CVE-2024-42009 was part of that activity.
Data from Censys shows approximately 340 internet-exposed Erlang servers, although not all of them are necessarily running a vulnerable version. Multiple proof-of-concept (PoC) exploits for CVE-2025-32433 have appeared since its public disclosure.
Given the active exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to apply the patches by June 30, 2025, to secure their networks.
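The Censys figure above is a count of listeners that announce themselves as Erlang's ssh application, and the first thing a defender wants is to know whether any of their own hosts are among them. The script below is an added inventory check, not code from the article or from Censys: it reads the RFC 4253 identification string from each host and reports the Erlang ssh application version it advertises. The host list, port and the sample banners are constructed for the example, and the version numbers in the samples are placeholders. The banner carries the ssh application's version, not the OTP release, so mapping it to the fixed releases in the advisory is a separate step that this check deliberately does not attempt.

```python
"""Added inventory check for Erlang/OTP SSH exposure (constructed example,
not code from the article or from Censys): read the SSH identification
string from each host and flag listeners that identify as Erlang's ssh app."""
import socket
import sys

# Constructed sample banners for offline use. The Erlang version numbers are
# placeholders, not a statement about which releases are vulnerable.
SAMPLE_BANNERS = {
    "erlang": b"SSH-2.0-Erlang/5.2.9\r\n",
    "openssh": b"SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13\r\n",
    "prebanner": b"Welcome to the host\r\nSSH-2.0-Erlang/4.15.3\r\n",
    "junk": b"HTTP/1.1 400 Bad Request\r\n",
}


def parse_banner(raw: bytes):
    """Return (protoversion, softwareversion) from an RFC 4253 identification
    string, or None if no 'SSH-' line is present. RFC 4253 lets the server
    send other lines first, which a client must skip."""
    for line in raw.decode("ascii", errors="replace").splitlines():
        if line.startswith("SSH-"):
            parts = line.split("-", 2)
            if len(parts) == 3:
                software = parts[2].split(" ", 1)[0]  # drop optional comments
                return parts[1], software
    return None


def erlang_ssh_version(raw: bytes):
    """Return the Erlang ssh application version if the banner is Erlang's
    ('SSH-2.0-Erlang/<ver>'), else None. This is the ssh application's
    version, not the OTP release; map it against the advisory's fixed
    releases before drawing any conclusion about patch status."""
    parsed = parse_banner(raw)
    if parsed is None:
        return None
    _proto, software = parsed
    prefix = "Erlang/"
    return software[len(prefix):] if software.startswith(prefix) else None


def grab_banner(host: str, port: int = 22, timeout: float = 3.0) -> bytes:
    """Connect and read the server's identification string. The server speaks
    first (RFC 4253 section 4.2), so nothing needs to be sent."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        return sock.recv(512)


def scan(hosts, port: int = 22):
    """Return {host: result}: the Erlang ssh version string, None for a
    non-Erlang listener or non-SSH banner, or 'unreachable' when the
    connection fails, so failures are not misread as clean."""
    results = {}
    for host in hosts:
        try:
            results[host] = erlang_ssh_version(grab_banner(host, port))
        except OSError:
            results[host] = "unreachable"
    return results


if __name__ == "__main__":
    # Usage: python erlang_ssh_check.py host1 host2 ...  (hosts are assumptions)
    for host, result in scan(sys.argv[1:]).items():
        label = "not Erlang SSH" if result is None else result
        print(f"{host}: {label}")
```

Run it against your own address space only; a listener that reports as Erlang SSH is a candidate for patch verification, not a confirmed vulnerable host.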
In a related development, Patchstack has flagged an unpatched account takeover vulnerability in the PayU CommercePro plugin for WordPress (CVE-2025-31022, CVSS score: 9.8). It lets an unauthenticated attacker take over any user account on the site, including administrator accounts. The flaw affects versions 3.8.5 and earlier; the plugin has more than 5,000 active installations.
The issue lies in the "updatecartdata()" function, which is reached through a REST endpoint that checks whether a supplied email address exists and then processes e-commerce orders for checkout.
The endpoint's only authorization check is that the request carries a valid token for a hard-coded email address ("commerce.pro@payu[.]in"), while a separate REST API endpoint will generate an authentication token for any email address it is given. An attacker can therefore obtain the token for "commerce.pro@payu[.]in" from that endpoint and use it to make requests that hijack arbitrary accounts.
Users are strongly advised to disable and remove the plugin until an official patch is available to address the vulnerability.
Patchstack urges developers to put strict access controls on unauthenticated REST API endpoints so they grant no more access than intended, and to avoid hard-coding sensitive values such as email addresses.
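The flaw above is an authorization check on the wrong principal: the token proves possession of a token for a fixed email address, not control of the account the request acts on, and the token itself is minted for anyone who asks. The model below is an added example in Python, not the plugin's PHP code, and it is a constructed reconstruction of the pattern Patchstack describes rather than the plugin's actual logic. The user table, the server secret and the function names other than the page's "updatecartdata()" are assumptions. It places the vulnerable handler next to a hardened form that follows the advice above: token minting requires an authenticated session, the token is bound to that session's own account, and no hard-coded identity is consulted.

```python
"""Constructed model of the PayU CommercePro authorization flaw (illustrative
only; not the plugin's code). Tokens are HMAC tags over an e-mail address.
The vulnerable handler authorizes a request by checking a token for a fixed
e-mail address instead of for the account the request acts on."""
import hashlib
import hmac
import secrets

# Hypothetical server-side secret used to mint tokens.
SERVER_SECRET = secrets.token_bytes(32)

# The hard-coded address named in the advisory (defanged as on the page).
HARD_CODED_EMAIL = "commerce.pro@payu[.]in"

# Constructed user table: user id -> (e-mail, role).
USERS = {
    1: ("admin@shop.example", "administrator"),
    2: ("alice@shop.example", "customer"),
}


def issue_token(email: str) -> str:
    """Models the unauthenticated REST endpoint that returns a token for any
    e-mail the caller names. Nothing proves the caller controls that address."""
    return hmac.new(SERVER_SECRET, email.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_token(email: str, token: str) -> bool:
    """Constant-time comparison of a presented token against the expected one."""
    return hmac.compare_digest(issue_token(email), token)


def vulnerable_update_cart(token: str, target_user_id: int):
    """Models updatecartdata(): the request is accepted if the token is valid
    for HARD_CODED_EMAIL, and the handler then acts as whatever user id the
    request names. Returns that user id, or None if rejected."""
    if not verify_token(HARD_CODED_EMAIL, token):
        return None
    if target_user_id not in USERS:
        return None
    # The token proved nothing about target_user_id, yet the caller now acts as it.
    return target_user_id


def attacker_takeover(target_user_id: int):
    """The chain the advisory describes: mint the token for the hard-coded
    address from the public endpoint, then replay it naming a victim account."""
    minted = issue_token(HARD_CODED_EMAIL)
    return vulnerable_update_cart(minted, target_user_id)


def hardened_issue_token(session_user_id):
    """Hardened minting: only an authenticated session gets a token, and only
    for its own e-mail address. Unauthenticated callers get nothing."""
    if session_user_id not in USERS:
        return None
    email, _role = USERS[session_user_id]
    return issue_token(email)


def hardened_update_cart(session_user_id, token: str, target_user_id: int):
    """Hardened handler: the caller must be authenticated, may act only on its
    own account, and the token must be bound to that same account's e-mail.
    No hard-coded identity is consulted."""
    if session_user_id is None or session_user_id != target_user_id:
        return None
    if target_user_id not in USERS:
        return None
    email, _role = USERS[target_user_id]
    if not verify_token(email, token):
        return None
    return target_user_id


if __name__ == "__main__":
    print("vulnerable: attacker acts as user", attacker_takeover(1))
    print("hardened, no session:", hardened_update_cart(None, issue_token(HARD_CODED_EMAIL), 1))
    alice_token = hardened_issue_token(2)
    print("hardened, alice on her own account:", hardened_update_cart(2, alice_token, 2))
    print("hardened, alice on the admin account:", hardened_update_cart(2, alice_token, 1))
```

In a real WordPress plugin the session check corresponds to a REST route `permission_callback` that requires a logged-in user and compares the target to the current user, rather than `__return_true`; the point of the model is that a token must be bound to the identity being authorized, and must never be obtainable for an identity the caller does not hold.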