The US Cybersecurity and Infrastructure Security Agency (CISA) on Monday added two important security flaws affecting Erlang/Open Telecom Platform (OTP) SSH to its known exploited vulnerabilities (KEV) catalog based on evidence of active exploitation.
The vulnerabilities in question are listed below:
- CVE-2025-32433 (CVSS score: 10.0) – A missing authentication for critical function vulnerability in Erlang/OTP SSH servers that allows attackers to execute arbitrary commands without valid credentials. (Fixed in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20 in April 2025)
- CVE-2024-42009 (CVSS score: 9.3) – A cross-site scripting (XSS) vulnerability in Roundcube Webmail, caused by a desanitization issue in program/action/mail/show.php, that allows remote attackers to steal and send a victim's emails via a crafted email message. (Fixed in versions 1.6.8 and 1.5.8 in August 2024)
There are currently no details on how the two vulnerabilities are being exploited in the wild or by whom. Last month, ESET revealed that a Russia-linked threat actor known as APT28 had exploited several XSS flaws in Roundcube, Horde, MDaemon, and Zimbra, targeting Eastern European government agencies and defense companies. It is not clear whether the abuse of CVE-2024-42009 is related to this activity.
According to Censys data, there are 340 exposed Erlang servers, although not all of these instances are necessarily susceptible to the flaw. Public disclosure of CVE-2025-32433 was followed soon after by the release of several proof-of-concept (PoC) exploits.
In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary fixes by June 30, 2025, for optimal protection.
The development comes as Patchstack flagged an unauthenticated account takeover vulnerability in the PayU CommercePro WordPress plugin (CVE-2025-31022, CVSS score: 9.8) that allows attackers to seize control of any user account on the site without authentication.
This can have serious consequences: if an attacker hijacks an administrator account, they can take over the site and perform malicious actions. The vulnerability affects versions 3.8.5 and earlier. The plugin has over 5,000 active installations.
The problem relates to a function called “update_cart_data()”, which is called from an endpoint named “/payu/v1/get-shipping-cost” that handles e-commerce orders and checks whether the provided email address exists.
However, the endpoint only checks for a valid token tied to a hardcoded email address (“commerce.pro@payu(.)in”), and because another REST API endpoint (“/payu/v1/generate-user-token”) generates an authentication token for any given email address, an attacker can obtain the token for that hardcoded address and then call “/payu/v1/get-shipping-cost” to hijack any account.
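The flaw described above is a token bound to the wrong identity: the endpoint verifies that the caller holds a token for a fixed address, not for the account it then acts on, and the token-issuing endpoint hands out tokens without proving ownership. The following is an added, constructed model of that design (not the plugin's real code; all endpoint names, addresses and data are hypothetical) showing the weak check beside a hardened one that authenticates at issuance and binds the token to the target account.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed model of the token-binding flaw described above; names and data are
# hypothetical and are not the plugin's real code or real endpoint behaviour.
SECRET = secrets.token_bytes(32)
SERVICE_EMAIL = "service@example.invalid"  # stands in for the hardcoded address
ACCOUNTS = {
    "alice@example.invalid": {"shipping_cost": 5.0},
    SERVICE_EMAIL: {"shipping_cost": 0.0},
}

def make_token(email: str) -> str:
    """HMAC token bound to one email address (the secret never leaves the server)."""
    return hmac.new(SECRET, email.encode(), hashlib.sha256).hexdigest()

def token_is_for(token: str, email: str) -> bool:
    return hmac.compare_digest(token, make_token(email))

# --- Weak design: two endpoints that together let anyone act on any account ---
def generate_user_token_weak(email: str, caller: Optional[str]) -> str:
    # Unauthenticated issuance: the caller's identity is never checked.
    return make_token(email)

def get_shipping_cost_weak(token: str, email: str):
    # The token only has to belong to the fixed service address, so whoever
    # holds that token may act on whichever account is named in `email`.
    if not token_is_for(token, SERVICE_EMAIL):
        return None
    return ACCOUNTS.get(email)

# --- Hardened design: prove identity at issuance, bind the token to the target ---
def generate_user_token_fixed(email: str, caller: Optional[str]) -> Optional[str]:
    # Only an authenticated caller may mint a token, and only for their own address.
    if caller is None or caller != email:
        return None
    return make_token(email)

def get_shipping_cost_fixed(token: str, email: str):
    # The token must be bound to the very account being acted on.
    if not token_is_for(token, email):
        return None
    return ACCOUNTS.get(email)
```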
Users are advised to disable and remove the plugin until a patch for the vulnerability is available.
“We need to make sure that unauthenticated REST API endpoints are not overly tolerated and provide more access to users,” PatchStack said. “We also do not recommend hardcoding sensitive or dynamic information such as email addresses that you use for other cases within your codebase.”