The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two critical vulnerabilities, one in the SSH server shipped with Erlang/OTP and one in Roundcube Webmail, to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The Erlang/OTP flaw gives an unauthenticated remote attacker command execution on the host; the Roundcube flaw lets an attacker read and send mail from a victim's account. #Erlang #Roundcube
Key points
- CVE-2025-32433 (Erlang/OTP SSH, CVSS 10.0) and CVE-2024-42009 (Roundcube Webmail) are both being exploited in the wild.
- CVE-2025-32433 is a missing-authentication flaw (CWE-306) in Erlang/OTP's SSH daemon: the server processes SSH connection-protocol messages before authentication has completed, so an unauthenticated remote attacker can execute arbitrary commands, with root privileges if the daemon runs as root. It is fixed in OTP 27.3.3, 26.2.5.11 and 25.3.2.20; any product that embeds Erlang/OTP and exposes its SSH server is in scope, not just hosts that run Erlang directly.
- CVE-2024-42009 is a cross-site scripting flaw in Roundcube's message rendering: a crafted email runs attacker-supplied script in the victim's webmail session when the message is viewed, allowing the attacker to steal emails and send emails from that account. It is fixed in Roundcube 1.6.8 and 1.5.8.
- Under Binding Operational Directive 22-01, Federal Civilian Executive Branch (FCEB) agencies must remediate both vulnerabilities by June 30, 2025.
- Separately, an unpatched account-takeover flaw in the PayU payment plugin for WordPress affects more than 5,000 sites.
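The two KEV entries above are both "upgrade to the fixed release" items, and the practical question for a defender is which hosts in an inventory are still below the patched version on their branch. The script below is an added example, not code from the article or from either vendor. The fixed versions are taken from the Erlang/OTP and Roundcube advisories (OTP 27.3.3 / 26.2.5.11 / 25.3.2.20 and Roundcube 1.6.8 / 1.5.8); the host inventory is constructed sample data, and the rule that a branch newer than the newest listed one counts as patched is an assumption (e.g. OTP 28 shipped after the fix).

```python
"""Triage an inventory of Erlang/OTP and Roundcube versions against the patched releases.

Added example; not from the article. Fixed versions come from the vendor advisories:
  CVE-2025-32433 (Erlang/OTP SSH): OTP-27.3.3, OTP-26.2.5.11, OTP-25.3.2.20
  CVE-2024-42009 (Roundcube):      1.6.8, 1.5.8
INVENTORY below is constructed sample data.
"""
import re

# branch prefix -> lowest patched version on that branch
FIXED = {
    "CVE-2025-32433": {
        (27,): (27, 3, 3),
        (26,): (26, 2, 5, 11),
        (25,): (25, 3, 2, 20),
    },
    "CVE-2024-42009": {
        (1, 6): (1, 6, 8),
        (1, 5): (1, 5, 8),
    },
}


def parse_version(text):
    """Extract the first dotted numeric run: 'OTP-26.2.5.3' -> (26, 2, 5, 3), '1.6.7' -> (1, 6, 7).

    Anything after the numeric run (e.g. '-rc1') is ignored; a string with no digits is an error.
    """
    m = re.search(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.group().split("."))


def assess(cve, version_text):
    """Return 'patched', 'vulnerable' or 'unsupported' for one install.

    'unsupported' means the install is on a branch that received no fix (e.g. OTP 24,
    Roundcube 1.4): there is nothing to patch to, the only remediation is a branch upgrade.
    """
    version = parse_version(version_text)
    table = FIXED[cve]
    for branch, fixed in table.items():
        if version[:len(branch)] == branch:
            # Plain tuple comparison: (26, 2, 5) < (26, 2, 5, 11), so short strings compare correctly.
            return "patched" if version >= fixed else "vulnerable"
    newest = max(table)
    if version[:len(newest)] > newest:
        return "patched"  # ASSUMPTION: a branch newer than the newest fixed branch was cut after the fix
    return "unsupported"


def triage(inventory):
    """inventory: iterable of (host, cve, version_text). Returns a list of (host, cve, version_text, status)."""
    return [(host, cve, ver, assess(cve, ver)) for host, cve, ver in inventory]


def needs_action(inventory):
    """Hosts that are either below the fixed release or on a branch with no fix at all."""
    return [row for row in triage(inventory) if row[3] != "patched"]


# Constructed sample inventory (hostnames and versions are illustrative, not real systems).
INVENTORY = [
    ("broker-01", "CVE-2025-32433", "OTP-26.2.5.3"),
    ("broker-02", "CVE-2025-32433", "OTP-27.3.3"),
    ("legacy-01", "CVE-2025-32433", "OTP-24.3.4.17"),
    ("mail-01", "CVE-2024-42009", "1.6.7"),
    ("mail-02", "CVE-2024-42009", "1.5.8"),
]

if __name__ == "__main__":
    for host, cve, ver, status in triage(INVENTORY):
        print(f"{host:10} {cve:15} {ver:14} {status}")
```

Two caveats when feeding this real data. For Erlang/OTP, the version in the SSH banner is the version of the `ssh` application, not of OTP itself, so take the OTP version from the host (the `OTP_VERSION` file in the release directory) rather than from a network scan; and the flaw is only reachable where the `ssh` application actually runs a server, so a vulnerable version on a host with no SSH listener is an upgrade item, not an emergency. For Roundcube, the version is in `program/include/iniset.php` on the server, and a patched version does not help if a user already viewed a malicious message before the upgrade: check the mail logs for unexpected sends from affected accounts.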
Read More: https://thehackernews.com/2025/06/cisa-adds-erlang-ssh-and-roundcube.html