CVE-2025-48039: CWE-770 Allocation of Resources Without Limits or Throttling in Erlang OTP
Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Exposure. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP from OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15, corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.
AI Analysis
Technical Summary
CVE-2025-48039 is a vulnerability in the Erlang Open Telecom Platform (OTP), specifically in the ssh_sftp modules of the OTP ssh application. The root cause is allocation of resources without proper limits or throttling, classified under CWE-770 (Allocation of Resources Without Limits or Throttling) and CWE-400 (Uncontrolled Resource Consumption). The flaw lets an attacker trigger excessive resource allocation or resource leaks through the SFTP server component (ssh_sftpd.erl).

The advisory gives the affected range as OTP 17.0 until OTP 28.0.3, 27.3.4.3 and 26.2.5.15 (one boundary version per maintained release line), corresponding to ssh 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.

The CVSS v4.0 vector (AV:N/AC:L/PR:L/UI:N) indicates the flaw is reachable over the network with low attack complexity, needs no user interaction, and requires only low privileges, i.e. an account able to open an SFTP session rather than elevated access. The base score is 5.3 (medium). The impact is resource exhaustion: degraded performance or a denial of service (DoS) when memory or other critical resources on the SFTP server are consumed.

No exploits in the wild are reported at the time of writing, and no patches are linked in this record, so remediation status should be confirmed against the vendor advisory. The vulnerability matters because Erlang OTP is widely used in telecommunications, distributed systems and backend services, where ssh is a critical component for secure remote management and file transfer; unbounded resource use in ssh_sftp can disrupt the service itself and cascade into systems that depend on it.
Potential Impact
For European organizations, the impact of this vulnerability can be substantial, especially for those relying on Erlang OTP in critical infrastructure, telecommunications, or enterprise backend systems. Resource exhaustion attacks could lead to denial of service, disrupting business operations, customer services, or internal communications. Given the ssh_sftp module's role in secure file transfers, exploitation could also indirectly affect data availability and operational continuity. Organizations operating large-scale distributed systems or telecom networks using Erlang OTP are at higher risk of service degradation or outages. Furthermore, the medium severity rating suggests that while the vulnerability may not directly lead to data breaches or privilege escalation, the resulting service interruptions could have financial and reputational consequences. The lack of user interaction and low attack complexity means attackers could automate exploitation attempts, increasing the risk of widespread impact if the vulnerability is not mitigated promptly.
Mitigation Recommendations
European organizations should implement the following specific mitigations:

1) Immediately inventory and identify all systems running affected Erlang OTP versions, especially those exposing ssh_sftp services.
2) Apply vendor patches or updates as soon as they become available; if patches are not yet released, consider temporary mitigations such as limiting ssh_sftp service exposure via network segmentation or firewall rules that restrict access to trusted hosts only.
3) Implement resource usage monitoring and alerting on ssh_sftp processes to detect abnormal resource consumption early.
4) Employ rate limiting or connection throttling at the network or application layer to prevent excessive resource allocation attempts.
5) Review and harden ssh_sftp configuration parameters to minimize resource usage and enforce limits where possible.
6) Conduct penetration testing and vulnerability scanning focused on ssh_sftp modules to proactively identify exploitation attempts.
7) Maintain up-to-date incident response plans to quickly address potential denial of service incidents stemming from this vulnerability.
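As a concrete illustration of mitigations 3, 4 and 5, the following Erlang module starts an OTP ssh daemon with the resource limits the ssh and ssh_sftpd APIs already expose. This is an added example, not code from the OTP project or from the advisory: the port, directory paths and numeric limits are assumptions to be adapted per deployment, and the option names used (`max_files` for the SFTP subsystem; `max_sessions`, `max_channels`, `parallel_login`, `negotiation_timeout`, `idle_time` and `connectfun` for the daemon) are taken from the documented OTP ssh daemon and ssh_sftpd options. Because the advisory does not state which allocation in ssh_sftpd.erl is unbounded, these caps are defence in depth that bound how much one authenticated user can consume; upgrading to the versions given in the advisory (mitigation 2) remains the actual remediation.

```erlang
%% hardened_sftpd.erl -- added example, not part of OTP or the advisory.
%% Starts an SFTP-only ssh daemon with per-daemon, per-connection and
%% per-session limits, plus a connect hook for monitoring/alerting.
-module(hardened_sftpd).
-export([start/0, start/1]).

-define(PORT, 2222).                      % assumed listening port

start() -> start(?PORT).

start(Port) ->
    %% Per-session cap on open file handles inside the SFTP subsystem.
    %% The ssh_sftpd default is 0, meaning no upper limit.
    SftpSpec = ssh_sftpd:subsystem_spec([
        {root, "/srv/sftp"},              % assumed chroot-style root
        {cwd,  "/srv/sftp"},
        {max_files, 64}
    ]),
    ssh:daemon(Port, [
        {system_dir, "/etc/ssh"},         % host keys (assumed path)
        {user_dir,   "/var/lib/sftp/keys"}, % authorized_keys location (assumed)
        {auth_methods, "publickey"},      % no password guessing surface
        {subsystems, [SftpSpec]},         % SFTP only; no shell subsystem

        %% Daemon-wide and per-connection throttles (mitigation 4):
        {max_sessions, 20},               % concurrent connections to this daemon
        {max_channels, 4},                % channels with an active subsystem per connection
        {parallel_login, false},          % one login in progress at a time

        %% Time bounds so half-open or idle sessions release resources:
        {negotiation_timeout, 30000},     % ms before an unauthenticated connection is dropped
        {idle_time, 120000},              % ms of inactivity before the connection is closed

        %% Hook every successful login into the logger so a SIEM can alert
        %% on login bursts or a single account opening many sessions (mitigation 3).
        {connectfun, fun(User, {Ip, _Port}, Method) ->
            logger:notice("sftp login user=~s peer=~s method=~s",
                          [User, inet:ntoa(Ip), Method])
        end}
    ]).
```

Start it from a release or a shell with `hardened_sftpd:start().` after `ssh:start()`. The `connectfun` hook assumes OTP 21 or later, where the `logger` module exists; older releases in the affected range would use `error_logger` instead. Pairing these limits with a network-layer restriction on who can reach the port (mitigation 2) keeps the remaining exposure to a known set of low-privilege accounts whose per-session consumption is now capped.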
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: EEF
- Date Reserved: 2025-05-15T08:36:04.576Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68c31dfb563d4c3db05f6e4c
Added to database: 9/11/2025, 7:07:39 PM
Last enriched: 9/11/2025, 7:08:37 PM
Last updated: 9/11/2025, 7:08:37 PM