
CVE-2025-48041: CWE-770 Allocation of Resources Without Limits or Throttling in Erlang OTP

High
Tags: Vulnerability, CVE-2025-48041, cve, cve-2025-48041, cwe-770, cwe-400
Published: Thu Sep 11 2025 (09/11/2025, 08:14:20 UTC)
Source: CVE Database V5
Vendor/Project: Erlang
Product: OTP

Description

Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Flooding. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP from OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15, corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.

AI-Powered Analysis

Last updated: 09/11/2025, 19:09:22 UTC

Technical Analysis

CVE-2025-48041 is a high-severity vulnerability affecting the Erlang Open Telecom Platform (OTP), specifically within the ssh_sftp modules of the OTP ssh implementation. The vulnerability is categorized under CWE-770 (Allocation of Resources Without Limits or Throttling) and CWE-400 (Uncontrolled Resource Consumption). It allows an attacker to cause excessive resource allocation and flooding by exploiting the ssh_sftp server component (lib/ssh/src/ssh_sftpd.erl). This can lead to denial of service conditions by exhausting system resources such as memory or CPU, potentially impacting the availability of services relying on Erlang OTP's SSH server.

The affected versions span a wide range of OTP releases, from OTP 17.0 through OTP 28.0.3, including specific patch versions 27.3.4.3 and 26.2.5.15, and ssh versions from 3.0.1 up to 5.3.3 and related sub-versions. The vulnerability does not require user interaction or authentication but does require low privileges (PR:L), meaning an attacker with some level of access can exploit it remotely (AV:N). The CVSS v4.0 score is 7.1, reflecting high severity due to the potential for high impact on availability without the need for user interaction or complex attack conditions.

No known exploits are currently reported in the wild, and no patches are linked in the provided data, suggesting that organizations should prioritize monitoring and mitigation efforts. The root cause is the lack of proper limits or throttling on resource allocation within the ssh_sftp server, allowing attackers to flood the service and degrade or deny legitimate access.

Potential Impact

For European organizations, the impact of this vulnerability can be significant, especially for those relying on Erlang OTP for critical infrastructure, telecommunications, or backend services that utilize SSH and SFTP for secure file transfers and remote management. Exploitation could lead to denial of service, disrupting business operations, causing downtime, and potentially affecting service level agreements (SLAs). Organizations in sectors such as telecommunications, finance, and government, which often deploy Erlang-based systems for their robustness and concurrency capabilities, may face operational interruptions. Additionally, the resource exhaustion could be leveraged as part of a broader attack strategy to distract or degrade defenses while other attacks are conducted. The lack of authentication requirement for exploitation increases the risk surface, as attackers can initiate flooding remotely. Given the widespread use of Erlang OTP in European telecom infrastructure and backend systems, the threat could affect a broad range of enterprises and service providers, potentially impacting end-users and customers.

Mitigation Recommendations

1. Immediate mitigation should include monitoring and limiting incoming SSH/SFTP connections to Erlang OTP servers, employing network-level rate limiting and connection throttling to prevent flooding attacks.
2. Deploy application-layer controls to detect and block abnormal SSH/SFTP session behaviors indicative of resource exhaustion attempts.
3. Isolate Erlang OTP SSH services behind firewalls or intrusion prevention systems (IPS) configured to detect excessive resource usage patterns.
4. Apply strict access controls and network segmentation to limit exposure of vulnerable OTP SSH services to untrusted networks.
5. Since no patches are currently linked, organizations should engage with Erlang OTP maintainers or vendors for updates and apply patches promptly once available.
6. Implement resource quotas and limits at the operating system or container level to prevent a single service from exhausting system resources.
7. Conduct regular vulnerability scanning and penetration testing focused on SSH/SFTP services to identify potential exploitation attempts.
8. Maintain comprehensive logging and alerting on Erlang OTP SSH service resource usage to enable rapid detection and response.
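As an added example (not code from the advisory or from the OTP project), the following Erlang module shows an ssh daemon started with the default, unbounded resource settings next to one that applies the per-daemon limits the ssh application already offers (maximum sessions, channels per connection, negotiation and idle timeouts, and ssh_sftpd's max_files, whose default of 0 means no upper limit). It also returns the installed ssh application version so an operator can compare it against the affected ranges listed above. The paths /etc/ssh-erl and /srv/sftp and the numeric limits are assumptions chosen for illustration; these limits are generic hardening against flooding and are not a substitute for the upstream fix.

```erlang
%% Added example; not part of the advisory or the Erlang/OTP project.
%% Assumptions: host keys live in /etc/ssh-erl (system_dir), per-user
%% authorized_keys under /etc/ssh-erl/users (user_dir), and the sftp tree
%% is rooted at /srv/sftp. The limit values are illustrative, not tuned.
-module(sftp_limits).
-export([start_unbounded/1, start_bounded/1, ssh_app_version/0]).

%% Weak configuration: nothing caps concurrent sessions, channels per
%% connection, or open sftp file handles (max_files defaults to 0 = no limit).
start_unbounded(Port) ->
    ssh:daemon(Port, [
        {system_dir, "/etc/ssh-erl"},
        {user_dir, "/etc/ssh-erl/users"},
        {subsystems, [ssh_sftpd:subsystem_spec([{root, "/srv/sftp"}])]}
    ]).

%% Hardened configuration: bounds the resources one client, or a flood of
%% clients, can hold open on this daemon.
start_bounded(Port) ->
    ssh:daemon(Port, [
        {system_dir, "/etc/ssh-erl"},
        {user_dir, "/etc/ssh-erl/users"},
        %% total simultaneous connections accepted by this daemon,
        %% including ones still being authenticated
        {max_sessions, 50},
        %% only one login negotiation in progress at a time
        {parallel_login, false},
        %% subsystem channels (e.g. sftp) allowed per connection
        {max_channels, 4},
        %% milliseconds a peer gets to finish key exchange and auth
        {negotiation_timeout, 30000},
        %% milliseconds of inactivity before the connection is closed
        {idle_time, 300000},
        {subsystems, [ssh_sftpd:subsystem_spec([
            {root, "/srv/sftp"},
            %% open file handles one sftp session may hold
            {max_files, 32}
        ])]}
    ]).

%% Returns the version string of the installed ssh application, for
%% comparison against the affected ssh ranges given in the advisory.
ssh_app_version() ->
    case application:load(ssh) of
        ok -> ok;
        {error, {already_loaded, ssh}} -> ok
    end,
    {ok, Vsn} = application:get_key(ssh, vsn),
    Vsn.
```

Usage from an Erlang shell: `sftp_limits:ssh_app_version().` prints the installed ssh version, and `sftp_limits:start_bounded(2222).` starts the bounded daemon (the crypto, public_key and ssh applications must be started first). The combination of max_sessions with a short negotiation_timeout is the part that matters most for flooding: it frees slots held by peers that connect but never complete authentication, which is the behaviour network-level rate limiting alone does not see.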


Technical Details

Data Version: 5.1
Assigner Short Name: EEF
Date Reserved: 2025-05-15T08:40:25.455Z
Cvss Version: 4.0
State: PUBLISHED

Threat ID: 68c31dfb563d4c3db05f6e5a

Added to database: 9/11/2025, 7:07:39 PM

Last enriched: 9/11/2025, 7:09:22 PM

Last updated: 9/11/2025, 7:09:22 PM
