OTP SSH — CVE-2025-32433

Overview

A critical vulnerability exists in the Erlang/OTP SSH server that enables unauthenticated remote code execution. The SSH implementation processes connection-protocol messages such as channel_request "before authentication was complete", violating RFC 4252 Section 6.

Attack Vector

An attacker can:

  1. Establish a TCP connection to the SSH server
  2. Send a valid SSH_MSG_KEXINIT message
  3. Skip authentication entirely
  4. Send a channel_request with exec containing arbitrary Erlang code for evaluation

This leads to unauthenticated RCE as the payload reaches Erlang's evaluation path.
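The defect the steps above describe is a missing state check: the server dispatches connection-protocol messages (RFC 4254, message numbers 80-127) whether or not SSH_MSG_USERAUTH_SUCCESS has been sent. The following model of that gate is an added example written for this page, not Erlang/OTP code or the cited exploit; it assumes nothing beyond the message numbers fixed in the SSH RFCs, and the message sequences in it are constructed.

```python
"""Model of the message gate RFC 4252 requires: connection-protocol messages
(RFC 4254, numbers 80-127) must not be processed until the server has sent
SSH_MSG_USERAUTH_SUCCESS. Added example, not Erlang/OTP code."""

# Message numbers from RFC 4253 (transport), RFC 4252 (userauth), RFC 4254 (connection).
SSH_MSG_DISCONNECT       = 1
SSH_MSG_SERVICE_REQUEST  = 5
SSH_MSG_KEXINIT          = 20
SSH_MSG_NEWKEYS          = 21
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_SUCCESS = 52   # server -> client
SSH_MSG_CHANNEL_OPEN     = 90
SSH_MSG_CHANNEL_REQUEST  = 98


def msg_class(msg_type):
    """Map a message number onto the RFC 4250 number ranges."""
    if 1 <= msg_type <= 49:
        return "transport"
    if 50 <= msg_type <= 79:
        return "userauth"
    if 80 <= msg_type <= 127:
        return "connection"
    raise ValueError(f"unexpected message number {msg_type}")


class MessageGate:
    """Decides whether a client message may be dispatched to its handler."""

    def __init__(self, enforce_rfc4252=True):
        self.authenticated = False
        self.enforce = enforce_rfc4252   # False models the unpatched behaviour

    def server_sent(self, msg_type):
        # Only the server's own USERAUTH_SUCCESS moves the session past auth.
        if msg_type == SSH_MSG_USERAUTH_SUCCESS:
            self.authenticated = True

    def accepts(self, msg_type):
        # Connection-protocol messages before authentication are the bug class here.
        if msg_class(msg_type) == "connection" and not self.authenticated:
            return not self.enforce
        return True


def run_sequence(messages, enforce_rfc4252=True):
    """messages: list of (direction, msg_type), direction 'c' (client->server)
    or 's' (server->client). Returns the decision log; a conforming server
    disconnects at the first rejected message, so the log stops there."""
    gate = MessageGate(enforce_rfc4252)
    log = []
    for direction, msg_type in messages:
        if direction == "s":
            gate.server_sent(msg_type)
            continue
        ok = gate.accepts(msg_type)
        log.append((msg_type, "accepted" if ok else "rejected"))
        if not ok:
            break
    return log


# Constructed sequences. The first follows the pre-authentication ordering
# described above, with the connection-protocol messages in RFC 4254 order.
PRE_AUTH_SEQUENCE = [("c", SSH_MSG_KEXINIT), ("c", SSH_MSG_NEWKEYS),
                     ("c", SSH_MSG_SERVICE_REQUEST), ("c", SSH_MSG_CHANNEL_OPEN),
                     ("c", SSH_MSG_CHANNEL_REQUEST)]
AUTHENTICATED_SEQUENCE = [("c", SSH_MSG_KEXINIT), ("c", SSH_MSG_NEWKEYS),
                          ("c", SSH_MSG_SERVICE_REQUEST), ("c", SSH_MSG_USERAUTH_REQUEST),
                          ("s", SSH_MSG_USERAUTH_SUCCESS), ("c", SSH_MSG_CHANNEL_OPEN),
                          ("c", SSH_MSG_CHANNEL_REQUEST)]

if __name__ == "__main__":
    print("patched  :", run_sequence(PRE_AUTH_SEQUENCE))
    print("unpatched:", run_sequence(PRE_AUTH_SEQUENCE, enforce_rfc4252=False))
    print("legit    :", run_sequence(AUTHENTICATED_SEQUENCE))
```

With enforcement on, the pre-auth sequence is cut off at the first connection-protocol message and the session never reaches a channel_request handler; with enforcement off, every message is dispatched, which is the condition the writeup exploits. The legitimate sequence is accepted in full only because the server itself emitted SSH_MSG_USERAUTH_SUCCESS.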

Development Environment Setup

Required Files

ssh_server.erl - an Erlang module that starts the vulnerable SSH daemon on port 2222 with password authentication configured to reject every credential, so that any command execution during testing demonstrates the authentication bypass rather than a valid login.

Dockerfile - Based on Debian Bookworm, builds Erlang/OTP 26.2.5.10 from source, generates RSA keys, and runs the SSH server.

Deployment

docker build -t erlang-ssh .
docker run -d --name erlang-ssh -p 2222:2222 erlang-ssh

Verify connectivity:

nc 127.0.0.1 2222 -v

Expected response: SSH-2.0-Erlang/5.1.4.7
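The banner above is the quickest way to inventory exposure on your own hosts, since the Erlang SSH server identifies itself as Erlang/<ssh application version> rather than by OTP release. The checker below is an added example, not code from this page or from the linked repository. It assumes the RFC 4253 identification-string format, and the patched ssh application versions in it (5.1.4.8 for the OTP 26 line that this lab's 26.2.5.10 belongs to, plus the neighbouring lines) are recalled from the Erlang/OTP advisory and should be confirmed against it before the result is relied on; the sample banners are constructed.

```python
"""Exposure check for Erlang/OTP SSH servers from the version banner.
Added example, not code from the original page or the cited repository."""
import re
import socket

# Patched versions of the OTP `ssh` application for CVE-2025-32433, as
# recalled from the Erlang/OTP advisory. Assumed values: confirm them
# against the advisory before acting on this classification.
PATCHED_SSH_APP = {
    (4, 15): (4, 15, 3, 13),  # OTP 25 line
    (5, 1): (5, 1, 4, 8),     # OTP 26 line; 26.2.5.10 ships 5.1.4.7 (see banner above)
    (5, 2): (5, 2, 10),       # OTP 27 line
}

# RFC 4253 identification string: "SSH-protoversion-softwareversion [comments]"
BANNER_RE = re.compile(rb"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)")


def parse_banner(data):
    """Return (protocol, software) from the first 'SSH-' line, or None.
    RFC 4253 permits other lines before the identification string, so scan."""
    for line in data.splitlines():
        m = BANNER_RE.match(line)
        if m:
            return m.group("proto").decode(), m.group("software").decode()
    return None


def erlang_ssh_version(software):
    """'Erlang/5.1.4.7' -> (5, 1, 4, 7); None for non-Erlang software strings."""
    m = re.fullmatch(r"Erlang/(\d+(?:\.\d+)*)", software)
    if not m:
        return None
    return tuple(int(x) for x in m.group(1).split("."))


def assess(data):
    """Classify a raw banner as 'vulnerable', 'patched', 'not_erlang' or 'unknown',
    together with the parsed ssh application version string."""
    parsed = parse_banner(data)
    if parsed is None:
        return ("unknown", None)
    _, software = parsed
    ver = erlang_ssh_version(software)
    if ver is None:
        return ("not_erlang", None)
    ver_str = ".".join(map(str, ver))
    line = ver[:2]
    if line in PATCHED_SSH_APP:
        status = "patched" if ver >= PATCHED_SSH_APP[line] else "vulnerable"
    elif line < (4, 15):
        status = "vulnerable"   # older ssh app lines predate the fix entirely
    else:
        status = "unknown"      # newer line than the advisory covers; check release notes
    return (status, ver_str)


def grab_banner(host, port=22, timeout=5.0):
    """Read the identification string from a server you administer."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(256)


if __name__ == "__main__":
    # Constructed sample banners; the first matches the lab server on this page.
    for sample in (b"SSH-2.0-Erlang/5.1.4.7\r\n",
                   b"SSH-2.0-Erlang/5.1.4.8\r\n",
                   b"SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u5\r\n"):
        print(sample.strip().decode(), "->", assess(sample))
```

The version tuple is compared against the patched version for its own major.minor line, because each supported OTP release carries its own ssh application series and a plain numeric comparison across lines would misclassify, for example, 5.1.4.8 against 5.2.10.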

Proof of Concept

The exploit script (cve-2025-32433.py) demonstrates the vulnerability:

python3 cve-2025-32433.py -t 127.0.0.1 -p 2222

With a reverse shell listener established, commands execute as root. The script bypasses authentication and executes arbitrary shell commands via Erlang code injection.

Source: Full exploit code available at https://github.com/0xPThree/cve-2025-32433/tree/main
