I'm always excited to connect with professionals, collaborate on cybersecurity projects, or share insights.
When people think of Erlang, they think of uptime — a language built for resilience, powering telecom systems, distributed databases, and scalable messaging platforms. But with CVE-2025-32433, we’re seeing what happens when the very features that make a system robust become its Achilles' heel.
This vulnerability is a serious unauthenticated remote code execution (RCE) issue in the SSH implementation of Erlang/OTP. With a perfect 10.0 CVSS score, this bug allows remote attackers to execute code without credentials or user interaction. It affects a broad range of systems, especially those built on high-availability Erlang infrastructure.
Let’s break it all down — not just how to exploit it, but how it works under the hood, what detection looks like, and how you can stay protected.
Table of contents [Show]
CVE-2025-32433 targets Erlang/OTP’s SSH daemon, which mishandles the SSH protocol's message structure during the pre-authentication phase. According to SSH standards, messages with identifiers >= 80
are meant to be sent after authentication. However, in this implementation, that restriction wasn’t enforced.
This means an attacker can send malicious messages before any login occurs — and get code execution if crafted properly.
In essence, this opens the door wide to anyone with network access to the SSH port.
To demonstrate the impact of this flaw, we used a TryHackMe environment set up to mimic a vulnerable Erlang/OTP deployment. This isn’t about solving a room — it’s about analyzing how this exploit behaves in a real network.
Clone the public PoC:
git clone https://github.com/ProDefense/CVE-2025-32433 cd CVE-2025-32433
Edit the target IP:
Modify CVE-2025-32433.py
with your target machine’s IP:
Understand the payload:
The exploit runs a basic command to create a file on the target system:
file:write_file("/lab.txt", <<"pwned">>).
Launch the attack:
If the server is vulnerable, you’ll get confirmation — and the file will be created, all without logging in.
To validate the exploit more deeply, we modified the payload to exfiltrate data via netcat
:
With a listener running on the attacker machine:
We confirmed that arbitrary command execution was achieved — with output delivered directly to us.
Because this exploit abuses pre-auth SSH messages, it often evades traditional server-side logs. But at the network layer, you can still spot it:
SSH_MSG_CHANNEL_REQUEST
before authenticationfile:write_file
, os:cmd
, etc.Packet inspection tools such as Wireshark and IDS platforms like Suricata or FortiGate IPS can help here. Expect to find the payload in cleartext.
Once on the system, here’s what you can look for:
/lab.txt
or /tmp/*
written recentlyos:cmd
or unexpected usage of netcat
, wget
, etc.Don’t forget to inspect cron jobs, systemd timers, and newly added persistence mechanisms.
Patch immediately if your system is running one of the following vulnerable OTP versions:
If patching isn’t possible, consider the following short-term mitigations:
This isn’t a bug that needs advanced privilege chaining. There’s no brute force. No bypass.
It’s a clean, pre-auth RCE via a single malformed message — against a component that underpins fault-tolerant, real-time systems. That’s what makes it dangerous.
Whether you're red team or blue team, CVE-2025-32433 should be on your radar:
If you’re securing modern infrastructure, don’t overlook lesser-known stacks like Erlang. This CVE is a perfect reminder that even the most “mature” systems can hide critical flaws.
Your email address will not be published. Required fields are marked *