RCE in Erlang OTP SSH – CVE-2025-32433

Vulnerable Version

versions prior to 1.3.0

Fixed Version

versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20

Base Score

10 (Critical)

Vendor Description:

Erlang/OTP SSH is a built-in application of the Erlang/OTP platform that implements the Secure Shell (SSH) protocol. It allows Erlang systems to act as SSH clients or servers, providing remote shell access, file transfer, and encrypted communication between nodes. The application is commonly used in distributed Erlang deployments for secure administration, code distribution, and automation. It supports password and public-key authentication and integrates with other Erlang applications through OTP's supervision and concurrency model.

Vulnerability Description:

This vulnerability stems from how Erlang/OTP's SSH server handles connection-protocol messages during the pre-authentication phase. SSH message numbers 80 and above are reserved for the connection protocol and are only valid once authentication has completed; a conforming server must disconnect a client that sends one earlier. The vulnerable versions do not enforce this check, so an unauthenticated client can have such messages processed by the server and ultimately obtain unauthorized code execution.
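As an added example (not part of this advisory or of the Erlang/OTP code base), the following passive check models the rule the vulnerable versions failed to enforce from the defender's side: it parses the plaintext SSH binary packets of a client-to-server stream up to SSH_MSG_NEWKEYS and flags any connection-protocol message number (80 to 127) that arrives while key exchange, and therefore authentication, is still incomplete. The function names and the two sample streams are constructed for this illustration.

```python
import struct

# RFC 4250 message numbers used here; 80..127 is the connection-protocol range
SSH_MSG_KEXINIT, SSH_MSG_NEWKEYS = 20, 21
SSH_MSG_CHANNEL_OPEN, SSH_MSG_CHANNEL_REQUEST = 90, 98
CONNECTION_PROTOCOL_MIN, CONNECTION_PROTOCOL_MAX = 80, 127

def parse_plaintext_packets(client_stream: bytes):
    """Yield the message number of each plaintext SSH binary packet (RFC 4253: uint32
    packet_length, byte padding_length, payload, padding; no MAC before NEWKEYS) in the
    client->server stream, stopping at SSH_MSG_NEWKEYS since later bytes are encrypted."""
    if client_stream.startswith(b"SSH-"):  # skip the version-exchange line
        client_stream = client_stream[client_stream.index(b"\n") + 1:]
    off = 0
    while off + 5 <= len(client_stream):
        (packet_length,) = struct.unpack(">I", client_stream[off:off + 4])
        padding_length = client_stream[off + 4]
        payload_length = packet_length - padding_length - 1
        if padding_length < 4 or payload_length < 1 or off + 4 + packet_length > len(client_stream):
            raise ValueError(f"malformed SSH packet at offset {off}")
        msg = client_stream[off + 5]  # first payload byte is the message number
        yield msg
        if msg == SSH_MSG_NEWKEYS:
            return
        off += 4 + packet_length

def pre_auth_connection_messages(client_stream: bytes) -> list:
    """Connection-protocol message numbers seen while the client is still in plaintext key
    exchange, i.e. before authentication can have completed. A compliant server disconnects
    on the first one; the vulnerable Erlang/OTP versions processed it instead."""
    return [m for m in parse_plaintext_packets(client_stream)
            if CONNECTION_PROTOCOL_MIN <= m <= CONNECTION_PROTOCOL_MAX]

def build_packet(payload: bytes, block_size: int = 8) -> bytes:
    """Constructed helper, used only to build the sample streams below (RFC 4253 framing)."""
    pad = block_size - ((5 + len(payload)) % block_size)
    if pad < 4:
        pad += block_size
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + bytes(pad)

# Constructed sample streams: a normal client, and one sending channel messages (types 90
# and 98, the ones named in this advisory) before key exchange has finished.
VERSION_AND_KEXINIT = b"SSH-2.0-client\r\n" + build_packet(bytes([SSH_MSG_KEXINIT]) + bytes(16))
BENIGN_CLIENT = VERSION_AND_KEXINIT + build_packet(bytes([SSH_MSG_NEWKEYS]))
SUSPICIOUS_CLIENT = (VERSION_AND_KEXINIT + build_packet(bytes([SSH_MSG_CHANNEL_OPEN]) + bytes(4))
                     + build_packet(bytes([SSH_MSG_CHANNEL_REQUEST]) + bytes(4)))
```

Run over a captured client stream, a non-empty result is the signal the post-authentication logs will never give you; the same rule, applied inside the server, is the disconnect the fixed versions perform.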

Impact

  • Complete System Takeover: The attacker can execute any command with the same privileges as the SSH service. In many Erlang/OTP deployments this service runs as root, giving the attacker full control of the host: modifying data, installing malware, creating user accounts, and running arbitrary software. Security researchers have noted that this level of access can lead to ransomware deployment or loss of critical data.
  • Stealthy Pre-Authentication Exploitation: The attack requires neither valid credentials nor user interaction, which makes it hard to detect. Because it happens before authentication, the usual indicators such as failed-login entries in authentication logs may never appear, letting attackers get in with little or no trace.
  • Internal Network Breach: Once a system is compromised, attackers can use it as a foothold to reach or attack other internal systems. In enterprise environments, a compromised Erlang/OTP service can be leveraged to move laterally across the network, discover internal assets, or exfiltrate sensitive data.
  • Service Disruption and System Sabotage: An attacker could simply crash the service or disable critical functions. In mission-critical environments such as telecom or messaging platforms, this could cause a significant outage. Although Erlang is designed for fault tolerance, that resilience is of little use if an attacker can terminate processes or overwhelm the system with malicious commands.

Mitigations

  • Restrict Network Exposure: Implement strict firewall rules or cloud security groups to limit access to the SSH service. Only allow connections from trusted IP ranges (e.g., internal management networks).
  • Disable Erlang SSH Service (if Non-Essential): If the SSH functionality provided by Erlang/OTP is not critical to operations, temporarily disable the service to eliminate the attack surface.
  • Enforce Network Segmentation: Isolate Erlang nodes behind a secure bastion or ensure access is only permitted through an internal VPN. Avoid exposing Erlang/OTP services directly to the internet.
  • Command Execution Monitoring: Detect unusual system commands spawned by beam.smp or other Erlang processes, particularly those outside the normal scope of application behavior.
  • Detect Silent Exploits: Since exploitation can occur without any authentication attempt or login record, supplement standard log review with behavioral detection rules (e.g., SIEM alerts for suspicious process spawning by Erlang-related services).

POC

To reproduce the vulnerability, use the following exploit.py script. For example, the following command creates a file inside the target container.

python exploit.py -t 127.0.0.1 -p 2222 -c "touch /tmp/success"

The script sends a crafted SSH_MSG_CHANNEL_REQUEST packet, exploiting the missing pre-authentication check in the server's message handling to execute an arbitrary command before any credentials are presented.

After successful exploitation, you can enter the container and notice that the /tmp/success file has been created.


References:

https://github.com/vulhub/vulhub/tree/master/erlang/CVE-2025-32433
