CVE-2025-32433 - Serious Remote Code Execution in Erlang/OTP SSH Server – Explained

*Posted June 2024 – Exclusive long read for developers, sysadmins, and security pros*


## What Is Erlang/OTP?

Erlang/OTP is a collection of libraries and tools used to build highly scalable, fault-tolerant applications. You’ll find it powering messaging systems, telecom platforms, and distributed backends. Its power lies in handling thousands (or millions!) of simultaneous connections.

What’s CVE-2025-32433 All About?

CVE-2025-32433 is a newly disclosed, critical vulnerability affecting SSH servers in Erlang/OTP before these versions:

OTP-25.3.2.20

If you’re running an Erlang/OTP SSH server below these versions, you’re at real risk.

The issue:
Attackers can remotely execute code on your Erlang/OTP box *without* any authentication. This is classic RCE (Remote Code Execution).

How?
A flaw in how SSH protocol messages are handled lets hackers send custom crafted packets and slip past authentication. The attacker doesn’t need a password or SSH key—just network access to your server.

Links & References

- Official Erlang/OTP Security Advisory
- CVE Record at NVD
- Erlang/OTP GitHub

Exploiting CVE-2025-32433: How Bad Is It?

To keep it simple: A successful attack gives total control over your server.

Pivot to attack other systems in your network

This is *unauthenticated access*—no login needed.

Suppose your Erlang/OTP SSH server uses a standard callback module, like

{ok, ListenSocket} = ssh:daemon(2222, [{system_dir, "./ssh_keys"}, {user_dir, "./ssh_keys/users"}]).

*Pseudo-attack flow:*

1. Attacker connects to SSH server port 2222
2. Attacker sends malformed packet with exploit payload
3. Server processes packet and runs injected code

Proof of Concept (PoC)

The real-world exploit might use Python, Metasploit, or a custom crafted SSH client. Here’s a simplified hypothetical snippet:

import paramiko

# WARNING: For educational use only, do not run against any system without permission!

target_ip = "vulnerable.host"
target_port = 2222

ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())

try:
    # Connect, but send a custom malformed SSH handshake payload
    # This part would exploit the vulnerable packet handler in Erlang/OTP
    ssh.connect(target_ip, port=target_port, username="fakeuser", password="notneeded", allow_agent=False, look_for_keys=False)
except Exception as e:
    print("Exploit triggered, check target box for RCE shell.")

*Real exploits will use specially crafted wire data—NOT just bad usernames or passwords.*

OTP 25: Patch to 25.3.2.20 or later

Official download and release notes here:
https://www.erlang.org/downloads

Example Linux command

sudo ufw deny 2222/tcp

Conclusion

CVE-2025-32433 is a critical flaw. If you run an Erlang/OTP SSH server exposed to the internet, patch immediately or shut it off.

Stay safe—keep up-to-date, subscribe to official Erlang Mailing List for alerts, and always firewall sensitive endpoints.


*For more details:
Erlang/OTP Security Advisories
Full CVE Description @ NVD*

Timeline

Published on: 04/16/2025 22:15:14 UTC