CVE-2025-32433 | SSH | RCE
| Vulnerability | CVE-2025-32433 |
|---|---|
| Type | Unauthenticated Remote Code Execution |
| Description | This vulnerability affects the SSH server implementation within the Erlang/OTP (Open Telecom Platform) library. The flaw allows an unauthenticated remote attacker to achieve remote code execution (RCE) on a vulnerable system. It arises from improper handling of SSH protocol messages during the initial connection phase, before authentication takes place. |
| Affected Systems | Systems that depend on the built-in SSH server in Erlang/OTP versions prior to Erlang/OTP-27.3.3 for OTP v27, Erlang/OTP-26.2.5.11 for OTP v26, Erlang/OTP-25.3.2.20 for OTP v25 |
| Attack Vector | Remote: Attackers exploit the Erlang/OTP SSH server to bypass the authentication process and execute arbitrary code with the privileges of the SSH daemon. |
| Exploit Mechanics | Exploits the lack of proper validation for SSH message numbers intended for post-authentication, allowing the sending of crafted messages (e.g., SSH_MSG_CHANNEL_OPEN, SSH_MSG_CHANNEL_REQUEST) before authentication. The vulnerable server incorrectly processes these pre-authentication messages, leading to arbitrary command execution. |
| The Impact of the Bug | - Unauthenticated Remote Code Execution (RCE): Attackers can execute arbitrary code on the target system without needing any valid credentials. |
| Detection Techniques | Log Analysis - There are no artifacts from the exploit itself; all the artifacts are related to the command executed. Network Traffic Inspection - Analyze the incoming traffic to the SSH server; check for any SSH_MSG_CHANNEL_OPEN or SSH_MSG_CHANNEL_REQUEST before receiving any SSH_MSG_USERAUTH_SUCCESS message. Behavioral Detection - The SSH server with a vulnerable version receives an SSH_MSG_CHANNEL_OPEN or SSH_MSG_CHANNEL_REQUEST request before sending SSH_MSG_USERAUTH_SUCCESS. |
| Mitigation Steps | Update to OTP-27.3.3 (for OTP-27), OTP-26.2.5.11 (for OTP-26), or OTP-25.3.2.20 (for OTP-25). |
| Workarounds | Disable the SSH server or prevent access to it via firewall rules |
| References | - Unauthenticated Remote Code Execution in Erlang/OTP SSH - CVE-2025-32433: Erlang/OTP SSH Unauthenticated Remote Code Execution Vulnerability - Successful PoC |
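
The network-inspection check from the Detection Techniques row, as an added example (not code from the referenced advisories or from Erlang/OTP): it walks the cleartext SSH binary packets of a reassembled client-to-server stream and reports channel messages seen before key exchange completes. It assumes the messages arrive before SSH_MSG_NEWKEYS, since later packets are encrypted and cannot be classified from the wire; the function names and sample streams are constructed for illustration.

```python
import struct

# Message numbers from RFC 4250 / RFC 4254.
SSH_MSG_NEWKEYS = 21
CHANNEL_MSGS = {90: "SSH_MSG_CHANNEL_OPEN", 98: "SSH_MSG_CHANNEL_REQUEST"}


def frame(msg_type, body=b""):
    """Build one unencrypted SSH binary packet (RFC 4253 section 6) for the samples."""
    payload = bytes([msg_type]) + body
    pad = 8 - (5 + len(payload)) % 8
    if pad < 4:  # RFC 4253 requires at least 4 bytes of padding
        pad += 8
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + bytes(pad)


def preauth_channel_messages(stream):
    """Return names of channel messages seen in cleartext in a client->server stream.

    Parsing stops at SSH_MSG_NEWKEYS (later packets are encrypted) or at a
    truncated or malformed packet.
    """
    hits = []
    nl = stream.find(b"\n")
    if not stream.startswith(b"SSH-") or nl < 0:
        return hits  # no identification line, so not an SSH client stream
    pos = nl + 1
    while pos + 5 <= len(stream):
        length, pad = struct.unpack_from(">IB", stream, pos)
        # Need at least one payload byte; 35000 is the RFC 4253 packet size bound.
        if length < pad + 2 or length > 35000 or pos + 4 + length > len(stream):
            break
        msg_type = stream[pos + 5]
        if msg_type == SSH_MSG_NEWKEYS:
            break
        if msg_type in CHANNEL_MSGS:
            hits.append(CHANNEL_MSGS[msg_type])
        pos += 4 + length
    return hits


# Constructed sample streams (not captured traffic); bodies are placeholder bytes.
BANNER = b"SSH-2.0-constructed_client\r\n"
NORMAL = BANNER + frame(20, b"\x00" * 16) + frame(30, b"kex") + frame(21)
SUSPECT = BANNER + frame(20, b"\x00" * 16) + frame(90, b"placeholder") + frame(98, b"placeholder")

if __name__ == "__main__":
    print("normal :", preauth_channel_messages(NORMAL))
    print("suspect:", preauth_channel_messages(SUSPECT))
```

An empty result only means no cleartext channel message was seen; it does not replace patching to the fixed OTP versions listed above.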