Mystic

PoC: Unauthenticated RCE in SSH (Erlang/OTP)


Ever seen an SSH port on a machine and wondered whether it was possible to run commands as root without having a private key or knowing the password of any user at all? What if there was a bug that could let you do so?

Well yes, it is possible!

A recently disclosed vulnerability in the Erlang/OTP SSH server allows an unauthenticated attacker to execute arbitrary code on the server by exploiting a flaw in how SSH protocol messages are handled before authentication. The vulnerability is tracked as CVE-2025-32433 and carries a CVSS score of 10.0 (😱).

For interested professionals, “If your application provides SSH access using the Erlang/OTP SSH library, assume you are affected.”

The proof of concept (PoC) for exploiting this vulnerability can be found here — it was tested on the Soulmate machine from Hack The Box.

Fig 1: I don’t need a key to SSH

Mitigation

Before diving into the details, for the lucky people reading this blog in time, the mitigation steps available as of now are as follows:

  • Upgrade to a patched version: OTP-27.3.3, OTP-26.2.5.11 or OTP-25.3.2.20, depending on which branch you run. The full list of patched versions is available in the official repository. (Personally recommended unless the upgrade breaks something important)
  • A temporary workaround is to prevent access to the SSH server, either with firewall rules that restrict the port to trusted hosts or by disabling the SSH server entirely. (Personally, not recommended)

Understanding Erlang/OTP SSH

For my beloved readers who made it this far and would like to understand what Erlang/OTP is:

  • Erlang is a functional programming language originally designed for telecommunication systems that had to handle massive concurrency, fault tolerance and high availability, like phone switches. Today it is used in distributed, real-time and highly reliable systems such as WhatsApp, RabbitMQ and CouchDB.
  • OTP (Open Telecom Platform) is a set of libraries, design principles and tools built on top of Erlang. It is what makes Erlang practical for building large-scale, production-ready systems.
  • Together they form what people commonly refer to as Erlang/OTP. Because it is built for distributed systems, developers should not have to rely on external tools like OpenSSH for remote access between nodes. Hence, OTP provides its own SSH client and server libraries written in Erlang.

Now coming to the SSH vulnerability:

  • This is not a vulnerability in OpenSSH but in the SSH service provided by OTP.
  • The server accepts crafted SSH connection-protocol messages such as SSH_MSG_CHANNEL_OPEN and SSH_MSG_CHANNEL_REQUEST before authentication has completed, instead of rejecting them until an SSH_MSG_USERAUTH_SUCCESS has been issued. An attacker can therefore open a session channel and send an "exec" request whose command string is handed to the Erlang shell, so calling a built-in OTP function like os:cmd executes arbitrary operating-system commands. In practice this can be used to obtain a reverse shell with the privileges of the OTP service (often root), as demonstrated in our PoC.
  • OpenSSH has decades of security hardening while Erlang/OTP’s SSH implementation is less widely audited. So, bugs in protocol handling (like this one) can slip through.
  • And since developers may unknowingly expose the OTP SSH server (mistaking it for a harmless internal feature), many systems could be vulnerable.
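To make the "crafted messages" concrete, here is an added example (not the PoC linked above and not code from the Erlang/OTP project) that builds the two connection-protocol messages in their RFC 4253/4254 wire format and models the authentication gate a correct server must enforce before it touches them. The command string, channel numbers and the `ServerState` class are illustrative assumptions; a real PoC would wrap these packets in the transport handshake (version banner and KEXINIT) before sending them.

```python
"""
Wire-format builder for SSH_MSG_CHANNEL_OPEN and SSH_MSG_CHANNEL_REQUEST
"exec" (RFC 4254) inside RFC 4253 binary packets, plus a minimal model of the
pre-authentication gate a server must apply to connection-protocol messages.
Constructed example: the command string and channel numbers are illustrative.
"""
import os
import struct

SSH_MSG_USERAUTH_SUCCESS = 52
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_REQUEST = 98


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 length prefix followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_packet(payload: bytes, block_size: int = 8) -> bytes:
    """RFC 4253 s6 binary packet framing (no encryption, no MAC):
    uint32 packet_length, byte padding_length, payload, random padding.
    Padding is at least 4 bytes and pads the whole packet to block_size."""
    padding_len = block_size - ((len(payload) + 5) % block_size)
    if padding_len < 4:
        padding_len += block_size
    packet_len = 1 + len(payload) + padding_len
    return struct.pack(">IB", packet_len, padding_len) + payload + os.urandom(padding_len)


def parse_packet(packet: bytes) -> bytes:
    """Inverse of ssh_packet: validate the framing and return the payload."""
    packet_len, padding_len = struct.unpack(">IB", packet[:5])
    if packet_len != len(packet) - 4 or padding_len < 4:
        raise ValueError("bad SSH packet framing")
    return packet[5:5 + packet_len - 1 - padding_len]


def channel_open(sender_channel: int, window: int = 0x7FFFFFFF, max_packet: int = 0x8000) -> bytes:
    """RFC 4254 s5.1: byte 90, string "session", uint32 sender channel,
    uint32 initial window size, uint32 maximum packet size."""
    return (bytes([SSH_MSG_CHANNEL_OPEN]) + ssh_string(b"session")
            + struct.pack(">III", sender_channel, window, max_packet))


def channel_request_exec(recipient_channel: int, command: str, want_reply: bool = True) -> bytes:
    """RFC 4254 s6.5: byte 98, uint32 recipient channel, string "exec",
    boolean want_reply, string command. The command is what the page
    describes as the os:cmd payload (illustrative value used in the test)."""
    return (bytes([SSH_MSG_CHANNEL_REQUEST]) + struct.pack(">I", recipient_channel)
            + ssh_string(b"exec") + bytes([1 if want_reply else 0])
            + ssh_string(command.encode()))


class ServerState:
    """Hypothetical model of the check a hardened server applies: any
    connection-protocol message (numbers 90..127) is refused until the
    session has seen SSH_MSG_USERAUTH_SUCCESS. The vulnerable behaviour
    the page describes is the absence of this gate."""

    def __init__(self) -> None:
        self.authenticated = False
        self.accepted = []

    def handle(self, payload: bytes) -> str:
        msg_type = payload[0]
        if msg_type == SSH_MSG_USERAUTH_SUCCESS:
            self.authenticated = True
            return "auth-ok"
        if 90 <= msg_type <= 127 and not self.authenticated:
            return "rejected: connection-protocol message before authentication"
        self.accepted.append(msg_type)
        return "accepted"


if __name__ == "__main__":
    # Build the pre-auth sequence and show a gated server refusing it.
    server = ServerState()
    for payload in (channel_open(0), channel_request_exec(0, 'os:cmd("id").')):
        print(payload.hex(), "->", server.handle(parse_packet(ssh_packet(payload))))
```

The two builders produce exactly the bytes an SSH client would normally send only after authentication; the `ServerState` model shows the state check whose absence the page describes. Note that `ssh_packet` emits plaintext framing only, which is all that is needed to understand the message structure; real traffic after key exchange is encrypted and MAC-protected.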