Lab Report: CVE-2025-32433 — Erlang/OTP SSH RCE Exploitation Chain and Detection Coverage
Technical lab — reproducing CVE-2025-32433, the unauthenticated Erlang/OTP SSH RCE. Full exploitation chain in a controlled environment, the CVSS 10.0 attack surface, and Sigma + Wazuh detection coverage.
This lab report documents the controlled reproduction of CVE-2025-32433 in an isolated environment. All testing was conducted on systems owned by Threatstealth Labs with no external connectivity. This report is published for defensive purposes: to enable security teams to understand exploitation mechanics and validate detection coverage.
Vulnerability Summary
CVE-2025-32433 is a critical (CVSS 10.0) pre-authentication remote code execution vulnerability in the Erlang/OTP SSH library. The vulnerability exists in the SSH server's message handling code, which incorrectly processes certain SSH protocol messages before authentication completes. An unauthenticated attacker with network access to the SSH port can exploit this to execute arbitrary code with the privileges of the Erlang runtime process.
The impact is particularly severe because Erlang/OTP is used as the runtime for several widely-deployed applications, including RabbitMQ (message broker), CouchDB (NoSQL database), ejabberd (XMPP server), and custom Erlang/Elixir applications. Any of these that expose an SSH management port — which many do for administrative access — are affected.
| Field | Value |
|---|---|
| CVE ID | CVE-2025-32433 |
| CVSS v3.1 score | 10.0 (Critical) |
| CWE | CWE-306: Missing Authentication for Critical Function |
| Attack vector | Network (unauthenticated) |
| Affected versions | OTP < 27.3.3, OTP < 26.2.5.11, OTP < 25.3.2.19 |
| Patched versions | OTP-27.3.3, OTP-26.2.5.11, OTP-25.3.2.19 |
| CISA KEV added | 2025-04-16 |
| Public PoC available | Yes (multiple on GitHub within 24h of disclosure) |
Lab Environment
Lab environment: isolated VLAN with no internet routing. Target: Ubuntu 22.04 LTS with Erlang/OTP 26.1.2 (vulnerable version) and RabbitMQ 3.12.10 with the Management plugin enabled (which uses the Erlang SSH server for the rabbitmq-cli remote shell). Attack host: Kali Linux 2025.1.
Exploitation Chain
Stage 1 — Target identification: The Erlang SSH server banner identifies the OTP version in the SSH_MSG_KEXINIT exchange. A simple Shodan query or nmap banner grab reveals vulnerable versions without authentication.
Stage 2 — Exploit execution: The public PoC sends a crafted SSH_MSG_CHANNEL_REQUEST message before authentication completes. The Erlang SSH library's state machine does not enforce authentication prior to processing certain channel request types, allowing the attacker to inject an OS command into the message payload.
Stage 3 — RCE as the Erlang process owner: The injected command executes with the privileges of the Erlang runtime process — typically the rabbitmq or couchdb service account. On misconfigured installations, this is root.
- Time from targeting to initial shell: under 90 seconds with the public PoC
- No credentials required — pure network access to port 22 (or custom SSH port) is sufficient
- RabbitMQ management SSH port (default 22 or custom) is the most common exposed vector
- CouchDB Erlang shell access port is affected if enabled and network-accessible
Detection Coverage
The following detections provide coverage across the exploitation chain. All were validated in the lab environment.
- Wazuh rule: alert on SSH connections to non-standard ports from external IPs to Erlang service hosts
- Wazuh file integrity monitoring: alert on new files written in RabbitMQ/CouchDB data directories post-exploitation
- Sigma rule (process creation): alert on shell processes (bash, sh, dash) spawned as child of beam.smp (the Erlang VM process)
- Network: alert on outbound connections from RabbitMQ/CouchDB hosts to external IPs (C2 callback indicator)
- SIEM: correlate a new shell process on a host with the absence of any preceding SSH authentication event for that host (pre-auth exploitation indicator)
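The process-creation rule and the SIEM correlation from the list above, expressed as detection logic over constructed sample events. This is an added example, not part of the lab's Sigma or Wazuh rule set; the event field names (`type`, `Image`, `ParentImage`, `result`) and the 300-second look-back window are assumptions.

```python
"""Detection logic for two rules: a shell spawned by the Erlang VM (beam.smp),
and a shell spawn with no preceding SSH authentication on the same host.
Added example with constructed events; field names are an assumption."""
import os

SHELLS = {"bash", "sh", "dash"}
ERLANG_VM = "beam.smp"
AUTH_WINDOW_SECONDS = 300  # look-back for an authentication event (assumed)

# Constructed sample telemetry: process creations and SSH auth events.
EVENTS = [
    {"ts": 1000, "host": "mq01", "type": "process", "Image": "/usr/bin/bash",
     "ParentImage": "/usr/lib/erlang/erts-14.1/bin/beam.smp"},
    {"ts": 1010, "host": "mq01", "type": "process", "Image": "/usr/bin/epmd",
     "ParentImage": "/usr/lib/erlang/erts-14.1/bin/beam.smp"},
    {"ts": 2000, "host": "mq02", "type": "ssh_auth", "result": "accepted"},
    {"ts": 2030, "host": "mq02", "type": "process", "Image": "/bin/sh",
     "ParentImage": "/usr/lib/erlang/erts-14.1/bin/beam.smp"},
]

def is_shell_from_erlang_vm(event):
    """Sigma-style selection: ParentImage ends with beam.smp, Image is a shell."""
    if event.get("type") != "process":
        return False
    parent = os.path.basename(event.get("ParentImage", ""))
    child = os.path.basename(event.get("Image", ""))
    return parent == ERLANG_VM and child in SHELLS

def authenticated_before(events, shell_event):
    """True if an SSH auth success was seen on the host within the look-back."""
    lo = shell_event["ts"] - AUTH_WINDOW_SECONDS
    return any(e["type"] == "ssh_auth" and e["host"] == shell_event["host"]
               and e.get("result") == "accepted"
               and lo <= e["ts"] <= shell_event["ts"]
               for e in events)

def detect(events):
    """Alert on every shell spawned by beam.smp; flag it pre_auth when no SSH
    authentication preceded it on that host (the correlation rule above)."""
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if is_shell_from_erlang_vm(e):
            alerts.append({"host": e["host"], "ts": e["ts"],
                           "pre_auth": not authenticated_before(events, e)})
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```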
Remediation
- Patch immediately: upgrade to OTP-27.3.3, OTP-26.2.5.11, or OTP-25.3.2.19
- Disable Erlang SSH server if not required: most RabbitMQ deployments do not need SSH access enabled
- Network ACL: restrict access to Erlang SSH ports to administrative IP ranges only
- Run RabbitMQ/CouchDB as non-root service accounts — limits post-exploitation blast radius
- Enable rabbitmq-diagnostics status logging and alert on unexpected process spawns