HD Moore on Nostr: A few quick notes on the Erlang OTP SSHd RCE (CVE-2025-32433): 1. Cisco confirmed ...
A few quick notes on the Erlang OTP SSHd RCE (CVE-2025-32433):
1. Cisco confirmed that ConfD and NSO products are affected (ports 830, 2022, and 2024 versus 22)
2. Signatures looking for clear-text channel open and exec calls will miss exploits that deliver the same payloads after the key exchange.
3. If you find a machine in your environment and can't disable the service, running the exploit with the payload `ssh:stop().` will shut down the SSH service temporarily.
https://www.runzero.com/blog/erlang-otp-ssh/

Published at 2025-04-24 04:50:42
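
Point 2 as an added example (not part of the original post or the linked write-up): a passive check over a client-to-server byte stream that reports SSH connection-protocol messages sent in clear text, and shows that once SSH_MSG_NEWKEYS has been sent the remaining bytes are opaque to that kind of signature. The function names and both sample streams are constructed for illustration; message numbers are from RFC 4250 and the packet framing from RFC 4253.

```python
import struct

NEWKEYS = 21                      # SSH_MSG_NEWKEYS (RFC 4253)
CONNECTION_MSGS = range(80, 128)  # connection-protocol message numbers (RFC 4250)
NAMES = {20: "KEXINIT", 21: "NEWKEYS", 30: "KEXDH_INIT",
         90: "CHANNEL_OPEN", 98: "CHANNEL_REQUEST"}

def pkt(payload: bytes) -> bytes:
    """Frame a payload as an unencrypted SSH binary packet (no MAC before NEWKEYS)."""
    pad = 8 - (5 + len(payload)) % 8
    if pad < 4:                   # RFC 4253 requires at least 4 padding bytes
        pad += 8
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + bytes(pad)

def scan_client_stream(stream: bytes):
    """Return (visible message names, clear-text connection messages, opaque byte count)."""
    end = stream.find(b"\r\n")    # end of the identification string
    if end < 0:
        return [], [], len(stream)
    pos, seen, hits = end + 2, [], []
    while pos + 5 <= len(stream):
        length, pad = struct.unpack_from(">IB", stream, pos)
        if length < pad + 2 or pos + 4 + length > len(stream):
            break                 # truncated or malformed packet
        msg = stream[pos + 5]     # first payload byte is the message number
        seen.append(NAMES.get(msg, str(msg)))
        pos += 4 + length
        if msg in CONNECTION_MSGS:
            hits.append(seen[-1]) # what a clear-text signature can match
        if msg == NEWKEYS:
            break                 # everything after this is encrypted
    return seen, hits, len(stream) - pos

# Constructed sample streams; payload bodies are placeholders, not real traffic.
BANNER = b"SSH-2.0-constructed_client\r\n"
KEXINIT = pkt(b"\x14" + bytes(16))
CLEAR = BANNER + KEXINIT + pkt(b"\x5a" + b"constructed") + pkt(b"\x62" + b"constructed")
AFTER_KEX = (BANNER + KEXINIT + pkt(b"\x1e" + bytes(32)) + pkt(b"\x15")
             + bytes(range(64)))  # stand-in for ciphertext after NEWKEYS

if __name__ == "__main__":
    for label, stream in (("clear-text", CLEAR), ("after key exchange", AFTER_KEX)):
        print(label, scan_client_stream(stream))
```

A stream that returns no hits but a non-zero opaque byte count is exactly the case the clear-text signature cannot judge, so coverage has to come from patching, inventory of exposed Erlang SSH listeners, or host-side telemetry.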