Blocking CVE-2025-32433 (CVSS 10): Real-Time Defense for Erlang SSH Exploits with AccuKnox

May 05, 2025

Explore the technical details of the Erlang/OTP SSH vulnerability CVE-2025-32433, including AI-assisted exploit methods. Learn how AccuKnox runtime security proactively blocks these exploitation attempts.


In April 2025, a critical vulnerability, CVE-2025-32433, was disclosed, affecting the SSH implementation within Erlang/OTP (Open Telecom Platform). Erlang/OTP is a widely used programming language and runtime system, particularly for scalable, concurrent, and fault-tolerant applications. This vulnerability, stemming from improper handling of SSH protocol messages, poses a severe risk, allowing unauthenticated attackers to exploit the flaw and execute arbitrary code remotely.

At AccuKnox, we swiftly validated and emulated the exploit, mapping its impact across containerized workloads and bare-metal deployments. In this blog post, we’ll provide a technical walkthrough of CVE-2025-32433, the exploit’s proof of concept (PoC), and how AccuKnox proactively detects and mitigates this vulnerability in real-time.

Vulnerability Overview

CVE-2025-32433 is a vulnerability in Erlang/OTP’s ssh application, specifically affecting the handling of unauthenticated SSH messages. The vulnerability allows a remote, unauthenticated attacker to send malformed SSH_MSG_CHANNEL_OPEN and SSH_MSG_CHANNEL_REQUEST messages to Erlang-based SSH servers, causing arbitrary code execution or Denial of Service (DoS).

Affected Versions:

  • <= OTP-27.3.2
  • <= OTP-26.2.5.10
  • <= OTP-25.3.2.19

Root Cause:

The core issue lies in the Erlang ssh_connection module failing to properly validate the state of a channel before processing CHANNEL_REQUEST messages. This logic flaw allows the attacker to send request types such as pty-req or exec without completing the authentication handshake.
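To make the missing state check concrete, here is an added Python model of a server's connection-layer message handler (it is not OTP's ssh_connection code or AccuKnox's): the vulnerable form dispatches purely on message type, while the fixed form rejects any connection-protocol message that arrives before authentication. The message dicts and the `<cmd>` placeholder are constructed for the example.

```python
from dataclasses import dataclass, field

class ProtocolError(Exception):
    """Raised where a real server would send SSH_MSG_DISCONNECT."""

@dataclass
class Connection:
    authenticated: bool = False          # set once SSH_MSG_USERAUTH_SUCCESS was sent
    channels: set = field(default_factory=set)
    executed: list = field(default_factory=list)  # commands the server ran

# Connection-protocol (RFC 4254) message types; only legal after userauth.
CONNECTION_MSGS = {"SSH_MSG_CHANNEL_OPEN", "SSH_MSG_CHANNEL_REQUEST"}

def dispatch(conn: Connection, msg: dict) -> str:
    """Shared message handling once a message has been accepted."""
    if msg["type"] == "SSH_MSG_CHANNEL_OPEN":
        conn.channels.add(msg["channel"])
        return "SSH_MSG_CHANNEL_OPEN_CONFIRMATION"
    if msg["type"] == "SSH_MSG_CHANNEL_REQUEST":
        if msg["channel"] not in conn.channels:
            raise ProtocolError("request for a channel that was never opened")
        if msg["request"] == "exec":
            conn.executed.append(msg["command"])
        return "SSH_MSG_CHANNEL_SUCCESS"
    raise ProtocolError(f"unexpected message {msg['type']}")

def handle_msg_vulnerable(conn: Connection, msg: dict) -> str:
    # Dispatches on message type alone, so an exec request is honoured even
    # though conn.authenticated is still False: the shape of the flaw.
    return dispatch(conn, msg)

def handle_msg_fixed(conn: Connection, msg: dict) -> str:
    # The state check the vulnerable path lacks: connection-protocol messages
    # before authentication are a protocol violation, so drop the connection.
    if msg["type"] in CONNECTION_MSGS and not conn.authenticated:
        raise ProtocolError("connection-protocol message before authentication")
    return dispatch(conn, msg)

# Constructed pre-auth sequence: CHANNEL_OPEN followed by a CHANNEL_REQUEST.
PRE_AUTH_SEQUENCE = [
    {"type": "SSH_MSG_CHANNEL_OPEN", "channel": 0},
    {"type": "SSH_MSG_CHANNEL_REQUEST", "channel": 0, "request": "exec", "command": "<cmd>"},
]

def run(handler, authenticated: bool) -> tuple:
    """Feed the sequence to a handler; returns (outcome, commands executed)."""
    conn = Connection(authenticated=authenticated)
    try:
        for msg in PRE_AUTH_SEQUENCE:
            handler(conn, msg)
    except ProtocolError:
        return ("disconnected", conn.executed)
    return ("ok", conn.executed)
```

With `authenticated=False`, the vulnerable handler returns `("ok", ["<cmd>"])` while the fixed one returns `("disconnected", [])`; both behave identically once authentication has completed.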

Official Patch

Upgrade to the patched versions of Erlang/OTP:

  • OTP-27.3.3
  • OTP-26.2.5.11
  • OTP-25.3.2.20

These versions address the flaw by properly handling SSH protocol message validation, ensuring a secure connection before processing channel requests.
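The affected and fixed version lists above translate directly into an inventory check. The following is an added Python example (not AccuKnox's or OTP's code) that classifies OTP version strings against those lists; the sample inventory is constructed, and treating branches older than OTP 25 as unpatched is an assumption stated in the code.

```python
import re

# Last affected patch release per supported OTP branch, taken from the lists
# above; the fix on each branch is the next patch (27.3.3, 26.2.5.11, 25.3.2.20).
LAST_AFFECTED = {27: (27, 3, 2), 26: (26, 2, 5, 10), 25: (25, 3, 2, 19)}
FIRST_FIXED_MAJOR = 28  # assumption: later branches were cut after the fix

def parse_otp_version(text: str) -> tuple:
    """Extract a full OTP version such as 'OTP-26.2.5.10', or the bare
    '26.2.5.10' found in $ERLANG_ROOT/releases/<n>/OTP_VERSION.
    Rejects the 'erl' banner ('Erlang/OTP 27 [erts-15.2.2]'): it shows the
    erts version and only the OTP major, which cannot separate 27.3.2 from 27.3.3."""
    m = re.search(r"(?<!erts-)\b(\d+(?:\.\d+){2,})\b", text)
    if not m:
        raise ValueError(f"no full OTP version (x.y.z...) in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def is_vulnerable(version: str) -> bool:
    """True if this OTP release ships an ssh application without the fix."""
    v = parse_otp_version(version)
    major = v[0]
    if major >= FIRST_FIXED_MAJOR:
        return False
    if major in LAST_AFFECTED:
        # Tuple comparison copes with the four-component maintenance releases.
        return v <= LAST_AFFECTED[major]
    # Assumption: branches older than OTP 25 are out of support and got no
    # backport, so treat them as vulnerable.
    return True

def triage(inventory: dict) -> list:
    """Return, sorted, the workloads whose OTP version is still vulnerable."""
    return sorted(name for name, ver in inventory.items() if is_vulnerable(ver))

# Constructed sample inventory: workload name -> contents of its OTP_VERSION file.
SAMPLE_INVENTORY = {
    "rabbitmq-prod": "26.2.5.10",
    "rabbitmq-staging": "OTP-26.2.5.11",
    "legacy-gateway": "24.3.4.17",
    "erlang-ssh-demo": "27.3.2",
    "new-build": "28.0.1",
}

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))  # ['erlang-ssh-demo', 'legacy-gateway', 'rabbitmq-prod']
```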

AI-Assisted Exploit Development

Before public PoCs emerged, security researchers began leveraging AI to reconstruct and validate the vulnerability from scratch.

Initial Discovery

A tweet from Horizon3 disclosed the vulnerability with minimal technical context—just enough to raise attention but without releasing exploit code. Inspired by this teaser, researchers used GPT-4 to initiate automated vulnerability analysis.

AI Workflow

1. Commit Diff Analysis: GPT-4 was guided to check out and diff the vulnerable and patched versions of Erlang/OTP using commit hashes. It recursively compared files under lib/ssh/ between versions (e.g., ssh-5.2.9 and ssh-5.2.10) to identify changes in the message handling logic.

2. Code Reasoning and Debugging: After identifying the diff, GPT-4 analyzed message handling in the ssh_connection module. It recognized that the handle_msg/2 function failed to check the channel authentication status before executing the request types. It then generated a valid message sequence for SSH_MSG_CHANNEL_OPEN followed by SSH_MSG_CHANNEL_REQUEST.

3. PoC Construction and Validation: The AI-generated PoC simulated an SSH client sending malformed messages via a raw TCP socket. When the first version failed, GPT-4 assisted in debugging packet structure and timing, ultimately producing a functional exploit.

This process demonstrates how AI tools now play a pivotal role in rapidly surfacing and weaponizing vulnerabilities, often before conventional reverse engineering would be completed.

The PoC of the exploit is publicly available in AccuKnox's CVE-PoC-Collection GitHub repository. We deployed it in a Kubernetes environment, simulating the vulnerability and using the Python-based PoC file to exploit the issue. The PoC initiates a raw TCP connection to the target Erlang SSH port and sends a malformed SSH_MSG_CHANNEL_OPEN message, followed immediately by a CHANNEL_REQUEST message, without completing the key exchange or authentication process.

Exploit Flow (figure not reproduced)

Real-Time Mitigation With AccuKnox Runtime Security

1. Ensure AccuKnox Runtime Security is configured: Verify that AccuKnox Runtime Security is installed and configured on your Kubernetes cluster to enable security enforcement.

2. Navigate to Policies: In the AccuKnox dashboard, go to the Policies section under the Runtime Security tab.


3. Apply Custom KubeArmor Policy: Apply a targeted policy to block unauthorized SSH-based execution:


apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: erlangotpsshcve
  namespace: test
spec:
  selector:
    matchLabels:
      app: erlangotpsshcve
  file:
    matchDirectories:
    - dir: /usr/lib/erlang/lib/ssh-5.1.4.7/
      recursive: true
      severity: 1
      action: Block

Once the policy was active, replaying the PoC resulted in the exploit being blocked in real time.

After the policy enforcement, an alert is triggered in the AccuKnox SaaS dashboard, notifying us of the blocked access attempt. The alert provides detailed information about the blocked activity, including the source of the blocked request and the resource that was protected.

Significance of Runtime Security

Runtime Security is an inseparable component of cloud workload protection. It focuses on protecting cloud-native applications while they are actively running in production environments. In essence, it is the last line of defense against cyber threats and vulnerabilities that may exploit weaknesses in an application during its execution. AccuKnox's platformized solutions allow DevSecOps teams to:

  • 🗹 Ensure Cloud-Native Application Security
  • 🗹 Prevent Data Breaches
  • 🗹 Avoid Financial Losses
  • 🗹 Protect Reputation
  • 🗹 Monitor Application Behavior
  • 🗹 Respond to Threats
  • 🗹 Implement Security Tools
  • 🗹 Ensure GRC Adherence
  • 🗹 Avoid Fines & Legal Issues
  • 🗹 Maintain Compliance Documentation

Conclusion

The emergence of vulnerabilities like CVE-2025-32433 underscores a critical shift in cybersecurity: AI is now dramatically accelerating offense, assisting attackers with commit analysis, exploit generation, and debugging. This significantly shortens the window between vulnerability disclosure and active exploitation, often outpacing traditional patching cycles. While applying official patches remains essential, the speed at which AI can weaponize flaws necessitates a more proactive security posture to address the immediate risk before patches can be fully deployed across an environment.

To mitigate this evolving threat landscape, organizations must adopt real-time runtime security measures. AccuKnox provides this critical layer of defense, capable of detecting and actively blocking exploitation attempts like those targeting CVE-2025-32433 before they compromise system integrity. Our CNAPP leverages powerful kernel-native primitives including AppArmor, SELinux, and eBPF to secure Kubernetes and diverse cloud workloads, ensuring proactive protection against both known and zero-day threats. Secure your workloads effectively – book a demo at accuknox.com/demo.
