PoC Week 2025-05-05
The most featured CVEs in this week’s security newsletters, with public Proof-of-Concepts, ordered by mention count. Older CVEs, trivially exploitable vulnerabilities (such as using hard-coded credentials) and those affecting open source projects with very small userbases aren’t listed.
For the most up-to-date and accurate info, visit the NIST links. Always audit PoCs thoroughly before running them.
CVE-2025-32433
- Severity: 10 CRITICAL
- Impacted Products: OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20
- Description: Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials. This issue is patched in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. A temporary workaround involves disabling the SSH server or to prevent access via firewall rules.
- Remediation: Follow developer advice.
- More Info: NVD - CVE-2025-32433
- PoC: https://github.com/tobiasGuta/Erlang-OTP-CVE-2025-32433/
CVE-2025-31324
- Severity: 9.8 CRITICAL
- Impacted Products: SAP NetWeaver Visual Composer Metadata Uploader
- Description: SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.
- Remediation: Follow developer advice.
- More Info: NVD - CVE-2025-31324
- PoC: https://github.com/nullcult/CVE-2025-31324-File-Upload/
References
This list was scraped from the quite amazing and highly recommended newsletters below:
Thanks for reading! For corrections, omissions (e.g. newsletter recs) feel free to get in touch.