
Metasploit Wrap-Up 05/30/2025

The internet is a series of Tube [SOCKS]


Metasploit has supported SOCKS proxies for years now, being able to act as both a client (by setting the Proxies datastore option) and a server (by running the auxiliary/server/socks_proxy module). While Metasploit has supported both SOCKS versions 4a and 5, some ambiguity arose regarding how Domain Name System (DNS) requests are made by Metasploit through these versions. Both versions 4a and 5 notably allow clients to request connections to hosts identified by hostname, so that DNS resolution takes place on the SOCKS server. Whether a SOCKS client resolves the hostname to an address itself or leaves that to the server is an implementation detail that is inconsistent across many pieces of software.

In the case of Metasploit, the framework opted to handle the DNS resolution itself. This was to ensure consistent behavior when running a module with and without a proxy in cases where the target hostname resolved to multiple IP addresses. Many years ago, when Metasploit shifted focus to assessing targets in bulk, we decided that if a user specified a target hostname that mapped to multiple IP addresses, the module should be run once for each IP address. This behavior is mostly intended for modules targeting web servers and can be seen by running the auxiliary/scanner/http/http_version module against a target behind a CDN such as CloudFront (it’s pretty easy to guess a suitable example here).

This did, however, introduce a problem for users who intended to use Metasploit as a SOCKS proxy client by setting the Proxies datastore option, because Metasploit performed the DNS resolution instead of passing the hostname to the proxy server as the user might expect. To explicitly support what is probably the expected behavior of using the proxy server for name resolution, Metasploit added the unofficial SOCKS5H scheme used by cURL and other clients. The convention is that if SOCKS5H is used, the proxy server should perform the name resolution. Metasploit users can now leverage the resolution capabilities of the SOCKS5 server, however that may be implemented, to initiate their connection.

To use this new capability, simply specify the server in the Proxies option as socks5h://192.0.2.0:1080 where 192.0.2.0 is the target SOCKS5 server.
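As an added example (not Metasploit's own code), the following Ruby builds the SOCKS5 CONNECT request that a socks5:// client and a socks5h:// client would send for the same target, showing where name resolution happens in each case; the LOCAL_RESOLVER table is a constructed stand-in for the local DNS resolver so the example runs offline.

```ruby
require 'uri'
require 'ipaddr'

# Constructed stand-in for the local resolver so the example runs offline.
LOCAL_RESOLVER = { 'www.example.com' => ['192.0.2.10', '192.0.2.11'] }.freeze

# Parse a Proxies-style URL: socks5h:// delegates resolution to the proxy,
# socks5:// resolves locally (the historical Metasploit behaviour).
def proxy_resolves_name?(proxies_url)
  case URI.parse(proxies_url).scheme.to_s.downcase
  when 'socks5h' then true
  when 'socks5'  then false
  else raise ArgumentError, "unsupported proxy scheme in #{proxies_url}"
  end
end

# RFC 1928 CONNECT request: VER=5 CMD=1 RSV=0 ATYP DST.ADDR DST.PORT
def socks5_connect_request(host, port, proxy_resolves:)
  if proxy_resolves
    # ATYP 0x03: length-prefixed domain name, resolved by the SOCKS server
    raise ArgumentError, 'hostname longer than 255 bytes' if host.bytesize > 255
    addr = [0x03, host.bytesize].pack('CC') + host
  else
    # ATYP 0x01/0x04: the client has already resolved the name to an address
    ip = IPAddr.new(host)
    addr = [ip.ipv4? ? 0x01 : 0x04].pack('C') + ip.hton
  end
  [0x05, 0x01, 0x00].pack('CCC') + addr + [port].pack('n')
end

# Requests a client would send for one target name. socks5:// resolves first,
# so a multi-address name yields one request per IP (one module run per
# address); socks5h:// yields a single request carrying the name.
def connect_requests_for(proxies_url, host, port)
  return [socks5_connect_request(host, port, proxy_resolves: true)] if proxy_resolves_name?(proxies_url)

  ips = LOCAL_RESOLVER.fetch(host) { [host] } # pass literal IPs through
  ips.map { |ip| socks5_connect_request(ip, port, proxy_resolves: false) }
end

# Decode a request, e.g. when inspecting proxy traffic to confirm which side
# performed the resolution.
def describe_request(req)
  ver, cmd, _rsv, atyp = req.unpack('CCCC')
  raise ArgumentError, 'not a SOCKS5 CONNECT request' unless ver == 5 && cmd == 1
  case atyp
  when 0x01 then { atyp: :ipv4, addr: IPAddr.ntop(req[4, 4]), port: req[8, 2].unpack1('n') }
  when 0x04 then { atyp: :ipv6, addr: IPAddr.ntop(req[4, 16]), port: req[20, 2].unpack1('n') }
  when 0x03
    len = req.getbyte(4)
    { atyp: :domain, addr: req[5, len], port: req[5 + len, 2].unpack1('n') }
  else raise ArgumentError, "unknown ATYP #{atyp}"
  end
end
```

With socks5:// the two-address name above produces two requests, each carrying an IPv4 literal; with socks5h:// it produces one request carrying the name, and the proxy decides which address to connect to.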

At this time, Metasploit does not have client support for the older SOCKS4a version. If this is something that would interest you, please let us know in our ticket.

New module content (2)

WordPress Depicter Plugin SQL Injection (CVE-2025-2011)

Authors: Muhamad Visat and Valentin Lobstein
Type: Auxiliary
Pull request: #20185 contributed by Chocapikk
Path: gather/wp_depicter_sqli_cve_2025_2011
AttackerKB reference: CVE-2025-2011

Description: This adds a module for exploiting CVE-2025-2011 which is an unauthenticated SQL injection vulnerability in the "Slider & Popup Builder" plugin versions <= 3.6.1.

Gladinet CentreStack/Triofox ASP.NET ViewState Deserialization

Authors: H00die Gr3y and Huntress Team
Type: Exploit
Pull request: #20096 contributed by h00die-gr3y
Path: windows/http/gladinet_viewstate_deserialization_cve_2025_30406
AttackerKB reference: CVE-2025-30406

Description: This adds an exploit module for Gladinet CentreStack/Triofox; the vulnerability, an unsafe deserialization, allows execution of arbitrary commands.

Enhancements and features (2)

  • #20147 from zeroSteiner - This adds support for the SOCKS5H protocol, allowing DNS resolution through a SOCKS5 proxy.
  • #20180 from smashery - This adds a warning to PowerShell use when an impersonation token is active.

Bugs fixed (3)

  • #20257 from cgranleese-r7 - Fixes an issue where the report_note deprecation message called a method incorrectly.
  • #20261 from bwatters-r7 - This updates the vmware_vcenter_vmdir_auth_bypass module and accompanying documentation to refer to the new datastore option name.

Documentation added (1)

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.


Metasploit Wrap-Up 05/16/2025

New modules for everyone


This week’s release is packed with new module content. We have RCE modules for Car Rental System 1.0 and the WordPress plugins SureTriggers and User Registration and Membership. We also have a persistence module for the LINQPad software and an auxiliary module for POWERCOM UPSMON PRO. We have also added support for 32-bit architectures to our execute-assembly post module, which now supports injection of both 64-bit and 32-bit .NET assembly binaries.

New module content (5)

POWERCOM UPSMON PRO Path Traversal (CVE-2022-38120) and Credential Harvester (CVE-2022-38121)

Author: Michael Heinzl
Type: Auxiliary
Pull request: #20123 contributed by h4x-x0r
Path: gather/upsmon_traversal
AttackerKB reference: CVE-2022-38121

Description: This adds an auxiliary module for two vulnerabilities in POWERCOM UPSMON PRO: path traversal and credential harvesting. The first vulnerability allows users to traverse the path in the URI and read arbitrary files with the privileges of a given user account. The second vulnerability allows access to sensitive credentials for UPSMON, as they are stored in plaintext in a readable file.

Car Rental System 1.0 File Upload RCE (Authenticated)

Author: Aaryan Golatkar
Type: Exploit
Pull request: #20026 contributed by aaryan-11-x
Path: multi/http/carrental_fileupload_rce
AttackerKB reference: CVE-2024-57487

Description: This adds a module for a file upload vulnerability in Car Rental System 1.0. It requires administrator credentials to exploit.

WordPress SureTriggers Auth Bypass and RCE

Authors: Khaled Alenazi (Nxploited), Michael Mazzolini (mikemyers), and Valentin Lobstein
Type: Exploit
Pull request: #20146 contributed by Chocapikk
Path: multi/http/wp_suretriggers_auth_bypass
AttackerKB reference: CVE-2025-3102

Description: Adds a new exploit module for the WordPress SureTriggers plugin (≤ 1.0.78) that abuses CVE-2025-3102, an unauthenticated REST endpoint, to create an administrative user and achieve remote code execution.

WP User Registration and Membership Unauthenticated Privilege Escalation (CVE-2025-2563)

Authors: Valentin Lobstein and wesley (wcraft)
Type: Exploit
Pull request: #20159 contributed by Chocapikk
Path: multi/http/wp_user_registration_membership_escalation
AttackerKB reference: CVE-2025-2563

Description: This adds a module for a privilege escalation vulnerability in the User Registration and Membership plugin for WordPress. It allows creating new users with administrator privileges.

LINQPad Deserialization Exploit

Authors: James Williams and msutovsky-r7 martin_sutovsky@rapid7.com
Type: Exploit
Pull request: #19777 contributed by msutovsky-r7
Path: windows/local/linqpad_deserialization_persistence
AttackerKB reference: CVE-2024-53326

Description: Adds a module to install persistence relying on CVE-2024-53326, a .NET deserialization vulnerability in the startup of LINQPad versions prior to 5.52.

Enhancements and features (3)

  • #20098 from smashery - Adds support for 32-bit execute-assembly, allowing injection of 64-bit or 32-bit .NET assembly.
  • #20126 from bcoles - This adds a Linux post-exploitation method to check Yama's ptrace_scope setting. It removes a round trip required to obtain the scope value making modules that require knowing it to run slightly faster.
  • #20173 from adfoster-r7 - Updates the web crawling modules to support HTTP logging.

Bugs fixed (8)

  • #20010 from lafried - This fixes a missing PowerShell signature when SSH is trying to identify the platform.
  • #20111 from cdelafuente-r7 - Fixes an issue that prevented failed exploit attempts from being registered in the database correctly.
  • #20118 from zeroSteiner - This fixes the target option for smb_to_ldap module. The option RELAY_TARGETS is now outdated, RHOSTS should be used instead.
  • #20120 from bcoles - This fixes typos across many Windows post-exploit modules and adds missing metadata.
  • #20128 from bcoles - This fixes an IP address assignment in the auxiliary/bnat/bnat_router module.
  • #20142 from L-codes - Fixes a crash when running unknown commands in msfconsole when using specific versions of Ruby and bundler.
  • #20156 from bcoles - This fixes typos and rubocop violations inside the post modules.
  • #20181 from bwatters-r7 - This fixes an issue in Metasploit's Wordpress login functionality that would cause it to fail for certain target configurations.

Documentation added (1)

  • #20151 from adfoster-r7 - Updates the Wiki to include the latest available download links.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.


Metasploit Wrap-Up 05/02/2025

Meterpreter Extended API Clipboard Monitoring


Security is hard, and Open Source Security is a collaborative effort. This week, Metasploit released a fix for a vulnerability that was privately disclosed to us by long-time community member bcoles. The vulnerability in question impacted Metasploit users who were using the clipboard monitoring functionality contained within the extended-API Meterpreter extension (extapi). After a user enables monitoring, they would typically run clipboard_monitor_stop or clipboard_monitor_dump to retrieve information from the compromised host. The vulnerability existed in Metasploit’s handling of files that may be present in the remote host’s clipboard. When files were downloaded, they would, by default, be written to the current working directory and would overwrite any existing files.

An attacker could leverage this by placing a malicious file into their clipboard and waiting for the Metasploit operator to download it, then execute it. As an example, an attacker may assume that the Metasploit operator is running Metasploit from the current working directory of Metasploit itself. In that case, they could have a malicious Ruby file named msfconsole in their clipboard. When the Metasploit operator dumps the contents of the remote clipboard, their local copy of msfconsole would be overwritten and then executed the next time they started Metasploit. It should be noted that the file that is written to is printed in the command’s output, but may be ignored by the user.

With the changes introduced in #19938, the extapi’s clipboard monitoring commands have been updated to make this significantly more difficult. Two primary changes were made. Metasploit now requires the user to specify a directory where file contents should be written. Additionally, files will not be overwritten automatically. In order to overwrite an existing file, the user must specify the --force argument. If a file would be or is overwritten, it will be noted in the output:

meterpreter > clipboard_monitor_dump -d test_dir --force -p
Files captured at 2025-04-01 19:11:30.0503
==========================================
Remote Path : C:\Users\smcintyre\Desktop\hello-world.txt
File size   : 11 bytes
Downloading : C:\Users\smcintyre\Desktop\hello-world.txt -> /home/smcintyre/Repositories/metasploit-framework.pr/test_dir/hello-world.txt
Downloaded 11.00 B of 11.00 B (100.0%) : C:\Users\smcintyre\Desktop\hello-world.txt -> /home/smcintyre/Repositories/metasploit-framework.pr/test_dir/hello-world.txt
Completed   : Overwrote existing file /home/smcintyre/Repositories/metasploit-framework.pr/test_dir/hello-world.txt

The Metasploit team would like to thank bcoles for bringing this issue to our attention. We have assigned it CVE-2025-3095 and evaluated it with a CVSS score of 5.0 / Medium (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P). This vulnerability was fixed in Metasploit version 6.4.60, released on April 30th, 2025.
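As an added illustration of the two hardening changes described above (this is not Metasploit's implementation), the following Ruby shows the destination-path logic a clipboard dumper needs: an explicit destination directory, a remote file name reduced to a basename that cannot escape that directory, and no overwrite unless force is given. The remote paths used in the comments are constructed.

```ruby
require 'fileutils'
require 'tmpdir'

# Reduce a remote path (Windows or POSIX separators) to a bare file name.
# The remote side chooses this name, so it is untrusted input.
def remote_basename(remote_path)
  name = remote_path.to_s.split(%r{[\\/]}).reject(&:empty?).last.to_s
  if name.empty? || name == '.' || name == '..'
    raise ArgumentError, "unusable remote file name: #{remote_path.inspect}"
  end
  name
end

# Resolve the local destination and refuse anything outside dest_dir.
def local_destination(dest_dir, remote_path)
  raise ArgumentError, 'a destination directory must be given' if dest_dir.nil? || dest_dir.empty?
  base = File.expand_path(dest_dir)
  dest = File.expand_path(remote_basename(remote_path), base)
  raise ArgumentError, 'path escapes destination directory' unless dest.start_with?(base + File::SEPARATOR)
  dest
end

# The pre-fix shape the post describes: write into the current working
# directory and silently replace whatever is already there.
def unsafe_write(remote_path, data)
  File.binwrite(remote_basename(remote_path), data)
end

# The hardened shape: explicit directory, overwrite only with force, and the
# outcome (created vs. overwrote) reported so the operator can see it.
def safe_write(dest_dir, remote_path, data, force: false)
  dest = local_destination(dest_dir, remote_path)
  existed = File.exist?(dest)
  raise "refusing to overwrite existing file #{dest} (use force)" if existed && !force
  FileUtils.mkdir_p(File.dirname(dest))
  File.binwrite(dest, data)
  { path: dest, status: existed ? :overwrote : :created }
end
```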

New module content (2)

LDAP Password Disclosure

Authors: Hynek Petrak, Spencer McIntyre, Thomas Seigneuret, and Tyler Booth
Type: Auxiliary
Pull request: #20017 contributed by zeroSteiner
Path: gather/ldap_passwords

Description: This updates and renames the ldap_hashdump module to ldap_passwords, extending its functionality to extract secrets used by LAPSv1 and LAPSv2 in Active Directory environments, alongside existing LDAP implementations. It simplifies usage by unifying techniques under one module and avoids requiring users to fingerprint the server type. Associated tests were also updated to include AD-specific data using Samba as a test LDAP server.

WonderCMS Remote Code Execution

Authors: Milad "Ex3ptionaL" Karimi and msutovsky-r7
Type: Exploit
Pull request: #20081 contributed by msutovsky-r7
Path: multi/http/wondercms_rce
AttackerKB reference: CVE-2023-41425

Description: Adds a new module “exploit/multi/http/wondercms_rce” which exploits CVE-2023-41425, a file upload vulnerability. The module authenticates against the vulnerable WonderCMS instance using a given password and then creates a zip file containing a malicious PHP file. The module then uploads the zip file, which gets automatically extracted into the /themes directory and executed by the application.

Enhancements and features (1)

  • #20110 from bcoles - Improves code quality and metadata, and fixes some edge-case bugs within the modules/post/osx modules.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.


Metasploit Wrap-Up 04/04/2025

4 April 2025 at 16:19

New RCEs


Metasploit added four new modules this week, including three that leverage vulnerabilities to obtain remote code execution (RCE). Among these three, two leverage deserialization, showing that the exploit primitive is still going strong. The Tomcat vulnerability in particular, CVE-2025-24813, garnered a lot of attention when it was disclosed; however, to function, the exploit requires specific conditions to be met, which may not be present in many environments.

AD CS / PKCS12 Improvements

With the popularity of exploiting AD CS misconfigurations over the past couple of years, Metasploit has continued to iterate on our support. This week saw two improvements; one added additional error handling, which notably calls out authorization errors more clearly to the user. These errors, now labeled no-access failures, are encountered when the user is successfully authenticated but lacks the authorization privileges to enroll on either the certificate template or the certificate authority server. Additionally, Metasploit's support for PKCS12 certificate storage is actively being improved. This week, a milestone was reached allowing additional metadata to be stored with the certificate, which, in the future, will enable more streamlined use of stored certificate data. This new metadata includes the password to decrypt the PKCS12 data, the CA that issued the certificate, and the AD CS template it was derived from.

New module content (4)

pfSense Login Scanner

Author: sjanusz-r7
Type: Auxiliary
Pull request: #19985 contributed by sjanusz-r7
Path: scanner/http/pfsense_login

Description: This adds a login scanner module for pfSense which can be used to brute force valid credentials to the web GUI.

CmsMadeSimple Authenticated File Manager RCE

Authors: Mirabbas Ağalarov, Okan Kurtuluş, and tastyrice
Type: Exploit
Pull request: #19980 contributed by tastyrce
Path: multi/http/cmsms_file_manager_auth_rce
AttackerKB reference: CVE-2023-36969

Description: This adds an exploit module for CMSMadeSimple <= v2.2.21, which is vulnerable to an authenticated RCE (CVE-2023-36969).

Tomcat Partial PUT Java Deserialization

Authors: Calum Hutton, h4ck3r-04, and sw0rd1ight
Type: Exploit
Pull request: #19995 contributed by chutton-r7
Path: multi/http/tomcat_partial_put_deserialization
AttackerKB reference: CVE-2025-24813

Description: This adds an exploit module for CVE-2025-24813, which is an unauthenticated, constrained file write vulnerability in Apache Tomcat.

Sitecore CVE-2025-27218 BinaryFormatter Deserialization Exploit

Authors: Dylan Pindur and machang-r7
Type: Exploit
Pull request: #19947 contributed by machang-r7
Path: windows/http/sitecore_xp_cve_2025_27218
AttackerKB reference: CVE-2025-27218

Description: This adds an exploit module for CVE-2025-27217, an unauthenticated .NET deserialization vulnerability for Sitecore.

Enhancements and features (4)

  • #19606 from cgranleese-r7 - This updates the LDAP modules to use datastore options for authentication that are prefixed with LDAP, allowing them to be used in larger workflows that merge datastore options for multiple protocols.
  • #19736 from cdelafuente-r7 - This update adds support for the new Pkcs12 data format, allowing the CA and ADCS template to be stored as metadata in the database. Additionally, Pkcs12 passwords can now be stored as metadata, with validation ensuring correct passwords are provided when adding encrypted Pkcs12 files using the creds command.
  • #19984 from zeroSteiner - This improves AD CS workflows by adding additional error handling.
  • #19991 from zeroSteiner - This adds some new tests for LoginScanners. It ensures that the LoginScanners follow a common interface for initialization, most notably that they take a single argument containing the configuration as a hash.

Bugs fixed (3)

  • #19934 from sfewer-r7 - This addresses several bugs in the exploit/linux/misc/cisco_ios_xe_rce module, which was failing for Cisco IOS XE version 17.06.05 on C8000v series appliances. Fixes include correcting the /webui URI to /webui/ (with a trailing slash) and adjusting the case sensitivity in the /webui_wsma_https URI for both CSR1000v and C8000v appliances. Additionally, the module now properly distinguishes between HTTPS and HTTP targets, ensuring compatibility with both appliance series.
  • #19993 from h00die-gr3y - This fixes an issue where payloads using cmd/base64 encoder with badchars \x20 (space) failed due to syntax errors in POSIX shells when ${IFS} followed parentheses. Removed unnecessary spaces from the payload to ensure proper execution in Unix-based environments.
  • #19998 from sjanusz-r7 - Fixes a crash when running the auxiliary/crawler/msfcrawler module.

Documentation

  • #19979 from bwatters-r7 - This adds documentation that describes when a module submission may be superseded.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.
