This week brings 3 new pieces of module content for targeting FreePBX. All three chain multiple vulnerabilities together, starting with CVE-2025-66039. This initial vulnerability allows unauthenticated users to bypass the authentication process to interact with FreePBX. From this point, the different modules leverage either a SQL injection vulnerability (CVE-2025-61675) or a file upload vulnerability (CVE-2025-61678) to obtain remote code execution.
New module content (7)
FreePBX endpoint SQLi to RCE
Authors: Noah King and msutovsky-r7
Type: Exploit
Pull request: #20857 contributed by msutovsky-r7
Path: unix/http/freepbx_custom_extension_rce
AttackerKB reference: CVE-2025-61675
Description: This adds an exploit module for FreePBX that chains an authentication bypass (CVE-2025-66039) with a SQL injection (CVE-2025-61675). The injection inserts a row into the cron_job table of the database, which results in remote code execution when the job runs.
FreePBX firmware file upload
Authors: Noah King and msutovsky-r7
Type: Exploit
Pull request: #20858 contributed by msutovsky-r7
Path: unix/http/freepbx_firmware_file_upload
AttackerKB reference: CVE-2025-61678
Description: This adds an exploit module for FreePBX that chains an authentication bypass (CVE-2025-66039) with an unrestricted file upload via the firmware upload feature (CVE-2025-61678). The upload places a webshell on the web server, resulting in remote code execution.
FreePBX Custom Extension SQL Injection
Authors: Noah King and msutovsky-r7
Type: Auxiliary
Pull request: #20846 contributed by msutovsky-r7
Path: gather/freepbx_custom_extension_injection
AttackerKB reference: CVE-2025-61675
Description: This adds a module for FreePBX that chains an authentication bypass (CVE-2025-66039) with a SQL injection (CVE-2025-61675) to create an admin user in the database.
Cacti Graph Template authenticated RCE versions prior to 1.2.29
Authors: Jack Heysel and chutchut
Type: Exploit
Pull request: #20799 contributed by jheysel-r7
Path: multi/http/cacti_graph_template_rce
AttackerKB reference: CVE-2025-24367
Description: This adds an exploit for CVE-2025-24367, an unauthenticated RCE in Cacti.
Authors: Piotr Bazydlo, Sina Kheirkhah, and jheysel-r7
Type: Exploit
Pull request: #20866 contributed by jheysel-r7
Path: multi/http/smartermail_guid_file_upload
AttackerKB reference: CVE-2025-52691
Description: This adds a module for an unauthenticated file upload in SmarterTools SmarterMail (CVE-2025-52691). The vulnerability allows an unauthenticated user to upload a file to any location on the system through a path traversal in the guid variable. The module either drops a webshell in the webroot directory (if the target is Windows) or creates a cron job by dropping a file in /etc/cron.d (if the target is Linux).
Description: This adds a new persistence module for BurpSuite. The module adds a malicious extension to both the Pro and Community versions, which is triggered when the user starts BurpSuite.
Description: Combines the Windows and Linux ssh key persistence modules.
Enhancements and features (1)
#20778 from h00die - Combines the Windows and Linux ssh key persistence modules.
Bugs fixed (3)
#20897 from h00die - This fixes a bug that was preventing collected hash data from being formatted as input for the John the Ripper cracker. The result is that users can now once again crack passwords using John.
#20902 from rudraditya21 - This fixes a bug in the auxiliary/scanner/ssh/ssh_login module that would incorrectly state that a login failed when it in fact succeeded but the module was unable to open a session. This was only an issue when the CreateSession option is true.
#20909 from adfoster-r7 - Fixes a bug in Metasploit Pro that reported false positives for HTTP bruteforcing.
Documentation
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
This week brings more RISC-V payloads from community member bcoles. One provides a new adapter which allows RISC-V payloads to be converted to commands and delivered as a Metasploit fetch-payload. The second is a classic bind shell, offering the user interactive connectivity to the target host. Both of these go a long way in improving Metasploit’s support for RISC-V systems.
Annual Wrap Up
With a new year comes a new annual wrap up. Earlier this week, the Metasploit project posted the annual wrap up covering notable changes from 2025.
Description: This adds a new module for an authenticated deserialization vulnerability in Taiga.io (CVE-2025-62368). The module sends malicious data to the exposed API, which performs unsafe deserialization, leading to remote code execution.
Description: This adds a persistence module that leverages Python's start-up mechanism, in which certain files are processed automatically while the interpreter initializes. Some of those files act as start-up hooks (in the site-specific and dist-packages directories): when such files are present there, any line in them beginning with import is executed automatically. This provides a persistence mechanism once an attacker has established access to the target machine with sufficient permissions.
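The start-up mechanism described above is the processing of .pth files by Python's site module. The following Ruby script is an added defender-side check, not code from the module or from Metasploit: it lists the .pth lines an interpreter would execute at start-up. The directories and file contents it scans are constructed sample data.

```ruby
require 'tmpdir'

# Mirrors the exact test Python's site.py applies to each .pth line before
# handing it to exec(): only lines starting with "import " or "import\t" run.
def executable_pth_line?(line)
  line.start_with?("import ", "import\t")
end

# Scan +dirs+ for *.pth files and return every line the interpreter would
# execute, as { file:, line:, code: } hashes (line numbers are 1-based).
# Blank lines and comments are skipped, exactly as site.py skips them; all
# other non-import lines are plain sys.path entries and need no attention.
def find_pth_hooks(dirs)
  hits = []
  dirs.each do |dir|
    Dir.glob(File.join(dir, '*.pth')).sort.each do |path|
      File.foreach(path).with_index(1) do |raw, lineno|
        line = raw.chomp
        next if line.strip.empty? || line.start_with?('#')
        hits << { file: path, line: lineno, code: line } if executable_pth_line?(line)
      end
    end
  end
  hits
end

# Builds a constructed site directory in a temporary folder and scans it, so
# the check can be exercised without touching a real interpreter installation.
# On a live host, pass the directories reported by
#   python3 -c "import site; print(site.getsitepackages())"
# (plus site.getusersitepackages()) to find_pth_hooks instead.
def demo_scan
  Dir.mktmpdir('pth-demo') do |dir|
    # Ordinary .pth: a comment and a path entry, nothing executable.
    File.write(File.join(dir, 'vendor-libs.pth'),
               "# constructed sample\n/opt/vendor/lib\n")
    # Hooked .pth: a path entry, a blank line, then an import line that
    # site.py would exec on every interpreter start. The statement is a
    # harmless constructed marker standing where a persistence hook would sit.
    File.write(File.join(dir, 'zz-hook.pth'),
               "/opt/vendor/extra\n\nimport os; os.environ['CONSTRUCTED_MARK'] = '1'\n")
    find_pth_hooks([dir])
  end
end

if $PROGRAM_NAME == __FILE__
  demo_scan.each do |hit|
    # Triage note: setuptools' own distutils-precedence.pth legitimately uses
    # an import line, so each finding needs a look rather than an automatic alarm.
    puts "#{File.basename(hit[:file])}:#{hit[:line]}: #{hit[:code]}"
  end
end
```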
Description: This adds a new payload: a bind shell for Linux RISC-V targets.
Bugs fixed (2)
#20370 from msutovsky-r7 - Fixes an issue that occurred when negotiating the SMB version with a server that uses an unknown dialect. The login function now raises an exception and exits gracefully.
#20744 from ptrstr - This fixes a bug in unix/webapp/wp_reflexgallery_file_upload where the current year and month were being hardcoded in the request. This caused the server to reject the exploit if there was no folder in wp-content/uploads for that specific year and month. Now the year and month are configurable datastore options.
Documentation added (1)
#20831 from DataExplorerX - This adds a link to the issues page of the Metasploit Framework GitHub repository.
You can always find more documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
Hard to believe it's that time again, and that Metasploit Framework will see the dawn of another Annual Wrap-Up (and a New Year). All of the metrics and modules you see here would in large part not be possible without the dedicated community members who care about the Framework and its mission on all the days of the year. It is their hard work and dedication that makes it look like magic, and sometimes, it feels like it too. A heartfelt thank you to all of our researchers and contributors, you're what makes Metasploit Framework so resilient.
This year brought its share of notable vulnerabilities, substantial framework improvements, and continued evolution of the project. Whether you submitted a module, filed an issue, or helped triage a bug, your contributions have kept Metasploit relevant and powerful. So without further ado, let's dive into the highlights from 2025.
Persistence Overhaul
One of the year's significant infrastructure improvements came from community contributor h00die, who spearheaded a massive refactor of Metasploit's persistence modules. The project, tracked in issue #20374, involved reorganizing dozens of persistence modules from their scattered locations across the framework into a dedicated persistence directory under exploits. This wasn't just housekeeping—h00die created a standardized persistence mixin that brought consistency to how modules handle installation, cleanup, and option handling. The refactor touched over 30 modules spanning Linux, Windows, OSX, and multi-platform techniques, modernizing each one with proper check methods, MITRE ATT&CK references, and standardized options like WritableDir. The work also laid the groundwork for a persistence suggester module that can automatically recommend viable persistence techniques based on session characteristics.
The sheer scope of this effort can't be overstated. Breaking the work into manageable chunks, h00die systematically converted modules from the old post-exploitation style to proper exploit modules with the new persistence mixin, handling everything from cron jobs and SSH keys to Windows registry modifications and service installations. The standardization means that all persistence modules now share common behaviors, produce cleanup scripts in a consistent format, and integrate cleanly with the rest of the framework. It's the kind of unglamorous but essential work that improves the entire framework's usability and maintainability, and we're grateful to h00die for taking on such an ambitious project and seeing it through.
AD CS Vulnerable Certificate Template Detection and Exploitation Additions
This year, Metasploit expanded its Active Directory Certificate Services (AD CS) coverage by adding detection and exploitation support for certificate templates vulnerable to ESC9, ESC10, and ESC16. Checks for these misconfigured certificate templates were integrated into the existing ldap_esc_vulnerable_template module, allowing users to easily identify misconfigured templates during assessments.
To complement this detection capability, we introduced the new esc_update_ldap_object module, which enables reliable exploitation of these vulnerable templates to escalate privileges. ESC9, ESC10, and ESC16 share a common pattern: each requires control of a user account with write privileges over another user that is permitted to enroll in the vulnerable template. While exploiting these techniques with other tools typically involves multiple manual and error-prone steps, the new module streamlines the entire workflow. Users configure the required datastore options, run the module, and receive a certificate that can be used to escalate privileges within the domain.
As part of this effort, we also introduced the ldap_object_attribute module, which provides standard CRUD operations for manipulating LDAP objects in Active Directory. This module — along with existing functionality such as shadow_credentials and get_ticket — is used internally by esc_update_ldap_object to abstract away low-level LDAP interactions and simplify exploitation.
This work included comprehensive documentation covering the configuration of templates vulnerable to ESC9, ESC10, and ESC16, as well as detailed instructions for exploiting each technique using the new module.
Active Directory Improvements
Related to the AD CS improvements is new low-level functionality for interacting with Active Directory (AD) Domain Controllers over LDAP. Over the past couple of years, Metasploit has seen multiple modules added that facilitate AD attack workflows, including Shadow Credentials, RBCD, and Unconstrained Delegation. Like the AD CS attacks, many of these techniques depend to some degree on access control. Over the summer, Metasploit introduced new functionality to facilitate checking for these types of attacks: a library providing Active Directory specific functionality, most notably the ability to remotely evaluate security descriptors to determine whether a particular user or group has a specific access right. This has already been incorporated into the following modules to either enable or improve their existing detection capabilities.
auxiliary/admin/ldap/shadow_credentials
auxiliary/admin/ldap/rbcd
auxiliary/admin/ldap/ad_cs_cert_template
auxiliary/gather/ldap_esc_vulnerable_cert_finder
For module authors, the library provides a composable API for determining if an object grants a particular permission to an optional SID. The SID can be either a user or group, and when omitted is automatically set to the authenticating user, i.e. to check if the current connection has the permissions.
For example, check if the object grants the read and write property permissions with:
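The framework's own snippet for this check is not reproduced on this page. As an added illustration of what "remotely evaluate security descriptors" involves, and not Metasploit's API, the Ruby below walks a DACL the way Windows does to decide whether a token's SIDs hold a right such as read or write property over an AD object. All SIDs, ACEs and property names in it are constructed sample data.

```ruby
# Access-mask bits from the ADS_RIGHT_* enumeration.
ADS_RIGHT_DS_READ_PROP  = 0x10
ADS_RIGHT_DS_WRITE_PROP = 0x20
ADS_RIGHT_WRITE_DAC     = 0x40000
ADS_RIGHT_WRITE_OWNER   = 0x80000

# type is :allow or :deny. object_type is nil for a plain ACE, or names the
# property (or property set) an object ACE is scoped to; real ACEs carry a
# schema GUID there, and the symbols used below are constructed stand-ins.
Ace = Struct.new(:type, :sid, :mask, :object_type)

# Does +ace+ apply to a token holding +sids+ for a request about +object+?
# A property-scoped ACE only counts when that same property is asked about
# (a simplification of the full AccessCheckByType semantics).
def ace_applies?(ace, sids, object)
  sids.include?(ace.sid) && (ace.object_type.nil? || ace.object_type == object)
end

# True if +dacl+ grants every bit of +wanted+ to the principal whose token
# holds +sids+ (its own SID plus group SIDs), optionally for one property.
# This is the ordered walk the Security Reference Monitor performs.
def access_granted?(dacl, sids, wanted, object: nil)
  return true if dacl.nil?      # a NULL (absent) DACL grants everyone
  return false if wanted.zero?  # asking for nothing is not being granted it
  granted = 0
  dacl.each do |ace|
    next unless ace_applies?(ace, sids, object)
    case ace.type
    when :deny
      return false if (ace.mask & wanted) != 0  # an explicit deny ends the check
    when :allow
      granted |= (ace.mask & wanted)
      return true if granted == wanted          # every requested bit covered
    end
  end
  granted == wanted  # false for an empty DACL: it grants nobody
end

# Constructed principals: an ordinary user and the groups in their token.
USER_SID      = 'S-1-5-21-1111-2222-3333-1105'
DOMAIN_USERS  = 'S-1-5-21-1111-2222-3333-513'
AUTHENTICATED = 'S-1-5-11'
TOKEN_SIDS    = [USER_SID, DOMAIN_USERS, AUTHENTICATED]
STRANGER_SIDS = ['S-1-5-21-9999-9999-9999-1200']

# Constructed DACL in canonical order: explicit denies ahead of allows, so the
# later allow for the same property never gets a chance to fire.
SAMPLE_DACL = [
  Ace.new(:deny,  DOMAIN_USERS,  ADS_RIGHT_DS_WRITE_PROP, :key_credential_link),
  Ace.new(:allow, AUTHENTICATED, ADS_RIGHT_DS_READ_PROP,  nil),
  Ace.new(:allow, DOMAIN_USERS,  ADS_RIGHT_DS_WRITE_PROP, :description),
  Ace.new(:allow, DOMAIN_USERS,  ADS_RIGHT_DS_WRITE_PROP, :key_credential_link)
]

# The questions the modules listed above ask of a security descriptor: can this
# principal read the object, write a harmless property, or write the one
# property whose control matters for the technique being checked?
def can_read?(sids = TOKEN_SIDS)
  access_granted?(SAMPLE_DACL, sids, ADS_RIGHT_DS_READ_PROP)
end

def can_write_description?(sids = TOKEN_SIDS)
  access_granted?(SAMPLE_DACL, sids, ADS_RIGHT_DS_WRITE_PROP, object: :description)
end

def can_write_key_credential_link?(sids = TOKEN_SIDS)
  access_granted?(SAMPLE_DACL, sids, ADS_RIGHT_DS_WRITE_PROP,
                  object: :key_credential_link)
end

if $PROGRAM_NAME == __FILE__
  puts "read object:             #{can_read?}"                       # true
  puts "write description:       #{can_write_description?}"          # true
  puts "write keyCredentialLink: #{can_write_key_credential_link?}" # false
  puts "stranger reads object:   #{can_read?(STRANGER_SIDS)}"        # false
end
```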
Beyond new features and modules, 2025 also saw substantial code quality improvements thanks to community contributor bcoles, who took on the often-thankless task of resolving RuboCop violations across the codebase. Throughout the year, bcoles systematically worked through older modules, cleaning up style inconsistencies, fixing syntax violations, and converting outdated property types to proper boolean values in auxiliary scanners and exploit modules. This kind of incremental maintenance work—fixing redundant parentheses here, resolving style violations there—doesn't make for flashy headlines, but it keeps the codebase maintainable and makes life easier for everyone working in the framework. Code quality matters, and we're grateful to bcoles for putting in the work to keep Metasploit's technical debt in check.
Payload Improvements
It may be a fun fact, or perhaps tribal knowledge that an “exploit” to Metasploit is a module that delivers a payload. All the great exploit content this year would be nothing without corresponding payloads to deliver and we make sure that those get plenty of our time as well. The following changes in particular are highly impactful and may have gone unnoticed while the flashier exploits received all the attention.
Windows Meterpreter Improvements
The biggest updates for the Windows Meterpreter revolve around two major improvements: the first is the upgrade to ReflectiveDLLInjection, made by Alex (xaitax) Hagenah, for which we express our gratitude for improving this area of the Metasploit Framework that requires a high level of attention to detail. This update introduces full, production-ready ARM64 support and a comprehensive architectural modernization of the whole library. These changes open the door to future support for a native ARM64 Meterpreter on Windows. Additionally, Metasploit split the standard API extension for Windows this year. This was actually the design used in the original Meterpreter implementation and we’ve reconsidered the monolithic approach. This improvement is one of the multiple steps we have in the pipeline to improve the evasion capabilities for our Windows Meterpreter. The standard API library now allows the user to load only specific subcomponents of the extension (for example, the component for network or file-system interaction), reducing the memory footprint for memory scanners. To leverage this new functionality, set AutoLoadStdapi to False, and then load one or more extensions manually, e.g. load stdapi_fs. To maintain backwards compatibility, a single stdapi extension is also still available and can be loaded with load stdapi.
Fetch Payload Improvements
The first milestone was the introduction of fileless execution for Linux fetch payloads, enabling payloads to run directly from memory using anonymous files. This advancement greatly enhances operational stealth by minimizing forensic traces and avoiding file-based detection, with careful attention to safe, opt-in behavior and collaborative code refinement. Following this, the FETCH_PIPE option streamlined payload deployment into a single, compact command. This improvement enhanced both usability and evasion, while also supporting larger, more complex command payloads (such as fileless execution) to be executed even with reduced command size. Additionally, fetch payload support has expanded to seven additional CPU architectures: aarch64, armbe, armle, mipsbe, mipsle, ppc, and ppc64le. This significantly broadens Metasploit's reach across embedded and legacy systems. Both features are thoroughly tested and future-proof, making the framework more versatile and powerful.
New Architectures Basic Support
This year, we have also updated the framework to support new basic payloads. We have introduced the exec payload for Windows ARM64 (provided by Alex (xaitax) Hagenah), reverse shell for RISC-V 32 and 64 bit, and Loongarch64 (both provided by bcoles).
COMING SOON
As much as we try, everything doesn’t always fit into one year. With that in mind, we wanted to highlight some upcoming features that we’re particularly excited to complete in the coming months.
Malleable C2
Malleable C2 will allow the user to supply a .profile describing what the HTTP requests between Meterpreter and metasploit-framework should look like, letting Metasploit hide the distinctive traffic generated by session communication.
Direct Syscall in Metsrv
We have updated the Meterpreter core (metsrv) to remove common static signatures, such as specific strings and function imports, making it harder to detect.
PoolParty for 32-bit systems
Additional work is under way to port PoolParty injection to native 32-bit systems. Huge thanks to xHector1337 for taking over the research and extending the code injection to the new architecture.
SCCM Modules
This year, Metasploit added two modules for targeting SCCM instances and recovering the Network Access Account credentials. These modules differ in how they perform the authentication. The first, auxiliary/admin/sccm/get_naa_credentials, accepts credentials from the operator and uses them to authenticate and run the attack on demand. This pairs nicely with the auxiliary/admin/dcerpc/samr_account module when the operator can create a new machine account. When that is not an option, Metasploit still has you covered with the auxiliary/server/relay/relay_get_naa_credentials variant, which relays NTLM authentication captured by an SMB server. These attack workflows were demonstrated at Black Hat and DEF CON over the summer and we anticipate they will remain useful in the future.
Module Highlights
CVE-2025-9316, CVE-2025-11700 N-able N-Central XXE – N-able N-Central is a popular Remote Monitoring and Management (RMM) platform. These two vulnerabilities, when combined, enable Metasploit to read local files without authenticating. This can be used to obtain a number of sensitive backup files from the application itself, or anything else on the host system. XXE attacks are a less common vulnerability, at least in Metasploit-land, but this is a fantastic example of how impactful they can be.
CVE-2025-22457 Ivanti Connect Secure Unauthenticated RCE – Ivanti RCEs are always valuable and this module shows that memory corruption lives on in 2025. Not only is this exploit unauthenticated and reliable, it is a great example of how ROP chains can be used.
CVE-2024-55555 Invoice Ninja RCE – This particular module leverages a PHP deserialization vulnerability within the application. While this vulnerability requires knowledge of the APP_KEY, successful exploitation could have significant financial implications. As an added bonus, this module came with a new library adding support for Laravel Framework-specific cryptography methods.
CVE-2024-55556 InvoiceShelf RCE – Everyone loves a good pairing, and this module continues h00die-gr3y’s work on invoicing software, showing that they’re useful for receiving more than just payments.
LDAP Password Disclosure – This module has been around for a while, but received some new features in 2025 for targeting Active Directory Domain Controllers. The first added support for LAPSv1 and v2, enabling the module to recover the local admin account on systems. Later in the year, a second improvement added support for gMSA accounts. This module also pairs nicely with the new SMB to LDAP NTLM Relay module we added this year as well.
This year, Metasploit significantly leveled up its relaying capabilities, transforming what was previously only an SMB to SMB relay capability into a powerful engine for lateral movement. Traditionally, SMB relaying was the domain of standalone external tools, but through the dedicated work of the Metasploit team these workflows are now seamlessly integrated into the framework.
A huge thank you from the entire Metasploit team to all 66 contributors in 2025. Your contributions and ideas are what continue to improve this tool every year. Notably, 41 of these were first-time contributors who added new code.
Last week Metasploit released an exploit for the React2Shell vulnerability, and this week we have made a couple of improvements to the payloads that it uses. The first improvement affects all Metasploit modules. When an exploit is used, an initial payload is selected using some basic logic that effectively would make a selection from the first available in alphabetical order. Now Metasploit will prefer a default of x86 Meterpreters for Windows systems (since 32-bit payloads work on both 32-bit and 64-bit versions of Windows) and x64 Meterpreters for all other platforms including Linux. In the context of React2Shell, this means the payload now defaults to x64 for Linux instead of AARCH64.
Another improvement that only affects this exploit was the change of the default payload to one leveraging Node.js, which is more likely to be present on the target than the wget binary that was previously required. These defaults should help users get started with this high-impact exploit more easily, but of course any compatible payload can still be selected.
Stay tuned for the Metasploit annual wrap-up and roadmap announcement coming up!
New module content (2)
N-able N-Central Authentication Bypass and XXE Scanner
Description: This adds an auxiliary module that exploits two CVEs affecting N-able N-Central: CVE-2025-9316, an unauthenticated session bypass, and CVE-2025-11700, an XXE (XML External Entity) vulnerability. The module combines both vulnerabilities to achieve unauthenticated file read on affected N-Central instances (versions < 2025.4.0.9).
Description: This adds an exploit module for a Server-Side Template Injection (SSTI) vulnerability (CVE-2025-66294) in Grav CMS, versions prior to 1.8.0-beta.27, that allows bypassing the Twig sandbox to achieve remote code execution. To inject the malicious payload into a form's process section, this module leverages CVE-2025-66301, a broken access control flaw in the /admin/pages/{page_name} endpoint.
Enhancements and features (2)
#20424 from cdelafuente-r7 - Updates how vulnerabilities and services are reported by adding a resource field to both models. It also adds a parents field to make layered services possible. An optional resource field can now be provided, and the existing service field has been updated to also accept an options hash.
#20771 from zeroSteiner - Updates Metasploit's default payload selection logic to preference x86 payloads over AARCH64 payloads.
#20773 from jheysel-r7 - This updates the exploit for React2Shell with a better default payload.
Documentation
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
As you may have heard, on December 3, 2025, the React team announced a critical Remote Code Execution (RCE) vulnerability in servers using the React Server Components (RSC) Flight protocol. The vulnerability, tracked as CVE-2025-55182, carries a CVSS score of 10.0 and is informally known as "React2Shell". It allows attackers to achieve prototype pollution during deserialization of RSC payloads by sending specially crafted multipart requests with "__proto__", "constructor", or "prototype" as module names. We're happy to announce that community contributor vognik submitted an exploit module for React2Shell which landed earlier this week and is included in this week's release.
MSSQL Improvements
Over the past couple of weeks Metasploit has made a couple of key improvements to the framework’s MSSQL attack capabilities. The first (PR 20637) is a new NTLM relay module, auxiliary/server/relay/smb_to_mssql, which enables users to start a malicious SMB server that will relay authentication attempts to one or more target MSSQL servers. When successful, the Metasploit operator will have an interactive session to the MSSQL server that can be used to run interactive queries, or MSSQL auxiliary modules.
Building on this work, it became clear that users would need to interact with MSSQL servers that require encryption, as many do in hardened environments. To achieve that objective, issue 18745 was closed by updating Metasploit's MSSQL protocol library to offer better encryption support. Metasploit users can now open interactive sessions to servers that offer, and even require, encrypted connections. This functionality is available automatically in the auxiliary/scanner/mssql/mssql_login module and the new auxiliary/server/relay/smb_to_mssql module.
Description: This adds a new exploit module for CVE-2025-54236 (SessionReaper), a critical vulnerability in Magento/Adobe Commerce that allows unauthenticated remote code execution. The vulnerability stems from improper handling of nested deserialization in the payment method context, combined with an unauthenticated file upload endpoint.
Unauthenticated RCE in React and Next.js
Authors: Lachlan Davidson, Maksim Rogov, and maple3142
Description: This adds an exploit module for CVE-2025-8489, an unauthenticated privilege escalation vulnerability in the WordPress King Addons for Elementor plugin (versions 24.12.92 to 51.1.14). The vulnerability allows unauthenticated attackers to create administrator accounts by specifying the user_role parameter during registration, enabling remote code execution through plugin upload.
Description: This extends our payloads support to a new architecture, LoongArch64. The first payload introduced for this new architecture is the reboot payload, which will cause the target system to restart once triggered.
Enhanced Modules (2)
Modules which have either been enhanced or renamed:
#20747 from vognik - This adds an exploit for CVE-2025-55182 which is an unauthenticated RCE in React. This vulnerability has been referred to as React2Shell.
Enhancements and features (1)
#20704 from dwelch-r7 - The module auxiliary/scanner/ssh/ssh_login_pubkey has been removed. Its functionality has been moved into auxiliary/scanner/ssh/ssh_login.
Documentation
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub: