SolarWinds Web Help Desk

Our very own sfewer-r7 has developed an exploit module for the SolarWinds Web Help Desk vulnerabilities CVE-2025-40536 and CVE-2025-40551. On successful exploitation the session will be as running as NT AUTHORITY\SYSTEM. For more information see the Rapid7’s SolarWinds Web Help Desk Vulnerabilities guidance.

Contributions

A big thanks to our contributors who have been adding some great content this release. rudraditya21 has added MITRE ATT&CK metadata to lots of our existing modules. Chocapikk has added support for GHSA (GitHub Security Advisory) references support in Metasploit modules. rudraditya21 also added a change which adds negative caching to the LDAP entry cache, which will now mean missing objects are recorded. It also introduces a missing-entry sentinel, tracks misses per identifier type, and updates AD lookup helpers to short‑circuit on cached misses and record misses when a lookup returns no entry.

New module content (5)

FreeBSD rtsold/rtsol DNSSL Command Injection

Authors: Kevin Day and Lukas Johannes Möller

Type: Exploit

Pull request: #20798 contributed by JohannesLks

Path: freebsd/misc/rtsold_dnssl_cmdinject

AttackerKB reference: CVE-2025-14558

Description: This adds a new command-injection exploit in the FreeBDS rtsol/rtsold daemons (CVE-2025-14558). The vulnerability can be triggered by the Domain Name Search List (DNSSL) option in IPv6 Router Advertisement (RA) messages, which is passed to the resolvconf script without sanitization. It requires elevated privilege as it needs to send IPv6 packets. The injected commands are executed as root.

Ivanti Endpoint Manager Mobile (EPMM) unauthenticated RCE

Authors: sfewer-r7 and watchTowr

Type: Exploit

Pull request: #20932 contributed by sfewer-r7

Path: linux/http/ivanti_epmm_rce

AttackerKB reference: CVE-2026-1340

Description: Adds an exploit module for the recent command injection vulnerability, CVE-2026-1281, affecting Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron. Exploited in-the-wild as a zero-day by an unknown threat actor.

GNU Inetutils Telnet Authentication Bypass Exploit CVE-2026-24061

Authors: Kyu Neushwaistein and jheysel-r7

Type: Exploit

Pull request: #20929 contributed by jheysel-r7

Path: linux/telnet/gnu_inetutils_auth_bypass

AttackerKB reference: CVE-2026-24061

Description: This adds an exploit module for the authentication bypass in GNU Inetutils telnetd tracked as CVE-2026-24061. During negotiation, if the USER environment variable is passed in with a value of "-f root" authentication can be bypassed resulting in command execution as the root user.

SolarWinds Web Help Desk unauthenticated RCE

Authors: Jimi Sebree and sfewer-r7

Type: Exploit

Pull request: #20917 contributed by sfewer-r7

Path: multi/http/solarwinds_webhelpdesk_rce

AttackerKB reference: CVE-2025-40551

Description: This adds an exploit module for SolarWinds Web Help Desk vulnerable to CVE-2025-40536 and CVE-2025-40551. The exploit triggers session opening as NT AUTHORITY\SYSTEM and root.

Xerte Online Toolkits Arbitrary File Upload - Upload Image

Author: Brandon Lester

Type: Exploit

Pull request: #20849 contributed by haicenhacks

Path: multi/http/xerte_authenticated_rce_uploadimage

Description: This adds three RCE modules for Xerte Online Toolkits affecting versions 3.14.0 and <= 3.13.7. Two are unauthenticated while one is authenticated.

Enhancements and features (10)

• #20710 from Chocapikk - Adds support for GHSA (GitHub Security Advisory) and OSV (Open Source Vulnerabilities) references in Metasploit modules.
• #20886 from cdelafuente-r7 - Updates services to now also have child services. This allows for more detailed reporting for the services and vulns commands which can now report parent -> child services e.g. SSL -> HTTPS.
• #20895 from rudraditya21 - Adds negative caching to the LDAP entry cache so missing objects are recorded and subsequent lookups by DN, sAMAccountName, or SID return nil without re-querying the directory.
• #20934 from rudraditya21 - This adds MITRE ATT&CK tags to modules related to LDAP and AD CS. This enables users to find this content using Metasploit's search functionality and the att&ck keyword.
• #20935 from rudraditya21 - Adds the MITRE ATT&CK tag T1558.003 to the kerberoast modules. This enables users to find this content using Metasploit's search functionality and the att&ck keyword.
• #20936 from rudraditya21 - This adds MITRE ATT&CK tags to SMB modules related to accounts. This enables users to find the content by using Metasploit's search capability and the att&ck keyword.
• #20937 from rudraditya21 - This adds MITRE ATT&CK tags to the two existing SCCM modules that fetch NAA credentials using different techniques. This enables users to find this content using Metasploit's search functionality and the att&ck keyword.
• #20941 from rudraditya21 - Adds a MITRE ATT&CK technique reference to the Windows password cracking module to support ATT&CK‑driven discovery.
• #20942 from rudraditya21 - Adds MITRE ATT&CK technique references to getsystem, cve_2020_1472_zerologon, and atlassian_confluence_rce_cve_2023_22527 modules to support ATT&CK‑driven discovery.
• #20943 from g0tmi1k - Adds affected versions the description in the ‎exploits/unix/webapp/twiki_maketext module.

Bugs fixed (7)

• #20599 from BenoitDePaoli - Fixes an issue where running services -p <ports> -u -R to set RHOSTS with values from the database could lead to a silently failing file not found error.
• #20775 from rmtsixq - Fixes a database initialization failure when using msfdb init with the --connection-string option to connect to PostgreSQL 15+ instances (e.g., Docker containers).
• #20817 from randomstr1ng - Adds a fix to ensure the output of sap_router_portscanner no longer causes module crashes.
• #20903 from jheysel-r7 - Fixes an issue so #enum_user_directories no longer returns duplicate directories.
• #20906 from rudraditya21 - Implements a fix for SSH command shells dying on cmd_exec when a trailing newline was present.
• #20953 from zeroSteiner - Improves the stability of socket channeling support for SSH sessions opened via scanner/ssh/ssh_login.
• #20955 from adfoster-r7 - Ensures the cleanup of temporarily created RHOST files when using the services -p <ports> -u -R command to set RHOST values from the database.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 6.4.112...6.4.114
• Full diff 6.4.112...6.4.114

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro

Google Summer of Code 2026

Our very own Jack Heysel has added some documentation which outlines the Metasploit Framework project ideas for GSoC 2026. For anyone interested in applying please see GSoC-How-To-Apply documentation, or reach out on slack to any of the following GSoC mentors on Slack via the Metasploit Slack:

• @jheysel
• @zeroSteiner
• @h00die

Gladinet

This week Chocapikk has added some Gladinet CentreStack/Triofox exploitation capabilities. Adding two auxiliary modules and updating an existing exploit. The updated exploit module now accepts a custom MACHINEKEY option to leverage newly discovered vulnerabilities that allow the extraction of machineKeys from Web.config files. The gladinet_storage_path_traversal_cve_2025_11371 module exploits path traversal to read arbitrary files and extract machineKeys, while gladinet_storage_access_ticket_forge forges access tickets using hardcoded cryptographic keys.

New module content (1)

Gladinet CentreStack/Triofox Access Ticket Forge

Authors: Huntress Team, Julien Voisin, and Valentin Lobstein chocapikk@leakix.net

Type: Auxiliary

Pull request: #20768 contributed by Chocapikk 

Path: gather/gladinet_storage_access_ticket_forge

Description: This adds two auxiliary modules for Gladinet CentreStack/Triofox. Both modules can read arbitrary files and extract the machineKey, which is used to secure ASP.NET ViewState data. Furthermore, this change also includes a new mixin for Gladinet.

Enhancements and features (3)

• #20739 from cdelafuente-r7 - This adds MITRE ATT&CK metadata tags to modules relating to Kerberos and unconstrained delegation. This enables users to search for the content based on the ATT&CK technique ID.
• #20882 from karanabe - Adds the RSAKeySize advanced option and uses it when generating the CSR key pair, allowing users to increase key size to meet certificate template minimums and avoid CERTSRV_E_KEY_LENGTH errors when 2048-bit keys are rejected.
• #20883 from jheysel-r7 - Updates Kerberos modules to present a user friendly message when the user specifies the IMPERSONATE option when running a module but also forgets to specify IMPERSONATION_TYPE.

Bugs fixed (5)

• #20368 from isaac-app-dev - Fixes an issue that caused msfvenom to break if it were run from alternative directories.
• #20680 from cdelafuente-r7 - Improves the RPC API with multiple fixes and enhancements.
• #20834 from kuklycs - This fixes the NoMethodError in the team_viewer post module, caused by misuse of the each_key method. The keys array has been updated to a 1-D array to simplify the logic.
• #20916 from Chepycou - Fixes a crash when running the SAP modules sap_soap_rfc_system_info or sap_icf_public_info.
• #20920 from rudraditya21 - This fixes a bug in password cracking modules where the auto action would crash even when the path to a compatible executable was specified in CRACKER_PATH.

Documentation added (1)

• #20910 from jheysel-r7 - This adds documentation regarding the projects for which we are soliciting submissions for as part of the Google Summer of Code program.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 6.4.111...6.4.112
• Full diff 6.4.111...6.4.112

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro

FreeBPX Content Galore

This week brings 3 new pieces of module content for targeting FreePBX. All three chain multiple vulnerabilities together, starting with CVE-2025-66039. This initial vulnerability allows unauthenticated users to bypass the authentication process to interact with FreePBX. From this point, the different modules leverage either a SQL injection vulnerability (CVE-2025-61675) or a file upload vulnerability (CVE-2025-61678) to obtain remote code execution.

New module content (7)

FreePBX endpoint SQLi to RCE

Authors: Noah King and msutovsky-r7 Type: Exploit Pull request: #20857 contributed by msutovsky-r7 Path: unix/http/freepbx_custom_extension_rce AttackerKB reference: CVE-2025-61675

Description: This adds exploit module for FreePBX which chains an authentication bypass, CVE-2025-66039, with a SQLi, CVE-2025-61675, which allows for a cron job to be added to the cron_job table of the database to allow for Remote Code Execution.

FreePBX firmware file upload

Authors: Noah King and msutovsky-r7 Type: Exploit Pull request: #20858 contributed by msutovsky-r7 Path: unix/http/freepbx_firmware_file_upload AttackerKB reference: CVE-2025-61678

Description: This adds exploit module for FreePBX which chains an authentication bypass, CVE-2025-66039, with an unrestricted file upload (via firmware upload), CVE-2025-61678, which allows for a webshell to be uploaded to the webserver resulting in remote code execution.

FreePBX Custom Extension SQL Injection

Authors: Noah King and msutovsky-r7 Type: Auxiliary Pull request: #20846 contributed by msutovsky-r7 Path: gather/freepbx_custom_extension_injection AttackerKB reference: CVE-2025-61675

Description: This adds an exploit module for FreePBX which chains an authentication bypass, (CVE-2025-66039) with an SQLi (CVE-2025-61675) to create an admin user in the database.

Cacti Graph Template authenticated RCE versions prior to 1.2.29

Authors: Jack Heysel and chutchut Type: Exploit Pull request: #20799 contributed by jheysel-r7 Path: multi/http/cacti_graph_template_rce AttackerKB reference: CVE-2025-24367

Description: This adds an exploit for CVE-2025-24367 which is an unauthenticated RCE in Cacti.

SmarterTools SmarterMail GUID File Upload Vulnerability

Authors: Piotr Bazydlo, Sina Kheirkhah, and jheysel-r7 Type: Exploit Pull request: #20866 contributed by jheysel-r7 Path: multi/http/smartermail_guid_file_upload AttackerKB reference: CVE-2025-52691

Description: This adds a module for unauthenticated file upload in SmarterTools SmaterMail (CVE-2025-52691). The vulnerability allows an unauthenticated user to upload a file to any location on the system using path traversal using the guid variable. The module will either drop a webshell in the webroot directory (if the target is Windows) or create a cron job by dropping a file in /etc/cron.d (if the target is Linux).

Burp Extension Persistence

Author: h00die Type: Exploit Pull request: #19821 contributed by h00die Path: multi/persistence/burp_extension

Description: This adds a new persistence module for BurpSuite. The module adds a malicious extension to both the Pro and Community versions, which is triggered when the user starts BurpSuite.

SSH Key Persistence

Authors: Dean Welch dean_welch@rapid7.com and h00die mike@shorebreaksecurity.com Type: Exploit Pull request: #20778 contributed by h00die Path: multi/persistence/ssh_key

Description: Combines the Windows and Linux ssh key persistence modules.

Enhancements and features (1)

• #20778 from h00die - Combines the Windows and Linux ssh key persistence modules.

Bugs fixed (3)

• #20897 from h00die - This fixes a bug that was preventing collected hash data from being formatted as input for the John the Ripper cracker. The result is that users can now once again crack passwords using John.
• #20902 from rudraditya21 - This fixes a bug in the auxiliary/scanner/ssh/ssh_login module that would incorrectly state that a login failed when it in fact succeeded but the module was unable to open a session. This was only an issue when the CreateSession option is true.
• #20909 from adfoster-r7 - Fixes a bug in Metasploit Pro that reported false positives for HTTP bruteforcing.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 6.4.110...6.4.111
• Full diff 6.4.110...6.4.111

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro

Oracle E-Business Suite Unauth RCE

This week, we are pleased to announce the addition of a module that exploits CVE-2025-61882, a pre-authentication remote code execution vulnerability in Oracle E-Business Suite versions 12.2.3 through 12.2.14. The exploit chains multiple flaws—including SSRF, path traversal, HTTP request smuggling, and XSLT injection—to coerce the target into fetching and executing a malicious XSL file hosted by the attacker. Successful exploitation results in arbitrary command execution and an interactive shell on both Linux/Unix and Windows targets. The module is reliable, repeatable, and we here at Metasploit hope you enjoy it, happy hacking!

New module content (3)

Authenticated RCE in Splunk (splunk_archiver app)

Authors: Alex Hordijk, Maksim Rogov, and psytester Type: Exploit Pull request: #20770 contributed by vognik Path: linux/http/splunk_auth_rce_cve_2024_36985 AttackerKB reference: CVE-2024-36985

Description: This adds two separate Metasploit exploit modules targeting Remote Code Execution (RCE) vulnerabilities in Splunk Enterprise. CVE-2024-36985 exploits unsafe use of the "copybuckets" lookup function within the splunk_archiver application, resulting in execution of the sudobash helper script with attacker-controlled arguments. Affected versions: All releases prior to 9.0.10, 9.1.2 through 9.1.5, 9.2.0 through 9.2.2 CVE-2022-43571, exploits a Python code injection vulnerability in Splunk SimpleXML dashboards by injecting malicious code into sparkline style parameters. Malicious code is executed when a user exports the dashboard to PDF. Affected versions: All releases prior to 8.1.12, 8.2.0 through 8.2.9, 9.0.0 through 9.0.2.

Oracle E-Business Suite CVE-2025-61882 RCE

Authors: Mathieu Dupas and watchTowr (Sonny, Sina Kheirkhah, Jake Knott) Type: Exploit Pull request: #20750 contributed by MatDupas Path: multi/http/oracle_ebs_cve_2025_61882_exploit_rce AttackerKB reference: CVE-2025-61882

Description: This adds an exploit for CVE-2025-61882, a critical Remote Code Execution (RCE) vulnerability in Oracle E-Business Suite (EBS). The flaw allows unauthenticated attackers to execute arbitrary code by leveraging a combination of SSRF, HTTP request smuggling and XSLT injection. Affected Versions: Oracle E-Business Suite, 12.2.3-12.2.14.

Authenticated RCE in Splunk (SimpleXML dashboard PDF generation)

Authors: Danylo Dmytriiev, Maksim Rogov, and psytester Type: Exploit Pull request: #20770 contributed by vognik Path: multi/http/splunk_auth_rce_cve_2022_43571 AttackerKB reference: CVE-2022-43571

Description: This adds two separate Metasploit exploit modules targeting Remote Code Execution (RCE) vulnerabilities in Splunk Enterprise. CVE-2024-36985 exploits unsafe use of the "copybuckets" lookup function within the splunk_archiver application, resulting in execution of the sudobash helper script with attacker-controlled arguments. Affected versions: All releases prior to 9.0.10, 9.1.2 through 9.1.5, 9.2.0 through 9.2.2 CVE-2022-43571, exploits a Python code injection vulnerability in Splunk SimpleXML dashboards by injecting malicious code into sparkline style parameters. Malicious code is executed when a user exports the dashboard to PDF. Affected versions: All releases prior to 8.1.12, 8.2.0 through 8.2.9, 9.0.0 through 9.0.2.

Enhancements and features (3)

• #20755 from rudraditya21 - This adds an advanced datastore option, KrbClockSkew, to modules that use Kerberos authentication, allowing operators to adjust the Kerberos clock from the Metasploit side to fix clock skew errors.
• #20840 from xaitax - This updates the MongoBleed auxiliary module and adds new options. The module can now use Wiz Magic Packet to detect the vulnerability quickly; it can detect compression libraries used by MongoDB (and warns or stops the user if zlib is not enabled). The module can also reuse the MongoDB socket connection during memory scanning, which significantly improves performance. Finally, it can better leak secrets, either by pattern matching or by storing the extracted information in raw or JSON format.
• #20861 from bcoles - Adds multiple improvements to get_hostname resolution logic for post exploitation modules.

Bugs fixed (1)

• #20888 from jheysel-r7 - Fixes an issue that caused dMSA kerberos authentication to fail.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 6.4.108...6.4.110
• Full diff 6.4.108...6.4.110

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro

Persistence, dMSA Abuse & RCE Goodies

This week, we have received a lot of contributions from the community, such as h00die, Chocapikk and countless others, which is greatly appreciated. This week’s modules and improvements in Metasploit Framework range from new modules, such as dMSA Abuse (resulting in escalation of privilege in Windows Active Directory environments), authenticated and unauthenticated RCE modules, as well as many improvements and additions to the persistence modules and techniques.

New module content (13)

BadSuccessor: dMSA abuse to Escalate Privileges in Windows Active Directory

Authors: AngelBoy, Spencer McIntyre, and jheysel-r7

Type: Auxiliary

Pull request: #20472 contributed by jheysel-r7 

Path: admin/ldap/bad_successor

Description: This adds an exploit for "BadSuccessor" which is a vulnerability whereby a user with permissions to an Organizational Unit (OU) in Active Directory can create a Delegated Managed Service Account (dMSA) account in such a way that it can lead to the issuance of a Kerberos ticket for an arbitrary user.

Control Web Panel /admin/index.php Unauthenticated RCE

Authors: Egidio Romano and Lukas Johannes Möller

Type: Exploit

Pull request: #20806 contributed by JohannesLks 

Path: linux/http/control_web_panel_api_cmd_exec 

AttackerKB reference: CVE-2025-67888

Description: This adds a new module for Control Web Panel (CVE-2025-67888). The vulnerability is unauthenticated OS command injection through an exposed API. The modules require Softaculous to be installed.

Prison Management System 1.0 Authenticated RCE via Unrestricted File Upload

Author: Alexandru Ionut Raducu

Type: Exploit

Pull request: #20811 contributed by Xorriath 

Path: linux/http/prison_management_rce 

AttackerKB reference: CVE-2024-48594

Description: This adds a new module for Prison Management System 1.0 (CVE-2024-48594). The module requires admin credentials, which are subsequently used to exploit unrestricted file upload to upload a webshell.

udev Persistence

Author: Julien Voisin

Type: Exploit

Pull request: #20796 contributed by h00die 

Path: linux/persistence/udev

Description: This moves the udev persistence module into the persistence category and adds the persistence mixin.

n8n Workflow Expression Remote Code Execution

Author: Lukas Johannes Möller

Type: Exploit

Pull request: #20810 contributed by JohannesLks 

Path: multi/http/n8n_workflow_expression_rce

AttackerKB reference: CVE-2025-68613

Description: This adds a new module for n8n (CVE-2025-68613). The vulnerability is authenticated remote code execution in the workflow expression evaluation engine. The module requires credentials to create a malicious workflow that executes system commands via a JavaScript payload.

Web-Check Screenshot API Command Injection RCE

Author: Valentin Lobstein chocapikk@leakix.net 

Type: Exploit

Pull request: #20791 contributed by Chocapikk 

Path: multi/http/web_check_screenshot_rce 

AttackerKB reference: CVE-2025-32778

Description: Adds an exploit module for CVE-2025-32778, a command injection vulnerability in Web-Check's screenshot API endpoint which allows unauthenticated remote code execution by injecting shell commands via URL query parameters in the /api/screenshot endpoint.

Accessibility Features (Sticky Keys) Persistence via Debugger Registry Key

Authors: OJ Reeves and h00die

Type: Exploit

Pull request: #20751 contributed by h00die 

Path: windows/persistence/accessibility_features_debugger

Description: This updates the Windows sticky keys post persistence module to use the new persistence mixin.

WMI Event Subscription Event Log Persistence

Authors: Nick Tyrer <@NickTyrer> and h00die

Type: Exploit

Pull request: #20706 contributed by h00die 

Path: windows/persistence/wmi/wmi_event_subscription_event_log

Description: Updated the Windows WMI to use a new way of managing persistence modules in Metasploit Framework. The Windows WMI module has been split into four modules, each representing their own technique.

WMI Event Subscription Interval Persistence

Authors: Nick Tyrer <@NickTyrer> and h00die

Type: Exploit

Pull request: #20706 contributed by h00die 

Path: windows/persistence/wmi/wmi_event_subscription_interval

Description: Updated the Windows WMI to use a new way of managing persistence modules in Metasploit Framework. The Windows WMI module has been split into four modules, each representing their own technique.

WMI Event Subscription Process Persistence

Authors: Nick Tyrer <@NickTyrer> and h00die

Type: Exploit

Pull request: #20706 contributed by h00die 

Path: windows/persistence/wmi/wmi_event_subscription_process

Description: Updated the Windows WMI to use a new way of managing persistence modules in Metasploit Framework. The Windows WMI module has been split into four modules, each representing their own technique.

WMI Event Subscription Logon Timer Persistence

Authors: Nick Tyrer <@NickTyrer> and h00die

Type: Exploit

Pull request: #20706 contributed by h00die 

Path: windows/persistence/wmi/wmi_event_subscription_uptime

Description: Updated the Windows WMI to use a new way of managing persistence modules in Metasploit Framework. The Windows WMI module has been split into four modules, each representing their own technique.

Linux Chmod

Author: bcoles bcoles@gmail.com 

Type: Payload (Single)

Pull request: #20845 contributed by bcoles 

Path: linux/armle/chmod and linux/aarch64/chmod

Description: Adds Linux ARM 32-bit / 64-bit Little Endian chmod payloads.

Enhancements and features (7)

• #20706 from h00die - Updated the Windows WMI to use a new way of managing persistence modules in Metasploit Framework. The Windows WMI module has been split into four modules, each representing their own technique.
• #20751 from h00die - This updates the Windows sticky keys post persistence module to use the new persistence mixin.
• #20785 from Chocapikk - This adds Waku framework support to the existing react2shell module. Waku is a minimal React framework which differs slightly compared to Node.js. The module maintains backward compatibility with existing Next.js targets while adding Waku support through a modular framework configuration system.
• #20786 from zeroSteiner - This updates the module code to merge the target Arch and Platform entries into the module's top level data. Prior to this change module developers had to define Arch and Platform entries twice, once at the module level and again per individual target. This updates over 500 modules and removes that duplication.
• #20796 from h00die - This moves the udev persistence into the persistence category and adds the persistence mixin.
• #20853 from zeroSteiner - Bumps metapsloit-payloads to 2.0.239.
• #20855 from h00die - Adds additional ATT&CK references to persistence modules.

Bugs fixed (2)

• #20738 from Shubham0699 - This fixes an issue in the bailiwicked DNS modules that was causing the module to fail with a stack trace due to a programming error.
• #20847 from dwelch-r7 - This updates the auxiliary/scanner/ssh/ssh_login module to remove stale documentation, remove unnecessary characters that were printed in the output and update the correct documentation with the new information about key usage.

Documentation added (1)

• #20665 from basicallyabidoof - Adds documentation for the ipv6_neighbor_router_advertisement module.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 6.4.106...6.4.107
• Full diff 6.4.106...6.4.107

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro

RISC-V Payloads

This week brings more RISC-V payloads from community member bcoles. One provides a new adapter which allows RISC-V payloads to be converted to commands and delivered as a Metasploit fetch-payload. The second is a classic bind shell, offering the user interactive connectivity to the target host. Both of these go a long way in improving Metasploit’s support for RISC-V systems.

Annual Wrap Up

With a new year comes a new annual wrap up. Earlier this week, the Metasploit project posted the annual wrap up covering notable changes from 2025.

New module content (4)

Taiga tribe_gig authenticated unserialize remote code execution

Authors: rootjog and whotwagner

Type: Exploit

Pull request: #20700 contributed by whotwagner 

Path: multi/http/taiga_tribe_gig_unserial

AttackerKB reference: CVE-2025-62368

Description: This adds a new module for authenticated deserialization vulnerability in Taiga.io (CVE-2025-62368). The module sends malicious data to exposed API, which performs unsafe deserialization, leading to remote code execution.

Python Site-Specific Hook Persistence

Author: msutovsky-r7

Type: Exploit

Pull request: #20692 contributed by msutovsky-r7 

Path: multi/persistence/python_site_specific_hook

Description: This adds a persistence module which leverages Python's startup mechanism, where some files can be automatically processed during the initialization of the Python interpreter. Someof those files are startup hooks (site-specific, dist-packages). If these files are present in site-specific or dist-packages directories, any lines beginning with import will be executed automatically. This creates a persistence mechanism if an attacker has established access to the target machine with sufficient permissions.

Add Linux RISC-V command payload adapters

Authors: bcoles bcoles@gmail.com 

Type: Payload (Adapter)

Pull request: #20734 contributed by bcoles

Description: This extends fetch payloads for RISC-V targets.

Linux Command Shell, Bind TCP Inline

Authors: bcoles bcoles@gmail.com and modexp

Type: Payload (Single)

Pull request: #20733 contributed by bcoles 

Path: linux/riscv32le/shell_bind_tcp

Description: This adds a new payload: a bind shell for Linux RISC-V targets.

Bugs fixed (2)

• #20370 from msutovsky-r7 - Fixes an issue that occurred when negotiating the SMB version and the server uses an unknown dialect. Now, the login function will throw an exception and exit gracefully.
• #20744 from ptrstr - This fixes a bug in unix/webapp/wp_reflexgallery_file_upload where the current year and month were being hardcoded in the request. This caused the server to reject the exploit if there was no folder in wp-content/uploads for that specific year and month. Now the year and month are configurable datastore options.

Documentation added (1)

• #20831 from DataExplorerX - This adds link to issues in Metasploit Framework Github repository.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 6.4.105...6.4.106
• Full diff 6.4.105...6.4.106

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro

React2Shell Payload Improvements

Last week Metasploit released an exploit for the React2Shell vulnerability, and this week we have made a couple of improvements to the payloads that it uses. The first improvement affects all Metasploit modules. When an exploit is used, an initial payload is selected using some basic logic that effectively would make a selection from the first available in alphabetical order. Now Metasploit will prefer a default of x86 Meterpreters for Windows systems (since 32-bit payloads work on both 32-bit and 64-bit versions of Windows) and x64 Meterpreters for all other platforms including Linux. In the context of React2Shell, this means the payload now defaults to x64 for Linux instead of AARCH64.

Another improvement that only affects this exploit was the change of the default payload to one leveraging Node.js which is more likely to be present than the wget binary that was required. These defaults should hopefully help users get started with this high-impact exploit with more ease, but of course any compatible payload can still be selected.

Stay tuned for the Metasploit annual wrap-up and roadmap announcement coming up!

New module content (2)

N-able N-Central Authentication Bypass and XXE Scanner

Authors: Valentin Lobstein chocapikk@leakix.net and Zach Hanley (Horizon3.ai)

Type: Auxiliary

Pull request: #20713 contributed by Chocapikk 

Path: scanner/http/nable_ncentral_auth_bypass_xxe

AttackerKB reference: CVE-2025-11700

Description: This adds an auxiliary module that exploits two CVEs affecting N-able N-Central. CVE-2025-9316, an Unauthenticated Session Bypass and CVE-2025-11700 a XXE (XML External Entity) vulnerability. The module combines both vulnerabilities to achieve unauthenticated file read on affected N-Central instances (versions < 2025.4.0.9).

Grav CMS Twig SSTI Authenticated Sandbox Bypass RCE

Author: Tarek Nakkouch

Type: Exploit

Pull request: #20749 contributed by nakkouchtarek 

Path: multi/http/grav_twig_ssti_sandbox_bypass_rce

AttackerKB reference: CVE-2025-66301

Description: This adds an exploit module for a Server-Side Template Injection (SSTI) vulnerability (CVE-2025-66294) in Grav CMS, versions prior to 1.8.0-beta.27 , that allows bypassing the Twig sandbox to achieve remote code execution. To inject the malicious payload into a form's process section, this module leverages CVE-2025-66301, a broken access control flaw in the /admin/pages/{page_name} endpoint.

Enhancements and features (2)

• #20424 from cdelafuente-r7 - Updates how vulnerabilities and services are reported by adding a resource field to both models. It also add a parents field to make layered services possible. An optional resource field can now be provided and the existing service field has been updated to also accept an option hash.
• #20771 from zeroSteiner - Updates Metasploit's default payload selection logic to preference x86 payloads over AARCH64 payloads.
• #20773 from jheysel-r7 - This updates the exploit for React2Shell with a better default payload.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 6.4.102...6.4.103
• Full diff 6.4.102...6.4.103

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro

React2shell Module

As you may have heard, on December 3, 2025, the React team announced a critical Remote Code Execution (RCE) vulnerability in servers using the React Server Components (RSC) Flight protocol. The vulnerability, tracked as CVE-2025-55182, carries a CVSS score of 10.0 and is informally known as "React2Shell". It allows attackers to achieve prototype pollution during deserialization of RSC payloads by sending specially crafted multipart requests with "proto", "constructor", or "prototype" as module names. We're happy to announce that community contributor vognik submitted an exploit module for React2Shell which landed earlier this week and is included in this week's release.

MSSQL Improvements

Over the past couple of weeks Metasploit has made a couple of key improvements to the framework’s MSSQL attack capabilities. The first (PR 20637) is a new NTLM relay module, auxiliary/server/relay/smb_to_mssql, which enables users to start a malicious SMB server that will relay authentication attempts to one or more target MSSQL servers. When successful, the Metasploit operator will have an interactive session to the MSSQL server that can be used to run interactive queries, or MSSQL auxiliary modules.

Building on this work, it became clear that users would need to interact with MSSQL servers that required encryption as many do in hardened environments. To achieve that objective, issue 18745 was closed by updating Metasploits MSSQL protocol library to offer better encryption support. Now, Metasploit users can open interactive sessions to servers that offer and even require encrypted connections. This functionality is available automatically in the auxiliary/scanner/mssql/mssql_login and new auxiliary/server/relay/smb_to_mssql modules.

New module content (5)

Magento SessionReaper

Authors: Blaklis, Tomais Williamson, and Valentin Lobstein chocapikk@leakix.net 

Type: Exploit

Pull request: #20725 contributed by Chocapikk 

Path:multi/http/magento_sessionreaper

AttackerKB reference: CVE-2025-54236

Description: This adds a new exploit module for CVE-2025-54236 (SessionReaper), a critical vulnerability in Magento/Adobe Commerce that allows unauthenticated remote code execution. The vulnerability stems from improper handling of nested deserialization in the payment method context, combined with an unauthenticated file upload endpoint.

Unauthenticated RCE in React and Next.js

Authors: Lachlan Davidson, Maksim Rogov, and maple3142

Type: Exploit

Pull request: #20760 contributed by sfewer-r7 

Path: multi/http/react2shell_unauth_rce_cve_2025_55182 

AttackerKB reference: CVE-2025-66478

Description: This adds an exploit for CVE-2025-55182 which is an unauthenticated RCE in React. This vulnerability has been referred to as React2Shell.

WordPress King Addons for Elementor Unauthenticated Privilege Escalation to RCE

Authors: Peter Thaleikis and Valentin Lobstein chocapikk@leakix.net 

Type: Exploit

Pull request: #20746 contributed by Chocapikk 

Path: multi/http/wp_king_addons_privilege_escalation 

AttackerKB reference: CVE-2025-8489

Description: This adds an exploit module for CVE-2025-8489, an unauthenticated privilege escalation vulnerability in the WordPress King Addons for Elementor plugin (versions 24.12.92 to 51.1.14). The vulnerability allows unauthenticated attackers to create administrator accounts by specifying the user_role parameter during registration, enabling remote code execution through plugin upload.

Linux Reboot

Author: bcoles bcoles@gmail.com 

Type: Payload (Single)

Pull request: #20682 contributed by bcoles 

Path:linux/loongarch64/reboot

Description: This extends our payloads support to a new architecture, LoongArch64. The first payload introduced for this new architecture is the reboot payload, which will cause the target system to restart once triggered.

Enhanced Modules (2)

Modules which have either been enhanced, or renamed:

• #20736 from sfewer-r7 - This pull requests updates the exploit/linux/http/fortinet_fortiweb_rce module (added in https://github.com/rapid7/metasploit-framework/pull/20717) to add in support for older version of FortiWeb, versions 6.*, which are no longer under support from the vendor.
• #20747 from vognik - This adds an exploit for CVE-2025-55182 which is an unauthenticated RCE in React. This vulnerability has been referred to as React2Shell.

Enhancements and features (1)

• #20704 from dwelch-r7 - The module auxiliary/scanner/ssh/ssh_login_pubkey has been removed. Its functionality has been moved into auxiliary/scanner/ssh/ssh_login.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 6.4.101...6.4.102
• Full diff 6.4.101...6.4.102

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro

Twonky Auth Bypass, RCEs and RISC-V Reverse Shell Payloads

This was another fantastic week in terms of PR contribution to the Metasploit Framework. Rapid7’s very own Ryan Emmons recently disclosed CVE-2025-13315 and CVE-2025-13316 which exist in Twonky Server and allow decrypting admin credentials by reading logs without authentication (which contain them). The auxiliary module Ryan submitted which exploits both of these CVEs was released this week. Community contributor Valentin Lobsein aka Chocapikk has returned to the PR queue with a welcomed vengeance. Two modules from Chocapikk were landed this week, a Monsta FTP downloadFile Remote Code Execution module along with a WordPress AI Engine Plugin MCP Unauthenticated Admin Creation to RCE. In addition to some awesome module content, community contributor bcoles added Linux RISC-V 32-bit/64-bit TCP reverse shell payloads.

New module content (5)

Twonky Server Log Leak Authentication Bypass

Author: remmons-r7

Type: Auxiliary

Pull request: #20709 contributed by remmons-r7 

Path: gather/twonky_authbypass_logleak 

AttackerKB reference: CVE-2025-13316

Description: This module exploits two CVEs: CVE-2025-13315 and CVE-2025-13316. Both CVEs exist in Twonky Server and allow decrypting admin credentials by reading logs without authentication (which contain them). Then, because the module uses hardcoded keys, it decrypts those credentials.

Monsta FTP downloadFile Remote Code Execution

Authors: Valentin Lobstein chocapikk@leakix.net, msutovsky-r7, and watchTowr Labs

Type: Exploit

Pull request: #20718 contributed by Chocapikk 

Path: multi/http/monsta_ftp_downloadfile_rce 

AttackerKB reference: CVE-2025-34299

Description: This add module for CVE-2025-34299. The module exploits a vulnerability in the downloadFile action which allows an attacker to connect to a malicious FTP server and download arbitrary files to arbitrary locations on the Monsta FTP server.

WordPress AI Engine Plugin MCP Unauthenticated Admin Creation to RCE

Authors: Emiliano Versini, Khaled Alenazi (Nxploited), Valentin Lobstein chocapikk@leakix.net, and dledda-r7

Type: Exploit

Pull request: #20720 contributed by Chocapikk 

Path: multi/http/wp_ai_engine_mcp_rce 

AttackerKB reference: CVE-2025-11749

Description: This adds a new exploit module for an unauthenticated vulnerability in the WordPress AI Engine plugin, which has over 100,000 active installations. The vulnerability allows an attacker to create an administrator account via the MCP (Model Context Protocol) endpoint without authentication, then upload and execute a malicious plugin to achieve remote code execution. The vulnerability is being tracked as CVE-2025-11749.

Linux Command Shell, Reverse TCP Inline

Authors: bcoles bcoles@gmail.com and modexp

Type: Payload (Single)

Pull request: #20712 contributed by bcoles 

Path: linux/riscv32le/shell_reverse_tcp

Description: This adds Linux RISC-V 32-bit/64-bit TCP reverse shell payloads.

Linux Command Shell, Reverse TCP Inline

Authors: bcoles bcoles@gmail.com and modexp

Type: Payload (Single)

Pull request: #20712 contributed by bcoles 

Path: linux/riscv64le/shell_reverse_tcp

Description: This adds Linux RISC-V 32-bit/64-bit TCP reverse shell payloads.

Enhancements and features (3)

• #20658 from jheysel-r7 - This adds a number of accuracy enhancements to the ldap_esc_vulnerable_cert_finder module. It also adds a CertificateAuthorityRhost datastore option to the esc_update_ldap_object module so the operator can specify an IP Address explicitly in cases where the hostname cannot be resolved via DNS.
• #20677 from zeroSteiner - This enables sessions to MSSQL servers that require encryption. These changes add a new MsTds::Channel which leverages Rex's socket abstraction to facilitate the necessary encapsulation for the TLS negotiation.
• #20741 from SaiSakthidar - This removes CAIN as an output format for collected hashes.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 6.4.100...6.4.101
• Full diff 6.4.100...6.4.101

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro

This week, we have added 10 new modules to Metasploit Framework including an SMB to MSSQL relay module, a remote code execution module targeting Fortinet software, additional 32-bit and 64-bit RISC-V payloads, and more.

The SMB to MSSQL NTLM relay module allows users to open MSSQL sessions and run arbitrary queries against a target upon success. This module supports running an SMB server which validates credentials, and then attempts to execute a relay attack against an MSSQL server. This allows for more attack paths, credential gathering, as well as unlocking additional lateral movement and data exfiltration capabilities.

New module content (10)

Microsoft Windows SMB to MSSQL Relay

Author: Spencer McIntyre Type: Auxiliary Pull request: #20637 contributed by zeroSteiner Path: server/relay/smb_to_mssql

Description: Adds a new NTLM relay module for relaying from SMB to MSSQL servers. On success, an MSSQL session will be opened to allow the user to run arbitrary queries and some modules.

Fortinet FortiWeb unauthenticated RCE

Authors: Defused and sfewer-r7 Type: Exploit Pull request: #20717 contributed by sfewer-r7 Path: linux/http/fortinet_fortiweb_rce AttackerKB reference: CVE-2025-58034

Description: Adds a new module chaining FortiWeb vulnerabilities CVE-20205-64446 and CVE-2025-58034 to gain unauthenticated code execution on a FortiWeb server.

IGEL OS Privilege Escalation (via systemd service)

Author: Zack Didcott Type: Exploit Pull request: #20702 contributed by Zedeldi Path: linux/local/igel_network_priv_esc

Description: Adds 3 new modules targeting the iGEL OS. One post module abusing the SUID permissions of the setup and date binaries, one privilege escalation abusing the same SUID binary permissions to modify the NetworkManager and restart the service, allowing arbitrary executables to be run as root, and one persistence module relying on root permissions to write a command to the iGEL registry to enable execution at startup as root.

IGEL OS Persistent Payload

Author: Zack Didcott Type: Exploit Pull request: #20702 contributed by Zedeldi Path: linux/persistence/igel_persistence

Description: Adds 3 new modules targeting the iGEL OS. One post module abusing the SUID permissions of the setup and date binaries, one privilege escalation abusing the same SUID binary permissions to modify the NetworkManager and restart the service, allowing arbitrary executables to be run as root, and one persistence module relying on root permissions to write a command to the iGEL registry to enable execution at startup as root.

Flowise Custom MCP Remote Code Execution

Authors: Assaf Levkovich and Valentin Lobstein chocapikk@leakix.net Type: Exploit Pull request: #20705 contributed by Chocapikk Path: multi/http/flowise_custommcp_rce AttackerKB reference: CVE-2025-8943

Description: This adds two modules for two vulnerabilities in Flowise (CVE-2025-59528, CVE-2025-8943). The modules add an option to use Flowise credentials for authentication when the application requires it, enabling exploitation of vulnerabilities.

Flowise JS Injection RCE

Authors: Kim SooHyun (im-soohyun), Valentin Lobstein chocapikk@leakix.net, and nltt0 Type: Exploit Pull request: #20705 contributed by Chocapikk Path: multi/http/flowise_js_rce AttackerKB reference: CVE-2025-59528

Description: This adds two modules for two vulnerabilities in Flowise (CVE-2025-59528, CVE-2025-8943). The modules add an option to use Flowise credentials for authentication when the application requires it, enabling exploitation of vulnerabilities.

Notepad++ Plugin Persistence

Author: msutovsky-r7 Type: Exploit Pull request: #20685 contributed by msutovsky-r7 Path: windows/persistence/notepadpp_plugin_persistence

Description: Adds a persistence module for Notepad++ by adding a malicious plugin to Notepad++, as it blindly loads and executes DLLs from its plugin directory on startup.

Linux Chmod 32-bit

Author: bcoles bcoles@gmail.com Type: Payload (Single) Pull request: #20703 contributed by bcoles Path: linux/riscv32le/chmod

Description: Adds Linux RISC-V 32-bit / 64-bit Little Endian chmod payloads.

Linux Chmod 64-bit

Author: bcoles bcoles@gmail.com Type: Payload (Single) Pull request: #20703 contributed by bcoles Path: linux/riscv64le/chmod

Description: Adds Linux RISC-V 32-bit / 64-bit Little Endian chmod payloads.

IGEL OS Dump File

Author: Zack Didcott Type: Post Pull request: #20702 contributed by Zedeldi Path: linux/gather/igel_dump_file

Description: Adds 3 new modules targeting the iGEL OS. One post module abusing the SUID permissions of the setup and date binaries, one privilege escalation abusing the same SUID binary permissions to modify the NetworkManager and restart the service, allowing arbitrary executables to be run as root, and one persistence module relying on root permissions to write a command to the iGEL registry to enable execution at startup as root.

Bugs fixed (3)

• #20482 from rodolphopivetta - This fixes a bug in HTTP-based login scanners, when SSL is enabled and a non-default HTTPS port is used.
• #20693 from dledda-r7 - This fixes race condition in preloading extension klasses during bootstrap.
• #20721 from cpomfret-r7 - Fixes a crash when running a Nexpose scan that had a Nexpose Scan Assistant credential present.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 6.4.99...6.4.100
• Full diff 6.4.99...6.4.100

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro

CVE-2025-64446 - Fortinet’s FortiWeb exploitation

A critical vulnerability in Fortinet’s FortiWeb Web Application Firewall, now assigned CVE-2025-64446 (CVSS 9.1), allows unauthenticated attackers to gain full administrator access to the FortiWeb Manager interface and its websocket CLI. The flaw became publicly known on October 6, 2025, after Defused shared a proof-of-concept exploit captured by their honeypots. Metasploit now has support for an auxiliary module admin/http/fortinet_fortiweb_create_admin which can be used to create a new administrative user, and an upcoming exploit module targeting Fortinet FortiWeb that exploits CVE-2025-64446 and CVE-2025-58034 for an authenticated command injection that allows for root OS command execution. For more details see Rapid7’s analysis on CVE-2025-64446

New module content (3)

Fortinet FortiWeb create new local admin

Authors: Defused and sfewer-r7

Type: Auxiliary Pull request: #20698 contributed by sfewer-r7

Path: admin/http/fortinet_fortiweb_create_admin

AttackerKB reference: CVE-2025-64446

Description: Adds a module for the recent FortiWeb 8.0.1 authentication bypass vulnerability allowing an attacker to create a new administrative user. The exploit is based on the PoC published by Defused.

Windows Persistent Service Installer

Authors: Green-m greenm.xxoo@gmail.com and h00die

Type: Exploit Pull request: #20638 contributed by h00die

Path: windows/persistence/service

Description: Updates the Windows service persistence to use the new mixin, adds the ability to run as either Powershell or sc.exe, and uses more libraries.

Windows WSL via Registry Persistence

Authors: Joe Helle and h00die

Type: Exploit

Pull request: #20701 contributed by h00die

Path: windows/persistence/wsl/registry

Description: Adds a new Windows persistence module - the WSL registry module. The module will create registry entries (Run, RunOnce) to run a Linux payload stored in WSL.

Enhancements and features (5)

• #20560 from cdelafuente-r7 - Adds references to MITRE ATT&CK technique T1021 "Remote Services" and its sub-techniques.
• #20638 from h00die - Updates the windows service persistence to use the new mixin, adds the ability to run as either Powershell or sc.exe, and uses more libraries.
• #20689 from zeroSteiner - Add tests for socket channels in Meterpreter and SSH sessions.
• #20699 from sfewer-r7 - Adds the CVE number and further guidance on vulnerable versions for the vulnerability.
• #20707 from bcoles - Updates multiple Linux reboot payloads to note that CAP_SYS_BOOT privileges are required.

Bugs fixed (2)

• #20687 from dwelch-r7 - This updates the auxiliary/scanner/winrm/winrm_login module to catch access denied errors when trying to create a shell session. This is then used to inform the operator that the target account's password is correct but they do not have permissions to start a shell with WinRM.
• #20695 from zeroSteiner - Updates the Java and PHP Meterpreter to send the local address and local port information back to Metasploit when opening TCP or UDP sockets on the remote host.
• #20708 from cdelafuente-r7 - Fixes a bug with msfdb when attempting to execute the program with bundle exec.
• #20711 from bcoles - Fixes description for AppendExit datastore option.

Documentation added (1)

• #20694 from cgranleese-r7 - Adds new documentation on Metasploit's post module support. Additionally adds documentation for the new create_process API that supersedes the legacy cmd_exec API.

You can always find more documentation on our docsite at docs.metasploit.com.

Missing rn-* label on Github (4)

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 6.4.98...6.4.99
• Full diff 6.4.98...6.4.99

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro

It has “SUS” in the name, what did you expect?

This week’s release features the much-hyped CVE-2025-59287, a Critical-Severity Windows Server Update Service (WSUS) vulnerability that allows for SYSTEM level remote code execution. Documented among the multiple recent zero-days in Windows, the vulnerability affects Windows Servers running the WSUS service, which is not enabled by default. Several vendors, including Huntress and Eye Security have reported seeing the exploit used in the wild, and the Cybersecurity and Infrastructure Security Agency (CISA) ordered US government agencies to patch affected machines last month.

New module content (1)

Windows Server Update Service Deserialization Remote Code Execution

Authors: msutovsky-r7 and mwulftange

Type: Exploit

Pull request: #20674 contributed by msutovsky-r7 

Path: windows/http/wsus_deserialization_rce 

AttackerKB reference: CVE-2025-59287

Description: Adds a module targeting CVE-2025-59287, an unauthenticated deserialization vulnerability in the Windows Server Update Service (WSUS) resulting in remote code execution as SYSTEM

Enhancements and features (3)

• #20576 from msutovsky-r7 - This updates the LINQPad persistence module to use the new persistence mixin.
• #20669 from stfnw - This updates the auxiliary/scanner/http/azure_ad_login module to print the domain and username in error messages. This enables users to understand what user caused the error.
• #20690 from dbono-r7 - This adds the cert pipe to the list of known pipes that will be checked by the auxiliary/scanner/smb/pipe_auditor module. This effectively enables users to identify when the MS-ICPR interface is available because Active Directory Certificate Services (AD CS) is in use.

Documentation (1)

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

• #20625 from h00die - Improved multiple modules’ documentation to have consistent formatting.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 6.4.97...6.4.98
• Full diff 6.4.97...6.4.98

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro

New module content (3)

Centreon authenticated command injection leading to RCE via broker engine "reload" parameter

Author: h00die-gr3y h00die.gr3y@gmail.com

Type: Exploit

Pull request: #20672 contributed by h00die-gr3y

Path: linux/http/centreon_auth_rce_cve_2025_5946

AttackerKB reference: CVE-2025-5946

Description: Adds an exploit module for Centreon. The vulnerability, an authenticated command injection, will lead to a remote code execution.

Rootkit Privilege Escalation Signal Hunter

Author: bcoles bcoles@gmail.com

Type: Exploit

Pull request: #20643 contributed by bcoles

Path: linux/local/rootkit_privesc_signal_hunter

Description: Expands diamorphine privilege escalation module to other rootkits that use signal handling for privilege escalation.

Windows Persistent Task Scheduler

Author: h00die

Type: Exploit

Pull request: #20660 contributed by h00die

Path: windows/persistence/task_scheduler

Description: This adds a new persistence module for Windows - the task scheduler module. The module will create scheduled tasks depending on the ScheduleType option.

Enhancements and features (2)

• #20523 from h00die - This updates the upstart persistence to use the new persistence mixin.
• #20643 from bcoles - Expands diamorphine privilege escalation module to other rootkits, which use signal handling for privilege escalation.

Bugs fixed (1)

• #20673 from adfoster-r7 - Temporarily pins date dependency to 3.4.1 due to possible issues associated with 3.5.0 to allow for further testing.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 6.4.96...6.4.97
• Full diff 6.4.96...6.4.97

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro