
Metasploit Wrap-Up 12/12/2025

12 December 2025 at 15:38

React2shell Module

As you may have heard, on December 3, 2025, the React team announced a critical Remote Code Execution (RCE) vulnerability in servers using the React Server Components (RSC) Flight protocol. The vulnerability, tracked as CVE-2025-55182, carries a CVSS score of 10.0 and is informally known as "React2Shell". It allows attackers to achieve prototype pollution during deserialization of RSC payloads by sending specially crafted multipart requests with "__proto__", "constructor", or "prototype" as module names. We're happy to announce that community contributor vognik submitted an exploit module for React2Shell which landed earlier this week and is included in this week's release.

MSSQL Improvements

Over the past couple of weeks Metasploit has made a couple of key improvements to the framework’s MSSQL attack capabilities. The first (PR 20637) is a new NTLM relay module, auxiliary/server/relay/smb_to_mssql, which enables users to start a malicious SMB server that will relay authentication attempts to one or more target MSSQL servers. When successful, the Metasploit operator will have an interactive session to the MSSQL server that can be used to run interactive queries, or MSSQL auxiliary modules.

Building on this work, it became clear that users would need to interact with MSSQL servers that require encryption, as many do in hardened environments. To achieve that objective, issue 18745 was closed by updating Metasploit's MSSQL protocol library to offer better encryption support. Now, Metasploit users can open interactive sessions to servers that offer, and even require, encrypted connections. This functionality is available automatically in the auxiliary/scanner/mssql/mssql_login and new auxiliary/server/relay/smb_to_mssql modules.
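The "offer and even require" distinction above comes from the ENCRYPTION option exchanged in the TDS PRELOGIN packet: each side states OFF, ON, NOT_SUP or REQ, and the pair decides whether only the login packet, the whole session, or nothing is wrapped in TLS (the TLS handshake itself is carried inside TDS packets, which is the encapsulation the MsTds::Channel work refers to). The following added example is not code from Metasploit's Rex MSSQL library; it encodes and decodes a PRELOGIN packet using the token and value constants from MS-TDS section 2.2.6.5 and applies a simplified, assumed form of the negotiation table, so the exact outcome for the less common client/server combinations is an approximation.

```ruby
# Added example (not Metasploit's Rex::Proto::MSSQL code): encodes and decodes
# the TDS PRELOGIN packet that carries the ENCRYPTION option, and applies a
# simplified version of the MS-TDS negotiation table to decide whether the
# session must be wrapped in TLS. Constants follow MS-TDS section 2.2.6.5.
module TdsPrelogin
  PKT_PRELOGIN = 0x12   # TDS packet type
  STATUS_EOM   = 0x01   # end of message

  OPT_VERSION    = 0x00
  OPT_ENCRYPTION = 0x01
  OPT_TERMINATOR = 0xFF

  ENCRYPT_OFF     = 0x00  # TLS for the LOGIN7 packet only
  ENCRYPT_ON      = 0x01  # TLS for the whole session
  ENCRYPT_NOT_SUP = 0x02  # no TLS available
  ENCRYPT_REQ     = 0x03  # TLS required

  NAMES = { ENCRYPT_OFF => 'OFF', ENCRYPT_ON => 'ON',
            ENCRYPT_NOT_SUP => 'NOT_SUP', ENCRYPT_REQ => 'REQ' }.freeze

  # Build a PRELOGIN packet with VERSION and ENCRYPTION options.
  def self.build(encryption, version: [0, 0, 0, 0], subbuild: 0)
    options = [
      [OPT_VERSION,    version.pack('C4') + [subbuild].pack('n')],
      [OPT_ENCRYPTION, [encryption].pack('C')]
    ]
    # Option table: token(1) offset(2) length(2) per entry, then 0xFF.
    # Offsets are relative to the start of the PRELOGIN payload.
    table_len = options.size * 5 + 1
    table = String.new(encoding: Encoding::BINARY)
    data  = String.new(encoding: Encoding::BINARY)
    options.each do |token, value|
      table << [token, table_len + data.bytesize, value.bytesize].pack('Cnn')
      data  << value
    end
    table << [OPT_TERMINATOR].pack('C')
    payload = table + data
    # TDS header: type, status, length, SPID, packet id, window.
    header = [PKT_PRELOGIN, STATUS_EOM, 8 + payload.bytesize, 0, 1, 0].pack('CCnnCC')
    header + payload
  end

  # Parse a PRELOGIN packet into { token => value bytes }.
  def self.parse(packet)
    type, _status, length = packet.unpack('CCn')
    raise 'not a PRELOGIN packet' unless type == PKT_PRELOGIN
    raise 'length field does not match packet size' unless length == packet.bytesize
    payload = packet.byteslice(8..-1)
    opts = {}
    pos = 0
    while (token = payload.getbyte(pos)) != OPT_TERMINATOR
      raise 'option table overruns payload' if token.nil?
      offset, len = payload.byteslice(pos + 1, 4).unpack('nn')
      opts[token] = payload.byteslice(offset, len)
      pos += 5
    end
    opts
  end

  def self.encryption_of(packet)
    parse(packet).fetch(OPT_ENCRYPTION).unpack1('C')
  end

  # Outcome for the client given its own offer and the server's answer:
  # :plaintext, :encrypt_login_only, :encrypt_session or :abort.
  # Simplified (assumed) reading of the MS-TDS negotiation table.
  def self.negotiate(client, server)
    wants_tls = [ENCRYPT_ON, ENCRYPT_REQ].include?(client)
    case server
    when ENCRYPT_NOT_SUP then wants_tls ? :abort : :plaintext
    when ENCRYPT_OFF     then wants_tls ? :encrypt_session : :encrypt_login_only
    when ENCRYPT_ON, ENCRYPT_REQ
      # A server that requires TLS drops clients that cannot speak it.
      client == ENCRYPT_NOT_SUP ? :abort : :encrypt_session
    else
      raise ArgumentError, "unknown encryption value #{server}"
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed exchange: client offers OFF, a hardened server answers REQ.
  client_pkt = TdsPrelogin.build(TdsPrelogin::ENCRYPT_OFF, version: [16, 0, 0, 0])
  server_pkt = TdsPrelogin.build(TdsPrelogin::ENCRYPT_REQ, version: [16, 0, 4, 0])
  c = TdsPrelogin.encryption_of(client_pkt)
  s = TdsPrelogin.encryption_of(server_pkt)
  puts "client #{TdsPrelogin::NAMES[c]} / server #{TdsPrelogin::NAMES[s]} -> #{TdsPrelogin.negotiate(c, s)}"
end
```

From the defender's side, the same exchange is the check: a server answering REQ to a client offering NOT_SUP should terminate the connection, so a login scanner or relay that connects to a server configured with "Force Encryption" only succeeds if it can complete the TLS step, which is exactly the gap this release closes for Metasploit.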

New module content (5)

Magento SessionReaper

Authors: Blaklis, Tomais Williamson, and Valentin Lobstein chocapikk@leakix.net 

Type: Exploit

Pull request: #20725 contributed by Chocapikk 

Path: multi/http/magento_sessionreaper

AttackerKB reference: CVE-2025-54236

Description: This adds a new exploit module for CVE-2025-54236 (SessionReaper), a critical vulnerability in Magento/Adobe Commerce that allows unauthenticated remote code execution. The vulnerability stems from improper handling of nested deserialization in the payment method context, combined with an unauthenticated file upload endpoint.

Unauthenticated RCE in React and Next.js

Authors: Lachlan Davidson, Maksim Rogov, and maple3142

Type: Exploit

Pull request: #20760 contributed by sfewer-r7 

Path: multi/http/react2shell_unauth_rce_cve_2025_55182 

AttackerKB reference: CVE-2025-66478

Description: This adds an exploit for CVE-2025-55182 which is an unauthenticated RCE in React. This vulnerability has been referred to as React2Shell.

WordPress King Addons for Elementor Unauthenticated Privilege Escalation to RCE

Authors: Peter Thaleikis and Valentin Lobstein chocapikk@leakix.net 

Type: Exploit

Pull request: #20746 contributed by Chocapikk 

Path: multi/http/wp_king_addons_privilege_escalation 

AttackerKB reference: CVE-2025-8489

Description: This adds an exploit module for CVE-2025-8489, an unauthenticated privilege escalation vulnerability in the WordPress King Addons for Elementor plugin (versions 24.12.92 to 51.1.14). The vulnerability allows unauthenticated attackers to create administrator accounts by specifying the user_role parameter during registration, enabling remote code execution through plugin upload.

Linux Reboot

Author: bcoles bcoles@gmail.com 

Type: Payload (Single)

Pull request: #20682 contributed by bcoles 

Path: linux/loongarch64/reboot

Description: This extends our payloads support to a new architecture, LoongArch64. The first payload introduced for this new architecture is the reboot payload, which will cause the target system to restart once triggered.

Enhanced Modules (2)

Modules which have either been enhanced or renamed:

Enhancements and features (1)

  • #20704 from dwelch-r7 - The module auxiliary/scanner/ssh/ssh_login_pubkey has been removed. Its functionality has been moved into auxiliary/scanner/ssh/ssh_login.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro


Metasploit Wrap-Up 12/05/2025

5 December 2025 at 15:58

Twonky Auth Bypass, RCEs and RISC-V Reverse Shell Payloads

This was another fantastic week in terms of PR contribution to the Metasploit Framework. Rapid7’s very own Ryan Emmons recently disclosed CVE-2025-13315 and CVE-2025-13316 which exist in Twonky Server and allow decrypting admin credentials by reading logs without authentication (which contain them). The auxiliary module Ryan submitted which exploits both of these CVEs was released this week. Community contributor Valentin Lobstein aka Chocapikk has returned to the PR queue with a welcomed vengeance. Two modules from Chocapikk were landed this week, a Monsta FTP downloadFile Remote Code Execution module along with a WordPress AI Engine Plugin MCP Unauthenticated Admin Creation to RCE. In addition to some awesome module content, community contributor bcoles added Linux RISC-V 32-bit/64-bit TCP reverse shell payloads.

New module content (5)

Twonky Server Log Leak Authentication Bypass

Author: remmons-r7

Type: Auxiliary

Pull request: #20709 contributed by remmons-r7 

Path: gather/twonky_authbypass_logleak 

AttackerKB reference: CVE-2025-13316

Description: This module exploits two CVEs: CVE-2025-13315 and CVE-2025-13316. Both CVEs exist in Twonky Server and allow decrypting admin credentials by reading logs without authentication (which contain them). The module then decrypts those credentials using the hardcoded keys.

Monsta FTP downloadFile Remote Code Execution

Authors: Valentin Lobstein chocapikk@leakix.net, msutovsky-r7, and watchTowr Labs

Type: Exploit

Pull request: #20718 contributed by Chocapikk 

Path: multi/http/monsta_ftp_downloadfile_rce 

AttackerKB reference: CVE-2025-34299

Description: This adds a module for CVE-2025-34299. The module exploits a vulnerability in the downloadFile action which allows an attacker to connect to a malicious FTP server and download arbitrary files to arbitrary locations on the Monsta FTP server.

WordPress AI Engine Plugin MCP Unauthenticated Admin Creation to RCE

Authors: Emiliano Versini, Khaled Alenazi (Nxploited), Valentin Lobstein chocapikk@leakix.net, and dledda-r7

Type: Exploit

Pull request: #20720 contributed by Chocapikk 

Path: multi/http/wp_ai_engine_mcp_rce 

AttackerKB reference: CVE-2025-11749

Description: This adds a new exploit module for an unauthenticated vulnerability in the WordPress AI Engine plugin, which has over 100,000 active installations. The vulnerability allows an attacker to create an administrator account via the MCP (Model Context Protocol) endpoint without authentication, then upload and execute a malicious plugin to achieve remote code execution. The vulnerability is being tracked as CVE-2025-11749.

Linux Command Shell, Reverse TCP Inline

Authors: bcoles bcoles@gmail.com and modexp

Type: Payload (Single)

Pull request: #20712 contributed by bcoles 

Path: linux/riscv32le/shell_reverse_tcp

Description: This adds Linux RISC-V 32-bit/64-bit TCP reverse shell payloads.

Linux Command Shell, Reverse TCP Inline

Authors: bcoles bcoles@gmail.com and modexp

Type: Payload (Single)

Pull request: #20712 contributed by bcoles 

Path: linux/riscv64le/shell_reverse_tcp

Description: This adds Linux RISC-V 32-bit/64-bit TCP reverse shell payloads.

Enhancements and features (3)

  • #20658 from jheysel-r7 - This adds a number of accuracy enhancements to the ldap_esc_vulnerable_cert_finder module. It also adds a CertificateAuthorityRhost datastore option to the esc_update_ldap_object module so the operator can specify an IP Address explicitly in cases where the hostname cannot be resolved via DNS.
  • #20677 from zeroSteiner - This enables sessions to MSSQL servers that require encryption. These changes add a new MsTds::Channel which leverages Rex's socket abstraction to facilitate the necessary encapsulation for the TLS negotiation.
  • #20741 from SaiSakthidar - This removes CAIN as an output format for collected hashes.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro

Metasploit Wrap-Up 11/28/2025

28 November 2025 at 13:49

This week, we have added 10 new modules to Metasploit Framework including an SMB to MSSQL relay module, a remote code execution module targeting Fortinet software, additional 32-bit and 64-bit RISC-V payloads, and more.

The SMB to MSSQL NTLM relay module allows users to open MSSQL sessions and run arbitrary queries against a target upon success. This module supports running an SMB server which validates credentials, and then attempts to execute a relay attack against an MSSQL server. This allows for more attack paths, credential gathering, as well as unlocking additional lateral movement and data exfiltration capabilities.

New module content (10)

Microsoft Windows SMB to MSSQL Relay

Author: Spencer McIntyre
Type: Auxiliary
Pull request: #20637 contributed by zeroSteiner
Path: server/relay/smb_to_mssql

Description: Adds a new NTLM relay module for relaying from SMB to MSSQL servers. On success, an MSSQL session will be opened to allow the user to run arbitrary queries and some modules.

Fortinet FortiWeb unauthenticated RCE

Authors: Defused and sfewer-r7
Type: Exploit
Pull request: #20717 contributed by sfewer-r7
Path: linux/http/fortinet_fortiweb_rce
AttackerKB reference: CVE-2025-58034

Description: Adds a new module chaining FortiWeb vulnerabilities CVE-2025-64446 and CVE-2025-58034 to gain unauthenticated code execution on a FortiWeb server.

IGEL OS Privilege Escalation (via systemd service)

Author: Zack Didcott
Type: Exploit
Pull request: #20702 contributed by Zedeldi
Path: linux/local/igel_network_priv_esc

Description: Adds 3 new modules targeting the iGEL OS. One post module abusing the SUID permissions of the setup and date binaries, one privilege escalation abusing the same SUID binary permissions to modify the NetworkManager and restart the service, allowing arbitrary executables to be run as root, and one persistence module relying on root permissions to write a command to the iGEL registry to enable execution at startup as root.

IGEL OS Persistent Payload

Author: Zack Didcott
Type: Exploit
Pull request: #20702 contributed by Zedeldi
Path: linux/persistence/igel_persistence

Description: Adds 3 new modules targeting the iGEL OS. One post module abusing the SUID permissions of the setup and date binaries, one privilege escalation abusing the same SUID binary permissions to modify the NetworkManager and restart the service, allowing arbitrary executables to be run as root, and one persistence module relying on root permissions to write a command to the iGEL registry to enable execution at startup as root.

Flowise Custom MCP Remote Code Execution

Authors: Assaf Levkovich and Valentin Lobstein chocapikk@leakix.net
Type: Exploit
Pull request: #20705 contributed by Chocapikk
Path: multi/http/flowise_custommcp_rce
AttackerKB reference: CVE-2025-8943

Description: This adds two modules for two vulnerabilities in Flowise (CVE-2025-59528 and CVE-2025-8943). The modules add an option to use Flowise credentials for authentication when the application requires it, enabling exploitation of the vulnerabilities.

Flowise JS Injection RCE

Authors: Kim SooHyun (im-soohyun), Valentin Lobstein chocapikk@leakix.net, and nltt0
Type: Exploit
Pull request: #20705 contributed by Chocapikk
Path: multi/http/flowise_js_rce
AttackerKB reference: CVE-2025-59528

Description: This adds two modules for two vulnerabilities in Flowise (CVE-2025-59528 and CVE-2025-8943). The modules add an option to use Flowise credentials for authentication when the application requires it, enabling exploitation of the vulnerabilities.

Notepad++ Plugin Persistence

Author: msutovsky-r7
Type: Exploit
Pull request: #20685 contributed by msutovsky-r7
Path: windows/persistence/notepadpp_plugin_persistence

Description: Adds a persistence module for Notepad++ by adding a malicious plugin to Notepad++, as it blindly loads and executes DLLs from its plugin directory on startup.

Linux Chmod 32-bit

Author: bcoles bcoles@gmail.com
Type: Payload (Single)
Pull request: #20703 contributed by bcoles
Path: linux/riscv32le/chmod

Description: Adds Linux RISC-V 32-bit / 64-bit Little Endian chmod payloads.

Linux Chmod 64-bit

Author: bcoles bcoles@gmail.com
Type: Payload (Single)
Pull request: #20703 contributed by bcoles
Path: linux/riscv64le/chmod

Description: Adds Linux RISC-V 32-bit / 64-bit Little Endian chmod payloads.

IGEL OS Dump File

Author: Zack Didcott
Type: Post
Pull request: #20702 contributed by Zedeldi
Path: linux/gather/igel_dump_file

Description: Adds 3 new modules targeting the iGEL OS. One post module abusing the SUID permissions of the setup and date binaries, one privilege escalation abusing the same SUID binary permissions to modify the NetworkManager and restart the service, allowing arbitrary executables to be run as root, and one persistence module relying on root permissions to write a command to the iGEL registry to enable execution at startup as root.

Bugs fixed (3)

  • #20482 from rodolphopivetta - This fixes a bug in HTTP-based login scanners, when SSL is enabled and a non-default HTTPS port is used.
  • #20693 from dledda-r7 - This fixes a race condition in preloading extension klasses during bootstrap.
  • #20721 from cpomfret-r7 - Fixes a crash when running a Nexpose scan that had a Nexpose Scan Assistant credential present.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro

Metasploit Wrap-Up 11/21/2025

21 November 2025 at 15:52

CVE-2025-64446 - Fortinet’s FortiWeb exploitation

A critical vulnerability in Fortinet’s FortiWeb Web Application Firewall, now assigned CVE-2025-64446 (CVSS 9.1), allows unauthenticated attackers to gain full administrator access to the FortiWeb Manager interface and its websocket CLI. The flaw became publicly known on October 6, 2025, after Defused shared a proof-of-concept exploit captured by their honeypots. Metasploit now has support for an auxiliary module admin/http/fortinet_fortiweb_create_admin which can be used to create a new administrative user, and an upcoming exploit module targeting Fortinet FortiWeb that exploits CVE-2025-64446 and CVE-2025-58034 for an authenticated command injection that allows for root OS command execution. For more details see Rapid7’s analysis on CVE-2025-64446.

New module content (3)

Fortinet FortiWeb create new local admin

Authors: Defused and sfewer-r7

Type: Auxiliary

Pull request: #20698 contributed by sfewer-r7

Path: admin/http/fortinet_fortiweb_create_admin

AttackerKB reference: CVE-2025-64446

Description: Adds a module for the recent FortiWeb 8.0.1 authentication bypass vulnerability allowing an attacker to create a new administrative user. The exploit is based on the PoC published by Defused.

Windows Persistent Service Installer

Authors: Green-m greenm.xxoo@gmail.com and h00die

Type: Exploit

Pull request: #20638 contributed by h00die

Path: windows/persistence/service

Description: Updates the Windows service persistence to use the new mixin, adds the ability to run as either Powershell or sc.exe, and uses more libraries.

Windows WSL via Registry Persistence

Authors: Joe Helle and h00die

Type: Exploit

Pull request: #20701 contributed by h00die

Path: windows/persistence/wsl/registry

Description: Adds a new Windows persistence module - the WSL registry module. The module will create registry entries (Run, RunOnce) to run a Linux payload stored in WSL.

Enhancements and features (5)

  • #20560 from cdelafuente-r7 - Adds references to MITRE ATT&CK technique T1021 "Remote Services" and its sub-techniques.
  • #20638 from h00die - Updates the windows service persistence to use the new mixin, adds the ability to run as either Powershell or sc.exe, and uses more libraries.
  • #20689 from zeroSteiner - Add tests for socket channels in Meterpreter and SSH sessions.
  • #20699 from sfewer-r7 - Adds the CVE number and further guidance on vulnerable versions for the vulnerability.
  • #20707 from bcoles - Updates multiple Linux reboot payloads to note that CAP_SYS_BOOT privileges are required.

Bugs fixed (2)

  • #20687 from dwelch-r7 - This updates the auxiliary/scanner/winrm/winrm_login module to catch access denied errors when trying to create a shell session. This is then used to inform the operator that the target account's password is correct but they do not have permissions to start a shell with WinRM.
  • #20695 from zeroSteiner - Updates the Java and PHP Meterpreter to send the local address and local port information back to Metasploit when opening TCP or UDP sockets on the remote host.
  • #20708 from cdelafuente-r7 - Fixes a bug with msfdb when attempting to execute the program with bundle exec.
  • #20711 from bcoles - Fixes description for AppendExit datastore option.

Documentation added (1)

  • #20694 from cgranleese-r7 - Adds new documentation on Metasploit's post module support. Additionally adds documentation for the new create_process API that supersedes the legacy cmd_exec API.

You can always find more documentation on our docsite at docs.metasploit.com.

Missing rn-* label on Github (4)

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro

Metasploit Wrap-Up 11/14/2025

14 November 2025 at 16:10

[Image: bwatters_sus.png]

It has “SUS” in the name, what did you expect?

This week’s release features the much-hyped CVE-2025-59287, a Critical-Severity Windows Server Update Service (WSUS) vulnerability that allows for SYSTEM level remote code execution. Documented among the multiple recent zero-days in Windows, the vulnerability affects Windows Servers running the WSUS service, which is not enabled by default. Several vendors, including Huntress and Eye Security have reported seeing the exploit used in the wild, and the Cybersecurity and Infrastructure Security Agency (CISA) ordered US government agencies to patch affected machines last month.

New module content (1)

Windows Server Update Service Deserialization Remote Code Execution

Authors: msutovsky-r7 and mwulftange

Type: Exploit

Pull request: #20674 contributed by msutovsky-r7 

Path: windows/http/wsus_deserialization_rce 

AttackerKB reference: CVE-2025-59287

Description: Adds a module targeting CVE-2025-59287, an unauthenticated deserialization vulnerability in the Windows Server Update Service (WSUS) resulting in remote code execution as SYSTEM.

Enhancements and features (3)

  • #20576 from msutovsky-r7 - This updates the LINQPad persistence module to use the new persistence mixin.
  • #20669 from stfnw - This updates the auxiliary/scanner/http/azure_ad_login module to print the domain and username in error messages. This enables users to understand what user caused the error.
  • #20690 from dbono-r7 - This adds the cert pipe to the list of known pipes that will be checked by the auxiliary/scanner/smb/pipe_auditor module. This effectively enables users to identify when the MS-ICPR interface is available because Active Directory Certificate Services (AD CS) is in use.

Documentation (1)

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

  • #20625 from h00die - Improved multiple modules’ documentation to have consistent formatting.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro

Metasploit Wrap-Up 11/07/2025

7 November 2025 at 14:46

New module content (3)

Centreon authenticated command injection leading to RCE via broker engine "reload" parameter

Author: h00die-gr3y h00die.gr3y@gmail.com

Type: Exploit

Pull request: #20672 contributed by h00die-gr3y

Path: linux/http/centreon_auth_rce_cve_2025_5946

AttackerKB reference: CVE-2025-5946

Description: Adds an exploit module for Centreon. The vulnerability, an authenticated command injection, will lead to a remote code execution.

Rootkit Privilege Escalation Signal Hunter

Author: bcoles bcoles@gmail.com

Type: Exploit

Pull request: #20643 contributed by bcoles

Path: linux/local/rootkit_privesc_signal_hunter

Description: Expands diamorphine privilege escalation module to other rootkits that use signal handling for privilege escalation.

Windows Persistent Task Scheduler

Author: h00die

Type: Exploit

Pull request: #20660 contributed by h00die

Path: windows/persistence/task_scheduler

Description: This adds a new persistence module for Windows - the task scheduler module. The module will create scheduled tasks depending on the ScheduleType option.

Enhancements and features (2)

  • #20523 from h00die - This updates the upstart persistence to use the new persistence mixin.
  • #20643 from bcoles - Expands diamorphine privilege escalation module to other rootkits, which use signal handling for privilege escalation.

Bugs fixed (1)

  • #20673 from adfoster-r7 - Temporarily pins date dependency to 3.4.1 due to possible issues associated with 3.5.0 to allow for further testing.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro

Metasploit Wrap-up 06/06/25

6 June 2025 at 18:42

ThinManager Path Traversal (CVE-2023-27855) Arbitrary File Upload

Authors: Michael Heinzl and Tenable
Type: Auxiliary
Pull request: #20138 contributed by h4x-x0r
Path: admin/networking/thinmanager_traversal_upload
AttackerKB reference: CVE-2023-2917

Description: Adds an auxiliary module that targets CVE-2023-27855, a path traversal vulnerability in ThinManager <= v13.0.1 to upload an arbitrary file to the target system as SYSTEM.

ThinManager Path Traversal (CVE-2023-2917) Arbitrary File Upload

Authors: Michael Heinzl and Tenable
Type: Auxiliary
Pull request: #20141 contributed by h4x-x0r
Path: admin/networking/thinmanager_traversal_upload2
AttackerKB reference: CVE-2023-2917

Description: Adds a module targeting CVE-2023-2917, a path traversal vulnerability in ThinManager <= v13.1.0, to upload an arbitrary file as system.

ThinManager Path Traversal (CVE-2023-27856) Arbitrary File Download

Authors: Michael Heinzl and Tenable
Type: Auxiliary
Pull request: #20139 contributed by h4x-x0r
Path: gather/thinmanager_traversal_download
AttackerKB reference: CVE-2023-27856

Description: Adds an auxiliary module targeting CVE-2023-27856, a path traversal vulnerability in ThinManager <= v13.0.1, to download an arbitrary file from the target system.

udev persistence

Author: Julien Voisin
Type: Exploit
Pull request: #19472 contributed by jvoisin
Path: linux/local/udev_persistence

Description: This adds a module for udev persistence for Linux targets. The module requires root access because it creates udev rules. It will create a rule under the directory /lib/udev/rules.d/ and a malicious binary containing the payload. Successful exploitation requires the presence of the at binary on the system.

Ivanti EPMM Authentication Bypass for Expression Language Remote Code Execution

Authors: CERT-EU, Piotr Bazydlo, Sonny Macdonald, and remmons-r7
Type: Exploit
Pull request: #20265 contributed by remmons-r7
Path: multi/http/ivanti_epmm_rce_cve_2025_4427_4428
AttackerKB reference: CVE-2025-4428

Description: Adds a module chaining CVE-2025-4427 and CVE-2025-4428, an authentication flaw allowing unauthenticated access to an administrator web API endpoint, allowing for code execution via expression language injection on many versions of MobileIron Core (rebranded as Ivanti EPMM).

PHP Exec, PHP Command Shell, Bind TCP (via Perl)

Authors: Samy samy@samy.pl, Spencer McIntyre, cazz bmc@shmoo.com, and msutovsky-r7
Type: Payload (Adapter)
Pull request: #19976 contributed by msutovsky-r7

Description: This enables creation of PHP payloads wrapped around bash / sh commands.

This adapter adds the following payloads:

  • cmd/unix/php/bind_perl
  • cmd/unix/php/bind_perl_ipv6
  • cmd/unix/php/bind_php
  • cmd/unix/php/bind_php_ipv6
  • cmd/unix/php/download_exec
  • cmd/unix/php/exec
  • cmd/unix/php/meterpreter/bind_tcp
  • cmd/unix/php/meterpreter/bind_tcp_ipv6
  • cmd/unix/php/meterpreter/bind_tcp_ipv6_uuid
  • cmd/unix/php/meterpreter/bind_tcp_uuid
  • cmd/unix/php/meterpreter/reverse_tcp
  • cmd/unix/php/meterpreter/reverse_tcp_uuid
  • cmd/unix/php/meterpreter_reverse_tcp
  • cmd/unix/php/reverse_perl
  • cmd/unix/php/reverse_php
  • cmd/unix/php/shell_findsock

Enhancements and features (3)

  • #19900 from jvoisin - Updates multiple modules' notes to include additional AKA (Also Known As) references for EquationGroup codenames.
  • #20263 from cdelafuente-r7 - Updates Metasploit to register VulnAttempts for both Exploit and Auxiliary modules.
  • #20277 from adfoster-r7 - Add support for Ruby 3.2.8.

Bugs fixed (7)

  • #20218 from jheysel-r7 - Fixes an issue in the web crawler's canonicalize method, which previously resulted in incorrect URIs being returned.
  • #20246 from bcoles - Fixes an issue within msfvenom when using zutto_dekiru encoder on a raw payload.
  • #20258 from zeroSteiner - Updates the datastore options in auxiliary/admin/ldap/shadow_credentials to reference the new LDAP datastore names.
  • #20260 from zeroSteiner - Updates the auxiliary/admin/ldap/change_password module to use the new LDAP datastore options.
  • #20273 from JohannesLks - This fixes multiple issues in the post/windows/manage/remove_host module that would occur when a line had multiple names on it or used tab characters instead of spaces.
  • #20275 from msutovsky-r7 - This fixes a bug in the auxiliary/scanner/sap/sap_router_info_request module that would cause it to crash when a corrupted packet was received.
  • #20281 from JohannesLks - This fixes an issue in the post/windows/manage/resolve_host module that would occur if the system wasn't installed to C:\.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro


Metasploit Wrap-Up 05/30/2025

30 May 2025 at 14:08

The internet is a series of Tube [SOCKS]

Metasploit has supported SOCKS proxies for years now, being able to act as both a client (by setting the Proxies datastore option) and a server (by running the auxiliary/server/socks_proxy module). While Metasploit has supported both SOCKS versions 4a and 5, there was some ambiguity in regards to how Domain Name System (DNS) requests are made by Metasploit through these versions. Both versions 4a and 5 notably enable clients to make connections to hosts identified by hostnames, so that DNS resolution takes place on the SOCKS server. Whether the SOCKS client chooses to resolve the hostname to an address itself or to use the server is an implementation detail that is inconsistent among many pieces of software.

In the case of Metasploit, the framework opted to handle the DNS resolution itself. This was to ensure consistent behavior of running a module with and without a proxy when the target hostname resolved to multiple IP addresses. Many years ago, when Metasploit shifted focus to assessing targets in bulk, we decided that if a hostname was specified as a target by a user that mapped to multiple IP addresses, the module should be run for each IP address. This behavior is mostly intended for modules targeting web servers and can be seen by running the auxiliary/scanner/http/http_version module with a target behind a CDN such as cloudfront (it’s pretty easy to guess a suitable example here).

This did however introduce a problem for users that intended to use Metasploit as a SOCKS proxy client by setting the Proxies datastore option, because Metasploit was performing the DNS resolution instead of passing the hostname to the proxy server as the user might expect. To explicitly facilitate what is probably the expected behavior of using the proxy server for name resolution, Metasploit added the unofficial SOCKS5H scheme used by cURL and other clients. The convention is that if SOCKS5H is used, the proxy server should be used for name resolution. Now in this case, Metasploit users can leverage the resolution capabilities of the SOCKS5 server, however that may be implemented, to initiate their connection.

To use this new capability, simply specify the server in the Proxies option as socks5h://192.0.2.0:1080 where 192.0.2.0 is the target SOCKS5 server.

At this time, Metasploit does not currently have client support for the older SOCKS4a version. If this is something that would interest you, please let us know in our ticket.
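The difference between socks5:// and socks5h:// described above comes down to the address type (ATYP) field of the SOCKS5 CONNECT request: with a locally resolved target the request carries an IPv4 or IPv6 address (ATYP 0x01/0x04) and the DNS query leaves the host through its normal resolver, whereas with SOCKS5H the request carries the hostname itself (ATYP 0x03) and only the proxy ever performs the lookup. The following added example is not Metasploit's Rex code; it parses a Proxies-style URL, builds the RFC 1928 CONNECT request for each scheme, and decodes it the way a proxy server would. The resolver is an injected callable backed by a constructed lookup table so the script runs offline; the host name www.example.test and the addresses are documentation-range placeholders.

```ruby
require 'uri'
require 'ipaddr'

# Added example (not Metasploit code): builds the SOCKS5 CONNECT request
# (RFC 1928) and shows which side resolves the hostname for socks5:// versus
# socks5h:// proxy URLs, mirroring the Proxies option behaviour described above.
module Socks5Request
  VERSION     = 0x05
  CMD_CONNECT = 0x01
  ATYP_IPV4   = 0x01
  ATYP_DOMAIN = 0x03
  ATYP_IPV6   = 0x04

  # Parse a Proxies-style URL into [resolve_on_proxy, host, port].
  def self.parse_proxy(url)
    uri = URI.parse(url)
    remote = case uri.scheme
             when 'socks5'  then false   # client resolves, proxy sees an IP
             when 'socks5h' then true    # proxy resolves, client sends the name
             else raise ArgumentError, "unsupported proxy scheme: #{uri.scheme.inspect}"
             end
    [remote, uri.host, uri.port || 1080]
  end

  # resolver is a callable mapping hostname -> IP string; it is injected so the
  # example runs offline (a real client would query DNS here).
  def self.build_connect(target_host, target_port, remote_resolve:, resolver:)
    addr =
      if remote_resolve
        # ATYP 0x03: the hostname travels inside the request; the proxy looks it up.
        raise ArgumentError, 'hostname longer than 255 bytes' if target_host.bytesize > 255
        [ATYP_DOMAIN, target_host.bytesize].pack('CC') + target_host.b
      else
        # ATYP 0x01/0x04: resolve here first; the proxy only ever sees the address,
        # and the DNS query leaves via the local resolver rather than the tunnel.
        ip = IPAddr.new(resolver.call(target_host))
        [ip.ipv4? ? ATYP_IPV4 : ATYP_IPV6].pack('C') + ip.hton
      end
    [VERSION, CMD_CONNECT, 0x00].pack('CCC') + addr + [target_port].pack('n')
  end

  # Decode a CONNECT request the way a proxy server would, so both forms can be
  # compared: returns { cmd:, atyp:, host:, port: }.
  def self.decode(bytes)
    ver, cmd, _rsv, atyp = bytes.unpack('CCCC')
    raise 'not a SOCKS5 request' unless ver == VERSION
    rest = bytes.byteslice(4..-1)
    case atyp
    when ATYP_IPV4
      host = IPAddr.ntop(rest.byteslice(0, 4))
      rest = rest.byteslice(4..-1)
    when ATYP_IPV6
      host = IPAddr.ntop(rest.byteslice(0, 16))
      rest = rest.byteslice(16..-1)
    when ATYP_DOMAIN
      len  = rest.getbyte(0)
      host = rest.byteslice(1, len)
      rest = rest.byteslice((1 + len)..-1)
    else
      raise "unknown address type #{atyp}"
    end
    { cmd: cmd, atyp: atyp, host: host, port: rest.unpack1('n') }
  end
end

# Constructed lookup table standing in for DNS; the name and address are
# documentation-range placeholders, not real hosts.
FAKE_DNS = { 'www.example.test' => '203.0.113.7' }.freeze
RESOLVER = ->(name) { FAKE_DNS.fetch(name) }

if __FILE__ == $PROGRAM_NAME
  %w[socks5://192.0.2.0:1080 socks5h://192.0.2.0:1080].each do |proxy|
    remote, host, port = Socks5Request.parse_proxy(proxy)
    req = Socks5Request.build_connect('www.example.test', 443, remote_resolve: remote, resolver: RESOLVER)
    puts "#{proxy} -> via #{host}:#{port}, request carries #{Socks5Request.decode(req)[:host]}"
  end
end
```

Running the script prints one line per scheme: the socks5:// request carries 203.0.113.7 while the socks5h:// request carries www.example.test. That is also why the choice matters operationally: with the plain scheme the hostname is visible to whoever watches the local resolver, and a name that only resolves from the proxy's side of the network (an internal zone, a split-horizon record) cannot be reached at all unless the SOCKS5H form is used.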

New module content (2)

WordPress Depicter Plugin SQL Injection (CVE-2025-2011)

Authors: Muhamad Visat and Valentin Lobstein
Type: Auxiliary
Pull request: #20185 contributed by Chocapikk
Path: gather/wp_depicter_sqli_cve_2025_2011
AttackerKB reference: CVE-2025-2011

Description: This adds a module for exploiting CVE-2025-2011 which is an unauthenticated SQL injection vulnerability in the "Slider & Popup Builder" plugin versions <= 3.6.1.

Gladinet CentreStack/Triofox ASP.NET ViewState Deserialization

Authors: H00die Gr3y and Huntress Team
Type: Exploit
Pull request: #20096 contributed by h00die-gr3y
Path: windows/http/gladinet_viewstate_deserialization_cve_2025_30406
AttackerKB reference: CVE-2025-30406

Description: This adds an exploit module for Gladinet CentreStack/Triofox; the vulnerability, an unsafe ViewState deserialization, allows execution of arbitrary commands.

Enhancements and features (2)

  • #20147 from zeroSteiner - This adds support for the SOCKS5H protocol, allowing DNS resolution through a SOCKS5 proxy.
  • #20180 from smashery - This adds a warning to PowerShell use when an impersonation token is active.

Bugs fixed (3)

  • #20257 from cgranleese-r7 - Fixes an issue where the report_note deprecation message was calling the method incorrectly.
  • #20261 from bwatters-r7 - This updates the vmware_vcenter_vmdir_auth_bypass module and accompanying documentation to refer to the new datastore option name.

Documentation added (1)

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.


Metasploit Wrap-Up

22 May 2025 at 14:14

Making Metasploit faster

This week's wrap-up includes many new modules, but notably, we've improved Metasploit's load time. Thanks to bcoles, the bootup performance when searching for a module has been improved in #20166, and Metasploit's startup time has been reduced in #20155.

New module content (6)

Gather Ticket Granting Service (TGS) tickets for User Service Principal Names (SPN)

Authors: Alberto Solino and smashery
Type: Auxiliary
Pull request: #20175 contributed by smashery
Path: gather/kerberoast

Description: This adds a native Metasploit module for performing Kerberoast attacks. With the native module, users will no longer need to have Python or additional Python libraries in order to leverage the attack technique.

Ivanti Connect Secure Unauthenticated Remote Code Execution via Stack-based Buffer Overflow

Authors: Christophe De La Fuente and Stephen Fewer
Type: Exploit
Pull request: #20112 contributed by cdelafuente-r7
Path: linux/http/ivanti_connect_secure_stack_overflow_rce_cve_2025_22457
AttackerKB reference: CVE-2025-22457

Description: Adds an exploit module targeting CVE-2025-22457, a Stack-based Buffer Overflow vulnerability in Ivanti Connect Secure 22.7R2.5 and earlier.

Clinic's Patient Management System 1.0 - Unauthenticated RCE

Authors: Ashish Kumar and msutovsky-r7
Type: Exploit
Pull request: #20177 contributed by msutovsky-r7
Path: multi/http/clinic_pms_sqli_to_rce
AttackerKB reference: CVE-2025-3096

Description: Clinic's Patient Management System contains a SQL injection vulnerability in its login section. This module uses that vulnerability (CVE-2025-3096) to gain unauthorized access to the application. For lateral movement, it uses another vulnerability (CVE-2022-2297) to gain remote code execution.

Invision Community 5.0.6 customCss RCE

Authors: Egidio Romano (EgiX) and Valentin Lobstein
Type: Exploit
Pull request: #20214 contributed by Chocapikk
Path: multi/http/invision_customcss_rce
AttackerKB reference: CVE-2025-47916

Description: This adds a new exploit module for Invision Community versions up to and including 5.0.6, which is vulnerable to a remote-code injection in the theme editor’s customCss endpoint CVE-2025-47916. The module leverages the malformed {expression="…"} construct to evaluate arbitrary PHP expressions and supports both in-memory PHP payloads and direct system command execution.

Nextcloud Workflows Remote Code Execution

Authors: Armend Gashi, Enis Maholli, arianitisufi, and whotwagner
Type: Exploit
Pull request: #20020 contributed by whotwagner
Path: unix/webapp/nextcloud_workflows_rce
AttackerKB reference: CVE-2023-26482

Description: This adds a module for Nextcloud Workflow (CVE-2023-26482). Exploitation requires a set of valid credentials. The Nextcloud instance needs to have the Workflow external script feature installed and enabled.

Samsung MagicINFO 9 Server Remote Code Execution (CVE-2024-7399)

Authors: Michael Heinzl and SSD Secure Disclosure
Type: Exploit
Pull request: #20188 contributed by h4x-x0r
Path: windows/http/magicinfo_traversal
AttackerKB reference: CVE-2024-7399

Description: This adds a module for CVE-2024-7399 - arbitrary file write as system authority. The module drops a shell by exploiting this vulnerability, allowing remote code execution. The application communicates on TCP port 7001 for HTTP and TCP port 7002 for HTTPS.

Enhancements and features (3)

  • #20155 from bcoles - This improves Metasploit by reducing startup time.
  • #20175 from smashery - This adds a native Metasploit module for performing Kerberoast attacks. With the native module, users will no longer need to have Python or additional Python libraries in order to leverage the attack technique.
  • #20176 from smashery - This updates the ASREP roasting module (auxiliary/gather/asrep) to store the hashes in the database.

Bugs fixed (4)

  • #20166 from bcoles - Improves the bootup performance of msfconsole when searching for module platform classes.
  • #20179 from adfoster-r7 - This bumps the version of Metasploit Payloads to include a fix for the Java Meterpreter's symlink handling on Windows.
  • #20194 from adfoster-r7 - Fixes a bug in the thinkphp RCE module that opted it out of auto-exploitation in Metasploit Pro.
  • #20207 from zeroSteiner - This adds a quick fix for the new auxiliary/gather/kerberoast module to ensure that the KrbCacheMode datastore option is used. This lets the user specify whether or not the module should use cached credentials.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.


Metasploit Wrap-Up 05/16/2025

16 May 2025 at 12:38

New modules for everyone

This week’s release is packed with new module content. We have RCE modules for Car Rental System 1.0 and for the WordPress plugins SureTriggers and User Registration and Membership. We also have a persistence module for the LINQPad software and an auxiliary module for POWERCOM UPSMON PRO. We have also added support for 32-bit architectures to our execute-assembly post module, which now supports injection of both 64-bit and 32-bit .NET assembly binaries.

New module content (5)

POWERCOM UPSMON PRO Path Traversal (CVE-2022-38120) and Credential Harvester (CVE-2022-38121)

Author: Michael Heinzl
Type: Auxiliary
Pull request: #20123 contributed by h4x-x0r
Path: gather/upsmon_traversal
AttackerKB reference: CVE-2022-38121

Description: This adds an auxiliary module for two vulnerabilities in POWERCOM UPSMON PRO: path traversal and credential harvesting. The first vulnerability allows users to traverse the path in the URI and read arbitrary files, subject to the privileges of the given user account. The second vulnerability allows access to sensitive UPSMON credentials, as they are stored in plaintext in a readable file.

Car Rental System 1.0 File Upload RCE (Authenticated)

Author: Aaryan Golatkar
Type: Exploit
Pull request: #20026 contributed by aaryan-11-x
Path: multi/http/carrental_fileupload_rce
AttackerKB reference: CVE-2024-57487

Description: This adds a module for a file upload vulnerability in Car Rental System 1.0. It requires administrator credentials to exploit.

WordPress SureTriggers Auth Bypass and RCE

Authors: Khaled Alenazi (Nxploited), Michael Mazzolini (mikemyers), and Valentin Lobstein
Type: Exploit
Pull request: #20146 contributed by Chocapikk
Path: multi/http/wp_suretriggers_auth_bypass
AttackerKB reference: CVE-2025-3102

Description: Adds a new exploit module for the WordPress SureTriggers plugin (≤ 1.0.78) that abuses CVE-2025-3102, an unauthenticated REST endpoint, to create an administrative user and achieve remote code execution.

WP User Registration and Membership Unauthenticated Privilege Escalation (CVE-2025-2563)

Authors: Valentin Lobstein and wesley (wcraft)
Type: Exploit
Pull request: #20159 contributed by Chocapikk
Path: multi/http/wp_user_registration_membership_escalation
AttackerKB reference: CVE-2025-2563

Description: This adds a module for a privilege escalation vulnerability in the User Registration and Membership plugin for WordPress. It allows creating new users with administrator privileges.

LINQPad Deserialization Exploit

Authors: James Williams and msutovsky-r7 martin_sutovsky@rapid7.com
Type: Exploit
Pull request: #19777 contributed by msutovsky-r7
Path: windows/local/linqpad_deserialization_persistence
AttackerKB reference: CVE-2024-53326

Description: Adds a module to install persistence relying on CVE-2024-53326, a .NET deserialization vulnerability in the startup of LINQPad versions prior to 5.52.

Enhancements and features (3)

  • #20098 from smashery - Adds support for 32-bit execute-assembly, allowing injection of 64-bit or 32-bit .NET assemblies.
  • #20126 from bcoles - This adds a Linux post-exploitation method to check Yama's ptrace_scope setting. It removes a round trip previously required to obtain the scope value, making modules that need to know it run slightly faster.
  • #20173 from adfoster-r7 - Updates the web crawling modules to support HTTP logging.

Bugs fixed (8)

  • #20010 from lafried - This fixes a missing PowerShell signature when SSH is trying to identify the platform.
  • #20111 from cdelafuente-r7 - Fixes an issue that prevented failed exploit attempts from being registered in the database correctly.
  • #20118 from zeroSteiner - This fixes the target option for the smb_to_ldap module. The RELAY_TARGETS option is now outdated; RHOSTS should be used instead.
  • #20120 from bcoles - This fixes typos across many Windows post-exploit modules and adds missing metadata.
  • #20128 from bcoles - This fixes an IP address assignment in the auxiliary/bnat/bnat_router module.
  • #20142 from L-codes - Fixes a crash when running unknown commands in msfconsole when using specific versions of Ruby and bundler.
  • #20156 from bcoles - This fixes typos and RuboCop violations inside the post modules.
  • #20181 from bwatters-r7 - This fixes an issue in Metasploit's WordPress login functionality that would cause it to fail for certain target configurations.

Documentation added (1)

  • #20151 from adfoster-r7 - Updates the Wiki to include the latest available download links.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.
