All posts by Diego Ledda

Metasploit Weekly Wrap-Up 04/11/2025

Post Syndicated from Diego Ledda original https://blog.rapid7.com/2025/04/11/metasploit-weekly-wrap-up-04-11-2025/

Spring Exploits

This weekly release of Metasploit Framework includes new RCE exploit modules for several vulnerable applications: Appsmith, a low-code application platform that ships with a misconfigured PostgreSQL instance (CVE-2024-55964); Pandora FMS, a monitoring solution in which, once access to the administrator panel is gained, it is possible to inject commands (CVE-2024-12971); Oracle Access Manager, an SSO application containing an unauthenticated deserialization vulnerability (CVE-2021-35587); and the pgAdmin Query Tool, a powerful database management tool that lets an attacker turn database access into a shell (CVE-2025-2945).

New module content (5)

CrushFTP AWS4-HMAC Authentication Bypass

Authors: Outpost24 and remmons-r7
Type: Auxiliary
Pull request: #20000 contributed by remmons-r7
Path: gather/crushftp_authbypass_cve_2025_2825
AttackerKB reference: CVE-2025-2825

Description: Adds an auxiliary module leveraging CVE-2025-2825, an authentication bypass in CrushFTP 11 < 11.3.1 and 10 < 10.8.4, to obtain working session cookies for the target user account.

Appsmith RCE

Authors: Takahiro Yokoyama and Whit Taylor (Rhino Security Labs)
Type: Exploit
Pull request: #20007 contributed by Takahiro-Yoko
Path: linux/http/appsmith_rce_cve_2024_55964
AttackerKB reference: CVE-2024-55964

Description: This module adds an exploit for CVE-2024-55964, a misconfigured PostgreSQL instance in Appsmith, which can lead to remote code execution (RCE).

Pandora FMS authenticated command injection leading to RCE via chromium_path or phantomjs_bin

Author: h00die-gr3y (https://github.com/h00die-gr3y)
Type: Exploit
Pull request: #20008 contributed by h00die-gr3y
Path: linux/http/pandora_fms_auth_rce_cve_2024_12971
AttackerKB reference: CVE-2024-12971

Description: Module for CVE-2024-12971, a command injection in the directory settings of Pandora FMS. The module requires admin credentials, but if a MySQL instance with default credentials is exposed, the module creates a new admin profile itself.

Oracle Access Manager unauthenticated Remote Code Execution

Authors: Jang, Peterjson, Y4er, and sfewer-r7
Type: Exploit
Pull request: #19994 contributed by sfewer-r7
Path: multi/http/oracle_access_manager_rce_cve_2021_35587
AttackerKB reference: CVE-2021-35587

Description: This adds an exploit module for CVE-2021-35587, an unauthenticated deserialization vulnerability affecting Oracle Access Manager (OAM).

pgAdmin Query Tool authenticated RCE (CVE-2025-2945)

Authors: jheysel-r7 and pyozzi-toss
Type: Exploit
Pull request: #20018 contributed by jheysel-r7
Path: multi/http/pgadmin_query_tool_authenticated
AttackerKB reference: CVE-2025-2945

Description: A new module for CVE-2025-2945, authenticated remote code execution in pgAdmin. The vulnerability lies within the Query Tool. For successful exploitation, an attacker needs a set of valid credentials for pgAdmin and credentials for the target database.

Enhancements and features (5)

  • #20003 from zeroSteiner – Adds support for the LDAP protocol within RHOSTS, for example: use auxiliary/gather/ldap_query and run ldap://domain.local;Administrator:[email protected]/dc=domain,dc=local action=ENUM_ACCOUNTS.
  • #20006 from cgranleese-r7 – Adds additional metadata to the phpbb_highlight and ms10_061_spoolss modules.
  • #20015 from adfoster-r7 – Metasploit no longer attempts to load external modules whose runtime is unsupported, since doing so caused crashes. Users are now notified when they need to install Go or Python3.
  • #20019 from adfoster-r7 – Improves metadata and enhances the APIs for extracting HTTP-compatible login scanners.
  • #20024 from cgranleese-r7 – Adds a new sslkeylogfile datastore option to HTTP modules to support decrypting SSL/TLS network traffic.

Bugs fixed (1)

  • #20013 from sjanusz-r7 – Fixes a crash when using the module search cache with an integer.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro.

Metasploit Weekly Wrap-Up 02/21/2025

Post Syndicated from Diego Ledda original https://blog.rapid7.com/2025/02/21/metasploit-weekly-wrap-up-46/

BeyondTrust and Fetch Payload

This Metasploit release includes an exploit module that chains two vulnerabilities: one exploited in the wild by APT groups and the other a 0-day discovered by Rapid7 during the vulnerability analysis.
In addition, a significant improvement was made to Fetch Payloads by adding support for the ppc, mips and arm architectures. This allows these payloads to be used in exploits that commonly target embedded systems.

New module content (3)

BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) unauthenticated Remote Code Execution

Author: sfewer-r7
Type: Exploit
Pull request: #19877 contributed by sfewer-r7
Path: linux/http/beyondtrust_pra_rs_unauth_rce
AttackerKB reference: CVE-2025-1094

Description: The module exploits two bugs, CVE-2024-12356 and CVE-2025-1094: an argument injection in the BeyondTrust code base and a SQL injection in the PostgreSQL code base, respectively.

InvokeAI RCE

Authors: Takahiro Yokoyama and jackfromeast
Type: Exploit
Pull request: #19883 contributed by Takahiro-Yoko
Path: linux/http/invokeai_rce_cve_2024_12029
AttackerKB reference: CVE-2024-12029

Description: This adds an exploit module for InvokeAI unauth RCE (CVE-2024-12029).

Fetch Payload Update

Authors: Adam Cammack, Brendan Watters, and Spencer McIntyre
Type: Payload
Pull request: #19850 contributed by bwatters-r7

Description: This extends the fetch-payload support for aarch64, armbe, armle, mipsbe, mipsle, ppc, ppc64 and ppc64le payloads.

Enhancements and features (3)

  • #19884 from adfoster-r7 – Add OSVDB search functionality to msfconsole e.g. search osvdb:67241.
  • #19885 from adfoster-r7 – Improve msfconsole’s module search performance by caching search regexes.
  • #19887 from adfoster-r7 – Updates the reload_lib command to ignore Gemfiles.

Bugs fixed (3)

  • #19810 from h00die – Adds a verification to the file content checks so that we don’t crash when trying to open files that do not exist and adds proper CVE to references section now that a CVE exists.
  • #19871 from bwatters-r7 – This fixes the ELF template file for Linux aarch64 payloads.
  • #19875 from dledda-r7 – Adds a fix for the odd behavior of the read syscall on the Raspberry Pi 4B. For some reason, on the Raspberry Pi 4B, the data read from the socket is not present immediately after the read syscall, so we added a sync syscall. This behavior is not present on the Raspberry Pi 3, Raspberry Pi 5, emulators, or Microsoft’s AARCH64 Devkit.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro.