Rapid 7 - Metasploit Weekly Wrap-Up 04/11/2025
Spring Exploits

This weekly release of Metasploit Framework includes new RCE exploit modules for several vulnerable applications: Appsmith, a low-code application platform that ships with a PostgreSQL misconfiguration (CVE-2024-55964); Pandora FMS, a monitoring solution in which, once access to the administrator panel has been gained, commands can be injected (CVE-2024-12971); Oracle Access Manager, an SSO application containing an unauthenticated deserialization vulnerability (CVE-2021-35587); and the pgAdmin Query Tool, a powerful database management tool that lets an attacker turn database access into a shell (CVE-2025-2945).
New module content (5)
CrushFTP AWS4-HMAC Authentication Bypass
Authors: Outpost24 and remmons-r7
Type: Auxiliary
Pull request: #20000 contributed by remmons-r7
Path: gather/crushftp_authbypass_cve_2025_2825
AttackerKB reference: CVE-2025-2825
Description: Adds an auxiliary module leveraging CVE-2025-2825, an authentication bypass in CrushFTP 11 < 11.3.1 and 10 < 10.8.4, to obtain working session cookies for the target user account.
Appsmith RCE
Authors: Takahiro Yokoyama and Whit Taylor (Rhino Security Labs)
Type: Exploit
Pull request: #20007 contributed by Takahiro-Yoko
Path: linux/http/appsmith_rce_cve_2024_55964
AttackerKB reference: CVE-2024-55964
Description: This module adds an exploit for CVE-2024-55964, a misconfigured PostgreSQL instance in Appsmith, which can lead to remote code execution (RCE).
Pandora FMS authenticated command injection leading to RCE via chromium_path or phantomjs_bin
Author: h00die-gr3y (https://github.com/h00die-gr3y)
Type: Exploit
Pull request: #20008 contributed by h00die-gr3y
Path: linux/http/pandora_fms_auth_rce_cve_2024_12971
AttackerKB reference: CVE-2024-12971
Description: Module for CVE-2024-12971, command injection in directory settings for PandoraFMS. The module requires admin credentials, but if MySQL with default credentials is exposed, the module creates a new admin profile.
Oracle Access Manager unauthenticated Remote Code Execution
Authors: Jang, Peterjson, Y4er, and sfewer-r7
Type: Exploit
Pull request: #19994 contributed by sfewer-r7
Path: multi/http/oracle_access_manager_rce_cve_2021_35587
AttackerKB reference: CVE-2021-35587
Description: This adds an exploit module for CVE-2021-35587, an unauthenticated deserialization vulnerability affecting Oracle Access Manager (OAM).
pgAdmin Query Tool authenticated RCE (CVE-2025-2945)
Authors: jheysel-r7 and pyozzi-toss
Type: Exploit
Pull request: #20018 contributed by jheysel-r7
Path: multi/http/pgadmin_query_tool_authenticated
AttackerKB reference: CVE-2025-2945
Description: A new module for CVE-2025-2945, authenticated remote code execution in pgAdmin. The vulnerability lies within the Query Tool. For successful exploitation, an attacker needs a set of valid credentials for pgAdmin and credentials for the target database.
Enhancements and features (5)
- #20003 from zeroSteiner - Adds support for the LDAP protocol within RHOSTS, for example: use auxiliary/gather/ldap_query and then run ldap://domain.local;Administrator:p4$$w0rd@192.168.123.13/dc=domain,dc=local action=ENUM_ACCOUNTS
- #20006 from cgranleese-r7 - Adds additional metadata to the phpbb_highlight and ms10_061_spoolss modules.
- #20015 from adfoster-r7 - Metasploit no longer attempts to load external modules whose runtime is unsupported, which previously caused crashes. Users are now notified when they need to install Go or Python3.
- #20019 from adfoster-r7 - Improves metadata and enhances the APIs for extracting HTTP compatible login scanners.
- #20024 from cgranleese-r7 - Adds a new sslkeylogfile datastore option to HTTP modules to support decrypting SSL/TLS network traffic.
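As an added illustration of the RHOSTS URL form introduced by #20003 (example code written for this wrap-up, not Metasploit's own parser; the grammar, the LdapTarget struct and the default ports are assumptions modelled on the example above), here is a small Ruby parser that splits such a target into domain, credentials, host, port and base DN:

```ruby
# Parsed fields of an LDAP-style RHOSTS entry. Illustrative struct, not a Metasploit class.
LdapTarget = Struct.new(:scheme, :domain, :username, :password, :host, :port, :base_dn,
                        keyword_init: true)

# Default ports per scheme (assumption: plain LDAP on 389, LDAPS on 636).
LDAP_DEFAULT_PORTS = { 'ldap' => 389, 'ldaps' => 636 }.freeze

# Undo %XX escapes so a user name or password may carry ':' or '@' safely.
def pct_decode(str)
  str&.gsub(/%([0-9a-fA-F]{2})/) { Regexp.last_match(1).hex.chr }
end

# Parse "ldap[s]://[domain;][user[:pass]@]host[:port][/base_dn]" into an LdapTarget.
# The grammar is an assumption modelled on the release-note example; Metasploit's
# own RHOSTS parser may differ in corner cases.
def parse_ldap_rhost(str)
  m = %r{\A(?<scheme>ldaps?)://(?:(?<cred>[^@/]*)@)?(?<hostport>[^/]+)(?:/(?<dn>.*))?\z}.match(str)
  raise ArgumentError, "not an LDAP RHOSTS URL: #{str.inspect}" unless m

  domain = username = password = nil
  if m[:cred]
    cred = m[:cred]
    # "DOMAIN;user" carries the Windows domain in front of the user name.
    domain, cred = cred.split(';', 2) if cred.include?(';')
    username, password = cred.split(':', 2)
  end

  hostport = m[:hostport]
  if (v6 = hostport.match(/\A\[(?<host>[^\]]+)\](?::(?<port>\d+))?\z/)) # bracketed IPv6
    host, port = v6[:host], v6[:port]
  else
    host, port = hostport.split(':', 2)
  end

  LdapTarget.new(
    scheme: m[:scheme],
    domain: pct_decode(domain),
    username: pct_decode(username),
    password: pct_decode(password),
    host: host,
    port: port ? Integer(port, 10) : LDAP_DEFAULT_PORTS[m[:scheme]],
    base_dn: (m[:dn].nil? || m[:dn].empty?) ? nil : m[:dn]
  )
end
```

Note that a target written this way carries the password in clear text, so it will be recorded in console history, resource scripts and any logs that capture the command line.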
Bugs fixed (1)
- #20013 from sjanusz-r7 - Fixes a crash when using the module search cache with an integer.
Documentation
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub.
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.
from Rapid7 Cybersecurity Blog https://blog.rapid7.com/2025/04/11/metasploit-weekly-wrap-up-04-11-2025/