Rapid 7 - Metasploit Wrap-Up 04/04/2025

New RCEs

Metasploit added four new modules this week, including three that leverage vulnerabilities to obtain remote code execution (RCE). Two of those three rely on deserialization, showing that this exploit primitive is still going strong. The Tomcat vulnerability in particular, CVE-2025-24813, garnered a lot of attention when it was disclosed; however, the exploit only works when specific conditions are met, and those conditions may not be present in many environments.

AD CS / PKCS12 Improvements

With the popularity of exploiting AD CS misconfigurations over the past couple of years, Metasploit has continued to iterate on its support. This week saw two improvements. The first adds additional error handling, which notably calls out authorization errors more clearly to the user. These errors, now labeled no-access failures, are encountered when the user is successfully authenticated but lacks the authorization privileges to enroll on either the certificate template or the certificate authority server. The second concerns PKCS12 certificate storage, which is actively being improved. This week, a milestone was reached allowing additional metadata to be stored with the certificate, which, in the future, will enable more streamlined use of stored certificate data. This new metadata includes the password to decrypt the PKCS12 data, the CA that issued the certificate, and the AD CS template it was derived from.

New module content (4)

pfSense Login Scanner

Author: sjanusz-r7
Type: Auxiliary
Pull request: #19985 contributed by sjanusz-r7
Path: scanner/http/pfsense_login

Description: This adds a login scanner module for pfSense which can be used to brute force valid credentials to the web GUI.

CmsMadeSimple Authenticated File Manager RCE

Authors: Mirabbas Ağalarov, Okan Kurtuluş, and tastyrice
Type: Exploit
Pull request: #19980 contributed by tastyrce
Path: multi/http/cmsms_file_manager_auth_rce
AttackerKB reference: CVE-2023-36969

Description: This adds an exploit module for CMSMadeSimple <= v2.2.21, which is vulnerable to an authenticated RCE (CVE-2023-36969).

Tomcat Partial PUT Java Deserialization

Authors: Calum Hutton, h4ck3r-04, and sw0rd1ight
Type: Exploit
Pull request: #19995 contributed by chutton-r7
Path: multi/http/tomcat_partial_put_deserialization
AttackerKB reference: CVE-2025-24813

Description: This adds an exploit module for CVE-2025-24813, which is an unauthenticated, constrained file write vulnerability in Apache Tomcat.

Sitecore CVE-2025-27218 BinaryFormatter Deserialization Exploit

Authors: Dylan Pindur and machang-r7
Type: Exploit
Pull request: #19947 contributed by machang-r7
Path: windows/http/sitecore_xp_cve_2025_27218
AttackerKB reference: CVE-2025-27218

Description: This adds an exploit module for CVE-2025-27217, an unauthenticated .NET deserialization vulnerability for Sitecore.

Enhancements and features (4)

  • #19606 from cgranleese-r7 - This updates the LDAP modules to use datastore options for authentication that are prefixed with LDAP, allowing them to be used in larger workflows that merge datastore options for multiple protocols.
  • #19736 from cdelafuente-r7 - This update adds support for the new Pkcs12 data format, allowing the CA and ADCS template to be stored as metadata in the database. Additionally, Pkcs12 passwords can now be stored as metadata, with validation ensuring correct passwords are provided when adding encrypted Pkcs12 files using the creds command.
  • #19984 from zeroSteiner - This improves AD CS workflows by adding additional error handling.
  • #19991 from zeroSteiner - This adds some new tests for LoginScanners. It ensures that the LoginScanners follow a common interface for initialization, most notably that they take a single argument containing the configuration as a hash.
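The PKCS12 metadata work described in the AD CS / PKCS12 section above and in #19736 boils down to two checks: the supplied password must actually decrypt the PKCS12 blob before it is stored, and the issuing CA and AD CS template travel with the certificate as metadata. The Ruby below is an added illustration of that validation step and is not Metasploit's own code; the certificate, CA name, template name, and the metadata layout are constructed for the example and do not reflect the framework's database schema.

```ruby
require 'openssl'
require 'json'

# Constructed example: build a throwaway self-signed certificate and wrap it in a
# password-protected PKCS12 container. The CA and subject names are assumptions.
def build_pkcs12(password)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=example-user')
  cert.issuer = OpenSSL::X509::Name.parse('/CN=EXAMPLE-CA') # assumed CA name
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  OpenSSL::PKCS12.create(password, 'example-user', key, cert).to_der
end

# The validation step: a PKCS12 blob carries a MAC over its contents keyed by the
# password, so parsing with the wrong password fails instead of yielding garbage.
def pkcs12_password_valid?(der, password)
  OpenSSL::PKCS12.new(der, password)
  true
rescue OpenSSL::PKCS12::PKCS12Error
  false
end

# Assemble the stored record (hypothetical layout): the encrypted blob plus the
# metadata needed to use it later. Refuse to store anything the password does not open.
def store_pkcs12(der, password, ca:, template:)
  unless pkcs12_password_valid?(der, password)
    raise ArgumentError, 'password does not decrypt the PKCS12 data'
  end
  p12 = OpenSSL::PKCS12.new(der, password)
  {
    'subject' => p12.certificate.subject.to_s,
    'pkcs12_password' => password,
    'adcs_ca' => ca,
    'adcs_template' => template,
    'pkcs12_der_b64' => [der].pack('m0')
  }
end

if $PROGRAM_NAME == __FILE__
  der = build_pkcs12('s3cret')
  record = store_pkcs12(der, 's3cret', ca: 'EXAMPLE-CA', template: 'User')
  puts JSON.pretty_generate(record.reject { |k, _| k == 'pkcs12_der_b64' })
  puts pkcs12_password_valid?(der, 'wrong') # false
end
```

Storing the password alongside the blob is what lets a later workflow open the container without prompting; the cost is that the record is only as safe as the database holding it, which is the same trade-off the framework's credential store already makes for plaintext passwords.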

Bugs fixed (3)

  • #19934 from sfewer-r7 - This addresses several bugs in the exploit/linux/misc/cisco_ios_xe_rce module, which was failing for Cisco IOS XE version 17.06.05 on C8000v series appliances. Fixes include correcting the /webui URI to /webui/ (with a trailing slash) and adjusting the case sensitivity in the /webui_wsma_https URI for both CSR1000v and C8000v appliances. Additionally, the module now properly distinguishes between HTTPS and HTTP targets, ensuring compatibility with both appliance series.
  • #19993 from h00die-gr3y - This fixes an issue where payloads using the cmd/base64 encoder with badchar \x20 (space) failed due to syntax errors in POSIX shells when ${IFS} followed parentheses. The encoder no longer emits the unnecessary spaces, so the payload executes correctly in Unix-based environments.
  • #19998 from sjanusz-r7 - This fixes a crash when running the auxiliary/crawler/msfcrawler module.

Documentation

  • #19979 from bwatters-r7 - This adds documentation that describes when a module submission may be superseded.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.



from Rapid7 Cybersecurity Blog https://blog.rapid7.com/2025/04/04/metasploit-wrap-up-04-04-2025/