Last updated at Fri, 09 May 2025 20:24:20 GMT

New Toys and New Techniques

This release features a new OPNSense login scanner, a module targeting the Sante PACS path traversal vulnerability, an additional method for stealing Network Access Account credentials via SMB to HTTP relay, and the Erlang/OTP SSH exploit everyone was excited about.

New module content (4)

Sante PACS Server Path Traversal (CVE-2025-2264)

Authors: Michael Heinzl and Tenable
Type: Auxiliary
Pull request: #20124 contributed by h4x-x0r
Path: gather/pacsserver_traversal
AttackerKB reference: CVE-2025-2264

Description: This adds an auxiliary module for CVE-2025-2264. The vulnerability is present in Sante PACS Server and allows an attacker to perform path traversal to read arbitrary files.

OPNSense Login Scanner

Author: sjanusz-r7
Type: Auxiliary
Pull request: #19992 contributed by sjanusz-r7
Path: scanner/http/opnsense_login

Description: This adds a login scanner module for OPNSense.

SMB to HTTP relay version of Get NAA Creds

Authors: jheysel-r7, skelsec, smashery, and xpn
Type: Auxiliary
Pull request: #19952 contributed by jheysel-r7
Path: server/relay/relay_get_naa_credentials

Description: This adds a new module for obtaining NAA credentials from SCCM by authenticating through a relayed SMB connection.

Erlang OTP Pre-Auth RCE Scanner and Exploit

Authors: Horizon3 Attack Team, Martin Kristiansen, Matt Keeley, and mekhalleh (RAMELLA Sebastien)
Type: Exploit
Pull request: #20060 contributed by mekhalleh
Path: linux/ssh/ssh_erlangotp_rce
AttackerKB reference: CVE-2025-32433

Description: This adds a module which exploits CVE-2025-32433, a pre-authentication vulnerability in Erlang-based SSH servers that allows for remote command execution as the root user. By sending crafted SSH packets, it executes a Metasploit payload to establish a session on the target system.

Enhancements and features (4)

  • #20027 from e2002e - This adds support for Shodan facets.
  • #20115 from cgranleese-r7 - Updates multiple HTTPS modules to support a new SSLKeyLogFile option, which facilitates decrypting messages exchanged by TLS. This can be used in diagnostic and logging tools that use this file - such as Wireshark.
  • #20116 from bcoles - This adds support for .library-ms files in Windows SMB multi dropper.
  • #20127 from bcoles - This improves the start up time of msfconsole when run with the default options by not sorting module options at load time.

Bugs fixed (1)

  • #20148 from adfoster-r7 - This fixes an issue where SSL connections made by Metasploit would fail when the Server Name Indicator (SNI) extension was in use.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
