Last updated at Fri, 16 May 2025 20:09:45 GMT
New modules for everyone
This week’s release is packed with new module content. We have RCE modules for Car Rental System 1.0 and for the WordPress plugins SureTriggers and User Registration and Membership. We also have a persistence module for LINQPad and an auxiliary module for POWERCOM UPSMON PRO. We have also added 32-bit support to our execute-assembly post module, which can now inject both 64-bit and 32-bit .NET assembly binaries.
New module content (5)
POWERCOM UPSMON PRO Path Traversal (CVE-2022-38120) and Credential Harvester (CVE-2022-38121)
Author: Michael Heinzl
Type: Auxiliary
Pull request: #20123 contributed by h4x-x0r
Path: gather/upsmon_traversal
AttackerKB reference: CVE-2022-38121
Description: This adds an auxiliary module for two vulnerabilities in POWERCOM UPSMON PRO: path traversal and credential harvesting. The first vulnerability allows users to traverse the path in the URI and read arbitrary files, subject to the privileges of a given user account. The second vulnerability allows access to sensitive UPSMON credentials, which are stored in plaintext in a readable file.
Car Rental System 1.0 File Upload RCE (Authenticated)
Author: Aaryan Golatkar
Type: Exploit
Pull request: #20026 contributed by aaryan-11-x
Path: multi/http/carrental_fileupload_rce
AttackerKB reference: CVE-2024-57487
Description: This adds a module for a file upload vulnerability in Car Rental System 1.0. It requires administrator credentials to exploit.
WordPress SureTriggers Auth Bypass and RCE
Authors: Khaled Alenazi (Nxploited), Michael Mazzolini (mikemyers), and Valentin Lobstein
Type: Exploit
Pull request: #20146 contributed by Chocapikk
Path: multi/http/wp_suretriggers_auth_bypass
AttackerKB reference: CVE-2025-3102
Description: Adds a new exploit module for the WordPress SureTriggers plugin (≤ 1.0.78) that abuses CVE-2025-3102, an authentication bypass on an unauthenticated REST endpoint, to create an administrative user and achieve remote code execution.
WP User Registration and Membership Unauthenticated Privilege Escalation (CVE-2025-2563)
Authors: Valentin Lobstein and wesley (wcraft)
Type: Exploit
Pull request: #20159 contributed by Chocapikk
Path: multi/http/wp_user_registration_membership_escalation
AttackerKB reference: CVE-2025-2563
Description: This adds a module for a privilege escalation vulnerability in the User Registration and Membership plugin for WordPress. It allows creating new users with administrator privileges.
LINQPad Deserialization Exploit
Authors: James Williams and msutovsky-r7 martin_sutovsky@rapid7.com
Type: Exploit
Pull request: #19777 contributed by msutovsky-r7
Path: windows/local/linqpad_deserialization_persistence
AttackerKB reference: CVE-2024-53326
Description: Adds a module to install persistence relying on CVE-2024-53326, a .NET deserialization vulnerability in the startup of LINQPad versions prior to 5.52.
Enhancements and features (3)
- #20098 from smashery - Adds support for 32-bit execute-assembly, allowing injection of 64-bit or 32-bit .NET assembly.
- #20126 from bcoles - This adds a Linux post-exploitation method to check Yama's ptrace_scope setting. It removes a round trip required to obtain the scope value, making modules that need to know it run slightly faster.
- #20173 from adfoster-r7 - Updates the web crawling modules to support HTTP logging.
Bugs fixed (8)
- #20010 from lafried - This fixes a missing PowerShell signature when SSH is trying to identify the platform.
- #20111 from cdelafuente-r7 - Fixes an issue that prevented failed exploit attempts from being registered in the database correctly.
- #20118 from zeroSteiner - This fixes the target option for the smb_to_ldap module. The option RELAY_TARGETS is now outdated; RHOSTS should be used instead.
- #20120 from bcoles - This fixes typos across many Windows post-exploit modules and adds missing metadata.
- #20128 from bcoles - This fixes an IP address assignment in the auxiliary/bnat/bnat_router module.
- #20142 from L-codes - Fixes a crash when running unknown commands in msfconsole when using specific versions of Ruby and bundler.
- #20156 from bcoles - This fixes typos and RuboCop violations inside the post modules.
- #20181 from bwatters-r7 - This fixes an issue in Metasploit's WordPress login functionality that would cause it to fail for certain target configurations.
Documentation added (1)
- #20151 from adfoster-r7 - Updates the Wiki to include the latest available download links.
You can always find more documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.