Last updated at Thu, 22 May 2025 18:14:26 GMT

Making Metasploit faster

This week's wrap-up includes many new modules, but notably, we've upgraded Metasploit loading. Thanks to bcoles, the bootup performance when searching for a module has been improved in #20166, and Metasploit startup time has been reduced in #20155.

New module content (6)

Gather Ticket Granting Service (TGS) tickets for User Service Principal Names (SPN)

Authors: Alberto Solino and smashery
Type: Auxiliary
Pull request: #20175 contributed by smashery
Path: gather/kerberoast

Description: This adds a native Metasploit module for performing Kerberoast attacks. With the native module, users will no longer need to have Python or additional Python libraries in order to leverage the attack technique.

Ivanti Connect Secure Unauthenticated Remote Code Execution via Stack-based Buffer Overflow

Authors: Christophe De La Fuente and Stephen Fewer
Type: Exploit
Pull request: #20112 contributed by cdelafuente-r7
Path: linux/http/ivanti_connect_secure_stack_overflow_rce_cve_2025_22457
AttackerKB reference: CVE-2025-22457

Description: Adds an exploit module targeting CVE-2025-22457, a stack-based buffer overflow vulnerability in Ivanti Connect Secure 22.7R2.5 and earlier.

Clinic's Patient Management System 1.0 - Unauthenticated RCE

Authors: Ashish Kumar and msutovsky-r7
Type: Exploit
Pull request: #20177 contributed by msutovsky-r7
Path: multi/http/clinic_pms_sqli_to_rce
AttackerKB reference: CVE-2025-3096

Description: Clinic's Patient Management System contains a SQL injection vulnerability in its login section. This module uses that vulnerability (CVE-2025-3096) to gain unauthorized access to the application, then uses a second vulnerability (CVE-2022-2297) to gain remote code execution.

Invision Community 5.0.6 customCss RCE

Authors: Egidio Romano (EgiX) and Valentin Lobstein
Type: Exploit
Pull request: #20214 contributed by Chocapikk
Path: multi/http/invision_customcss_rce
AttackerKB reference: CVE-2025-47916

Description: This adds a new exploit module for Invision Community versions up to and including 5.0.6, which are vulnerable to remote code injection in the theme editor's customCss endpoint (CVE-2025-47916). The module leverages the malformed {expression="…"} construct to evaluate arbitrary PHP expressions and supports both in-memory PHP payloads and direct system command execution.

Nextcloud Workflows Remote Code Execution

Authors: Armend Gashi, Enis Maholli, arianitisufi, and whotwagner
Type: Exploit
Pull request: #20020 contributed by whotwagner
Path: unix/webapp/nextcloud_workflows_rce
AttackerKB reference: CVE-2023-26482

Description: This adds a module for Nextcloud Workflows (CVE-2023-26482). Exploitation requires a set of valid credentials, and the target Nextcloud instance needs to have the Workflow external script feature installed and enabled.

Samsung MagicINFO 9 Server Remote Code Execution (CVE-2024-7399)

Authors: Michael Heinzl and SSD Secure Disclosure
Type: Exploit
Pull request: #20188 contributed by h4x-x0r
Path: windows/http/magicinfo_traversal
AttackerKB reference: CVE-2024-7399

Description: This adds a module for CVE-2024-7399, an arbitrary file write with SYSTEM authority. The module drops a shell by exploiting this vulnerability, allowing remote code execution. The application communicates on TCP port 7001 for HTTP and TCP port 7002 for HTTPS.

Enhancements and features (3)

  • #20155 from bcoles - This reduces Metasploit's startup time.
  • #20175 from smashery - This adds a native Metasploit module for performing Kerberoast attacks. With the native module, users will no longer need to have Python or additional Python libraries in order to leverage the attack technique.
  • #20176 from smashery - This updates the ASREP roasting module (auxiliary/gather/asrep) to store the hashes in the database.

Bugs fixed (4)

  • #20166 from bcoles - Improves the bootup performance of msfconsole when searching for module platform classes.
  • #20179 from adfoster-r7 - This bumps the version of Metasploit Payloads to include a fix for the Java Meterpreter's symlink handling on Windows.
  • #20194 from adfoster-r7 - Fixes a bug in the thinkphp RCE module that opted it out of auto-exploitation in Metasploit Pro.
  • #20207 from zeroSteiner - This adds a quick fix for the new auxiliary/gather/kerberoast module to ensure that the KrbCacheMode datastore option is honored, letting the user control whether or not the module uses cached credentials.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.