Last updated at Mon, 09 Jun 2025 20:08:57 GMT

ThinManager Path Traversal (CVE-2023-27855) Arbitrary File Upload

Authors: Michael Heinzl and Tenable
Type: Auxiliary
Pull request: #20138 contributed by h4x-x0r
Path: admin/networking/thinmanager_traversal_upload
AttackerKB reference: CVE-2023-2917

Description: Adds an auxiliary module that targets CVE-2023-27855, a path traversal vulnerability in ThinManager <= v13.0.1, to upload an arbitrary file to the target system as SYSTEM.

ThinManager Path Traversal (CVE-2023-2917) Arbitrary File Upload

Authors: Michael Heinzl and Tenable
Type: Auxiliary
Pull request: #20141 contributed by h4x-x0r
Path: admin/networking/thinmanager_traversal_upload2
AttackerKB reference: CVE-2023-2917

Description: Adds a module targeting CVE-2023-2917, a path traversal vulnerability in ThinManager <= v13.1.0, to upload an arbitrary file as system.

ThinManager Path Traversal (CVE-2023-27856) Arbitrary File Download

Authors: Michael Heinzl and Tenable
Type: Auxiliary
Pull request: #20139 contributed by h4x-x0r
Path: gather/thinmanager_traversal_download
AttackerKB reference: CVE-2023-27856

Description: Adds an auxiliary module targeting CVE-2023-27856, a path traversal vulnerability in ThinManager <= v13.0.1, to download an arbitrary file from the target system.

udev persistence

Author: Julien Voisin
Type: Exploit
Pull request: #19472 contributed by jvoisin
Path: linux/local/udev_persistence

Description: This adds a module for udev persistence for Linux targets. The module requires root access because it creates udev rules. It will create a rule under the directory /lib/udev/rules.d/ and a malicious binary containing the payload. Successful exploitation requires the presence of the at binary on the system.

Ivanti EPMM Authentication Bypass for Expression Language Remote Code Execution

Authors: CERT-EU, Piotr Bazydlo, Sonny Macdonald, and remmons-r7
Type: Exploit
Pull request: #20265 contributed by remmons-r7
Path: multi/http/ivanti_epmm_rce_cve_2025_4427_4428
AttackerKB reference: CVE-2025-4428

Description: Adds a module chaining CVE-2025-4427 and CVE-2025-4428, an authentication flaw that allows unauthenticated access to an administrator web API endpoint, which in turn allows code execution via expression language injection, on many versions of MobileIron Core (rebranded as Ivanti EPMM).

PHP Exec, PHP Command Shell, Bind TCP (via Perl)

Authors: Samy <samy@samy.pl>, Spencer McIntyre, cazz <bmc@shmoo.com>, and msutovsky-r7
Type: Payload (Adapter)
Pull request: #19976 contributed by msutovsky-r7

Description: This enables creation of PHP payloads wrapped around bash / sh commands.

This adapter adds the following payloads:

  • cmd/unix/php/bind_perl
  • cmd/unix/php/bind_perl_ipv6
  • cmd/unix/php/bind_php
  • cmd/unix/php/bind_php_ipv6
  • cmd/unix/php/download_exec
  • cmd/unix/php/exec
  • cmd/unix/php/meterpreter/bind_tcp
  • cmd/unix/php/meterpreter/bind_tcp_ipv6
  • cmd/unix/php/meterpreter/bind_tcp_ipv6_uuid
  • cmd/unix/php/meterpreter/bind_tcp_uuid
  • cmd/unix/php/meterpreter/reverse_tcp
  • cmd/unix/php/meterpreter/reverse_tcp_uuid
  • cmd/unix/php/meterpreter_reverse_tcp
  • cmd/unix/php/reverse_perl
  • cmd/unix/php/reverse_php
  • cmd/unix/php/shell_findsock

Enhancements and features (3)

  • #19900 from jvoisin - Updates the notes of multiple modules to include additional AKA (Also Known As) references for EquationGroup codenames.
  • #20263 from cdelafuente-r7 - Updates Metasploit to register VulnAttempts for both Exploit and Auxiliary modules.
  • #20277 from adfoster-r7 - Add support for Ruby 3.2.8.

Bugs fixed (7)

  • #20218 from jheysel-r7 - Fixes an issue in the web crawler's canonicalize method, which previously resulted in incorrect URIs being returned.
  • #20246 from bcoles - Fixes an issue within msfvenom when using zutto_dekiru encoder on a raw payload.
  • #20258 from zeroSteiner - Updates the datastore options in auxiliary/admin/ldap/shadow_credentials to reference the new LDAP datastore names.
  • #20260 from zeroSteiner - Updates the auxiliary/admin/ldap/change_password module to use the new LDAP datastore options.
  • #20273 from JohannesLks - This fixes multiple issues in the post/windows/manage/remove_host module that would occur when a line had multiple names on it or used tab characters instead of spaces.
  • #20275 from msutovsky-r7 - This fixes a bug in the auxiliary/scanner/sap/sap_router_info_request module that would cause it to crash when a corrupted packet was received.
  • #20281 from JohannesLks - This fixes an issue in the post/windows/manage/resolve_host module that would occur if the system wasn't installed to C:\.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.
