Newsy.co

Metasploit Wrap-Up 04/04/2025

New RCEs

Metasploit Wrap-Up 04/04/2025

Metasploit added four new modules this week, including three that leverage vulnerabilities to obtain remote code execution (RCE). Among these three, two leverage deserialization, showing that the exploit primitive is still going strong. The Tomcat vulnerability in particular CVE-2025-24813 garnered a lot of attention when it was disclosed; however, to function, the exploit requires specific conditions to be met, which may not be present in many environments.

AD CS / PKCS12 Improvements

With the popularity of exploiting AD CS misconfigurations over the past couple of years, Metasploit has been continuing to iterate over our support. This week saw two improvements; one added additional error handling, which notably calls out authorization errors more clearly to the user. These errors, now labeled no-access failures, are encountered when the user is successfully authenticated but lacks authorization privileges to enroll on either the certificate template or the certificate authority server. Additionally, Metasploit's support for PKCS12 certificate storage is actively being improved. This week, a milestone was reached allowing additional metadata to be stored with the certificate, which, in the future, will enable more streamlined use of stored certificate data. This new metadata includes the password to decrypt the PKCS12 data, the CA that issued the certificate and AD CS template it was derived from.

New module content (4)

pfSense Login Scanner

Author: sjanusz-r7
Type: Auxiliary
Pull request: #19985 contributed by sjanusz-r7
Path: scanner/http/pfsense_login

Description: This adds a login scanner module for pfSense which can be used to brute force valid credentials to the web GUI.

CmsMadeSimple Authenticated File Manager RCE

Authors: Mirabbas Ağalarov, Okan Kurtuluş, and tastyrice
Type: Exploit
Pull request: #19980 contributed by tastyrce
Path: multi/http/cmsms_file_manager_auth_rce
AttackerKB reference: CVE-2023-36969

Description: This adds an exploit module for CMSMadeSimple <= v2.2.21, which is vulnerable to an authenticated RCE (CVE-2023-36969).

Tomcat Partial PUT Java Deserialization

Authors: Calum Hutton, h4ck3r-04, and sw0rd1ight
Type: Exploit
Pull request: #19995 contributed by chutton-r7
Path: multi/http/tomcat_partial_put_deserialization
AttackerKB reference: CVE-2025-24813

Description: This adds an exploit module for CVE-2025-24813, which is an unauthenticated, constrained file write vulnerability in Apache Tomcat.

Sitecore CVE-2025-27218 BinaryFormatter Deserialization Exploit

Authors: Dylan Pindur and machang-r7
Type: Exploit
Pull request: #19947 contributed by machang-r7
Path: windows/http/sitecore_xp_cve_2025_27218
AttackerKB reference: CVE-2025-27218

Description: This adds an exploit module for CVE-2025-27217, an unauthenticated .NET deserialization vulnerability for Sitecore.

Enhancements and features (4)

  • #19606 from cgranleese-r7 - This updates the LDAP modules to use datastore options for authentication that are prefixed with LDAP, allowing them to be used as larger workflows that merge datastore options for multiple protocols.
  • #19736 from cdelafuente-r7 - This update adds support for the new Pkcs12 data format, allowing the CA and ADCS template to be stored as metadata in the database. Additionally, Pkcs12 passwords can now be stored as metadata, with validation ensuring correct passwords are provided when adding encrypted Pkcs12 files using the creds command.
  • #19984 from zeroSteiner - This improves AD CS workflows by adding additional error handing.
  • #19991 from zeroSteiner - This adds some new tests for LoginScanners. It ensures that the LoginScanners follow a common interface for initialization, most notably that they take a single argument containing the configuration as a hash.

Bugs fixed (3)

  • #19934 from sfewer-r7 - This addresses several bugs in the exploit/linux/misc/cisco_ios_xe_rce module, which was failing for Cisco IOS XE version 17.06.05 on C8000v series appliances. Fixes include correcting the /webui URI to /webui/ (with a trailing slash) and adjusting the case sensitivity in the /webui_wsma_https URI for both CSR1000v and C8000v appliances. Additionally, the module now properly distinguishes between HTTPS and HTTP targets, ensuring compatibility with both appliance series.
  • #19993 from h00die-gr3y - This fixes an issue where payloads using cmd/base64 encoder with badchars \x20 (space) failed due to syntax errors in POSIX shells when ${IFS} followed parentheses. Removed unnecessary spaces from the payload to ensure proper execution in Unix-based environments.
  • #19998 from sjanusz-r7 - Fixes a crash when running the auxiliary/crawler/msfcrawler module.

Documentation

  • #19979 from bwatters-r7 - This adds documentation that describes when a module submission may be superseded.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

  • Pull Requests 6.4.55...6.4.56
  • Full diff 6.4.55...6.4.56

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro