This week, we have added 10 new modules to Metasploit Framework including an SMB to MSSQL relay module, a remote code execution module targeting Fortinet software, additional 32-bit and 64-bit RISC-V payloads, and more.
The SMB to MSSQL NTLM relay module allows users to open MSSQL sessions and run arbitrary queries against a target upon success. This module supports running an SMB server which validates credentials, and then attempts to execute a relay attack against an MSSQL server. This allows for more attack paths and credential gathering, and unlocks additional lateral movement and data exfiltration capabilities.
New module content (10)
Microsoft Windows SMB to MSSQL Relay
Author: Spencer McIntyre Type: Auxiliary Pull request: #20637 contributed by zeroSteiner Path: server/relay/smb_to_mssql
Description: Adds a new NTLM relay module for relaying from SMB to MSSQL servers. On success, an MSSQL session will be opened to allow the user to run arbitrary queries and some modules.
Fortinet FortiWeb unauthenticated RCE
Authors: Defused and sfewer-r7 Type: Exploit Pull request: #20717 contributed by sfewer-r7 Path: linux/http/fortinet_fortiweb_rce AttackerKB reference: CVE-2025-58034
Description: Adds a new module chaining FortiWeb vulnerabilities CVE-2025-64446 and CVE-2025-58034 to gain unauthenticated code execution on a FortiWeb server.
IGEL OS Privilege Escalation (via systemd service)
Author: Zack Didcott Type: Exploit Pull request: #20702 contributed by Zedeldi Path: linux/local/igel_network_priv_esc
Description: Adds 3 new modules targeting the iGEL OS. One post module abusing the SUID permissions of the setup and date binaries, one privilege escalation abusing the same SUID binary permissions to modify the NetworkManager and restart the service, allowing arbitrary executables to be run as root, and one persistence module relying on root permissions to write a command to the iGEL registry to enable execution at startup as root.
IGEL OS Persistent Payload
Author: Zack Didcott Type: Exploit Pull request: #20702 contributed by Zedeldi Path: linux/persistence/igel_persistence
Description: Adds 3 new modules targeting the iGEL OS. One post module abusing the SUID permissions of the setup and date binaries, one privilege escalation abusing the same SUID binary permissions to modify the NetworkManager and restart the service, allowing arbitrary executables to be run as root, and one persistence module relying on root permissions to write a command to the iGEL registry to enable execution at startup as root.
Flowise Custom MCP Remote Code Execution
Authors: Assaf Levkovich and Valentin Lobstein Type: Exploit Pull request: #20705 contributed by Chocapikk Path: multi/http/flowise_custommcp_rce AttackerKB reference: CVE-2025-8943
Description: This adds two modules for two vulnerabilities in Flowise (CVE-2025-59528, CVE-2025-8943). The modules add an option to use Flowise credentials for authentication when the application requires it, enabling exploitation of vulnerabilities.
Flowise JS Injection RCE
Authors: Kim SooHyun (im-soohyun), Valentin Lobstein, and nltt0 Type: Exploit Pull request: #20705 contributed by Chocapikk Path: multi/http/flowise_js_rce AttackerKB reference: CVE-2025-59528
Description: This adds two modules for two vulnerabilities in Flowise (CVE-2025-59528, CVE-2025-8943). The modules add an option to use Flowise credentials for authentication when the application requires it, enabling exploitation of vulnerabilities.
Notepad++ Plugin Persistence
Author: msutovsky-r7 Type: Exploit Pull request: #20685 contributed by msutovsky-r7 Path: windows/persistence/notepadpp_plugin_persistence
Description: Adds a persistence module that installs a malicious plugin in Notepad++, which blindly loads and executes DLLs from its plugin directory on startup.
Linux Chmod 32-bit
Author: bcoles Type: Payload (Single) Pull request: #20703 contributed by bcoles Path: linux/riscv32le/chmod
Description: Adds Linux RISC-V 32-bit / 64-bit Little Endian chmod payloads.
Linux Chmod 64-bit
Author: bcoles Type: Payload (Single) Pull request: #20703 contributed by bcoles Path: linux/riscv64le/chmod
Description: Adds Linux RISC-V 32-bit / 64-bit Little Endian chmod payloads.
IGEL OS Dump File
Author: Zack Didcott Type: Post Pull request: #20702 contributed by Zedeldi Path: linux/gather/igel_dump_file
Description: Adds 3 new modules targeting the iGEL OS. One post module abusing the SUID permissions of the setup and date binaries, one privilege escalation abusing the same SUID binary permissions to modify the NetworkManager and restart the service, allowing arbitrary executables to be run as root, and one persistence module relying on root permissions to write a command to the iGEL registry to enable execution at startup as root.
Bugs fixed (3)
- #20482 from rodolphopivetta - This fixes a bug in HTTP-based login scanners that occurs when SSL is enabled and a non-default HTTPS port is used.
- #20693 from dledda-r7 - This fixes a race condition in preloading extension klasses during bootstrap.
- #20721 from cpomfret-r7 - Fixes a crash when running a Nexpose scan that had a Nexpose Scan Assistant credential present.
Documentation
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.
Metasploit Wrap-Up 11/28/2025
Source: Rapid7
Source Link: https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-11-28-2025