National Cyber Warfare Foundation (NCWF)

Metasploit Wrap-Up 05 16 2025


2025-05-16 16:48:05
milo
Red Team (CNA)
This week's release includes 5 new modules, including RCEs for Car Rental System and three WordPress plugins. The execute-assembly post module was also updated with 32-bit support.

New modules for everyone



This week’s release is packed with new module content. We have RCE modules for Car Rental System 1.0 and the WordPress plugins SureTriggers, User Registration and Membership. We also have a persistence module for LINQPad software and an auxiliary module for POWERCOM UPSMON PRO. Finally, we have added 32-bit support to our execute-assembly post module, which can now inject both 64-bit and 32-bit .NET assembly binaries.


New module content (5)


POWERCOM UPSMON PRO Path Traversal (CVE-2022-38120) and Credential Harvester (CVE-2022-38121)


Author: Michael Heinzl

Type: Auxiliary

Pull request: #20123 contributed by h4x-x0r

Path: gather/upsmon_traversal

AttackerKB reference: CVE-2022-38121


Description: This adds an auxiliary module for two vulnerabilities in POWERCOM UPSMON PRO: path traversal and credential harvesting. The first vulnerability allows users to traverse the path in the URI and read arbitrary files, subject to the privileges of the given user account. The second vulnerability allows access to sensitive UPSMON credentials, which are stored in plaintext in a readable file.


Car Rental System 1.0 File Upload RCE (Authenticated)


Author: Aaryan Golatkar

Type: Exploit

Pull request: #20026 contributed by aaryan-11-x

Path: multi/http/carrental_fileupload_rce

AttackerKB reference: CVE-2024-57487


Description: This adds a module for a file upload vulnerability in Car Rental System 1.0. It requires administrator credentials to exploit.


WordPress SureTriggers Auth Bypass and RCE


Authors: Khaled Alenazi (Nxploited), Michael Mazzolini (mikemyers), and Valentin Lobstein

Type: Exploit

Pull request: #20146 contributed by Chocapikk

Path: multi/http/wp_suretriggers_auth_bypass

AttackerKB reference: CVE-2025-3102


Description: Adds a new exploit module for the WordPress SureTriggers plugin (≤ 1.0.78) that abuses CVE-2025-3102, an unauthenticated REST endpoint, to create an administrative user and achieve remote code execution.


WP User Registration and Membership Unauthenticated Privilege Escalation (CVE-2025-2563)


Authors: Valentin Lobstein and wesley (wcraft)

Type: Exploit

Pull request: #20159 contributed by Chocapikk

Path: multi/http/wp_user_registration_membership_escalation

AttackerKB reference: CVE-2025-2563


Description: This adds a module for a privilege escalation vulnerability in the User Registration and Membership plugin for WordPress. It allows creating new users with administrator privileges.


LINQPad Deserialization Exploit


Authors: James Williams and msutovsky-r7

Type: Exploit

Pull request: #19777 contributed by msutovsky-r7

Path: windows/local/linqpad_deserialization_persistence

AttackerKB reference: CVE-2024-53326


Description: Adds a module to install persistence relying on CVE-2024-53326, a .NET deserialization vulnerability in the startup of LINQPad versions prior to 5.52.


Enhancements and features (3)



  • #20098 from smashery - Adds support for 32-bit execute-assembly, allowing injection of 64-bit or 32-bit .NET assemblies.

  • #20126 from bcoles - This adds a Linux post-exploitation method to check Yama's ptrace_scope setting. It removes a round trip required to obtain the scope value, making modules that need to know it run slightly faster.

  • #20173 from adfoster-r7 - Updates the web crawling modules to support HTTP logging.


Bugs fixed (8)



  • #20010 from lafried - This fixes a missing PowerShell signature when SSH is trying to identify the platform.

  • #20111 from cdelafuente-r7 - Fixes an issue that prevented failed exploit attempts from being registered in the database correctly.

  • #20118 from zeroSteiner - This fixes the target option for the smb_to_ldap module. The option RELAY_TARGETS is now outdated; RHOSTS should be used instead.

  • #20120 from bcoles - This fixes typos across many Windows post-exploit modules and adds missing metadata.

  • #20128 from bcoles - This fixes an IP address assignment in the auxiliary/bnat/bnat_router module.

  • #20142 from L-codes - Fixes a crash when running unknown commands in msfconsole when using specific versions of Ruby and bundler.

  • #20156 from bcoles - This fixes typos and RuboCop violations inside the post modules.

  • #20181 from bwatters-r7 - This fixes an issue in Metasploit's WordPress login functionality that would cause it to fail for certain target configurations.


Documentation added (1)



  • #20151 from adfoster-r7 - Updates the Wiki to include the latest available download links.


You can always find more documentation on our docsite at docs.metasploit.com.


Get it


As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.




Source: Rapid7
Source Link: https://blog.rapid7.com/2025/05/16/metasploit-wrap-up-05-16-2025/

