National Cyber Warfare Foundation (NCWF)

Metasploit Wrap-Up 05/09/2025


2025-05-09 17:16:35
milo
Red Team (CNA)

New Toys and New Techniques


This release features a new OPNSense login scanner, a module targeting the Sante PACS path traversal vulnerability, an additional method for stealing Network Access Account credentials via SMB to HTTP relay, and the Erlang/OTP SSH exploit everyone was excited about.


New module content (4)





Sante PACS Server Path Traversal (CVE-2025-2264)


Authors: Michael Heinzl and Tenable

Type: Auxiliary

Pull request: #20124 contributed by h4x-x0r

Path: gather/pacsserver_traversal

AttackerKB reference: CVE-2025-2264


Description: This adds an auxiliary module for CVE-2025-2264. The vulnerability is present in Sante PACS Server and allows an attacker to perform path traversal to read arbitrary files.


OPNSense Login Scanner


Author: sjanusz-r7

Type: Auxiliary

Pull request: #19992 contributed by sjanusz-r7

Path: scanner/http/opnsense_login


Description: This adds a login scanner module for OPNSense.


SMB to HTTP relay version of Get NAA Creds


Authors: jheysel-r7, skelsec, smashery, and xpn

Type: Auxiliary

Pull request: #19952 contributed by jheysel-r7

Path: server/relay/relay_get_naa_credentials


Description: This adds a new module for obtaining NAA credentials from SCCM by authenticating through a relayed SMB connection.


Erlang OTP Pre-Auth RCE Scanner and Exploit


Authors: Horizon3 Attack Team, Martin Kristiansen, Matt Keeley, and mekhalleh (RAMELLA Sebastien)

Type: Exploit

Pull request: #20060 contributed by mekhalleh

Path: linux/ssh/ssh_erlangotp_rce

AttackerKB reference: CVE-2025-32433


Description: This adds a module which exploits CVE-2025-32433, a pre-authentication vulnerability in Erlang-based SSH servers that allows for remote command execution as the root user. By sending crafted SSH packets, it executes a Metasploit payload to establish a session on the target system.


Enhancements and features (4)



  • #20027 from e2002e - This adds support for Shodan facets.

  • #20115 from cgranleese-r7 - Updates multiple HTTPS modules to support a new SSLKeyLogFile option, which writes the TLS session secrets to a file so that the exchanged messages can be decrypted by diagnostic and logging tools that consume this file - such as Wireshark.

  • #20116 from bcoles - This adds support for .library-ms files in Windows SMB multi dropper.

  • #20127 from bcoles - This improves the start up time of msfconsole when run with the default options by not sorting module options at load time.
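The SSLKeyLogFile option writes secrets in the NSS key log format that Wireshark reads: one entry per line, `LABEL <client_random as 64 hex chars> <secret hex>`, with `#` comments. Because such a file is enough to decrypt every session it covers, it is worth being able to check what one contains before sharing it. The parser below is an added example (not Metasploit or Wireshark code) that validates a key log and counts the sessions it discloses, distinguishing TLS 1.2 entries (`CLIENT_RANDOM`) from TLS 1.3 ones (the per-session `*_TRAFFIC_SECRET` labels); the sample key log is constructed, not captured.

```ruby
# Added example: parse and summarise an NSS-format SSLKEYLOGFILE.
# Not Metasploit code; the sample below is a constructed fixture.

# Labels defined by the NSS key log format and understood by Wireshark.
KEYLOG_LABELS = {
  'CLIENT_RANDOM'                   => 'TLS 1.2 or earlier master secret',
  'CLIENT_EARLY_TRAFFIC_SECRET'     => 'TLS 1.3 0-RTT secret',
  'CLIENT_HANDSHAKE_TRAFFIC_SECRET' => 'TLS 1.3 handshake secret (client)',
  'SERVER_HANDSHAKE_TRAFFIC_SECRET' => 'TLS 1.3 handshake secret (server)',
  'CLIENT_TRAFFIC_SECRET_0'         => 'TLS 1.3 application secret (client)',
  'SERVER_TRAFFIC_SECRET_0'         => 'TLS 1.3 application secret (server)',
  'EXPORTER_SECRET'                 => 'TLS 1.3 exporter secret',
}.freeze

HEX_RE = /\A[0-9a-fA-F]+\z/

# Returns { entries: [...], problems: [...] }. Blank lines and '#' comments are
# skipped; anything Wireshark would not accept is reported in :problems.
def parse_keylog(text)
  entries = []
  problems = []
  text.each_line.with_index(1) do |raw, lineno|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    fields = line.split(/\s+/)
    label, client_random, secret = fields
    if fields.size != 3
      problems << "line #{lineno}: expected 3 fields, got #{fields.size}"
      next
    end
    unless KEYLOG_LABELS.key?(label)
      problems << "line #{lineno}: unknown label #{label}"
      next
    end
    unless client_random.length == 64 && client_random.match?(HEX_RE)
      problems << "line #{lineno}: client_random must be 32 bytes of hex"
      next
    end
    unless secret.match?(HEX_RE) && secret.length.even?
      problems << "line #{lineno}: secret is not valid hex"
      next
    end
    entries << { label: label,
                 client_random: client_random.downcase,
                 secret_bytes: secret.length / 2 }
  end
  { entries: entries, problems: problems }
end

# Each distinct client_random is one TLS session; a session whose labels are
# anything other than CLIENT_RANDOM was negotiated with TLS 1.3.
def summarize_keylog(text)
  parsed = parse_keylog(text)
  sessions = Hash.new { |h, k| h[k] = [] }
  parsed[:entries].each { |e| sessions[e[:client_random]] << e[:label] }
  tls13 = sessions.count { |_, labels| labels.any? { |l| l != 'CLIENT_RANDOM' } }
  {
    sessions: sessions.size,
    tls13_sessions: tls13,
    tls12_sessions: sessions.size - tls13,
    problems: parsed[:problems],
  }
end

# Constructed sample: one TLS 1.2 session, one TLS 1.3 session, one bad line.
SAMPLE_KEYLOG = <<~LOG
  # SSL/TLS secrets log file, generated by OpenSSL
  CLIENT_RANDOM #{'aa' * 32} #{'11' * 48}
  CLIENT_HANDSHAKE_TRAFFIC_SECRET #{'bb' * 32} #{'22' * 32}
  SERVER_HANDSHAKE_TRAFFIC_SECRET #{'bb' * 32} #{'33' * 32}
  CLIENT_TRAFFIC_SECRET_0 #{'bb' * 32} #{'44' * 32}
  SERVER_TRAFFIC_SECRET_0 #{'bb' * 32} #{'55' * 32}
  CLIENT_RANDOM notheX #{'66' * 48}
LOG

if __FILE__ == $PROGRAM_NAME
  puts summarize_keylog(SAMPLE_KEYLOG).inspect
end
```

Run it against a real key log with `summarize_keylog(File.read(path))`; the session count tells you how much traffic the file can decrypt, which is the figure to weigh before attaching it to a ticket or a packet capture.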


Bugs fixed (1)



  • #20148 from adfoster-r7 - This fixes an issue where SSL connections made by Metasploit would fail when the Server Name Indication (SNI) extension was in use.
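SNI is the ClientHello extension that tells a server which hostname the client wants, so a server hosting several names can pick the matching certificate, and the same name is what a verifying client checks against the certificate's subjectAltName. The following is an added example, not Metasploit code, that runs a TLS handshake over loopback with Ruby's OpenSSL binding: the server records the SNI it received through `servername_cb`, and the client sets `SSLSocket#hostname=`, which both sends the extension and enables hostname verification. The self-signed certificate is a constructed fixture, and `send_sni: false` shows what the server sees from a client that omits the extension.

```ruby
# Added example: observe SNI on both sides of a loopback TLS handshake.
# Not Metasploit code; the certificate is a constructed fixture.
require 'openssl'
require 'socket'

# Self-signed certificate for `name`, used as the server certificate and as
# the client's trust anchor (fixture only).
def make_self_signed(name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{name}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{name}"))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Performs one handshake and returns the SNI name the server saw plus the
# application data the client read. send_sni: false omits the extension.
def sni_roundtrip(name, send_sni: true)
  key, cert = make_self_signed(name)
  seen_sni = nil

  server_ctx = OpenSSL::SSL::SSLContext.new
  server_ctx.cert = cert
  server_ctx.key = key
  # Invoked only when the ClientHello carries an SNI extension; returning nil
  # keeps the current context (a multi-host server would return another one).
  server_ctx.servername_cb = proc { |_ssl, hostname| seen_sni = hostname; nil }

  listener = TCPServer.new('127.0.0.1', 0)
  port = listener.addr[1]
  ssl_server = OpenSSL::SSL::SSLServer.new(listener, server_ctx)
  server = Thread.new do
    conn = ssl_server.accept
    conn.puts('hello')
    conn.close
  end

  client_ctx = OpenSSL::SSL::SSLContext.new
  client_ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  # Hostname verification needs a hostname to compare against, so it is only
  # meaningful when the client supplies one.
  client_ctx.verify_hostname = send_sni
  store = OpenSSL::X509::Store.new
  store.add_cert(cert)
  client_ctx.cert_store = store

  tcp = TCPSocket.new('127.0.0.1', port)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, client_ctx)
  ssl.sync_close = true
  # hostname= sends the SNI extension and supplies the name that
  # verify_hostname checks against the certificate's subjectAltName.
  ssl.hostname = name if send_sni
  ssl.connect
  reply = ssl.gets.to_s.strip
  ssl.close
  server.join
  ssl_server.close
  { sni: seen_sni, reply: reply }
end

if __FILE__ == $PROGRAM_NAME
  p sni_roundtrip('localhost')
  p sni_roundtrip('localhost', send_sni: false)
end
```

With `send_sni: false` the handshake still completes against this single-host server, but `:sni` is nil: a server that selects certificates by name would have had nothing to select on, which is the failure mode a client that drops the extension produces against real multi-host endpoints.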


Documentation


You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.




Source: Rapid7
Source Link: https://blog.rapid7.com/2025/05/09/metasploit-wrap-up-05-09-2025/





Copyright 2012 through 2025 - National Cyber Warfare Foundation - All rights reserved worldwide.