2 min
Metasploit
Metasploit Weekly Wrap-Up 04/19/24
Welcome Ryan and the new CrushFTP module
It's not every week we add an awesome new exploit module to the Framework while
adding the original discoverer of the vulnerability to the Rapid7 team as well.
We're very excited to welcome Ryan Emmons to the Emergent Threat Response team,
which works alongside Metasploit here at Rapid7. Ryan discovered an Improperly
Controlled Modification of Dynamically-Determined Object Attributes
vulnerability in CrushFTP (CVE-2023-43177) versions prior to 10.5.1 whic
2 min
Metasploit
Metasploit Weekly Wrap-Up 02/09/2024
Go go gadget Fortra GoAnywhere MFT Module
This Metasploit release contains a module for one of 2024's hottest
vulnerabilities to date: CVE-2024-0204. The path traversal vulnerability in
Fortra GoAnywhere MFT allows for unauthenticated attackers to access the
InitialAccountSetup.xhtml endpoint which is used during the products initial
setup to create the first administrator user. After setup has completed, this
endpoint is supposed to be no longer available. Attackers can use this
vulnerability
2 min
Metasploit
Metasploit Weekly Wrap Up: July 21, 2023
This week's weekly wrapup includes two new Metasploit modules - Piwigo Gather Credentials via SQL Injection ( CVE-2023-26876 ) and Openfire authentication bypass with RCE plugin (CVE-2023-32315)
3 min
Metasploit
Metasploit Weekly Wrap-Up: 3/24/23
Zxyel Routers Beware
This week we've released a module written by first time community contributor
shr70 [https://github.com/shr70] that can exploit roughly 45 different Zyxel
router and VPN models. The module exploits a buffer overflow vulnerability that
results in unauthenticated remote code execution on affected devices. It's rare
we see a module affect this many devices once and are excited to see this ship
in the framework. We hope pentesters and red-teamers alike can make good use of
this
4 min
Metasploit
Metasploit Weekly Wrap-Up: Mar. 10, 2023
Wowza, a new credential gatherer and login scanner!
This week Metasploit Framework gained a credential gatherer for Wowza Streaming
Engine Manager. Credentials for this application are stored in a file named
admin.password in a known location and the file is readable by default by
BUILTIN\Users on Windows and is world readable on Linux.. The module was written
by community contributor bcoles [https://github.com/bcoles] who also wrote a
login scanner for Wowza this week. The login scanner can b