Last updated at Fri, 03 Mar 2023 20:51:02 GMT
2022 Vulnerability Intelligence Report Released
Rapid7’s broader vulnerability research team released our 2022 Vulnerability Intelligence Report this week. The report includes Metasploit and research team data on exploitation, exploitability, and vulnerability profiles that are intended to help security teams understand and prioritize risk more effectively. Put simply, security teams have way too much to do in a threat climate that’s seen some pretty crazy escalation the past few years, and understanding attack trends can help them make better risk-based choices.
There are some longer threads on key findings on Twitter and Mastodon. Some of the highlights:
- Rapid7 researchers saw a modest decrease in both widespread exploitation and zero-day exploitation of new vulnerabilities in 2022. Alas, widespread threats are still the majority of 2022 vulnerabilities in our dataset, and are double what they were in 2020.
- Attackers keep getting faster — more than half the vulns in the report were exploited within a week.
- Ransomware CVE stats got weird in 2022. There are probably a lot of intersectional reasons for this.
Read the full report here!
New module content (4)
Softing Secure Integration Server Login Utility
Author: Imran E. Dawoodjee
Pull request: #17676 contributed by ide0x90
Description: This adds a login module for the Softing Secure Integration Server software.
Oracle E-Business Suite (EBS) Unauthenticated Arbitrary File Upload
Authors: HMs, l1k3beef, and sf
Pull request: #17624 contributed by sfewer-r7
AttackerKB reference: CVE-2022-21587
Description: This pull request adds an exploit module for an arbitrary file upload vulnerability in Oracle Web Applications Desktop Integrator, as shipped with Oracle E-Business Suite versions 12.2.3 through to 12.2.11, which results in remote code execution. This has been observed to have been exploited in the wild.
Lucee Authenticated Scheduled Job Code Execution
Author: Alexander Philiotis
Pull request: #17638 contributed by JBince
Description: This adds a module to execute code using Lucee's scheduled job functionality. The feature requires authentication as an administrator by default and allows a ColdFusion page to be rendered, which is used to execute an OS command using the `cfexecute` directive. The module works on both Linux and Windows targets.
Pull request: #17672 contributed by archcloudlabs
Description: This PR includes a post module that will disable ClamAV on Linux systems. The bug resides in the ClamAV Unix socket permitting any user to submit the "shutdown" command which will disable ClamAV.
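As an added defender-side companion to the ClamAV module above (example code written for this post, not part of the module or of ClamAV), the snippet below audits the clamd socket settings that decide who can reach the control socket at all. The clamd.conf excerpt is constructed, and the function names are mine; on Linux, connecting to a Unix socket requires write permission on the socket file, which is what the mode check keys on.

```python
import os
import stat
from typing import Dict, List

# Constructed clamd.conf excerpt for the demo; the keys are real clamd.conf options,
# the values are ours (LocalSocketMode 666 is the weak setting we want flagged).
SAMPLE_CLAMD_CONF = """\
# example clamd.conf excerpt (constructed)
LogFile /var/log/clamav/clamav.log
LocalSocket /run/clamav/clamd.ctl
LocalSocketGroup clamav
LocalSocketMode 666
TCPSocket 3310
TCPAddr 127.0.0.1
"""

def parse_clamd_conf(text: str) -> Dict[str, str]:
    """Parse 'Key value' lines, skipping comments and blanks; a later key wins."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key] = value.strip()
    return settings

def audit_socket_access(settings: Dict[str, str]) -> List[str]:
    """Return findings about which local users / hosts can talk to clamd.
    A socket any user can write to is what lets an unprivileged user send
    control commands such as the shutdown the module above relies on."""
    findings: List[str] = []
    if "LocalSocket" in settings:
        mode_str = settings.get("LocalSocketMode", "")
        if mode_str and int(mode_str, 8) & stat.S_IWOTH:
            findings.append(f"LocalSocketMode {mode_str} lets any local user write to {settings['LocalSocket']}")
        elif not mode_str:
            findings.append("LocalSocketMode not set; verify the permissions of the socket file on disk")
        if "LocalSocketGroup" not in settings:
            findings.append("LocalSocketGroup not set; group access to the socket is not explicitly restricted")
    if "TCPSocket" in settings and settings.get("TCPAddr", "") in ("", "0.0.0.0", "::"):
        findings.append(f"TCPSocket {settings['TCPSocket']} is not bound to loopback")
    return findings

def audit_live_socket(path: str) -> List[str]:
    """Check the mode of an existing socket file on the host (run as root there)."""
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        return [f"{path} is not a Unix socket"]
    return [f"{path} is world-writable"] if st.st_mode & stat.S_IWOTH else []
```

Run `audit_socket_access(parse_clamd_conf(open("/etc/clamav/clamd.conf").read()))` on a host to get the findings for its real configuration; an empty list means the socket is group-restricted and the TCP listener, if any, is loopback-only.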
Enhancements and features (2)
- #17635 from dwelch-r7 - Updates the `admin/kerberos/inspect_ticket` module to display the ticket checksum and full PAC checksum.
- #17699 from gwillcox-r7 - This adds SCHANNEL authentication support to LDAP modules.
Bugs fixed (5)
- #17562 from gwillcox-r7 - This fixes some incorrect Railgun definitions for the wldap32 Windows library.
- #17679 from adfoster-r7 - This PR fixes the broken payload selection for Metasploit RPC
- #17696 from zeroSteiner - The version of Metasploit Payloads in use by Metasploit has been bumped, which brings in support for the `getdesktop` command to Python Meterpreters running on Windows, and also adds support for getting the handle of processes opened via the session. Additionally, fixes were made to support Python 2.5 and to fix the `getdesktop` output of Python Meterpreters.
- #17697 from jheysel-r7 - This updates the `exploit/linux/http/froxlor_log_path_rce` module to note that Froxlor 2.0.7 is the last vulnerable version.
- #17700 from zeroSteiner - The argument validation for the `route` command has been reworked to improve the way it validates arguments and to print out more accurate error messages.
Documentation added (3)
- #17680 from adfoster-r7 - Improves the UX of the docs.metasploit.com module explorer. Adds 'expand all' and 'collapse all' buttons to the module explorer. Adds support for automatically opening descendant folders that only contain 1 item. Adds an additional parent folder to make it clearer to the user that the folders are clickable.
- #17687 from archcloudlabs - This PR contains additional examples on the ERB format required for the HTTPRawHeaders option for HTTP clients.
- #17695 from zeroSteiner - The LDAP query and collection projects have been removed from the GSOC 2023 list since they have already been implemented in https://github.com/rapid7/metasploit-framework/pull/16598.
You can always find more documentation on our docsite at docs.metasploit.com.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).