
Metasploit Wrap-Up 08/08/25

Last updated on Aug 8, 2025

New module content (4)

ICTBroadcast Unauthenticated Remote Code Execution

  • Author: Valentin Lobstein
  • Type: Exploit
  • Pull request: #20446 contributed by Chocapikk
  • Path: linux/http/ictbroadcast_unauth_cookie
  • AttackerKB reference: CVE-2025-2611

Description: This adds a new module for CVE-2025-2611 - unauthenticated remote code execution in ICTBroadcast. The application evaluates certain cookies using backticks, which can lead to command injection.

Pandora ITSM authenticated command injection leading to RCE via the backup function

  • Author: h00die-gr3y
  • Type: Exploit
  • Pull request: #20399 contributed by h00die-gr3y
  • Path: linux/http/pandora_itsm_auth_rce_cve_2025_4653
  • AttackerKB reference: CVE-2025-4653

Description: This adds a new module for CVE-2025-4653 - authenticated remote code execution in Pandora ITSM. This module exploits a command injection vulnerability in the name backup setting on the application setup page of Pandora ITSM. This can be triggered by generating a backup with a malicious payload injected at the name parameter. The module requires valid application credentials. Alternatively, if a database is exposed, the module can create a new admin account by connecting to the database.

Malicious XDG Desktop File

  • Author: bcoles
  • Type: Exploit
  • Pull request: #20423 contributed by bcoles
  • Path: multi/fileformat/xdg_desktop

Description: This adds a file format module for XDG Desktop (.desktop) files.

Microsoft SharePoint Server ToolPane Unauthenticated Remote Code Execution (aka ToolShell)

  • Authors: Viettel Cyber Security and sfewer-r7
  • Type: Exploit
  • Pull request: #20409 contributed by sfewer-r7
  • Path: windows/http/sharepoint_toolpane_rce
  • CVE reference: ZDI-25-581

Description: This module exploits the authentication bypass vulnerabilities CVE-2025-49706 and CVE-2025-53771, and an unsafe deserialization vulnerability CVE-2025-49704, to achieve unauthenticated RCE against a vulnerable Microsoft SharePoint Server. Read the Rapid7 CVE-2025-53770 blog post for more details.

Enhancements and features (1)

  • #20418 from H4k1l - Updates the password cracking modules to now automatically detect the presence of JohnTheRipper or Hashcat binaries on the host filesystem when attempting to crack credentials.

Bugs fixed (8)

  • #20372 from cgranleese-r7 - This updates the module cache logic and fixes a bug where newly added modules would not be automatically loaded.
  • #20431 from Wopseeion - This fixes an ASN.1 parsing error in auxiliary/admin/kerberos/get_ticket that would occur when using PKINIT authentication with certain certificates.
  • #20432 from cgranleese-r7 - Fixes an edge-case with the Metasploit RPC that caused module unique identifiers to be tracked incorrectly.
  • #20437 from Desiree05 - This adds a fix for the auxiliary/dos/http/apache_range_dos module. Previously, the module did not work correctly because the variable uri was uninitialized; this change initializes uri.
  • #20438 from msutovsky-r7 - Fixes a bug in the upload_and_compile method where under certain circumstances we can call chmod on the wrong filename.
  • #20448 from cgranleese-r7 - Fixes a bug when generating PowerShell scripts. Previously it was possible for randomly generated variable names to be chosen that are reserved words, which led to payload failures.
  • #20450 from dledda-r7 - This bumps the Mettle payload version from 1.0.42 to 1.0.45. The changes include the fix for a bug that would occur when the ELF executable was converted to shellcode.
  • #20454 from adfoster-r7 - Fixes a crash when running the show options command on some modules.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.
