Metasploit Weekly Wrap-Up 09/19/2025

Last updated on Sep 19, 2025

Consistently Persistent

The Metasploit Framework has around 26 modules that can be used to establish persistence on a target. Persistence modules help operators maintain a consistent foothold within an environment once a target has been compromised, and are quite helpful during longer engagements. Prior to this large effort, the categorization of these modules was largely inconsistent. In addition, all of these modules shared similar code, which has now been refactored into a persistence mixin. All of the modules have been refactored to use the new mixin and have been moved and renamed in a consistent fashion: modules/exploits/*/persistence/*.rb, i.e. modules/exploits/<OS>/persistence/<persistence_technique>.rb, where the filename <persistence_technique> names the service or mechanism through which persistence is established, e.g. bash_profile.rb or init_systemd.rb. We're happy to announce that almost all the PRs pertaining to this effort have landed. A special thanks to community contributor h00die for spearheading this effort.
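Seen from the defensive side, the renamed techniques double as a checklist of where persistence lands on a Linux host. The Ruby script below is an added example, not Metasploit's own code; the mapping of technique names to file system locations is this example's own assumption. It globs the drop points for bash_profile, systemd and OpenRC units, rc.local, APT hooks, XDG autostart, update-motd.d and at jobs under a given root, reports files modified within a time window, and pulls out the command each one would run. It builds a constructed temp-dir fixture so it runs offline; for real use, point scan_persistence at "/" on a live host or at a mounted image.

```ruby
require 'tmpdir'
require 'fileutils'

# Drop points on Linux for the persistence techniques named in this wrap-up
# (bash_profile, init_systemd, openrc, rc_local, apt_package_manager,
# autostart, motd, at). Globs are relative to a root directory so the same
# scan can run against "/" on a live host or against a mounted disk image.
# This mapping is an assumption of this example, not Metasploit's module table.
PERSISTENCE_GLOBS = {
  'bash_profile'        => ['root/.bash_profile', 'root/.bashrc', 'home/*/.bash_profile',
                            'home/*/.bashrc', 'etc/profile.d/*.sh'],
  'init_systemd'        => ['etc/systemd/system/*.service', 'lib/systemd/system/*.service'],
  'init_openrc'         => ['etc/init.d/*', 'etc/local.d/*.start'],
  'rc_local'            => ['etc/rc.local'],
  'apt_package_manager' => ['etc/apt/apt.conf.d/*'],
  'autostart'           => ['etc/xdg/autostart/*.desktop', 'home/*/.config/autostart/*.desktop'],
  'motd'                => ['etc/update-motd.d/*'],
  'at'                  => ['var/spool/cron/atjobs/*']
}.freeze

# Return the line an analyst wants first: the command a systemd unit, desktop
# entry or APT hook will run. Falls back to the first non-comment line for
# shell-style hooks, and nil when nothing is found.
def extract_command(path)
  content = File.read(path).scrub
  case path
  when /\.service\z/      then content[/^ExecStart=(.*)$/, 1]
  when /\.desktop\z/      then content[/^Exec=(.*)$/, 1]
  when %r{/apt\.conf\.d/} then content[/(?:Pre|Post)-Invoke\s*\{?\s*"([^"]*)"/, 1]
  else
    content.each_line.map(&:strip).find { |l| !l.empty? && !l.start_with?('#') }
  end
end

# Scan +root+ for files in the known locations modified at or after +since+.
# Each finding carries the technique, the path relative to root, the mtime and
# the extracted command. Sorted by path so output is stable.
def scan_persistence(root, since:)
  findings = []
  PERSISTENCE_GLOBS.each do |technique, globs|
    globs.each do |glob|
      Dir.glob(File.join(root, glob)).each do |path|
        next unless File.file?(path)
        mtime = File.mtime(path)
        next if mtime < since
        findings << { technique: technique, path: path.delete_prefix(root),
                      mtime: mtime, command: extract_command(path) }
      end
    end
  end
  findings.sort_by { |f| f[:path] }
end

# Constructed fixture (not real host data): a fake root with an old, benign
# cron unit, a recently written unit and APT hook pointing at the same binary,
# a recently edited .bashrc and an untouched rc.local.
def build_fixture(root)
  old = Time.now - 30 * 86_400
  write = lambda do |rel, body, mtime|
    full = File.join(root, rel)
    FileUtils.mkdir_p(File.dirname(full))
    File.write(full, body)
    File.utime(mtime, mtime, full)
  end
  write.call('etc/systemd/system/cron.service',
             "[Service]\nExecStart=/usr/sbin/cron -f\n", old)
  write.call('etc/systemd/system/helper.service',
             "[Unit]\nDescription=helper\n[Service]\nExecStart=/tmp/.cache/helper\n", Time.now)
  write.call('etc/apt/apt.conf.d/99local',
             "DPkg::Post-Invoke {\"/tmp/.cache/helper\";};\n", Time.now)
  write.call('etc/rc.local', "#!/bin/sh\nexit 0\n", old)
  write.call('home/alice/.bashrc', "# ~/.bashrc\nexport PATH=$PATH:/tmp/.cache\n", Time.now)
end

# Build the fixture in a temp dir and scan it for changes in the last week.
def demo
  Dir.mktmpdir do |root|
    build_fixture(root)
    scan_persistence(root, since: Time.now - 7 * 86_400)
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |f| puts format('%-20s %-40s %s', f[:technique], f[:path], f[:command]) }
end
```

The fixture deliberately has the new unit and the APT hook run the same binary from /tmp: a single finding is easy to dismiss, but the same command appearing under two techniques is the pattern worth escalating. The mtime filter is only a first cut; an attacker can reset timestamps, so pair this with package-manager verification or file integrity monitoring on the same paths.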

New module content (3)

Commvault Command-Line Argument Injection to Traversal Remote Code Execution

Authors: Piotr Bazydlo, Sonny Macdonald, and remmons-r7

Type: Exploit

Pull request: #20507 contributed by remmons-r7 

Path: windows/http/commvault_rce_cve_2025_57790_cve_2025_57791 

AttackerKB reference: CVE-2025-57788

Description: This adds an unauthenticated remote code execution exploit chain for Commvault, tracked as CVE-2025-57790 and CVE-2025-57791. A command-line injection permits unauthenticated access to the 'localadmin' account, which then facilitates code execution via expression language injection. CVE-2025-57788 is also leveraged to leak the target host name, which is necessary knowledge to exploit the remote code execution chain. This module executes in the context of 'NETWORK SERVICE' on Windows.

Sitecore XP CVE-2025-34510 Post-Authentication Remote Code Execution

Authors: Piotr Bazydlo and msutovsky-r7

Type: Exploit

Pull request: #20479 contributed by msutovsky-r7 

Path: windows/http/sitecore_xp_cve_2025_34510 

AttackerKB reference: CVE-2025-34510

Description: This adds two separate exploit modules which can be used to obtain unauthenticated RCE on Sitecore XP instances running versions 10 to 10.4. Both modules make use of a hardcoded password in a service account to bypass authentication, which is tracked as CVE-2025-34509. One module then exploits an authenticated zip slip vulnerability, tracked as CVE-2025-34510, in order to gain RCE. The other module makes use of a vulnerability in the Sitecore PowerShell Extensions (SPE), in versions prior to 7.0, which is commonly deployed yet not installed by default. The SPE is vulnerable to unrestricted file upload up to version 7.0 (CVE-2025-3451). Using this vulnerability an attacker can upload a malicious ASPX file and gain remote code execution.

Sitecore XP CVE-2025-34511 Post-Authentication File Upload

Authors: Piotr Bazydlo and msutovsky-r7

Type: Exploit

Pull request: #20479 contributed by msutovsky-r7 

Path: windows/http/sitecore_xp_cve_2025_34511 

AttackerKB reference: CVE-2025-34511

Description: This adds two separate exploit modules which can be used to obtain unauthenticated RCE on Sitecore XP instances running versions 10 to 10.4. Both modules make use of a hardcoded password in a service account to bypass authentication, which is tracked as CVE-2025-34509. One module then exploits an authenticated zip slip vulnerability, tracked as CVE-2025-34510, in order to gain RCE. The other module makes use of a vulnerability in the Sitecore PowerShell Extensions (SPE), in versions prior to 7.0, which is commonly deployed yet not installed by default. The SPE is vulnerable to unrestricted file upload up to version 7.0 (CVE-2025-3451). Using this vulnerability an attacker can upload a malicious ASPX file and gain remote code execution.

Enhancements and features (7)

  • #20495 from h00die - Updates the apt_package_manager persistence module to use the new persistence mixin.
  • #20497 from h00die - Modified the autostart persistence module to use the new persistence mixin.
  • #20509 from h00die - Moves the motd exploit module into the persistence category and updates it to use the new persistence mixin.
  • #20510 from h00die - Moves the rc_local persistence module to the new persistence folder.
  • #20520 from h00die - Pulls the openrc functionality out of the init persistence module and adds it as its own new module, which uses the new persistence mixin.
  • #20521 from h00die - Pulls the systemd functionality out of the init persistence module and adds it as its own new module, which uses the new persistence mixin.
  • #20525 from h00die - Moves the obsidian_plugin_persistence module into the persistence category. The module now uses the expanded functionality available to persistence modules.
  • #20526 from h00die - Moves the at_persistence module into the persistence category. The module now uses the expanded functionality available to persistence modules.

Bugs fixed (6)

  • #20514 from dledda-r7 - Fixes a regression during Meterpreter session startup by disabling automatic loading of the unhook extension which caused crashes on Windows 11 24H2+ systems.
  • #20535 from zeroSteiner - Release note not yet written.
  • #20537 from zeroSteiner - This fixes an error that would occur in the module cache when a file system path was not initialized.
  • #20541 from zeroSteiner - This fixes a NoMethodError that was very recently introduced in the smb_login scanner. Metasploit users will now be able to run the smb_login scanner without issue once again.
  • #20542 from zeroSteiner - This fixes an edge case in the smb_login scanner when the authentication mode has been set to kerberos. When attempting to brute force the password of an account whose password has expired, operators would previously see every attempted password reported as successful, due to how the KDC_ERR_KEY_EXPIRED status was parsed. The smb_login scanner now reports not successful for any password of an account whose password has expired, even the correct but expired password, since no password is currently able to successfully authenticate.
  • #20548 from xHector1337 - Fixes an issue when iterating Samba shares in linux/samba/is_known_pipename.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.
