FreeBPX Content Galore
This week brings 3 new pieces of module content for targeting FreePBX. All three chain multiple vulnerabilities together, starting with CVE-2025-66039. This initial vulnerability allows unauthenticated users to bypass the authentication process to interact with FreePBX. From this point, the different modules leverage either a SQL injection vulnerability (CVE-2025-61675) or a file upload vulnerability (CVE-2025-61678) to obtain remote code execution.
New module content (7)
FreePBX endpoint SQLi to RCE
Authors: Noah King and msutovsky-r7 Type: Exploit Pull request: #20857 contributed by msutovsky-r7 Path: unix/http/freepbx_custom_extension_rce AttackerKB reference: CVE-2025-61675
Description: This adds exploit module for FreePBX which chains an authentication bypass, CVE-2025-66039, with a SQLi, CVE-2025-61675, which allows for a cron job to be added to the cron_job table of the database to allow for Remote Code Execution.
FreePBX firmware file upload
Authors: Noah King and msutovsky-r7 Type: Exploit Pull request: #20858 contributed by msutovsky-r7 Path: unix/http/freepbx_firmware_file_upload AttackerKB reference: CVE-2025-61678
Description: This adds exploit module for FreePBX which chains an authentication bypass, CVE-2025-66039, with an unrestricted file upload (via firmware upload), CVE-2025-61678, which allows for a webshell to be uploaded to the webserver resulting in remote code execution.
FreePBX Custom Extension SQL Injection
Authors: Noah King and msutovsky-r7 Type: Auxiliary Pull request: #20846 contributed by msutovsky-r7 Path: gather/freepbx_custom_extension_injection AttackerKB reference: CVE-2025-61675
Description: This adds an exploit module for FreePBX which chains an authentication bypass, (CVE-2025-66039) with an SQLi (CVE-2025-61675) to create an admin user in the database.
Cacti Graph Template authenticated RCE versions prior to 1.2.29
Authors: Jack Heysel and chutchut Type: Exploit Pull request: #20799 contributed by jheysel-r7 Path: multi/http/cacti_graph_template_rce AttackerKB reference: CVE-2025-24367
Description: This adds an exploit for CVE-2025-24367 which is an unauthenticated RCE in Cacti.
SmarterTools SmarterMail GUID File Upload Vulnerability
Authors: Piotr Bazydlo, Sina Kheirkhah, and jheysel-r7 Type: Exploit Pull request: #20866 contributed by jheysel-r7 Path: multi/http/smartermail_guid_file_upload AttackerKB reference: CVE-2025-52691
Description: This adds a module for unauthenticated file upload in SmarterTools SmaterMail (CVE-2025-52691). The vulnerability allows an unauthenticated user to upload a file to any location on the system using path traversal using the guid variable. The module will either drop a webshell in the webroot directory (if the target is Windows) or create a cron job by dropping a file in /etc/cron.d (if the target is Linux).
Burp Extension Persistence
Author: h00die Type: Exploit Pull request: #19821 contributed by h00die Path: multi/persistence/burp_extension
Description: This adds a new persistence module for BurpSuite. The module adds a malicious extension to both the Pro and Community versions, which is triggered when the user starts BurpSuite.
SSH Key Persistence
Authors: Dean Welch [email protected] and h00die [email protected] Type: Exploit Pull request: #20778 contributed by h00die Path: multi/persistence/ssh_key
Description: Combines the Windows and Linux ssh key persistence modules.
Enhancements and features (1)
Bugs fixed (3)
- #20897 from h00die - This fixes a bug that was preventing collected hash data from being formatted as input for the John the Ripper cracker. The result is that users can now once again crack passwords using John.
- #20902 from rudraditya21 - This fixes a bug in the auxiliary/scanner/ssh/ssh_login module that would incorrectly state that a login failed when it in fact succeeded but the module was unable to open a session. This was only an issue when the CreateSession option is true.
- #20909 from adfoster-r7 - Fixes a bug in Metasploit Pro that reported false positives for HTTP bruteforcing.
Documentation
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro
