♫ I Just Called ♫ To Say ♫ 7f45 4c46 0201 0100 0000 0000 0000 0000 0300 3e00 0100♫
This release contains 2 new exploit modules, 2 enhancements, and 7 bug fixes. Community contributor Chocapikk submitted both exploit modules this release: one targeting AVideo-Encoder’s getImage.php file and another targeting FreePBX. Leading the enhancements is a granularization for LDAP queries allowing the omission of SACL data on security descriptors, as without the proper permissions the entire query of the security descriptor will fail if the SACL data is even just a part of the query.
New module content (2)
AVideo Encoder getImage.php Unauthenticated Command Injection
Authors: Valentin Lobstein [email protected] and arkmarta
Type: Exploit
Pull request: #21076 contributed by Chocapikk
Path: linux/http/avideo_encoder_getimage_cmd_injection
AttackerKB reference: CVE-2026-29058
Description: Adds an exploit module for CVE-2026-29058, an unauthenticated OS command injection in AVideo Encoder's getImage.php endpoint.
FreePBX filestore authenticated command injection
Authors: Cory Billington and Valentin Lobstein [email protected]
Type: Exploit
Pull request: #20719 contributed by Chocapikk
Path: unix/http/freepbx_filestore_cmd_injection
AttackerKB reference: CVE-2025-64328
Description: Adds a new Metasploit exploit module for FreePBX filestore authenticated command injection (CVE-2025-64328) with automatic vulnerable-version detection and full documentation, and renames the XorcomCompletePbx HTTP mixin to CompletePBX updating affected modules accordingly.
Enhancements and features (2)
- #20730 from zeroSteiner - This update modifies the ldap_query module to skip querying the SACL (System Access Control List) on security descriptors by default. This behavior is now controlled by a new option, LDAP::QuerySacl. This change is necessary when using a non-privileged user to query security descriptors via LDAP; otherwise, querying the SACL will cause the entire query to be blocked, resulting in no security descriptors being returned.
- #20997 from Nayeraneru - This adds a new OptTimedelta datastore option type. It enables module authors to specify a time duration and users to set it with a human-friendly syntax.
Bugs fixed (7)
- #20960 from g0tmi1k - This adds a DHCPINTERFACE option to the DHCP server mixin, allowing modules that start that server to specify a particular interface to bind to.
- #21020 from g0tmi1k - This makes a small change to the docs by removing two lines that were previously duplicated.
- #21024 from Aaditya1273 - Fixes a bug in the JSON-RPC msfrpcd functionality that incorrectly required SSL certificates to be present even when disabled with msfrpcd -S.
- #21025 from Hemang360 - Fixes a crash when calling the HTTP cookie jar with non-string values.
- #21028 from SilentSobs - Fixes a crash when using the reload_all command no module is present.
- #21081 from Hemang360 - Fixes a crash when using the windows/exec with non-ascii characters.
- #21139 from jheysel-r7 - This fixes a bug in the ldap_esc_vulnerable_cert_finder module that was preventing authentication from working when making a WinRM connection.
Documentation added (1)
You can always find more documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro
