Twonky Auth Bypass, RCEs and RISC-V Reverse Shell Payloads
This was another fantastic week in terms of PR contributions to the Metasploit Framework. Rapid7’s very own Ryan Emmons recently disclosed CVE-2025-13315 and CVE-2025-13316, which exist in Twonky Server and allow decrypting admin credentials by reading, without authentication, the logs that contain them. The auxiliary module Ryan submitted, which exploits both of these CVEs, was released this week. Community contributor Valentin Lobstein, aka Chocapikk, has returned to the PR queue with a welcome vengeance. Two modules from Chocapikk landed this week: a Monsta FTP downloadFile Remote Code Execution module and a WordPress AI Engine Plugin MCP Unauthenticated Admin Creation to RCE module. In addition to some awesome module content, community contributor bcoles added Linux RISC-V 32-bit/64-bit TCP reverse shell payloads.
New module content (5)
Twonky Server Log Leak Authentication Bypass
Author: remmons-r7
Type: Auxiliary
Pull request: #20709 contributed by remmons-r7
Path: gather/twonky_authbypass_logleak
AttackerKB reference: CVE-2025-13316
Description: This module exploits two CVEs: CVE-2025-13315 and CVE-2025-13316. Both CVEs exist in Twonky Server and allow decrypting admin credentials by reading, without authentication, the logs that contain them. Because the module uses hardcoded keys, it can then decrypt those credentials.
Monsta FTP downloadFile Remote Code Execution
Authors: Valentin Lobstein, msutovsky-r7, and watchTowr Labs
Type: Exploit
Pull request: #20718 contributed by Chocapikk
Path: multi/http/monsta_ftp_downloadfile_rce
AttackerKB reference: CVE-2025-34299
Description: This adds a module for CVE-2025-34299. The module exploits a vulnerability in the downloadFile action which allows an attacker to connect to a malicious FTP server and download arbitrary files to arbitrary locations on the Monsta FTP server.
WordPress AI Engine Plugin MCP Unauthenticated Admin Creation to RCE
Authors: Emiliano Versini, Khaled Alenazi (Nxploited), Valentin Lobstein, and dledda-r7
Type: Exploit
Pull request: #20720 contributed by Chocapikk
Path: multi/http/wp_ai_engine_mcp_rce
AttackerKB reference: CVE-2025-11749
Description: This adds a new exploit module for an unauthenticated vulnerability in the WordPress AI Engine plugin, which has over 100,000 active installations. The vulnerability allows an attacker to create an administrator account via the MCP (Model Context Protocol) endpoint without authentication, then upload and execute a malicious plugin to achieve remote code execution. The vulnerability is being tracked as CVE-2025-11749.
Linux Command Shell, Reverse TCP Inline
Authors: bcoles and modexp
Type: Payload (Single)
Pull request: #20712 contributed by bcoles
Path: linux/riscv32le/shell_reverse_tcp
Description: This adds Linux RISC-V 32-bit/64-bit TCP reverse shell payloads.
Linux Command Shell, Reverse TCP Inline
Authors: bcoles and modexp
Type: Payload (Single)
Pull request: #20712 contributed by bcoles
Path: linux/riscv64le/shell_reverse_tcp
Description: This adds Linux RISC-V 32-bit/64-bit TCP reverse shell payloads.
Enhancements and features (3)
- #20658 from jheysel-r7 - This adds a number of accuracy enhancements to the ldap_esc_vulnerable_cert_finder module. It also adds a CertificateAuthorityRhost datastore option to the esc_update_ldap_object module so the operator can specify an IP address explicitly in cases where the hostname cannot be resolved via DNS.
- #20677 from zeroSteiner - This enables sessions to MSSQL servers that require encryption. These changes add a new MsTds::Channel which leverages Rex's socket abstraction to facilitate the necessary encapsulation for the TLS negotiation.
- #20741 from SaiSakthidar - This removes CAIN as an output format for collected hashes.
Documentation
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition, Metasploit Pro.

