New Modules & Adapters, and Improvements!
This week’s release brings new modules, additional adapter payloads and improvements to existing modules and features. These modules target software such as ThinManager, Remote for Mac, Roundcube and more. It also includes additional work from bcoles that improves the bootup time of Metasploit Framework, additional CVE support implemented by Chocapikk for the wp_suretriggers_auth_bypass module, and additional crash and bug fixes for datastore options in LDAP-related modules.
New module content (5)
ThinManager Path Traversal (CVE-2023-2915) Arbitrary File Delete
Authors: Michael Heinzl and Tenable Type: Auxiliary Pull request: #20140 contributed by h4x-x0r Path: admin/networking/thinmanager_traversal_delete AttackerKB reference: CVE-2023-2915
Description: : Adds a module targeting the path traversal vulnerability CVE-2023-2915 in ThinManager <= v13.1.0 to delete an arbitrary file from the target system as the SYSTEM user.
Maldoc in PDF Polyglot converter
Author: mekhalleh (RAMELLA Sebastien) Type: Auxiliary Pull request: #20072 contributed by mekhalleh Path: fileformat/maldoc_in_pdf_polyglot
Description: This adds a fileformat module for technique MalDoc in PDF, which hides malicious Word documents in PDF.
Roundcube ≤ 1.6.10 Post-Auth RCE via PHP Object Deserialization
Authors: Kirill Firsov and Maksim Rogov Type: Exploit Pull request: #20291 contributed by vognik Path: multi/http/roundcube_auth_rce_cve_2025_49113 AttackerKB reference: CVE-2025-49113
Description: This adds module for CVE-2025-49113 - remote code execution by PHP object deserialization. The module requires user credentials for successful exploitation.
Remote for Mac Unauthenticated RCE
Author: Chokri Hammedi ( Type: Exploit Pull request: #20256 contributed by blue0x1 Path: osx/http/remote_for_mac_rce
Description: This adds new unauthenticated remote code execution (RCE) module for Remote for Mac software.
OS Command Exec
Authors: Spencer McIntyre Type: Payload (Adapter) Pull request: #20160 contributed by zeroSteiner
Description: Adds two PHP adapters, one for going to ARCH_CMD and one for coming from ARCH_CMD.
This adapter modifies the following payloads:
- php/unix/cmd/adduser
- php/unix/cmd/bind_awk
- php/unix/cmd/bind_busybox_telnetd
- php/unix/cmd/bind_inetd
- php/unix/cmd/bind_jjs
- php/unix/cmd/bind_lua
- php/unix/cmd/bind_netcat
- php/unix/cmd/bind_netcat_gaping
- php/unix/cmd/bind_netcat_gaping_ipv6
- php/unix/cmd/bind_nodejs
- php/unix/cmd/bind_perl
- php/unix/cmd/bind_perl_ipv6
- php/unix/cmd/bind_r
- php/unix/cmd/bind_ruby
- php/unix/cmd/bind_ruby_ipv6
- php/unix/cmd/bind_socat_sctp
- php/unix/cmd/bind_socat_udp
- php/unix/cmd/bind_stub
- php/unix/cmd/bind_zsh
- php/unix/cmd/generic
- php/unix/cmd/interact
- php/unix/cmd/pingback_bind
- php/unix/cmd/pingback_reverse
- php/unix/cmd/reverse
- php/unix/cmd/reverse_awk
- php/unix/cmd/reverse_bash
- php/unix/cmd/reverse_bash_telnet_ssl
- php/unix/cmd/reverse_bash_udp
- php/unix/cmd/reverse_jjs
- php/unix/cmd/reverse_ksh
- php/unix/cmd/reverse_lua
- php/unix/cmd/reverse_ncat_ssl
- php/unix/cmd/reverse_netcat
- php/unix/cmd/reverse_netcat_gaping
- php/unix/cmd/reverse_nodejs
- php/unix/cmd/reverse_openssl
- php/unix/cmd/reverse_perl
- php/unix/cmd/reverse_perl_ssl
- php/unix/cmd/reverse_php_ssl
- php/unix/cmd/reverse_python
- php/unix/cmd/reverse_python_ssl
- php/unix/cmd/reverse_r
- php/unix/cmd/reverse_ruby
- php/unix/cmd/reverse_ruby_ssl
- php/unix/cmd/reverse_socat_sctp
- php/unix/cmd/reverse_socat_tcp
- php/unix/cmd/reverse_socat_udp
- php/unix/cmd/reverse_ssh
- php/unix/cmd/reverse_ssl_double_telnet
- php/unix/cmd/reverse_stub
- php/unix/cmd/reverse_tclsh
- php/unix/cmd/reverse_zsh
Enhanced Modules (1)
Modules which have either been enhanced, or renamed:
- #20187 from Chocapikk - Adds another exploitation vector to the pre-existing wp_suretriggers_auth_bypass module. The module now supports both CVE-2023-27007 and CVE-2023-3102.
Enhancements and features (3)
- #19996 from hantwister - This detects the CxUIUSvcChannel named pipe on target systems.
- #20170 from bcoles - Improves the msfconsole bootup time by improving the method used to generate the unique IDs of modules.
- #20264 from zeroSteiner - This adds propagation of KERB-SUPERSEDED-BY-USER data when included in Kerberos error responses.
Bugs fixed (3)
- #20262 from bwatters-r7 - This fixes an issue with the auxiliary/gather/vmware_vcenter_vmdir_ldap module caused by some options that had been changed.
- #20283 from cdelafuente-r7 - This fixes an issue in the certifried module that was causing it to crash.
- #20300 from zeroSteiner - Fixes a regression that stopped Windows hosts from being correctly identified after running the smb_version module.
Documentation added (1)
- #20282 from SweilemCodes - This adds docs to the existing auxiliary/scanner/http/jenkins_enum module.
You can always find more documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro