Metasploit Enhances Security Testing with Seven New Exploit Modules Targeting FreePBX, Cacti, and SmarterMail
The Metasploit Framework has recently expanded its capabilities by introducing seven new exploit modules, significantly enhancing penetration testing and red teaming efforts. These additions focus on vulnerabilities within widely used enterprise software, including FreePBX, Cacti, and SmarterMail, underscoring the persistent risks associated with authentication bypasses and remote code execution (RCE) vulnerabilities.
FreePBX Vulnerability Chain
A notable advancement in this update is the development of three modules targeting FreePBX, an open-source graphical user interface that manages Asterisk PBX systems. Security researchers Noah King and msutovsky-r7 have crafted an exploit chain that escalates privileges from an unauthenticated state to full remote code execution by chaining multiple vulnerabilities.
The attack sequence initiates with CVE-2025-66039, an authentication bypass flaw that allows unauthorized access to the system. Once this barrier is breached, attackers can proceed via two distinct paths:
1. SQL Injection Exploit (CVE-2025-61675): This vulnerability enables attackers to inject malicious SQL commands, allowing them to insert new jobs into the `cron_job` table and schedule arbitrary code execution.
2. Unrestricted File Upload (CVE-2025-61678): By exploiting this flaw, attackers can upload a webshell directly to the server, granting immediate control over the system.
Additionally, an auxiliary module utilizes the same SQL injection vulnerability to create rogue administrator accounts, demonstrating the exploit chain’s versatility.
Critical RCE Vulnerabilities in Cacti and SmarterMail
Beyond FreePBX, the Metasploit update adds exploit modules for severe vulnerabilities in other critical platforms:
– Cacti (CVE-2025-24367): This vulnerability affects versions prior to 1.2.29 and permits unauthenticated remote code execution through the graph template mechanism. Given Cacti’s widespread use in network monitoring, this module is crucial for assessing infrastructure security.
– SmarterMail (CVE-2025-52691): This unauthenticated file upload vulnerability is exploited through path traversal in the `guid` variable. The module adapts to the target operating system:
    – Windows: Deploys a webshell in the webroot directory.
    – Linux: Establishes persistence by creating a cron job in `/etc/cron.d`.
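On the defensive side, the Linux path described above leaves a file in `/etc/cron.d`, so comparing that directory against a known-good baseline surfaces it. The Python below is an added example, not code from the Metasploit update or the original article; the file names and job lines in `demo()` are constructed sample data, and on a real host the baseline would be captured before exposure and stored off the machine.

```python
import hashlib
import re
import tempfile
from pathlib import Path

ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")  # e.g. SHELL=/bin/sh

def parse_jobs(text):
    """Return (user, command) pairs from /etc/cron.d-style text."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ENV_LINE.match(line):
            continue
        # "@reboot user cmd" has 1 schedule field; standard lines have 5.
        sched = 1 if line.startswith("@") else 5
        parts = line.split(None, sched + 1)
        if len(parts) == sched + 2:
            jobs.append((parts[sched], parts[sched + 1]))
    return jobs

def build_baseline(cron_dir):
    """Map file name -> SHA-256 for every regular file in cron_dir."""
    return {p.name: hashlib.sha256(p.read_bytes()).hexdigest()
            for p in Path(cron_dir).iterdir() if p.is_file()}

def audit_cron_dir(cron_dir, baseline):
    """Return (name, status, jobs) for files that are new or changed."""
    findings = []
    current = build_baseline(cron_dir)
    for name in sorted(current):
        if baseline.get(name) == current[name]:
            continue
        status = "modified" if name in baseline else "new"
        text = (Path(cron_dir) / name).read_text(errors="replace")
        findings.append((name, status, parse_jobs(text)))
    return findings

def demo():
    """Constructed data: baseline one file, then change the directory."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        job = "0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n"
        (d / "logrotate").write_text("SHELL=/bin/sh\n" + job)
        baseline = build_baseline(d)
        (d / "logrotate").write_text(job + "@reboot root /opt/example/added-job\n")
        (d / "zz-example").write_text(
            "# constructed entry\n*/5 * * * * www-data /opt/example/new-job --flag\n")
        return audit_cron_dir(d, baseline)
```

Each finding lists the user and command of every job in the flagged file, which is what a responder needs to decide whether the entry is expected.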
Enhancements in Persistence and Core Functionality
The update also introduces new persistence modules to bolster post-exploitation capabilities:
– Burp Suite Extension Persistence: This module installs a malicious extension in both Pro and Community versions of Burp Suite, ensuring execution upon application launch.
– Unified SSH Key Persistence: Consolidating Windows and Linux SSH key persistence into a single module streamlines operations and enhances efficiency.
Additionally, critical bug fixes have been implemented:
– Hash Data Formatting: Resolved issues preventing compatibility with the John the Ripper password cracker.
– SSH Login Scanner Logic: Corrected errors that misreported successful logins as failures when sessions couldn’t be opened, ensuring accurate reporting during engagements.
Implications for Cybersecurity
The introduction of these modules highlights the ongoing need for vigilance in cybersecurity practices. By providing tools to exploit these vulnerabilities, Metasploit enables security professionals to identify and remediate weaknesses before malicious actors can exploit them. Organizations utilizing FreePBX, Cacti, or SmarterMail should prioritize updating their systems and applying necessary patches to mitigate potential risks.