Metasploit Releases 7 New Exploit Modules FreePBX Cacti

The Metasploit Framework received a notable update this week, delivering seven new exploit modules. These additions significantly enhance capabilities for penetration testers and red teamers, targeting several commonly used enterprise software platforms.

The highlight of this release is a sophisticated trio of modules directed at FreePBX, alongside critical remote code execution (RCE) capabilities for Cacti and SmarterMail.

This update underscores the continued risk posed by chaining authentication bypass flaws with secondary vulnerabilities to achieve full system compromise.

FreePBX Vulnerability Chaining

The most significant addition to the framework involves three distinct modules targeting FreePBX, an open-source GUI that controls Asterisk (PBX). Researchers Noah King and msutovsky-r7 have developed a method to chain multiple vulnerabilities to escalate privileges from an unauthenticated state to remote code execution.

The attack chain begins with CVE-2025-66039, an authentication bypass vulnerability that allows unauthorized actors to circumvent login protocols. Once the authentication barrier is breached, the framework offers two distinct paths to RCE.

The first exploit path leverages a SQL injection vulnerability identified as CVE-2025-61675. By injecting malicious SQL commands, an attacker can manipulate the database to insert a new job into the cron_job table, effectively scheduling the execution of arbitrary code.

Alternatively, the second module exploits CVE-2025-61678, an unrestricted file upload flaw present in the firmware upload function. This allows the attacker to upload a webshell directly to the server, granting immediate control.

A third auxiliary module in this set utilizes the same SQL injection flaw to simply create a rogue administrator account, demonstrating the versatility of the exploit chain.

Critical RCE in Cacti and SmarterMail

Beyond the VoIP sector, the update addresses severe flaws in monitoring and communication platforms. A new module targets Cacti, a popular network monitoring tool, specifically exploiting CVE-2025-24367.

This vulnerability affects versions prior to 1.2.29 and permits unauthenticated remote code execution via the graph template mechanism. Given Cacti’s widespread use in infrastructure monitoring, this module represents a high-priority test case for network administrators.

Simultaneously, the framework has added support for exploiting CVE-2025-52691 in SmarterTools SmarterMail. This unauthenticated file upload vulnerability relies on path traversal manipulation within the guid variable.

The module is notably versatile regarding the underlying operating system. If the target is running Windows, the exploit drops a webshell in the webroot directory. Conversely, if the target is a Linux environment, it achieves persistence and execution by creating a cron job in /etc/cron.d.

Persistence Tools and Core Fixes

The release also enhances post-exploitation capabilities with new persistence modules. A new Burp Suite extension persistence module allows attackers to install a malicious extension on both the Pro and Community versions, causing it to execute whenever the user launches the application. Additionally, the team has consolidated Windows and Linux SSH key persistence into a single, unified module to streamline operations.

On the maintenance front, several critical bugs were addressed. A formatting issue that prevented hash data from being compatible with the John the Ripper password cracker has been resolved.

Furthermore, a logic error in the SSH login scanner, which previously reported successful logins as failures when sessions could not be opened, has been fixed to ensure accurate reporting during engagements.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.