A significant Metasploit Framework update (version 6.4.111) features seven new exploit modules that target critical vulnerabilities across widely deployed enterprise systems.
This release demonstrates the increasing sophistication of attack chains leveraging authentication bypass vulnerabilities chained with subsequent code execution techniques.
FreePBX Vulnerability Chain Takes Center Stage
Rapid7 introduces three specialized modules targeting FreePBX, a popular open-source IP PBX system used by enterprises for telephony infrastructure.
These modules exploit a critical authentication bypass vulnerability (CVE-2025-66039) as an entry point, which unauthenticated attackers can leverage to interact with the system without credentials.
From this initial foothold, threat actors can execute two distinct attack paths. The first chains the authentication bypass with a SQL injection vulnerability (CVE-2025-61675) to inject malicious cron jobs into the database, achieving remote code execution.
The second path leverages an unrestricted file upload vulnerability (CVE-2025-61678) within the firmware upload functionality to deploy webshells directly to the webserver.
Additionally, an auxiliary module enables attackers to create administrative database accounts by combining the same authentication bypass with the SQL injection flaw.
Beyond FreePBX, the update adds modules for critical vulnerabilities in other enterprise systems. A new Cacti exploit module targets CVE-2025-24367, an unauthenticated remote code execution flaw affecting Cacti versions prior to 1.2.29.
Cacti, widely used for network monitoring and graphing, represents significant exposure for infrastructure-dependent organizations.
SmarterTools SmarterMail users face threats from CVE-2025-52691, an unauthenticated file upload vulnerability exploitable through path traversal via the guid parameter.
| Module Name | CVE | Vulnerability Type | Impact |
|---|---|---|---|
| FreePBX Custom Extension SQLi to RCE | CVE-2025-61675 | Auth Bypass + SQLi | Remote Code Execution |
| FreePBX Firmware File Upload | CVE-2025-61678 | Auth Bypass + File Upload | Remote Code Execution |
| FreePBX Custom Extension Injection | CVE-2025-61675 | Auth Bypass + SQLi | Administrative Access |
| Cacti Graph Template RCE | CVE-2025-24367 | Unauthenticated RCE | Remote Code Execution |
| SmarterMail GUID File Upload | CVE-2025-52691 | Path Traversal + File Upload | Remote Code Execution |
| BurpSuite Extension Persistence | N/A | Malicious Extension | Persistent Access |
| SSH Key Persistence | N/A | Key Generation | Persistent Access |
The Metasploit module adapts its payload delivery based on the target operating system, deploying webshells on Windows systems or establishing persistence through cron jobs on Linux systems.
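The flaw class described above for CVE-2025-52691, a request-supplied guid value reaching a filesystem path, is closed by parsing the value as a GUID before it is used. The following is an added example, not SmarterMail or Metasploit code; the function names, the `/srv/uploads` directory and the sample values are assumptions constructed for illustration.

```python
import re
import uuid
from pathlib import Path

UPLOAD_ROOT = Path("/srv/uploads")  # assumed upload directory for this example
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}")


class RejectedUpload(ValueError):
    """The request tried to name a location the server did not choose."""


def naive_upload_path(guid: str, filename: str) -> Path:
    # Weak form: the request-supplied guid is used as a directory name as-is,
    # so "../" sequences in it walk out of UPLOAD_ROOT.
    return UPLOAD_ROOT / guid / filename


def canonical_guid(value: str) -> str:
    # uuid.UUID() also accepts braces, "urn:uuid:" prefixes and bare hex,
    # so compare the input against the canonical 8-4-4-4-12 form it prints.
    try:
        parsed = str(uuid.UUID(value))
    except (ValueError, TypeError, AttributeError) as exc:
        raise RejectedUpload("guid is not a GUID") from exc
    if value.lower() != parsed:
        raise RejectedUpload("guid is not in canonical form")
    return parsed


def safe_upload_path(guid: str, filename: str) -> Path:
    if not SAFE_NAME.fullmatch(filename):
        raise RejectedUpload("filename contains disallowed characters")
    root = UPLOAD_ROOT.resolve()
    target = (root / canonical_guid(guid) / filename).resolve()
    # Defence in depth: the resolved target must still sit under the root.
    if root not in target.parents:
        raise RejectedUpload("resolved path escapes the upload root")
    return target


if __name__ == "__main__":
    # Constructed sample values: one traversal string, one well-formed GUID.
    for guid in ("../../outside", "3f2b8c1e-7a4d-4e9b-9c0a-5d6e7f8a9b0c"):
        print("naive:", naive_upload_path(guid, "report.txt"))
        try:
            print("safe: ", safe_upload_path(guid, "report.txt"))
        except RejectedUpload as err:
            print("safe:  rejected,", err)
```
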
Persistence and Post-Exploitation Capabilities
Two new persistence modules extend post-exploitation capabilities. The BurpSuite persistence module injects malicious extensions into both Pro and Community editions, maintaining access whenever the application launches.
An SSH key persistence module consolidates Windows and Linux SSH key generation techniques, enabling long-term backdoor access across diverse infrastructure environments.
Organizations deploying FreePBX, Cacti, or SmarterMail systems should prioritize security assessments and implement the latest patches.
System administrators can access updated Metasploit Framework modules through msfupdate or by cloning the master branch from the GitHub repository.
The comprehensive nature of these exploit modules underscores the critical importance of maintaining current vulnerability patching protocols across enterprise infrastructure.
