Metasploit Releases 7 New Exploit Modules covering FreePBX, Cacti and SmarterMail

The latest update to the Metasploit Framework this week provides a significant enhancement for penetration testers and red teamers, introducing seven new exploit modules targeting commonly used enterprise software.

The highlight of this release is a sophisticated trio of modules directed at FreePBX, alongside critical remote code execution (RCE) capabilities for Cacti and SmarterMail.

This update underscores the continued risk posed by chaining authentication bypass flaws with secondary vulnerabilities to achieve full system compromise.

FreePBX Vulnerability Chaining

The most significant addition to the framework involves three distinct modules targeting FreePBX, an open-source GUI that controls Asterisk (PBX). Researchers Noah King and msutovsky-r7 have developed a method to chain multiple vulnerabilities to escalate privileges from an unauthenticated state to remote code execution.

The attack chain begins with CVE-2025-66039, an authentication bypass vulnerability that allows unauthorized actors to circumvent login protocols. Once the authentication barrier is breached, the framework offers two distinct paths to RCE.

The first exploit path leverages a SQL injection vulnerability identified as CVE-2025-61675. By injecting malicious SQL commands, an attacker can manipulate the database to insert a new job into the cron_job table, effectively scheduling the execution of arbitrary code.

Alternatively, the second module exploits CVE-2025-61678, an unrestricted file upload flaw present in the firmware upload function. This allows the attacker to upload a webshell directly to the server, granting immediate control.

A third auxiliary module in this set utilizes the same SQL injection flaw to simply create a rogue administrator account, demonstrating the versatility of the exploit chain.

Critical RCE in Cacti and SmarterMail

Beyond the VoIP sector, the update addresses severe flaws in monitoring and communication platforms. A new module targets Cacti, a popular network monitoring tool, specifically exploiting CVE-2025-24367.

This vulnerability affects versions prior to 1.2.29 and permits unauthenticated remote code execution via the graph template mechanism. Given Cacti’s widespread use in infrastructure monitoring, this module represents a high-priority test case for network administrators.

Simultaneously, the framework has added support for exploiting CVE-2025-52691 in SmarterTools SmarterMail. This unauthenticated file upload vulnerability relies on path traversal manipulation within the guid variable.

The module is notably versatile regarding the underlying operating system. If the target is running Windows, the exploit drops a webshell in the webroot directory. Conversely, if the target is a Linux environment, it achieves persistence and execution by creating a cron job in /etc/cron.d.

The release also enhances post-exploitation capabilities with new persistence modules. A new Burp Suite extension persistence module allows attackers to install a malicious extension on both the Pro and Community versions, causing it to execute whenever the user launches the application. Additionally, the team has consolidated Windows and Linux SSH key persistence into a single, unified module to streamline operations.

On the maintenance front, several critical bugs were addressed. A formatting issue that prevented hash data from being compatible with the John the Ripper password cracker has been resolved.

Furthermore, a logic error in the SSH login scanner, which previously reported successful logins as failures when sessions could not be opened, has been fixed to ensure accurate reporting during engagements.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.