Metasploit Wrap-Up 05/15/2026


Weaponizing a text editor for fun and profit

Gather round, dear readers, because today, we (by we, we mean @h00die) dropped the ultimate persistence mechanism: Vim plugin persistence. And honestly, calling it “persistence” feels redundant — Vim is already the most persistent thing ever. Somewhere, somehow, there will still be a Vim session open since 2011, because no one has figured out how to close it. So we are not so much establishing a foothold here as we are joining an existing hostage situation.

Elsewhere this week, Marvell’s QConvergeConsole has been caught handing arbitrary files to unauthenticated visitors, as is tradition (CVE-2025-6793); GestioIP 3.5.7 ships an upload handler so trusting that it will cheerfully let an admin overwrite the handler itself with a backdoor and then dutifully execute it (CVE-2024-48760). And of course, we can’t forget about Dolibarr ERP/CRM, which blocks PHP injections by checking — and we cannot stress this enough — by searching for string

New module content (4)

Marvell QConvergeConsole Path Traversal (CVE-2025-6793)

Authors: Michael Heinzl and rgod

Type: Auxiliary

Pull request: #21322 contributed by h4x-x0r

Path: gather/qconvergeconsole_traversal

ZDI reference: ZDI-25-450

Description: This adds a new auxiliary module that exploits a path traversal vulnerability (CVE-2025-6793) in Marvell QConvergeConsole to read arbitrary files from the target host. Marvell QConvergeConsole versions 5.5.0.85 and earlier are vulnerable, and no authentication is required to exploit the issue.

VIM Plugin Persistence

Author: h00die

Type: Exploit

Pull request: #21206 contributed by h00die

Path: linux/persistence/vim_plugin

Description: This adds a new Linux persistence module, which establishes persistence by writing a Vim plugin to the target user’s ~/.vim/plugin/ directory. The next time that user launches Vim, the plugin executes the configured payload and opens a new session as that user.
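The flip side of this module is knowing what to look for on a host. The scanner below is an added example, not the module's code or anything from the Metasploit project: it walks the directories Vim sources automatically at startup (~/.vim/plugin, ~/.vim/autoload, ~/.vim/after/plugin) and flags plugins that shell out or hook VimEnter. The two sample plugins and the throwaway home directory in demo() are constructed for the demonstration; the pattern names are this example's own.

```python
# Added example (not the Metasploit module's code): a defender-side scan of
# the Vim plugin directories that are auto-sourced at startup, flagging
# plugins that run shell commands or hook VimEnter. The two sample plugins
# below are constructed for the demo.
import re
import tempfile
from pathlib import Path

# Patterns that are legitimate in many plugins, but worth a look in a plugin
# that appeared recently, is owned by the wrong user, or has no other purpose.
SUSPICIOUS = {
    "shell_system": re.compile(r"\bsystem\s*\(", re.I),
    "shell_bang":   re.compile(r"^\s*:?\s*(silent!?\s+)?!", re.M),
    "async_job":    re.compile(r"\b(job_start|jobstart|termopen)\s*\(", re.I),
    "startup_hook": re.compile(r"\bautocmd\s+VimEnter\b", re.I),
    "python_exec":  re.compile(r"^\s*(py3?|python3?)\s", re.M),
}

# Constructed sample: a harmless key-mapping plugin.
BENIGN = '''" constructed sample: key mappings only
if exists('g:loaded_demo_keys') | finish | endif
let g:loaded_demo_keys = 1
nnoremap <leader>w :w<CR>
'''

# Constructed sample: shells out every time Vim starts, which is the shape of
# the behaviour the persistence module relies on.
SUSPECT = '''" constructed sample: runs a command on every start
autocmd VimEnter * call system('echo placeholder-command')
'''


def scan_text(text: str) -> list[str]:
    """Return the names of the suspicious patterns present in a plugin body."""
    return [name for name, rx in SUSPICIOUS.items() if rx.search(text)]


def scan_plugin_dirs(home: Path) -> dict[str, list[str]]:
    """Walk the directories Vim sources automatically and return {path: hits}."""
    findings: dict[str, list[str]] = {}
    for sub in ("plugin", "autoload", "after/plugin"):
        d = home / ".vim" / sub
        if not d.is_dir():
            continue
        for f in sorted(d.rglob("*.vim")):
            hits = scan_text(f.read_text(errors="replace"))
            if hits:
                findings[str(f)] = hits
    return findings


def demo() -> dict[str, list[str]]:
    """Build a throwaway home directory holding both samples and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        plugin_dir = home / ".vim" / "plugin"
        plugin_dir.mkdir(parents=True)
        (plugin_dir / "keys.vim").write_text(BENIGN)
        (plugin_dir / "startup.vim").write_text(SUSPECT)
        # Report by file name only, so the result does not depend on the temp path.
        return {Path(p).name: hits for p, hits in scan_plugin_dirs(home).items()}


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {', '.join(hits)}")
```

Run against a real account by calling scan_plugin_dirs(Path.home()). Hits are leads, not verdicts: plenty of legitimate plugins call system(), so pair the output with file mtimes and ownership, and compare against the package-managed plugin set the user actually installed.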

GestioIP 3.5.7 Remote Command Execution

Authors: maxibelino and odeez24

Type: Exploit

Pull request: #21041 contributed by Odeez24

Path: multi/http/gestioip_rce

AttackerKB reference: CVE-2024-48760

Description: This adds an exploit module for an authenticated remote code execution vulnerability in GestioIP 3.5.7 (CVE-2024-48760). An attacker with admin credentials can abuse the unsafe upload handler at /api/upload.cgi to overwrite the script itself with a backdoor, which is then invoked to execute attacker-supplied commands.
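The QConvergeConsole and GestioIP entries above describe the absence of two server-side checks: a file read that can be steered outside its document root, and an upload handler that will overwrite the script serving it. The code below is an added example and is not code from either product or from the Metasploit modules; it shows both checks in one place. ALLOWED_UPLOAD_EXT, the random server-chosen file name, and the directory layout built in demo() are this example's own assumptions.

```python
# Added example (not code from QConvergeConsole, GestioIP or the Metasploit
# modules): the two server-side checks whose absence the two advisories above
# describe. read_file() cannot be steered outside its document root, and
# store_upload() cannot overwrite an existing file, least of all the upload
# script itself. The directory layout in demo() is constructed for the demo.
import os
import secrets
import tempfile
from pathlib import Path

# Data formats only; executable or script types never get stored.
ALLOWED_UPLOAD_EXT = {".csv", ".txt", ".png"}


class PathViolation(ValueError):
    """Raised when a client-controlled name points outside the intended directory."""


def safe_resolve(root: Path, requested: str) -> Path:
    """Map a client-supplied path onto root, refusing anything that resolves
    outside it: ../ segments, absolute paths, and symlinks that point out."""
    root = root.resolve()
    candidate = (root / requested).resolve()  # an absolute `requested` replaces root here
    if os.path.commonpath([root, candidate]) != str(root):
        raise PathViolation(f"{requested!r} escapes {root}")
    return candidate


def read_file(root: Path, requested: str) -> bytes:
    """Serve a file from root, or raise PathViolation / FileNotFoundError."""
    path = safe_resolve(root, requested)
    if not path.is_file():
        raise FileNotFoundError(requested)
    return path.read_bytes()


def store_upload(upload_dir: Path, client_name: str, data: bytes) -> Path:
    """Save an upload under a server-chosen name in a data-only directory.
    The client's name contributes only its extension, so it can never select
    an existing file to overwrite, and O_EXCL refuses to replace one anyway."""
    ext = Path(client_name).suffix.lower()
    if ext not in ALLOWED_UPLOAD_EXT:
        raise PathViolation(f"extension {ext!r} not allowed")
    upload_dir = upload_dir.resolve()
    upload_dir.mkdir(parents=True, exist_ok=True)
    dest = upload_dir / f"{secrets.token_hex(8)}{ext}"
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


def demo() -> dict:
    """Exercise both checks against a throwaway directory tree."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "www").mkdir()
        (root / "www" / "index.html").write_text("<h1>hi</h1>")
        (root / "secret.txt").write_text("outside the web root")
        (root / "cgi").mkdir()
        (root / "cgi" / "upload.cgi").write_text("#!/bin/sh\n")

        out["normal_read"] = read_file(root / "www", "index.html")
        try:
            read_file(root / "www", "../secret.txt")
            out["traversal_read"] = "allowed"
        except PathViolation:
            out["traversal_read"] = "blocked"

        # An upload that names the handler script is refused on extension alone.
        try:
            store_upload(root / "uploads", "upload.cgi", b"not a script")
            out["script_upload"] = "allowed"
        except PathViolation:
            out["script_upload"] = "blocked"

        # A traversal-shaped name still lands in uploads/ under a random name.
        saved = store_upload(root / "uploads", "../cgi/report.csv", b"a,b\n")
        out["saved_in_uploads"] = saved.parent == (root / "uploads").resolve()
        out["script_intact"] = (root / "cgi" / "upload.cgi").read_text() == "#!/bin/sh\n"
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The comparison in safe_resolve uses commonpath rather than a string prefix test, so a root of /srv/www does not accidentally admit /srv/www2. The upload side never uses the client's name as a path at all: extension allow-list, server-generated name, separate data directory, and O_EXCL each independently stop the "overwrite the handler, then call it" chain.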

Dolibarr ERP/CRM Authenticated Code Injection

Authors: Emanuele Cervelli and Tinexta Cyber Offensive Security Team

Type: Exploit

Pull request: #21362 contributed by M4nu02

Path: unix/http/dolibarr_cms_rce_cve_2023_30253

AttackerKB reference: CVE-2023-30253

Description: This adds a new exploit module for Dolibarr ERP/CRM (CVE-2023-30253), an authenticated PHP code injection vulnerability affecting versions before 17.0.1. The module abuses the Website module to inject a payload that bypasses Dolibarr’s PHP tag filter by using uppercase 
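The filter weakness described here is a general one: PHP keywords, including the open tag, are case-insensitive, so a lowercase-only string search passes `<?PHP` through. The following is an added example, not Dolibarr's code, putting the naive check beside one that covers every spelling of the open tag; the sample inputs are constructed.

```python
# Added example (not Dolibarr's code): a case-sensitive string search is
# not a filter for PHP open tags, because PHP treats `<?PHP` exactly like
# `<?php`. The inputs in SAMPLES are constructed for the demo.
import re


def naive_filter(content: str) -> bool:
    """A lowercase-only string search; returns True when content is deemed clean."""
    return "<?php" not in content


# Every way PHP will open a code block: `<?php` in any letter case, the short
# echo tag `<?=`, and the bare short tag `<?` followed by whitespace (active
# when short_open_tag is on, so a filter should not assume it is off).
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=|\s)", re.IGNORECASE)


def strict_filter(content: str) -> bool:
    """Returns True only when no PHP open tag appears in any form."""
    return PHP_OPEN_TAG.search(content) is None


SAMPLES = {
    "lowercase":  "<?php echo 'x'; ?>",
    "uppercase":  "<?PHP echo 'x'; ?>",
    "short_echo": "<?= 'x' ?>",
    "short_tag":  "<? echo 'x'; ?>",
    "plain_html": "<p>x</p>",
}


def compare() -> dict[str, tuple[bool, bool]]:
    """(naive verdict, strict verdict) per sample; True means 'allowed through'."""
    return {name: (naive_filter(s), strict_filter(s)) for name, s in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, strict) in compare().items():
        print(f"{name:11s} naive={'pass' if naive else 'block'} strict={'pass' if strict else 'block'}")
```

Even the strict version is a deny-list, and deny-lists on syntax are a stopgap. The durable fix for a feature that stores user-authored page content is to never hand that content to the PHP interpreter, rendering it as data instead; the regex then becomes a detection signal for content that should not have been submitted, not the security boundary.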

Enhancements and features (1)

  • #20617 from Aaditya1273 – Adds an OptArray datastore option type to the framework. Previously, multi-valued datastore options were usually entered as comma-separated strings; Metasploit developers now have the option of using OptArray instead.

Bugs fixed (0)

None

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.
