Multiple Brother devices authentication bypass via default administrator password generation
By leaking a target device's serial number, a remote attacker can generate the target device's default administrator password. The target device may leak its serial number via unauthenticated HTTP, HTTPS, IPP, SNMP, or PJL requests. Module Options msf use...
SugarCRM unauthenticated Remote Code Execution (RCE)
This module exploits CVE-2023-22952, a Remote Code Execution RCE vulnerability in SugarCRM 11.0 Enterprise, Professional, Sell, Serve, and Ultimate versions prior to 11.0.5 and SugarCRM 12.0 Enterprise, Sell, and Serve versions prior to 12.0.2. The vulnerability occurs due to a lack of appropriat...
Template Injection Vulnerability in Sawtooth Software's Lighthouse Studio (CVE-2025-34300)
This module exploits a template injection vulnerability in the Sawtooth Software Lighthouse Studio's ciwweb.pl web application. The application fails to properly sanitize user input within survey templates, allowing unauthenticated attackers to inject and execute arbitrary Perl commands on the...
Exim 4.87 - 4.91 Local Privilege Escalation
This module exploits a flaw in Exim versions 4.87 to 4.91 inclusive. Improper validation of the recipient address in the deliver_message function in /src/deliver.c may lead to command execution with root privileges (CVE-2019-10149). This module requires Metasploit: https://metasploit.com/download Current...
Judge0 sandbox escape
Judge0 does not account for symlinks placed inside the sandbox directory, which can be leveraged by an attacker to write to arbitrary files and gain code execution outside of the sandbox. Module Options msf use exploit/linux/http/judge0sandboxescapecve202428189 msf...
Docker cgroups Container Escape
This exploit module takes advantage of a Docker image which has either the privileged flag or the SYS_ADMIN Linux capability. If the host kernel is vulnerable, it's possible to escape the Docker image and achieve root on the host operating system. A vulnerability was found in the Linux kernel's...
WordPress Really Simple SSL Plugin Authentication Bypass to RCE
This module exploits an authentication bypass vulnerability in the WordPress Really Simple SSL plugin versions 9.0.0 to 9.1.1.1. The vulnerability allows bypassing two-factor authentication 2FA and uploading a plugin to achieve remote code execution RCE. Note: For the system to be vulnerable, 2FA...
pfSense Login Scanner
This module performs login attempts against a Netgate pfSense router webpage to bruteforce possible credentials. Module Options msf use auxiliary/scanner/http/pfsenselogin msf auxiliarypfsenselogin show actions ...actions... msf auxiliarypfsenselogin set ACTION msf auxiliarypfsenselogin show...
Active Directory Certificate Services (ADCS) privilege escalation (Certifried)
This module exploits a privilege escalation vulnerability in Active Directory Certificate Services ADCS to generate a valid certificate impersonating the Domain Controller DC computer account. This certificate is then used to authenticate to the target as the DC account using PKINIT...
PHP CGI Argument Injection Remote Code Execution
This module exploits a PHP CGI argument injection vulnerability affecting PHP in certain configurations on a Windows target. A vulnerable configuration is locale dependent, such as Chinese or Japanese, such that the Unicode best-fit conversion scheme will unexpectedly convert a soft hyphen 0xAD in...
Samba "username map script" Command Execution
This module exploits a command execution vulnerability in Samba versions 3.0.20 through 3.0.25rc3 when using the non-default "username map script" configuration option. By specifying a username containing shell meta characters, attackers can execute arbitrary commands. No authentication is needed...
RaspberryMatic unauthenticated Remote Code Execution vulnerability through HMServer File Upload.
RaspberryMatic / OCCU contains an unauthenticated remote code execution (RCE) vulnerability, caused by multiple issues within the Java based HMIPServer.jar component. The webui allows for firmware uploads which can be reached through the URL /pages/jpages/system/DeviceFirmware/addFirmware. This allo...
Apache Superset Signed Cookie RCE
Apache Superset versions use exploit/linux/http/apachesupersetcookiesigrce msf exploitapachesupersetcookiesigrce show targets ...targets... msf exploitapachesupersetcookiesigrce set TARGET msf exploitapachesupersetcookiesigrce show options ...show and set options... msf...
Commvault Command-Line Argument Injection to Traversal Remote Code Execution
This module exploits an unauthenticated remote code execution exploit chain for Commvault, tracked as CVE-2025-57790 and CVE-2025-57791. A command-line injection permits unauthenticated access to the 'localadmin' account, which then facilitates code execution via expression language injection...
Ubuntu needrestart Privilege Escalation
Local attackers can execute arbitrary code as root by tricking needrestart into running the Python interpreter with an attacker-controlled PYTHONPATH environment variable. Verified against Ubuntu 22.04 with needrestart 3.5-5ubuntu2.1. Attempted exploitation against Debian 12, exploitation failed...
Fortinet FortiWeb unauthenticated RCE
This exploit module exploits an authentication bypass via path traversal vulnerability in the Fortinet FortiWeb management interface to create a new local administrator user account. From there a command injection vulnerability is leveraged to achieve RCE with root privileges. The auth bypass...
Local Privilege Escalation via CVE-2023-0386
This exploit targets the Linux kernel bug in OverlayFS. A flaw was found in the Linux kernel, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel's OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another...
GitLab GitHub Repo Import Deserialization RCE
An authenticated user can import a repository from GitHub into GitLab. If a user attempts to import a repo from an attacker-controlled server, the server will reply with a Redis serialization protocol object in the nested default_branch. GitLab will cache this object and then deserialize it when...
Craft CMS unauthenticated Remote Code Execution (RCE)
This module exploits Remote Code Execution vulnerability CVE-2023-41892 in Craft CMS which is a popular content management system. Craft CMS versions between 4.0.0-RC1 - 4.4.14 are affected by this vulnerability allowing attackers to execute arbitrary code remotely, potentially compromising the...
Wing FTP Server NULL-byte Authentication Bypass (CVE-2025-47812)
Wing FTP Server allows arbitrary Lua code injection via a NULL-byte %00 truncation bug CVE-2025-47812. Supplying %00 as the username makes the C++ authentication routine validate only the prefix, while the full string is written unfiltered into the session file and later executed with root/SYSTEM...
Gather Dbeaver Passwords
This module will determine if Dbeaver is installed on the target system and, if it is, it will try to dump all saved session information from the target. The passwords for these saved sessions will then be decrypted where possible. Module Options msf use post/multi/gather/dbeaver msf postdbeaver...
HTTP Fetch, Windows shellcode stage, Windows x64 Reverse TCP Stager
Fetch and execute an x64 payload from an HTTP server. Custom shellcode stage. Connect back to the attacker Windows x64 Module Options msf use payload/cmd/windows/http/x64/custom/reversetcp msf payloadreversetcp show actions ...actions... msf payloadreversetcp set ACTION msf payloadreversetcp show...
WSO2 Arbitrary File Upload to RCE
This module abuses a vulnerability in certain WSO2 products that allow unrestricted file upload with resultant remote code execution. This affects WSO2 API Manager 2.2.0 and above through 4.0.0; WSO2 Identity Server 5.2.0 and above through 5.11.0; WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5....
Microsoft SharePoint Server ToolPane Unauthenticated Remote Code Execution (aka ToolShell)
This module exploits the authentication bypass vulnerabilities CVE-2025-49706 and CVE-2025-53771, and an unsafe deserialization vulnerability CVE-2025-49704, to achieve unauthenticated RCE against a vulnerable Microsoft SharePoint Server. The vulnerability CVE-2025-53770 was disclosed as being a...
Netlogon Weak Cryptographic Authentication
A vulnerability exists within the Netlogon authentication process where the security properties granted by AES are lost due to an implementation flaw related to the use of a static initialization vector IV. An attacker can leverage this flaw to target an Active Directory Domain Controller and mak...
Palo Alto Networks PAN-OS Unauthenticated Remote Code Execution
This module exploits two vulnerabilities in Palo Alto Networks PAN-OS that allow an unauthenticated attacker to create arbitrarily named files and execute shell commands. Configuration requirements are PAN-OS with GlobalProtect Gateway or GlobalProtect Portal enabled and telemetry collection on...
VMware vCenter Server Unauthenticated JNDI Injection RCE (via Log4Shell)
VMware vCenter Server is affected by the Log4Shell vulnerability, whereby a JNDI string can be sent to the server that will cause it to connect to the attacker and deserialize a malicious Java object. This results in OS command execution in the context of the root user in the case of the Linux virtua...
WordPress WP Time Capsule Arbitrary File Upload to RCE
This module exploits an arbitrary file upload vulnerability in the WordPress WP Time Capsule plugin versions use exploit/multi/http/wptimecapsulefileuploadrce msf exploitwptimecapsulefileuploadrce show targets ...targets... msf exploitwptimecapsulefileuploadrce set TARGET msf...
Adobe ColdFusion Unauthenticated Remote Code Execution
This module exploits a remote unauthenticated deserialization of untrusted data vulnerability in Adobe ColdFusion 2021 Update 5 and earlier as well as ColdFusion 2018 Update 15 and earlier, in order to gain remote code execution. Module Options msf use...
Delinea Thycotic Secret Server Dump
This module exports and decrypts Secret Server credentials to a CSV file; it is intended as a post-exploitation module for Windows hosts with Delinea/Thycotic Secret Server installed. Master Encryption Key MEK and associated IV values are decrypted from encryption.config using a static key baked...
Magento SessionReaper
This module exploits CVE-2025-54236 SessionReaper, a critical vulnerability in Magento/Adobe Commerce that allows unauthenticated remote code execution. The vulnerability stems from improper handling of nested deserialization in the payment method context, combined with an unauthenticated file...
PivotX Remote Code Execution
This module gains remote code execution in the PivotX management system. PivotX allows an admin user to directly edit files on the webserver, including PHP files. The module exploits this by writing a malicious payload into the index.php file, gaining remote code execution. Module Options msf use...
GiveWP Unauthenticated Donation Process Exploit
The GiveWP Donation Plugin and Fundraising Platform for WordPress, in all versions up to and including 3.16.1, is vulnerable to a PHP Object Injection POI attack that allows unauthenticated arbitrary code execution. Although a patch was introduced in version 3.14.2, it was incorrect and can be...
F5 BIG-IP TMUI AJP Smuggling RCE
This module exploits a flaw in F5's BIG-IP Traffic Management User Interface TMUI that enables an external, unauthenticated attacker to create an administrative user. Once the user is created, the module uses the new account to execute a command payload. Both the exploit and check methods...
Splunk Authenticated XSLT Upload RCE
This Metasploit module exploits a Remote Code Execution RCE vulnerability in Splunk Enterprise. The affected versions include 9.0.x before 9.0.7 and 9.1.x before 9.1.2. The exploitation process leverages a weakness in the XSLT transformation functionality of Splunk. Successful exploitation requir...
Sudo Chroot 1.9.17 Privilege Escalation
Sudo before version 1.19.17p1 allows a user to use the chroot option when executing a command. The option is intended to run a command with a user-selected root directory if the sudoers file allows it. A change in version 1.9.14 allows resolving paths via chroot using a user-specified root directory when sudoers i...
Pentaho Business Server Auth Bypass and Server Side Template Injection RCE
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x is vulnerable to an authentication bypass CVE-2022-43939 and a Server Side Template Injection SSTI vulnerability CVE-2022-43769 that can be chained together to achieve unauthenticated code...
Aerospike Database UDF Lua Code Execution
Aerospike Database versions before 5.1.0.3 permitted user-defined functions UDF to call the os.execute Lua function. This module creates a UDF utilising this function to execute arbitrary operating system commands with the privileges of the user running the Aerospike service. This module does not...
WSO2 API Manager Documentation File Upload Remote Code Execution
A vulnerability in the 'Add API Documentation' feature allows malicious users with specific permissions /permission/admin/login and /permission/admin/manage/api/publish to upload arbitrary files to a user-controlled server location. This flaw could be exploited to execute remote code, enabling an...
Unauthenticated RCE in React Server Components (React2Shell)
A critical unauthenticated Remote Code Execution RCE vulnerability exists in React Server Components RSC Flight protocol. The vulnerability allows attackers to achieve prototype pollution during deserialization of RSC payloads by sending specially crafted multipart requests with "proto",...
HTTP Fetch
Fetch and execute an x64 payload from an HTTP server. Module Options msf use payload/cmd/windows/http/x64/downloadexec msf payloaddownloadexec show actions ...actions... msf payloaddownloadexec set ACTION msf payloaddownloadexec show options ...show and set options... msf payloaddownloadexec run...
PHP Exec, PHP Execute Command
Execute a PHP payload as an OS command from a POSIX-compatible shell. Execute a single system command Module Options msf use payload/cmd/unix/php/exec msf payloadexec show actions ...actions... msf payloadexec set ACTION msf payloadexec show options ...show and set options... msf payloadexec run...
ManageEngine ADManager Plus ChangePasswordAction Authenticated Command Injection
ManageEngine ADManager Plus prior to build 7181 is vulnerable to an authenticated command injection due to insufficient validation of user input when performing the ChangePasswordAction function before passing it into a string that is later used as an OS command to execute. By making a POST reque...
Apache Couchdb Erlang RCE
In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges. Module Options msf use exploit/multi/http/apachecouchdberlangrce msf exploitapachecouchdberlangrce show targets ...targets... msf...
ConnectWise ScreenConnect Unauthenticated Remote Code Execution
This module exploits an authentication bypass vulnerability that allows an unauthenticated attacker to create a new administrator user account on a vulnerable ConnectWise ScreenConnect server. The attacker can leverage this to achieve RCE by uploading a malicious extension module. All versions of...
runc (docker) File Descriptor Leak Privilege Escalation
All versions of runc use exploit/linux/local/runccwdprivesc msf exploitrunccwdprivesc show targets ...targets... msf exploitrunccwdprivesc set TARGET msf exploitrunccwdprivesc show options ...show and set options... msf exploitrunccwdprivesc exploit This module requires Metasploit:...
CrushFTP Unauthenticated RCE
This exploit module leverages an Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability CVE-2023-43177 to achieve unauthenticated remote code execution. This affects CrushFTP versions prior to 10.5.1. It is possible to set some user's session properties by...
APISIX Admin API default access token RCE
Apache APISIX has a default, built-in API token edd1c9f034335f136f87ad84b625c8f1 that can be used to access all of the admin API, which leads to remote Lua code execution through the script parameter added in the 2.x version. This module also leverages another vulnerability to bypass the IP...
Hikvision IP Camera Unauthenticated Command Injection
This module exploits an unauthenticated command injection in a variety of Hikvision IP cameras CVE-2021-36260. The module inserts a command into an XML payload used with an HTTP PUT request sent to the /SDK/webLanguage endpoint, resulting in command execution as the root user. This module...
Service SystemD Persistence
This module will create a service on the box, and mark it for auto-restart. We need enough access to write service files and potentially restart services Targets: CentOS 7 Debian = 7, = 15 Ubuntu = 15.04 Verified on Ubuntu 18.04.3 Module Options msf use exploit/linux/persistence/initsystemd msf...