GeoServer WMS GetMap XXE Arbitrary File Read

This module exploits an XML External Entity XXE vulnerability in GeoServer via the WMS GetMap operation. The vulnerability allows reading arbitrary files from the server's file system by injecting an XXE entity in the SLD Styled Layer Descriptor. Affected versions: - GeoServer = 2.26.0, use...

Assistive Technologies Persistence

This module achieves persistence by registering a custom Assistive Technology AT in the Windows registry. Then it configures the system to launch the AT executable during user logon or desktop switch such as with an admin prived program. Requires Windows 8 or higher and administrative privileges...

HPE OneView unauthenticated RCE

This module exploits an unauthenticated RCE vulnerability, CVE-2025-37164, against Hewlett Packard Enterprise HPE OneView. All versions below 11.00 are vulnerable so long as the vendor supplied hotfix has not been applied, however some VM product versions do not enable the vulnerable "ID Pools"...

WordPress ACF Extended Unauthenticated RCE via prepare_form()

This module exploits an unauthenticated Remote Code Execution vulnerability in the Advanced Custom Fields: Extended ACF Extended WordPress plugin versions 0.9.0.5 through 0.9.1.1. The vulnerability exists in the prepareform function of the acfemoduleformfrontrender class, which accepts...

Grav CMS Twig SSTI Authenticated Sandbox Bypass RCE

This module exploits a Server-Side Template Injection SSTI vulnerability CVE-2025-66294 in Grav CMS that allows bypassing the Twig sandbox to achieve remote code execution. The cleanDangerousTwig method uses weak regex that fails to sanitize nested Twig calls within the evaluatetwig function. To...

N-able N-Central Authentication Bypass and XXE Scanner

This module scans for vulnerable N-able N-Central instances affected by CVE-2025-9316 Unauthenticated Session Bypass and CVE-2025-11700 XXE. The module attempts to exploit CVE-2025-9316 by sending a sessionHello SOAP request to the ServerMMS endpoint with various appliance IDs to obtain an...

Linux Reboot

A very small shellcode for rebooting the system using the reboot syscall. This payload is sometimes helpful for testing purposes. Requires CAPSYSBOOT privileges. Module Options msf use payload/linux/loongarch64/reboot msf payloadreboot show actions ...actions... msf payloadreboot set ACTION msf...

Simple

Simple NOP generator Module Options msf use nop/loongarch64/simple msf nopsimple show actions ...actions... msf nopsimple set ACTION msf nopsimple show options ...show and set options... msf nopsimple run This module requires Metasploit: https://metasploit.com/download Current source:...

WordPress King Addons for Elementor Unauthenticated Privilege Escalation to RCE

This module exploits an unauthenticated privilege escalation vulnerability in the WordPress King Addons for Elementor plugin versions 24.12.92 to 51.1.14. The vulnerability exists in the handleregisterajax function which allows unauthenticated attackers to specify the userrole parameter during...

Magento SessionReaper

This module exploits CVE-2025-54236 SessionReaper, a critical vulnerability in Magento/Adobe Commerce that allows unauthenticated remote code execution. The vulnerability stems from improper handling of nested deserialization in the payment method context, combined with an unauthenticated file...

TFTP Fetch, Linux Command Shell, Reverse TCP Inline

Fetch and execute an PPC payload from an TFTP server. Connect back to attacker and spawn a command shell Module Options msf use payload/cmd/linux/tftp/ppc/shellreversetcp msf payloadshellreversetcp show actions ...actions... msf payloadshellreversetcp set ACTION msf payloadshellreversetcp show...

HTTPS Fetch, Linux Command Shell, Find Port Inline

Fetch and execute an MIPSLE payload from an HTTPS server. Spawn a shell on an established connection Module Options msf use payload/cmd/linux/https/ppc/shellfindport msf payloadshellfindport show actions ...actions... msf payloadshellfindport set ACTION msf payloadshellfindport show options ...sh...

HTTP Fetch, Linux Command Shell, Reverse TCP Inline

Fetch and execute an PPC payload from an HTTP server. Connect back to attacker and spawn a command shell Module Options msf use payload/cmd/linux/http/ppc/shellreversetcp msf payloadshellreversetcp show actions ...actions... msf payloadshellreversetcp set ACTION msf payloadshellreversetcp show...

TFTP Fetch, Linux Command Shell, Bind TCP Inline

Fetch and execute an PPC payload from an TFTP server. Listen for a connection and spawn a command shell Module Options msf use payload/cmd/linux/tftp/ppc/shellbindtcp msf payloadshellbindtcp show actions ...actions... msf payloadshellbindtcp set ACTION msf payloadshellbindtcp show options ...show...

TFTP Fetch, Linux Command Shell, Find Port Inline

Fetch and execute an PPC payload from an TFTP server. Spawn a shell on an established connection Module Options msf use payload/cmd/linux/tftp/ppc/shellfindport msf payloadshellfindport show actions ...actions... msf payloadshellfindport set ACTION msf payloadshellfindport show options ...show an...

HTTPS Fetch, Linux Command Shell, Reverse TCP Inline

Fetch and execute an MIPSLE payload from an HTTPS server. Connect back to attacker and spawn a command shell Module Options msf use payload/cmd/linux/https/ppc/shellreversetcp msf payloadshellreversetcp show actions ...actions... msf payloadshellreversetcp set ACTION msf payloadshellreversetcp sh...

HTTP Fetch, Linux Command Shell, Bind TCP Inline

Fetch and execute an PPC payload from an HTTP server. Listen for a connection and spawn a command shell Module Options msf use payload/cmd/linux/http/ppc/shellbindtcp msf payloadshellbindtcp show actions ...actions... msf payloadshellbindtcp set ACTION msf payloadshellbindtcp show options ...show...

HTTPS Fetch, Linux Command Shell, Bind TCP Inline

Fetch and execute an MIPSLE payload from an HTTPS server. Listen for a connection and spawn a command shell Module Options msf use payload/cmd/linux/https/ppc/shellbindtcp msf payloadshellbindtcp show actions ...actions... msf payloadshellbindtcp set ACTION msf payloadshellbindtcp show options...

HTTP Fetch, Linux Command Shell, Find Port Inline

Fetch and execute an PPC payload from an HTTP server. Spawn a shell on an established connection Module Options msf use payload/cmd/linux/http/ppc/shellfindport msf payloadshellfindport show actions ...actions... msf payloadshellfindport set ACTION msf payloadshellfindport show options ...show an...

Unauthenticated RCE in React Server Components (React2Shell)

A critical unauthenticated Remote Code Execution RCE vulnerability exists in React Server Components RSC Flight protocol. The vulnerability allows attackers to achieve prototype pollution during deserialization of RSC payloads by sending specially crafted multipart requests with "proto",...

WordPress AI Engine Plugin MCP Unauthenticated Admin Creation to RCE

This module exploits an unauthenticated vulnerability in the WordPress AI Engine plugin versions use exploit/multi/http/wpaienginemcprce msf exploitwpaienginemcprce show targets ...targets... msf exploitwpaienginemcprce set TARGET msf exploitwpaienginemcprce show options ...show and set options...

Linux Command Shell, Reverse TCP Inline

Connect back to attacker and spawn a command shell. Module Options msf use payload/linux/riscv64le/shellreversetcp msf payloadshellreversetcp show actions ...actions... msf payloadshellreversetcp set ACTION msf payloadshellreversetcp show options ...show and set options... msf...

Linux Command Shell, Reverse TCP Inline

Connect back to attacker and spawn a command shell. Module Options msf use payload/linux/riscv32le/shellreversetcp msf payloadshellreversetcp show actions ...actions... msf payloadshellreversetcp set ACTION msf payloadshellreversetcp show options ...show and set options... msf...

Twonky Server Log Leak Authentication Bypass

This module leverages an authentication bypass in Twonky Server 8.5.2. By exploiting an authorization flaw to access a privileged web API endpoint and leak application logs, encrypted administrator credentials are leaked CVE-2025-13315. The exploit will then decrypt these credentials using...

Monsta FTP downloadFile Remote Code Execution

This module exploits a pre-authenticated remote code execution vulnerability in Monsta FTP versions use exploit/multi/http/monstaftpdownloadfilerce msf exploitmonstaftpdownloadfilerce show targets ...targets... msf exploitmonstaftpdownloadfilerce set TARGET msf exploitmonstaftpdownloadfilerce sho...

IGEL OS Dump File

Dump a file with escalated privileges for IGEL OS Workspace Edition sessions, by elevating rights with setupcmd SUID and outputting with date. Module Options msf use post/linux/gather/igeldumpfile msf postigeldumpfile show actions ...actions... msf postigeldumpfile set ACTION msf postigeldumpfile...

IGEL OS Privilege Escalation (via systemd service)

Escalate privileges for IGEL OS Workspace Edition sessions, by modifying network-manager.service using setupcmd SUID and network, then restarting the service. Module Options msf use exploit/linux/local/igelnetworkprivesc msf exploitigelnetworkprivesc show targets ...targets... msf...

IGEL OS Persistent Payload

Gain persistence for specified payload on IGEL OS Workspace Edition, by writing a payload to disk or base64-encoding and executing from registry. Module Options msf use exploit/linux/persistence/igelpersistence msf exploitigelpersistence show targets ...targets... msf exploitigelpersistence set...

Fortinet FortiWeb unauthenticated RCE

This exploit module exploits an authentication bypass via path traversal vulnerability in the Fortinet FortiWeb management interface to create a new local administrator user account. From there a command injection vulnerability is leveraged to achieve RCE with root privileges. The auth bypass...

Linux Chmod

Runs chmod on the specified file with specified mode. Module Options msf use payload/linux/riscv32le/chmod msf payloadchmod show actions ...actions... msf payloadchmod set ACTION msf payloadchmod show options ...show and set options... msf payloadchmod run This module requires Metasploit:...

Linux Chmod

Runs chmod on the specified file with specified mode. Module Options msf use payload/linux/riscv64le/chmod msf payloadchmod show actions ...actions... msf payloadchmod set ACTION msf payloadchmod show options ...show and set options... msf payloadchmod run This module requires Metasploit:...

Microsoft Windows SMB to MSSQL Relay

This module supports running an SMB server which validates credentials, and then attempts to execute a relay attack against an MSSQL server on the configured RHOSTS hosts. If the relay succeeds, an MSSQL session to the target will be created. This can be used by any modules that support MSSQL...

Notepad++ Plugin Persistence

This module create persistence by adding a malicious plugin to Notepad++, as it blindly loads and executes DLL from its plugin directory on startup, meaning that the payload will be executed every time Notepad++ is launched. Module Options msf use...

Flowise Custom MCP Remote Code Execution

This module exploits a remote code execution vulnerability in Flowise versions = 2.2.7-patch.1 and use exploit/multi/http/flowisecustommcprce msf exploitflowisecustommcprce show targets ...targets... msf exploitflowisecustommcprce set TARGET msf exploitflowisecustommcprce show options ...show and...

Flowise JS Injection RCE

This module exploits a remote code execution vulnerability in Flowise versions = 2.2.7-patch.1 and = 3.0.1, authentication via FLOWISEEMAIL and FLOWISEPASSWORD is required due to JWT token verification. Module Options msf use exploit/multi/http/flowisejsrce msf exploitflowisejsrce show targets...

Windows WSL via Registry Persistence

This module will install a payload in WSL and execute it at user logon or system startup via the registry value in "CurrentVersion\Run" or "RunOnce" depending on privilege and selected method. The payload will be installed completely in registry. Staged payloads, like fetch payloads in linux X64...

Windows Persistent Service Installer

This Module will generate and upload an executable to a remote host. It will create a new service which will start the payload whenever the service is running. Admin or system privilege is required. Module Options msf use exploit/windows/persistence/service msf exploitservice show targets...

Fortinet FortiWeb create new local admin

This auxiliary module exploits an authentication bypass via path traversal vulnerability in the Fortinet FortiWeb management interface to create a new local administrator user account. This vulnerability affects the following versions: FortiWeb 8.0.0 through 8.0.1 Patched in 8.0.2 and above...

Windows Server Update Service Deserialization Remote Code Execution

This module exploits deserialization vulnerability in legacy serialization mechanism in Windows Server Update Services WSUS. The vulnerability allows unauthenticated attacker to create specially crafted event, which triggers unsafe deserialization upon server synchronization. The module does not...

LINQPad Deserialization

This module exploits a bug in LIQPad up to version 5.48.00. The bug is only exploitable in paid version of software. The core of a bug is cache file containing deserialized data, which attacker can overwrite with malicious payload. The data gets deserialized every time the app restarts. Module...

Centreon authenticated command injection leading to RCE via broker engine "reload" parameter

Centreon is a platform designed to monitor your cloud and on-premises infrastructure. This module exploits an command injection vulnerability using the broker engine reload setting on the poller configuration page of the Centreon web application. Injecting a malcious payload at the broker engine...

Windows Persistent Task Scheduler

This module establishes persistence by creating a scheduled task to run a payload. Module Options msf use exploit/windows/persistence/taskscheduler msf exploittaskscheduler show targets ...targets... msf exploittaskscheduler set TARGET msf exploittaskscheduler show options ...show and set...

Service Upstart Persistence

This module will create a service on the box, and mark it for auto-restart. We need enough access to write service files and potentially restart services Targets: CentOS 6 Fedora = 9, = 9.10, use exploit/linux/persistence/initupstart msf exploitinitupstart show targets ...targets... msf...

Rootkit Privilege Escalation Signal Hunter

This module searches for rootkits which use signals to elevate process privileges to UID 0 root. Some rootkits install signal handlers which listen for specific signals to elevate process privileges. This module identifies these rootkits by sending signals and observing UID switching to root. Thi...

NCR Command Center Agent Remote Code Execution

CMCAgent in NCR Command Center Agent 16.3 on Aloha POS/BOH servers permits the submission of a runCommand parameter within an XML document sent to port 8089 that enables the remote, unauthenticated execution of an arbitrary command as SYSTEM, as exploited in the wild in 2020 and/or 2021. The...

Windows Persistent Startup Folder

This module establishes persistence by creating a payload in the user or system startup folder. Works on Vista and newer systems. Module Options msf use exploit/windows/persistence/startupfolder msf exploitstartupfolder show targets ...targets... msf exploitstartupfolder set TARGET msf...

Windows Registry Only Persistence

This module will install a payload that is executed during boot. It will be executed either at user logon or system startup via the registry value in "CurrentVersion\Run" or "RunOnce" depending on privilege and selected method. The payload will be installed completely in registry. Module Options...

Persistence Exploit Suggester

This module suggests persistence modules that can be used. The modules are suggested based on the architecture and platform that the user has a shell opened as well as the available exploits in meterpreter. It's important to note that not all modules will be checked. Exploits are chosen based on...

ReDoc API Docs UI Exposed

Detects publicly exposed ReDoc API documentation pages. The module performs safe, read-only GET requests and reports likely ReDoc instances based on HTML markers. Module Options msf use auxiliary/scanner/http/redocexposed msf auxiliaryredocexposed show actions ...actions... msf...

Remote Code Execution Vulnerability in Vvveb

Vvveb CMS is vulnerable to code injection via the Code Editor functionality. Unsanitized editing functionality allows attacker-controlled changes to existing files on the web-accessible filesystem, allowing remote authenticated attackers with access to the Code Editor to achieve code execution wh...