6841 matches found

Metasploit
added 2025/05/28 6:51 p.m. | 500 views

WordPress Depicter Plugin SQL Injection (CVE-2025-2011)

The Slider & Popup Builder by Depicter plugin for WordPress use auxiliary/gather/wpdepictersqlicve20252011 msf auxiliarywpdepictersqlicve20252011 show actions ...actions... msf auxiliarywpdepictersqlicve20252011 set ACTION msf auxiliarywpdepictersqlicve20252011 show options ...show and set...

7.5 CVSS | 7.9 AI score | 0.35077 EPSS
Exploits: 6

Metasploit
added 2025/05/21 6:53 p.m. | 581 views

Invision Community 5.0.6 customCss RCE

Invision Community up to and including version 5.0.6 contains a remote code execution vulnerability in the theme editor's customCss endpoint. By crafting a specially formatted content parameter with an expression="..." construct, arbitrary PHP can be evaluated. This module leverages that flaw to...

10 CVSS | 8.2 AI score | 0.78572 EPSS
Exploits: 6

Metasploit
added 2025/05/21 6:53 p.m. | 364 views

Clinic's Patient Management System 1.0 - Unauthenticated RCE

This module exploits an SQL injection in the login portal, which allows logging in as admin. Next, it allows the attacker to upload malicious files through user modification to achieve RCE. Module Options msf use exploit/multi/http/clinicpmssqlitorce msf exploitclinicpmssqlitorce show targets...

9.8 CVSS | 7.3 AI score | 0.19373 EPSS
Exploits: 8

Metasploit
added 2025/05/19 6:55 p.m. | 541 views

Samsung MagicINFO 9 Server Remote Code Execution (CVE-2024-7399)

Remote Code Execution in Samsung MagicINFO 9 Server use exploit/windows/http/magicinfotraversal msf exploitmagicinfotraversal show targets ...targets... msf exploitmagicinfotraversal set TARGET msf exploitmagicinfotraversal show options ...show and set options... msf exploitmagicinfotraversal...

9.8 CVSS | 9.6 AI score | 0.91941 EPSS
Exploits: 3

Metasploit
added 2025/05/16 6:51 p.m. | 390 views

Gather Ticket Granting Service (TGS) tickets for User Service Principal Names (SPN)

This module will try to find Service Principal Names that are associated with normal user accounts. Since normal accounts' passwords tend to be shorter than machine accounts, and knowing that a TGS request will encrypt the ticket with the account the SPN is running under, this could be used for a...

5.8 AI score
Exploits: 0

Metasploit
added 2025/05/15 6:53 p.m. | 508 views

Nextcloud Workflows Remote Code Execution

This module adds workflows as an authenticated user which can only be created by administrators by design. If the app "Nextcloud Workflow Script" is installed it is possible to generate a workflow that executes commands. Module Options msf use exploit/unix/webapp/nextcloudworkflowsrce msf...

9 CVSS | 8.4 AI score | 0.04176 EPSS
Exploits: 2

Metasploit
added 2025/05/15 6:53 p.m. | 788 views

Ivanti Connect Secure Unauthenticated Remote Code Execution via Stack-based Buffer Overflow

This module exploits a Stack-based Buffer Overflow vulnerability in Ivanti Connect Secure to achieve remote code execution CVE-2025-22457. Versions 22.7R2.5 and earlier are vulnerable. Note that Ivanti Pulse Connect Secure, Ivanti Policy Secure and ZTA gateways are also vulnerable but this module...

9.8 CVSS | 8.4 AI score | 0.99961 EPSS
Exploits: 7

Metasploit
added 2025/05/15 6:52 p.m. | 310 views

POWERCOM UPSMON PRO Path Traversal (CVE-2022-38120) and Credential Harvester (CVE-2022-38121)

This module exploits a path traversal vulnerability in UPSMON PRO use auxiliary/gather/upsmontraversal msf auxiliaryupsmontraversal show actions ...actions... msf auxiliaryupsmontraversal set ACTION msf auxiliaryupsmontraversal show options ...show and set options... msf auxiliaryupsmontraversal...

6.5 CVSS | 6.9 AI score | 0.05575 EPSS
Exploits: 1

Metasploit
added 2025/05/14 6:51 p.m. | 543 views

WP User Registration and Membership Unauthenticated Privilege Escalation (CVE-2025-2563)

Exploits CVE-2025-2563 in the WordPress User Registration & Membership plugin. 1 Registers a free-membership user via AJAX. 2 Elevates that user to administrator via the membership AJAX action. 3 Logs in, uploads & executes a PHP payload. Module Options msf use...

8.1 CVSS | 8.3 AI score | 0.44413 EPSS
Exploits: 7

Metasploit
added 2025/05/14 6:50 p.m. | 339 views

Car Rental System 1.0 File Upload RCE (Authenticated)

This module exploits an authenticated remote code execution vulnerability in the Online Car Rental System 1.0 via the changeimage1.php endpoint. An authenticated attacker can upload malicious PHP scripts without proper validation, enabling arbitrary code execution on the server. Module Options ms...

6.5 CVSS | 7.9 AI score | 0.02311 EPSS
Exploits: 3

Metasploit
added 2025/05/13 6:49 p.m. | 212 views

LINQPad Deserialization Exploit

This module exploits a bug in LINQPad up to version 5.52.00. The bug is only exploitable in the paid version of the software. The core of the bug is a cache file containing deserialized data, which an attacker can overwrite with a malicious payload. The data gets deserialized every time the app restarts. Module...

7.3 CVSS | 8 AI score | 0.00488 EPSS
Exploits: 5

Metasploit
added 2025/05/13 6:49 p.m. | 395 views

WordPress SureTriggers (aka OttoKit) Combined Auth Bypass (CVE-2025-3102, CVE-2025-27007)

Exploits two distinct authorization bypasses in SureTriggers/OttoKit plugin: - CVE-2025-3102: admin creation via St-Authorization Bearer empty - CVE-2025-27007: reset access key via connection endpoint & admin creation with Bearer header Module Options msf use...

9.8 CVSS | 8.1 AI score | 0.76198 EPSS
Exploits: 10

Metasploit
added 2025/05/06 6:54 p.m. | 273 views

SMB to HTTP relay version of Get NAA Creds

This module creates an SMB server and then relays the credentials passed to it to SCCM's HTTP server aka Management Point to gain an authenticated connection. Once authenticated it then attempts to retrieve the Network Access Accounts, if configured, from the SCCM server. This requires a computer...

5.8 AI score
Exploits: 0

Metasploit
added 2025/05/06 6:54 p.m. | 336 views

Sante PACS Server Path Traversal (CVE-2025-2264)

This module exploits a path traversal vulnerability CVE-2025-2264 in Sante PACS Server use auxiliary/gather/pacsservertraversal msf auxiliarypacsservertraversal show actions ...actions... msf auxiliarypacsservertraversal set ACTION msf auxiliarypacsservertraversal show options ...show and set...

7.5 CVSS | 7.4 AI score | 0.38656 EPSS
Exploits: 2

Metasploit
added 2025/05/02 6:53 p.m. | 492 views

Erlang OTP Pre-Auth RCE Scanner and Exploit

This module detects and exploits CVE-2025-32433, a pre-authentication vulnerability in Erlang-based SSH servers that allows remote command execution. By sending crafted SSH packets, it executes a payload to establish a reverse shell on the target system. The exploit leverages a flaw in the SSH...

10 CVSS | 8.2 AI score | 0.97673 EPSS
Exploits: 36

Metasploit
added 2025/05/02 6:53 p.m. | 432 views

OPNSense Login Scanner

This module performs login attempts against a Deciso B.V OPNSense router webpage to bruteforce possible credentials. Module Options msf use auxiliary/scanner/http/opnsenselogin msf auxiliaryopnsenselogin show actions ...actions... msf auxiliaryopnsenselogin set ACTION msf auxiliaryopnsenselogin...

5.5 AI score
Exploits: 0

Metasploit
added 2025/05/01 6:50 p.m. | 460 views

WonderCMS Remote Code Execution

This module exploits CVE-2023-41425, an authenticated file upload vulnerability affecting WonderCMS between 3.2.0 and 3.4.2. Module Options msf use exploit/multi/http/wondercmsrce msf exploitwondercmsrce show targets ...targets... msf exploitwondercmsrce set TARGET msf exploitwondercmsrce show...

6.1 CVSS | 6.3 AI score | 0.54305 EPSS
Exploits: 16

Metasploit
added 2025/05/01 6:50 p.m. | 621 views

Craft CMS Image Transform Preauth RCE (CVE-2025-32432)

This module exploits an unauthenticated remote code execution vulnerability in Craft CMS versions 3.x, 4.x, and 5.x use exploit/linux/http/craftcmspreauthrcecve202532432 msf exploitcraftcmspreauthrcecve202532432 show targets ...targets... msf exploitcraftcmspreauthrcecve202532432 set TARGET msf...

10 CVSS | 8.8 AI score | 0.99734 EPSS
Exploits: 14

Metasploit
added 2025/05/01 6:50 p.m. | 279 views

Microsoft Word UNC Path Injector

This module modifies a .docx file that will, upon opening, submit stored netNTLM credentials to a remote host. It can also create an empty docx file. If emailed the receiver needs to put the document in editing mode before the remote server will be contacted. Preview and read-only mode do not wor...

5.8 AI score
Exploits: 0

Metasploit
added 2025/05/01 6:50 p.m. | 472 views

LDAP Password Disclosure

This module will gather passwords and password hashes from a target LDAP server via multiple techniques including Windows LAPS. For best results, run with SSL because some attributes are only readable over encrypted connections. Module Options msf use auxiliary/gather/ldappasswords msf...

5.5 AI score
Exploits: 0

Metasploit
added 2025/04/23 6:50 p.m. | 350 views

BentoML's runner server RCE

There was an insecure deserialization in BentoML's runner server prior to version 1.4.8. By setting specific headers and parameters in the POST request, it is possible to execute unauthorized arbitrary code in the context of the user running the server, which will grant initial access and...

9.8 CVSS | 7.6 AI score | 0.43809 EPSS
Exploits: 4

Metasploit
added 2025/04/18 6:54 p.m. | 323 views

System V Derived /bin/login Extraneous Arguments Buffer Overflow

This exploit connects to a system's modem over dialup and exploits a buffer overflow vulnerability in its System V derived /bin/login. The vulnerability is triggered by providing a large number of arguments. Module Options msf use exploit/solaris/dialup/manyargs msf exploitmanyargs show targets...

10 CVSS | 6.1 AI score | 0.88726 EPSS
Exploits: 27

Metasploit
added 2025/04/16 6:52 p.m. | 341 views

BentoML RCE

A Remote Code Execution RCE vulnerability caused by insecure deserialization has been identified in v1.4.2 of BentoML. It allows any unauthenticated user to execute arbitrary code on the server. Module Options msf use exploit/linux/http/bentomlrcecve202527520 msf exploitbentomlrcecve202527520 sho...

9.8 CVSS | 8 AI score | 0.43672 EPSS
Exploits: 5

Metasploit
added 2025/04/14 6:52 p.m. | 344 views

Langflow AI RCE

Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code. Module Options msf use exploit/multi/http/langflowunauthrcecve20253248 msf...

9.8 CVSS | 8.6 AI score | 0.99959 EPSS
Exploits: 33

Metasploit
added 2025/04/11 6:54 p.m. | 916 views

pgAdmin Query Tool authenticated RCE (CVE-2025-2945)

This module exploits a vulnerability in pgAdmin where an authenticated user can establish a connection to the query tool and send a specific payload in the querycommited POST parameter. This payload is directly executed via a Python eval statement, resulting in remote code execution in versions...

9.9 CVSS | 8.1 AI score | 0.3842 EPSS
Exploits: 7

Metasploit
added 2025/04/08 6:54 p.m. | 569 views

Oracle Access Manager unauthenticated Remote Code Execution

This module exploits an unauthenticated deserialization of untrusted data vulnerability in the OpenSSO Agent component of the Oracle Access Manager OAM product. The affected product versions are 11.1.2.3.0, 12.2.1.3.0, and 12.2.1.4.0. Module Options msf use...

9.8 CVSS | 8.1 AI score | 0.96284 EPSS
Exploits: 5

Metasploit
added 2025/04/08 6:54 p.m. | 475 views

Pandora FMS authenticated command injection leading to RCE via chromium_path or phantomjs_bin

Pandora FMS is a monitoring solution that provides full observability for your organization's technology. This module exploits a command injection vulnerability in the chromium-path or phantomjs-bin directory setting at the application settings page of Pandora FMS. You need to have admin access at...

8.8 CVSS | 7.3 AI score | 0.59424 EPSS
Exploits: 2

Metasploit
added 2025/04/07 6:50 p.m. | 890 views

Appsmith RCE

An incorrectly configured PostgreSQL instance in the Appsmith image leads to remote command execution inside the Appsmith Docker container. Module Options msf use exploit/linux/http/appsmithrcecve202455964 msf exploitappsmithrcecve202455964 show targets ...targets... msf...

9.8 CVSS | 7.4 AI score | 0.25006 EPSS
Exploits: 5

Metasploit
added 2025/04/04 6:54 p.m. | 431 views

CrushFTP AWS4-HMAC Authentication Bypass

This module leverages an authentication bypass in CrushFTP 11 use auxiliary/gather/crushftpauthbypasscve20252825 msf auxiliarycrushftpauthbypasscve20252825 show actions ...actions... msf auxiliarycrushftpauthbypasscve20252825 set ACTION msf auxiliarycrushftpauthbypasscve20252825 show options...

9.8 CVSS | 7.5 AI score
Exploits: 8

Metasploit
added 2025/04/03 6:53 p.m. | 753 views

Tomcat Partial PUT Java Deserialization

This module exploits a Java deserialization vulnerability in Apache Tomcat's session restoration functionality that can be exploited with a partial HTTP PUT request to place an attacker controlled deserialization payload in the /webapps/ROOT/ directory. For the exploit to succeed, writes must be...

10 CVSS | 7.9 AI score | 0.99945 EPSS
Exploits: 46

Metasploit
added 2025/03/28 6:50 p.m. | 494 views

Sitecore CVE-2025-27218 BinaryFormatter Deserialization Exploit

This module exploits a .NET deserialization vulnerability in Sitecore Experience Manager XM and Experience Platform XP 10.4 by injecting a malicious Base64-encoded BinaryFormatter payload into an HTTP header. Module Options msf use exploit/windows/http/sitecorexpcve202527218 msf...

5.3 CVSS | 7.3 AI score | 0.6356 EPSS
Exploits: 4

Metasploit
added 2025/03/28 6:50 p.m. | 403 views

CmsMadeSimple Authenticated File Manager RCE

CMS Made Simple use exploit/multi/http/cmsmsfilemanagerauthrce msf exploitcmsmsfilemanagerauthrce show targets ...targets... msf exploitcmsmsfilemanagerauthrce set TARGET msf exploitcmsmsfilemanagerauthrce show options ...show and set options... msf exploitcmsmsfilemanagerauthrce exploit This...

8.8 CVSS | 8.3 AI score | 0.44811 EPSS
Exploits: 3

Metasploit
added 2025/03/28 6:50 p.m. | 705 views

pfSense Login Scanner

This module performs login attempts against a Netgate pfSense router webpage to bruteforce possible credentials. Module Options msf use auxiliary/scanner/http/pfsenselogin msf auxiliarypfsenselogin show actions ...actions... msf auxiliarypfsenselogin set ACTION msf auxiliarypfsenselogin show...

5.5 AI score
Exploits: 0

Metasploit
added 2025/03/27 6:50 p.m. | 486 views

SonicWall HTTP Login Scanner

This module adds HTTP Login scanning for SonicWall NSv. It allows scanning both admin and user accounts. Module Options msf use auxiliary/scanner/sonicwall/sonicwalllogin msf auxiliarysonicwalllogin show actions ...actions... msf auxiliarysonicwalllogin set ACTION msf auxiliarysonicwalllogin show...

5.8 AI score
Exploits: 0

Metasploit
added 2025/03/27 6:50 p.m. | 427 views

Ivanti Connect Secure HTTP Scanner

This module will perform authentication scanning against Ivanti Connect Secure. Module Options msf use auxiliary/scanner/ivanti/ivantilogin msf auxiliaryivantilogin show actions ...actions... msf auxiliaryivantilogin set ACTION msf auxiliaryivantilogin show options ...show and set options... msf...

5.8 AI score
Exploits: 0

Metasploit
added 2025/03/26 6:50 p.m. | 811 views

GLPI Inventory Plugin Unauthenticated Blind Boolean SQLi

GLPI use auxiliary/gather/glpiinventorypluginunauthsqli msf auxiliaryglpiinventorypluginunauthsqli show actions ...actions... msf auxiliaryglpiinventorypluginunauthsqli set ACTION msf auxiliaryglpiinventorypluginunauthsqli show options ...show and set options... msf...

9.8 CVSS | 6.4 AI score | 0.86182 EPSS
Exploits: 5

Metasploit
added 2025/03/25 6:53 p.m. | 405 views

Eramba (up to 3.19.1) Authenticated Remote Code Execution Module

This module exploits a remote code execution vulnerability in Eramba. An authenticated user can execute arbitrary commands on the server by exploiting the path parameter in the download-test-pdf endpoint. Eramba debug mode has to be enabled. Module Options msf use exploit/linux/http/erambarce msf...

8.8 CVSS | 9.2 AI score | 0.57359 EPSS
Exploits: 6

Metasploit
added 2025/03/21 6:50 p.m. | 634 views

Windows Cloud File Mini Filer Driver Heap Overflow

This module exploits the Windows Cloud Files Mini Filter Driver cldflt.sys on Windows workstation versions 101809 through 1123H2 and Windows server versions 2022 to 2223H2. Module Options msf use exploit/windows/local/cve202430085cloudfiles msf exploitcve202430085cloudfiles show targets...

7.8 CVSS | 8 AI score | 0.15127 EPSS
Exploits: 3

Metasploit
added 2025/03/17 6:52 p.m. | 390 views

Microsoft Windows SMB to LDAP Relay

This module supports running an SMB server which validates credentials, and then attempts to execute a relay attack against an LDAP server on the configured RHOSTS hosts. It is not possible to relay NTLMv2 to LDAP due to the Message Integrity Check MIC. As a result, this will only work with NTLMv...

5.9 AI score
Exploits: 0

Metasploit
added 2025/03/14 6:51 p.m. | 604 views

InvoiceShelf unauthenticated PHP Deserialization Vulnerability

InvoiceShelf is an open-source web & mobile app that helps you track expenses, payments, create professional invoices & estimates and is based on the PHP framework Laravel. InvoiceShelf has a Remote Code Execution vulnerability that allows remote unauthenticated attackers to conduct PHP...

9.8 CVSS | 8 AI score | 0.4356 EPSS
Exploits: 2

Metasploit
added 2025/03/05 6:57 p.m. | 148 views

SonicWall HTTP Login Scanner

This module adds HTTP Login scanning for SonicWall NSv. It allows scanning both admin and user accounts. Module Options msf use auxiliary/scanner/sonicwall/loginscanner msf auxiliaryloginscanner show actions ...actions... msf auxiliaryloginscanner set ACTION msf auxiliaryloginscanner show options...

7.1 AI score
Exploits: 0

Metasploit
added 2025/03/04 6:55 p.m. | 548 views

Get NAA Credentials

This module attempts to retrieve the Network Access Accounts, if configured, from the SCCM server. This requires a computer account, which can be added using the samraccount module. Module Options msf use auxiliary/admin/sccm/getnaacredentials msf auxiliarygetnaacredentials show actions...

5.8 AI score
Exploits: 0

Metasploit
added 2025/03/03 6:56 p.m. | 1146 views

D-Tale RCE

This exploit effectively serves as a bypass for CVE-2024-3408. An attacker can override global state to enable custom filters, which then facilitates remote code execution. Specifically, this vulnerability leverages the ability to manipulate global application settings to activate the...

9.8 CVSS | 9.1 AI score | 0.77951 EPSS
Exploits: 5

Metasploit
added 2025/02/25 6:53 p.m. | 562 views

Invoice Ninja unauthenticated PHP Deserialization Vulnerability

Invoice Ninja is a free invoicing software for small businesses, based on the PHP framework Laravel. A Remote Code Execution vulnerability in Invoice Ninja = 5.8.22 which accepts a Laravel ciphered value which is unsafe unserialized, if an attacker has access to the APPKEY. As it allows remote co...

8.8 CVSS | 7.8 AI score | 0.065 EPSS
Exploits: 5

Metasploit
added 2025/02/25 6:53 p.m. | 851 views

NetAlertX File Read Vulnerability

This module exploits improper authentication in the logs.php endpoint. An unauthenticated attacker can request a log file and read any file due to a path traversal vulnerability. Module Options msf use auxiliary/scanner/http/netalertxfileread msf auxiliarynetalertxfileread show actions ...actions... msf...

10 CVSS | 8.5 AI score | 0.50233 EPSS
Exploits: 5

Metasploit
added 2025/02/25 6:53 p.m. | 553 views

SimpleHelp Path Traversal Vulnerability CVE-2024-57727

There exists a path traversal vulnerability in the /toolbox-resource endpoint that enables unauthenticated remote attackers to download arbitrary files from the SimpleHelp server via crafted HTTP requests Module Options msf use auxiliary/scanner/http/simplehelptoolboxpathtraversal msf...

9.1 CVSS | 7.5 AI score | 0.95067 EPSS
Exploits: 2

Metasploit
added 2025/02/25 6:53 p.m. | 512 views

mySCADA myPRO Manager Credential Harvester (CVE-2025-24865 and CVE-2025-22896)

Credential Harvester in MyPRO Manager use auxiliary/admin/scada/mypromgrcreds msf auxiliarymypromgrcreds show actions ...actions... msf auxiliarymypromgrcreds set ACTION msf auxiliarymypromgrcreds show options ...show and set options... msf auxiliarymypromgrcreds run class MetasploitModule 'mySCA...

10 CVSS | 7.4 AI score | 0.06818 EPSS
Exploits: 1

Metasploit
added 2025/02/21 6:53 p.m. | 697 views

RaspberryMatic unauthenticated Remote Code Execution vulnerability through HMServer File Upload.

RaspberryMatic / OCCU contains an unauthenticated remote code execution RCE vulnerability, caused by multiple issues within the Java based HMIPServer.jar component. The webui allows for Firmware uploads which can be reached through the URL /pages/jpages/system/DeviceFirmware/addFirmware. This allo...

10 CVSS | 7.9 AI score | 0.08739 EPSS
Exploits: 4

Metasploit
added 2025/02/20 6:55 p.m. | 352 views

HTTPS Fetch, Linux dup2 Command Shell, Reverse TCP Stager

Fetch and execute an AARCH64 payload from an HTTPS server. dup2 socket in x12, then execve. Connect back to the attacker Module Options msf use payload/cmd/linux/https/aarch64/shell/reversetcp msf payloadreversetcp show actions ...actions... msf payloadreversetcp set ACTION msf payloadreversetcp...

7.2 AI score
Exploits: 0

Metasploit
added 2025/02/20 6:55 p.m. | 303 views

HTTP Fetch, Linux dup2 Command Shell, Reverse TCP Stager

Fetch and execute an ARMLE payload from an HTTP server. dup2 socket in r12, then execve. Connect back to the attacker Module Options msf use payload/cmd/linux/http/armle/shell/reversetcp msf payloadreversetcp show actions ...actions... msf payloadreversetcp set ACTION msf payloadreversetcp show...

7.2 AI score
Exploits: 0

Total number of security vulnerabilities: 6841