This week's update to the Metasploit Framework is a noteworthy one for penetration testers and red team practitioners, adding seven new exploit modules aimed at widely used enterprise applications.
The centerpiece of the release is a trio of modules targeting FreePBX, alongside remote code execution (RCE) modules for Cacti and SmarterMail.
The release highlights the ongoing danger of chaining authentication bypass vulnerabilities with secondary flaws to achieve complete system takeover.
FreePBX Vulnerability Chaining
The most notable addition to the framework is a set of three separate modules targeting FreePBX, an open-source graphical interface for managing Asterisk (PBX). Researchers Noah King and msutovsky-r7 have devised a technique that chains several vulnerabilities to escalate from an unauthenticated position to remote code execution.
The attack chain begins with CVE-2025-66039, an authentication bypass vulnerability that lets unauthorized users get past the login. Once authentication is bypassed, the framework offers two distinct paths to RCE.
The first path exploits a SQL injection vulnerability tracked as CVE-2025-61675. By injecting SQL commands, an attacker can manipulate the database to insert a new task into the cron_job table, effectively scheduling arbitrary code execution.
Alternatively, the second module exploits CVE-2025-61678, a flaw that allows unrestricted file uploads in the firmware upload function. This lets the attacker upload a web shell directly to the server, granting immediate control.
A third, supporting module in this set uses the same SQL injection vulnerability simply to create a malicious administrator account, showing the flexibility of the exploit chain.
Critical RCE in Cacti and SmarterMail
Beyond the VoIP domain, the update also covers severe vulnerabilities in monitoring and communication platforms. A new module targets Cacti, a widely used network monitoring tool, by exploiting CVE-2025-24367.
This vulnerability affects versions earlier than 1.2.29 and permits unauthenticated remote code execution through the graph template mechanism. Given Cacti’s extensive use in infrastructure monitoring, this module represents a high-priority test case for network administrators.
At the same time, the framework has added a module that exploits CVE-2025-52691 in SmarterTools SmarterMail. This unauthenticated file upload vulnerability relies on path traversal through the guid variable.
The module adapts to the underlying operating system. If the target runs Windows, the exploit drops a web shell in the webroot directory. If the target runs Linux, it achieves persistence and execution by creating a cron job in /etc/cron.d.
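For defenders, the Linux branch described above leaves an artifact in /etc/cron.d. The following is an added example, not code from Metasploit or from the original article: a shell function that flags drop-in files that are missing from a known-good baseline, were modified recently, or run commands from world-writable paths. The baseline file, the age window and the command patterns are assumptions.

```shell
#!/usr/bin/env bash
# Added example: triage a cron drop-in directory for files that an arbitrary
# file-write bug could have planted. Baseline, age window and patterns are
# assumptions; tune them to the host.

# audit_cron_d DIR BASELINE [MAX_AGE_DAYS]
#   DIR       cron drop-in directory (e.g. /etc/cron.d)
#   BASELINE  text file, one expected file name per line
# Prints "REASON<TAB>path" for every finding.
audit_cron_d() {
    local dir="$1" baseline="$2" max_age_days="${3:-7}"
    local f name
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")

        # Not part of the known-good set (package-installed drop-ins).
        if ! grep -Fxq -- "$name" "$baseline" 2>/dev/null; then
            printf 'UNLISTED\t%s\n' "$f"
        fi

        # Modified inside the review window.
        if [ -n "$(find "$f" -maxdepth 0 -mtime "-$max_age_days")" ]; then
            printf 'RECENT\t%s\n' "$f"
        fi

        # Heuristic: an active (uncommented) line runs something from a
        # world-writable path or pipes into a shell.
        if grep -Eq '^[^#]*(/tmp/|/dev/shm/|\|[[:space:]]*(ba)?sh)' "$f"; then
            printf 'SUSPICIOUS_CMD\t%s\n' "$f"
        fi
    done
}

# Usage: ./audit_cron_d.sh /etc/cron.d /root/cron.d.baseline 7
if [ "$#" -ge 2 ]; then
    audit_cron_d "$@"
fi
```

Build the baseline from a freshly installed or otherwise trusted host, and treat any finding as a prompt to inspect the file rather than as proof of compromise.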
The release also improves post-exploitation capabilities with new persistence modules. A new Burp Suite extension persistence module enables attackers to install a malicious extension on both the Pro and Community editions, causing it to execute each time the user starts the application. In addition, the team has unified Windows and Linux SSH key persistence into a single module.
On the maintenance side, multiple critical issues have been resolved. A formatting problem that broke hash data compatibility with the John the Ripper password cracker has been corrected.
Additionally, a logic flaw in the SSH login scanner, which previously reported successful logins as failures when sessions could not be opened, has been fixed to ensure accurate reporting during engagements.
| Module Name | CVE ID | Target System | Impact |
|---|---|---|---|
| FreePBX Endpoint SQLi | CVE-2025-66039, CVE-2025-61675 | FreePBX | Remote Code Execution |
| FreePBX Firmware Upload | CVE-2025-66039, CVE-2025-61678 | FreePBX | Remote Code Execution |
| FreePBX Admin Creation | CVE-2025-66039, CVE-2025-61675 | FreePBX | Privilege Escalation |
| Cacti Graph Template RCE | CVE-2025-24367 | Cacti (< 1.2.29) | Remote Code Execution |
| SmarterMail GUID Upload | CVE-2025-52691 | SmarterMail | Remote Code Execution |
| Burp Extension Persistence | N/A | Burp Suite | Persistence |
| SSH Key Persistence | N/A | Linux / Windows | Persistence |