Persistence, dMSA Abuse & RCE Goodies
This week we received many contributions from the community, including from h00die, Chocapikk and countless others, which are greatly appreciated. This week’s additions to Metasploit Framework include new modules such as dMSA abuse (resulting in escalation of privilege in Windows Active Directory environments) and authenticated and unauthenticated RCE modules, along with many improvements and additions to the persistence modules and techniques.
New module content (13)
BadSuccessor: dMSA abuse to Escalate Privileges in Windows Active Directory
Authors: AngelBoy, Spencer McIntyre, and jheysel-r7
Type: Auxiliary
Pull request: #20472 contributed by jheysel-r7
Path: admin/ldap/bad_successor
Description: This adds an exploit for “BadSuccessor”, a vulnerability whereby a user with permissions to an Organizational Unit (OU) in Active Directory can create a Delegated Managed Service Account (dMSA) in such a way that it can lead to the issuance of a Kerberos ticket for an arbitrary user.
Control Web Panel /admin/index.php Unauthenticated RCE
Authors: Egidio Romano and Lukas Johannes Möller
Type: Exploit
Pull request: #20806 contributed by JohannesLks
Path: linux/http/control_web_panel_api_cmd_exec
AttackerKB reference: CVE-2025-67888
Description: This adds a new module for Control Web Panel (CVE-2025-67888). The vulnerability is an unauthenticated OS command injection through an exposed API. The module requires Softaculous to be installed.
Prison Management System 1.0 Authenticated RCE via Unrestricted File Upload
Author: Alexandru Ionut Raducu
Type: Exploit
Pull request: #20811 contributed by Xorriath
Path: linux/http/prison_management_rce
AttackerKB reference: CVE-2024-48594
Description: This adds a new module for Prison Management System 1.0 (CVE-2024-48594). The module requires admin credentials, which are subsequently used to exploit unrestricted file upload to upload a webshell.
udev Persistence
Author: Julien Voisin
Type: Exploit
Pull request: #20796 contributed by h00die
Path: linux/persistence/udev
Description: This moves the udev persistence module into the persistence category and adds the persistence mixin.
n8n Workflow Expression Remote Code Execution
Author: Lukas Johannes Möller
Type: Exploit
Pull request: #20810 contributed by JohannesLks
Path: multi/http/n8n_workflow_expression_rce
AttackerKB reference: CVE-2025-68613
Description: This adds a new module for n8n (CVE-2025-68613). The vulnerability is authenticated remote code execution in the workflow expression evaluation engine. The module requires credentials to create a malicious workflow that executes system commands via a JavaScript payload.
Web-Check Screenshot API Command Injection RCE
Author: Valentin Lobstein <chocapikk@leakix.net>
Type: Exploit
Pull request: #20791 contributed by Chocapikk
Path: multi/http/web_check_screenshot_rce
AttackerKB reference: CVE-2025-32778
Description: Adds an exploit module for CVE-2025-32778, a command injection vulnerability in Web-Check’s screenshot API endpoint which allows unauthenticated remote code execution by injecting shell commands via URL query parameters in the /api/screenshot endpoint.
Accessibility Features (Sticky Keys) Persistence via Debugger Registry Key
Authors: OJ Reeves and h00die
Type: Exploit
Pull request: #20751 contributed by h00die
Path: windows/persistence/accessibility_features_debugger
Description: This updates the Windows sticky keys post persistence module to use the new persistence mixin.
WMI Event Subscription Event Log Persistence
Authors: Nick Tyrer <@NickTyrer> and h00die
Type: Exploit
Pull request: #20706 contributed by h00die
Path: windows/persistence/wmi/wmi_event_subscription_event_log
Description: Updates the Windows WMI module to use the new way of managing persistence modules in Metasploit Framework. The Windows WMI module has been split into four modules, each representing its own technique.
WMI Event Subscription Interval Persistence
Authors: Nick Tyrer <@NickTyrer> and h00die
Type: Exploit
Pull request: #20706 contributed by h00die
Path: windows/persistence/wmi/wmi_event_subscription_interval
Description: Updates the Windows WMI module to use the new way of managing persistence modules in Metasploit Framework. The Windows WMI module has been split into four modules, each representing its own technique.
WMI Event Subscription Process Persistence
Authors: Nick Tyrer <@NickTyrer> and h00die
Type: Exploit
Pull request: #20706 contributed by h00die
Path: windows/persistence/wmi/wmi_event_subscription_process
Description: Updates the Windows WMI module to use the new way of managing persistence modules in Metasploit Framework. The Windows WMI module has been split into four modules, each representing its own technique.
WMI Event Subscription Logon Timer Persistence
Authors: Nick Tyrer <@NickTyrer> and h00die
Type: Exploit
Pull request: #20706 contributed by h00die
Path: windows/persistence/wmi/wmi_event_subscription_uptime
Description: Updates the Windows WMI module to use the new way of managing persistence modules in Metasploit Framework. The Windows WMI module has been split into four modules, each representing its own technique.
Linux Chmod
Author: bcoles <bcoles@gmail.com>
Type: Payload (Single)
Pull request: #20845 contributed by bcoles
Path: linux/armle/chmod and linux/aarch64/chmod
Description: Adds Linux ARM 32-bit / 64-bit Little Endian chmod payloads.
Enhancements and features (7)
- #20706 from h00die – Updates the Windows WMI module to use the new way of managing persistence modules in Metasploit Framework. The Windows WMI module has been split into four modules, each representing its own technique.
- #20751 from h00die – This updates the Windows sticky keys post persistence module to use the new persistence mixin.
- #20785 from Chocapikk – This adds Waku framework support to the existing react2shell module. Waku is a minimal React framework which differs slightly compared to Node.js. The module maintains backward compatibility with existing Next.js targets while adding Waku support through a modular framework configuration system.
- #20786 from zeroSteiner – This updates the module code to merge the target Arch and Platform entries into the module’s top level data. Prior to this change module developers had to define Arch and Platform entries twice, once at the module level and again per individual target. This updates over 500 modules and removes that duplication.
- #20796 from h00die – This moves the udev persistence into the persistence category and adds the persistence mixin.
- #20853 from zeroSteiner – Bumps metasploit-payloads to 2.0.239.
- #20855 from h00die – Adds additional ATT&CK references to persistence modules.
Bugs fixed (2)
- #20738 from Shubham0699 – This fixes an issue in the bailiwicked DNS modules that was causing the module to fail with a stack trace due to a programming error.
- #20847 from dwelch-r7 – This updates the auxiliary/scanner/ssh/ssh_login module to remove stale documentation, remove unnecessary characters that were printed in the output, and update the correct documentation with the new information about key usage.
Documentation added (1)
- #20665 from basicallyabidoof – Adds documentation for the ipv6_neighbor_router_advertisement module.
You can always find more documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.





