Metasploit Adds 7 New Exploit Modules Targeting FreePBX, Cacti, and SmarterMail

The latest Metasploit release introduces seven exploit modules—including three chained attacks against FreePBX and critical remote code execution exploits for Cacti and SmarterMail—while also adding persistence tools and fixing several bugs that affect testing accuracy.

Black & White Path

FreePBX Chained Exploit

The update’s most significant addition is a trio of modules for FreePBX, the graphical front‑end for Asterisk. Researchers Noah King and msutovsky‑r7 combine multiple vulnerabilities to elevate an unauthenticated attacker to remote code execution. The chain starts with CVE‑2025‑66039, an authentication bypass that lets the attacker skip the login process. From there, two separate RCE paths are available.

The first path exploits CVE‑2025‑61675, a SQL injection that injects malicious commands into the cron_job table, allowing arbitrary task scheduling and code execution. The second path leverages CVE‑2025‑61678, an unrestricted file‑upload flaw in the firmware upload feature, enabling the attacker to upload a webshell and gain immediate control. A third auxiliary module re‑uses the same SQL injection to create a malicious administrator account, demonstrating the chain’s versatility.

Critical RCE Vulnerabilities in Cacti and SmarterMail

Beyond VoIP, the release also covers serious flaws in monitoring and communication platforms. One module targets the popular network‑monitoring tool Cacti, exploiting CVE‑2025‑24367 (affecting versions before 1.2.29) to achieve unauthenticated remote code execution via the graphical template mechanism. Given Cacti’s widespread deployment in infrastructure monitoring, this module is a high‑priority test case for administrators.

Another module adds support for SmarterTools SmarterMail, exploiting CVE‑2025‑52691, an unauthenticated file‑upload vulnerability that relies on a path‑traversal of the guid variable. The exploit adapts to the target OS: on Windows it drops a webshell in the webroot, while on Linux it creates a persistent /etc/cron.d job to achieve execution.
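The path-traversal pattern described above, seen from the defender's side, as an added example that is not SmarterMail's code or the Metasploit module: a client-supplied guid used as an upload file name is parsed as a strict GUID and the resolved path is checked for containment. The upload root, the `.tmp` suffix and the function names are assumptions made for illustration.

```python
import posixpath
import uuid

# Constructed upload root for the example; not SmarterMail's real layout.
UPLOAD_ROOT = "/srv/app/uploads"


def is_contained(path: str, root: str = UPLOAD_ROOT) -> bool:
    """True when the normalised path still sits under the upload root."""
    return posixpath.commonpath([root, posixpath.normpath(path)]) == root


def naive_upload_path(guid: str, root: str = UPLOAD_ROOT) -> str:
    """Weak pattern: the client-supplied guid is joined into the path unchecked."""
    return posixpath.normpath(posixpath.join(root, guid + ".tmp"))


def safe_upload_path(guid: str, root: str = UPLOAD_ROOT) -> str:
    """Hardened pattern: accept only a GUID, then confirm containment."""
    try:
        parsed = uuid.UUID(guid)
    except (ValueError, AttributeError, TypeError):
        raise ValueError("guid is not a valid GUID")
    # uuid.UUID tolerates braces, 'urn:uuid:' prefixes and missing hyphens,
    # so only the re-serialised canonical form goes into the file name.
    candidate = posixpath.join(root, str(parsed) + ".tmp")
    # Defence in depth: reject anything that resolves outside the root.
    if not is_contained(candidate, root):
        raise ValueError("resolved path escapes the upload root")
    return posixpath.normpath(candidate)


if __name__ == "__main__":
    # Constructed sample values.
    samples = ["3F2504E0-4F89-11D3-9A0C-0305E82C3301", "../../../etc/cron.d/job"]
    for value in samples:
        weak = naive_upload_path(value)
        print(f"naive: {weak} (contained: {is_contained(weak)})")
        try:
            print(f"safe:  {safe_upload_path(value)}")
        except ValueError as exc:
            print(f"safe:  rejected ({exc})")
```
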

Persistence Tools and Core Fixes

The release also introduces new persistence capabilities. A Burp Suite extension module can install malicious extensions on both the Professional and Community editions, causing automatic execution when the user launches the application. Additionally, the Windows and Linux SSH‑key persistence functions have been unified into a single module for streamlined operation.

Several critical bugs have been fixed to improve testing reliability. The release resolves issues that caused hash data to be incompatible with the John the Ripper password‑cracking tool, as well as a logic error in the SSH login scanner that incorrectly reported failed session initiations as successful logins.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
