{"id":354,"date":"2025-04-19T19:00:20","date_gmt":"2025-04-19T19:00:20","guid":{"rendered":"http:\/\/localhost\/?p=354"},"modified":"2025-04-19T19:00:20","modified_gmt":"2025-04-19T19:00:20","slug":"metasploit-wrap-up-04182025","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=354","title":{"rendered":"Metasploit Wrap-Up 04\/18\/2025"},"content":{"rendered":"
\n

Vulnerability Details<\/h2>\n
\n

Basic Information<\/h3>\n\n\n\n\n\n\n
Title<\/th>\nMetasploit Wrap-Up 04\/18\/2025<\/td>\n<\/tr>\n
Type<\/th>\nrapid7blog<\/td>\n<\/tr>\n
Published<\/th>\n2025-04-18T14:58:06<\/td>\n<\/tr>\n
Last Seen<\/th>\n2025-04-18T15:51:50<\/td>\n<\/tr>\n
CVSS Score<\/th>\n9.8 (CRITICAL)<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

CVSS v3 Details<\/h3>\n\n\n\n\n\n\n\n\n\n
Attack Vector<\/th>\nNETWORK<\/td>\n<\/tr>\n
Attack Complexity<\/th>\nLOW<\/td>\n<\/tr>\n
Privileges Required<\/th>\nNONE<\/td>\n<\/tr>\n
User Interaction<\/th>\nNONE<\/td>\n<\/tr>\n
Scope<\/th>\nUNCHANGED<\/td>\n<\/tr>\n
Confidentiality Impact<\/th>\nHIGH<\/td>\n<\/tr>\n
Integrity Impact<\/th>\nHIGH<\/td>\n<\/tr>\n
Availability Impact<\/th>\nHIGH<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

CVE Information<\/h3>\n\n\n\n\n
CVE IDs<\/th>\nCVE-2025-27520, CVE-2025-3248<\/td>\n<\/tr>\n
CWE<\/th>\n<\/td>\n<\/tr>\n
Bulletin Family<\/th>\ninfo<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

Description<\/h3>\n
\n ## Smaller Fetch Payloads<\/p>\n

![Metasploit Wrap-Up 04\/18\/2025](https:\/\/blog.rapid7.com\/content\/images\/2025\/04\/metasploit-ascii-1-2.png)<\/p>\n

This week, a significant enhancement was made to the already awesome fetch payload feature by our very own bwatters-r7. The improvement introduces a new option, `PIPE_FETCH`, which optimizes the process by serving both the payload and the command to be executed simultaneously.<\/p>\n

This enhancement directly addresses the challenge of limited space by significantly reducing the size of the command that needs to be run. The `PIPE_FETCH` option works by initially generating a small command. When this compact command is executed, it fetches the actual, larger command that needs to be run. The fetched command is then directly piped into the shell, streamlining the execution process and making it feasible to use fetch payloads in scenarios where space constraints were previously a limitation.<\/p>\n

## New module content (2)<\/p>\n

### BentoML RCE<\/p>\n

Authors: Takahiro Yokoyama and c2an1
\nType: Exploit
\nPull request: #20041 contributed by Takahiro-Yoko
\nPath: `linux\/http\/bentoml_rce_cve_2025_27520`
\nAttackerKB reference: CVE-2025-27520<\/p>\n

Description: This adds a module for an unauthenticated remote code execution in BentoML (CVE-2025-27520).<\/p>\n

### Langflow AI RCE<\/p>\n

Authors: Naveen Sunkavally (Horizon3.ai) and Takahiro Yokoyama
\nType: Exploit
\nPull request: #20022 contributed by Takahiro-Yoko
\nPath: `multi\/http\/langflow_unauth_rce_cve_2025_3248`
\nAttackerKB reference: CVE-2025-3248<\/p>\n

Description: This adds a module for CVE-2025-3248, an unauthenticated RCE vulnerability that affects Langflow versions prior to 1.3.0.<\/p>\n

## Enhancements and features (4)<\/p>\n

* #19982 from jvoisin \\- Updates the Linux enum_protections module to use proper names instead of executable names and add a file-based detection method.
\n * #20031 from bcoles \\- Adds metadata and improves the code quality of multiple FreeBSD exploit modules.
\n * #20032 from bcoles \\- Improves the code quality of multiple `nops` modules.
\n * #20035 from bcoles \\- Enhances the code quality of multiple `encoder` modules.<\/p>\n

## Bugs fixed (3)<\/p>\n

* #20005 from fabpiaf \\- Fixes a LoadError when loading sqlite3 modules in Metasploit’s Docker support.
\n * #20036 from bcoles \\- Fixes an issue with the `exploit\/windows\/local\/unquoted_service_path` module that previously claimed a file upload was successful regardless of whether the file upload was successful or not.
\n * #20043 from adfoster-r7 \\- Update Open WAN-to-LAN proxy on AT&T routers error handling when an older Python version is detected.<\/p>\n

## Documentation<\/p>\n

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.<\/p>\n

## Get it<\/p>\n

As always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:<\/p>\n

* Pull Requests 6.4.57…6.4.58
\n * Full diff 6.4.57…6.4.58<\/p>\n

If you are a `git` user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.\n <\/p><\/div>\n<\/p><\/div>\n

\n

Impact Assessment<\/h3>\n\n\n\n
Base Score<\/th>\n9.8<\/td>\n<\/tr>\n
Severity<\/th>\nCRITICAL<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

View full CVE details<\/a><\/p>\n<\/p><\/div>\n<\/div>\n