Rapid7 released new Metasploit Framework content adding multiple modules that weaponize a FreePBX vulnerability chain starting with CVE-2025-66039 (authentication bypass) to enable unauthenticated attackers to reach remote code execution (RCE). The modules, authored by Noah King and msutovsky-r7, demonstrate how an initial auth bypass can be combined with follow-on flaws to move from external access to full system compromise.
The new FreePBX modules include an exploit that chains CVE-2025-66039 with CVE-2025-61675 (SQL injection) to insert a malicious job into the cron_job database table and execute arbitrary code, plus an auxiliary module using the same SQLi path to create a rogue administrator account. A second exploit chains CVE-2025-66039 with CVE-2025-61678 (unrestricted firmware file upload) to place a webshell on the server for RCE. Separate reporting also notes the same Metasploit update introduced additional exploit modules affecting other enterprise software (including Cacti and SmarterMail), but the detailed technical coverage in the sources focuses primarily on the FreePBX chaining approach and module implementations (e.g., unix/http/freepbx_custom_extension_rce and unix/http/freepbx_firmware_file_upload).

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
The update also shipped maintenance fixes, including corrections to John the Ripper hash formatting, SSH login scanner session-handling problems when CreateSession was enabled, and Metasploit Pro HTTP bruteforce false positives.
Metasploit expanded post-exploitation capabilities with a persistence module that installs a malicious Burp Suite extension and a unified SSH key persistence module supporting both Windows and Linux.
The same Metasploit update introduced an exploit module for Cacti CVE-2025-24367 and an unauthenticated file upload module for SmarterTools SmarterMail CVE-2025-52691, enabling webshell placement or cron-job creation through path traversal.
Metasploit Framework added three modules targeting FreePBX that chain the authentication bypass CVE-2025-66039 with either SQL injection CVE-2025-61675 or unrestricted file upload CVE-2025-61678 to achieve remote code execution or create an administrator account.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.