@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-11-21-2025
  • Blog Title: Metasploit Wrap-Up 11/21/2025
  • Suggested Section: For FortiWeb: "👽 Network Services Pentesting → 80,443 - Pentesting Web Methodology → Fortinet Fortiweb" (add a subsection on CVE-2025-64446 auth bypass chaining to authenticated command injection/RCE). For Windows persistence: "🪟 Windows Hardening → Windows Local Privilege Escalation" (add or expand a 'Persistence' subsection covering service-based persistence via PowerShell/sc.exe and WSL-based persistence via Run/RunOnce registry keys invoking wsl.exe).

🎯 Content Summary

This post describes the Metasploit Framework 6.4.98 → 6.4.99 changes, focusing on a new exploit path for Fortinet FortiWeb (CVE-2025-64446) and new Windows persistence tooling, plus several framework enhancements, bug fixes, and documentation updates.


CVE-2025-64446 – Fortinet FortiWeb auth bypass and RCE chaining

CVE-2025-64446 is a critical (CVSS 9.1) authentication bypass in Fortinet’s FortiWeb Web Application Firewall Manager interface and its WebSocket-based CLI. Th...

🔧 Technical Details

FortiWeb auth bypass → admin account creation → root RCE chain
The core trick is to leverage an authentication bypass (CVE-2025-64446) in FortiWeb’s Manager/WebSocket CLI to run privileged management actions without credentials. By replaying or emulating Defused’s HTTP/WebSocket sequence (automated by Metasploit’s admin/http/fortinet_fortiweb_create_admin module), an attacker can call internal admin functionality such as “create local admin user”. Once the attacker logs in with this new account, any authenticated command-injection bug (e.g. CVE-2025-58034) reachable from the Manager UI or CLI can be used to execute arbitrary OS commands as root, turning an external WAF into a fully compromised pivot host.


Service-based Windows persistence via PowerShell or sc.exe
The Windows service persistence technique creates or reconfigures a Windows service so that its ImagePath (or equivalent configuration) points to an attacker-cont...

🤖 Agent Actions

Summary:

  • Expanded the Fortinet FortiWeb page with guidance on using Metasploit’s admin/http/fortinet_fortiweb_create_admin module, described how to chain CVE-2025-64446 with the upcoming CVE-2025-58034 command-injection exploit for root RCE, added operational steps, new detection cues for WebSocket/CLI abuse, and cited the Rapid7 wrap-up.
  • Added a persistence subsection to the Windows Local Privilege Escalation guide covering service-based persistence via PowerShell or sc.exe (aligned with the refactored windows/persistence/service module) and WSL-backed Run/RunOnce persistence, including commands, defensive considerations, and a pointer to autorun locations, plus referenced the Rapid7 source.

Testing:

  • Not run (not requested).

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
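The two Windows persistence patterns summarised above (a service whose ImagePath points at an attacker-controlled binary, and Run/RunOnce values that launch wsl.exe) are cheap to audit on a host. The following script is an added defensive example; it is not code from this PR, from HackTricks or from the Metasploit `windows/persistence/service` module. It assumes an elevated PowerShell 5.1 or later session and uses an illustrative list of "expected" binary locations and indicator substrings that a reviewer would tune for their own environment.

```powershell
# Added example (not from the PR or the Rapid7 post): audit services and
# Run/RunOnce keys for the persistence patterns described in this PR.
# Assumption: run elevated so HKLM and all service configurations are readable.

# Directories where a legitimate service binary normally lives (illustrative list).
$trustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")

# Indicators in a service ImagePath worth a second look (script hosts, WSL, encoded commands).
$servicePattern = 'powershell|pwsh|cmd\.exe|wsl\.exe|bash\.exe|rundll32|-enc'

# Indicators in a Run/RunOnce value worth a second look.
$runKeyPattern  = 'wsl\.exe|bash\.exe|powershell|pwsh|-enc'

# Provider metadata properties returned by Get-ItemProperty that are not registry values.
$providerProps  = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-SuspiciousServices {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $path = $_.PathName
        if (-not $path) { return }
        # Strip surrounding quotes and arguments to isolate the executable path.
        $exe = if ($path.StartsWith('"')) { $path.Split('"')[1] } else { $path.Split(' ')[0] }
        $inTrusted = $false
        foreach ($root in $trustedRoots) {
            if ($exe.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                $inTrusted = $true; break
            }
        }
        $reasons = @()
        if (-not $inTrusted)               { $reasons += 'binary outside Windows/Program Files' }
        if ($path -match $servicePattern)  { $reasons += 'script host or LOLBin in ImagePath' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name      = $_.Name
                StartMode = $_.StartMode
                RunAs     = $_.StartName
                ImagePath = $path
                Reason    = ($reasons -join '; ')
            }
        }
    }
}

function Get-SuspiciousRunKeys {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($providerProps -contains $p.Name) { continue }
            $value = [string]$p.Value
            if ($value -match $runKeyPattern) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $value }
            }
        }
    }
}

# Report: services first, then autorun values. Empty output means nothing matched.
Get-SuspiciousServices | Format-Table -AutoSize
Get-SuspiciousRunKeys  | Format-Table -AutoSize
```

Both checks are heuristics: a vendor agent installed under a non-standard directory will show up in the service list, and a developer's own Run entry for a WSL shell will show up in the autorun list, so the output is a triage queue rather than a verdict. Pairing this with the Services and Registry event logs (service installation and Run-key modification events) gives the "when" that a point-in-time audit cannot.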

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-11-21-2025

Content Categories: Based on the analysis, this content was categorized under "For FortiWeb: "👽 Network Services Pentesting → 80,443 - Pentesting Web Methodology → Fortinet Fortiweb" (add a subsection on CVE-2025-64446 auth bypass chaining to authenticated command injection/RCE). For Windows persistence: "🪟 Windows Hardening → Windows Local Privilege Escalation" (add or expand a 'Persistence' subsection covering service-based persistence via PowerShell/sc.exe and WSL-based persistence via Run/RunOnce registry keys invoking wsl.exe).".

Repository Maintenance:

  • MD Files Formatting: 913 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
