automatic module_metadata_base.json update

jenkins-metasploit · jenkins-metasploit · commit 38b3dad60874 · 2026-01-29T04:14:36.000Z
diff --git a/db/modules_metadata_base.json b/db/modules_metadata_base.json
@@ -133630,6 +133630,66 @@
     "session_types": false,
     "needs_cleanup": null
   },
+  "exploit_unix/http/freepbx_custom_extension_rce": {
+    "name": "FreePBX endpoint SQLi to RCE",
+    "fullname": "exploit/unix/http/freepbx_custom_extension_rce",
+    "aliases": [],
+    "rank": 600,
+    "disclosure_date": "2025-12-11",
+    "type": "exploit",
+    "author": [
+      "Noah King",
+      "msutovsky-r7"
+    ],
+    "description": "FreePBX is an open-source IP PBX management tool that provides a modern phone system for businesses that use\n          VoIP to make and receive phone calls. Versions before 16.0.44 and 17.0.23 are vulnerable to CVE-2025-66039,\n          while versions before 16.0.92 and 17.0.6 are vulnerable to CVE-2025-61675. The former represents an\n          authentication bypass: when FreePBX uses Webserver Authorization Mode (an option the admin can enable), it\n          allows an attacker to authenticate as any user. The latter CVE describes multiple SQL injections; this module\n          exploits the SQL injection in the custom extension component. The module chains these vulnerabilities into an\n          unauthenticated SQL injection attack and gains remote code execution by injecting an SQL record into th\n          cron_jobs table. The cron_jobs database contains cron tasks that FreePBX executes in the context of the\n          operating system.",
+    "references": [
+      "CVE-2025-66039",
+      "CVE-2025-61675",
+      "URL-https://horizon3.ai/attack-research/the-freepbx-rabbit-hole-cve-2025-66039-and-others/"
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix Command"
+    ],
+    "mod_time": "2026-01-28 20:15:25 +0000",
+    "path": "/modules/exploits/unix/http/freepbx_custom_extension_rce.rb",
+    "is_install_path": true,
+    "ref_name": "unix/http/freepbx_custom_extension_rce",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
   "exploit_unix/http/freepbx_firmware_file_upload": {
     "name": "FreePBX firmware file upload",
     "fullname": "exploit/unix/http/freepbx_firmware_file_upload",
