React2Shell Payload Improvements
Last week Metasploit released an exploit for the React2Shell vulnerability, and this week we have made a couple of improvements to the payloads that it uses. The first improvement affects all Metasploit modules. When an exploit is used, a default payload is chosen by some basic logic that, in effect, picked the first compatible payload in alphabetical order. Now Metasploit will prefer a default of x86 Meterpreters for Windows systems (since 32-bit payloads work on both 32-bit and 64-bit versions of Windows) and x64 Meterpreters for all other platforms, including Linux. In the context of React2Shell, this means the payload now defaults to x64 for Linux instead of AARCH64.
Another improvement, which only affects this exploit, is a change of the default payload to one that leverages Node.js, which is more likely to be present on the target than the wget binary the previous default required. These defaults should help users get started with this high-impact exploit more easily, though of course any compatible payload can still be selected.
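To make the new selection rule concrete, here is an added illustration (not Metasploit's own code) that ranks a list of compatible payload names the way the text describes: x86 preferred on Windows, x64 everywhere else, with alphabetical order only as the tie-break and fallback. The payload names follow Metasploit's path convention; the way the architecture segment is parsed, and the sample payload list, are assumptions constructed for this example.

```ruby
# Added illustration (not Metasploit's own code): rank compatible payload names
# so the default matches the preference described above: x86 Meterpreter on
# Windows, x64 everywhere else, with alphabetical order only as the tie-break.
# Parsing the architecture out of the path is an assumption for this example.

ARCH_SEGMENTS = %w[x64 x86 aarch64 armle mipsle mipsbe ppc].freeze

# Split "linux/aarch64/meterpreter/reverse_tcp" into platform and arch.
# Windows payloads without an arch segment are treated as x86, matching the
# convention that windows/meterpreter/* is the 32-bit build.
def parse_payload(name)
  parts = name.split('/')
  platform = parts[0]
  arch = if ARCH_SEGMENTS.include?(parts[1])
           parts[1]
         else
           platform == 'windows' ? 'x86' : 'unknown'
         end
  { name: name, platform: platform, arch: arch }
end

# Preferred architecture per platform: x86 on Windows (runs on both 32- and
# 64-bit hosts), x64 on everything else.
def preferred_arch(platform)
  platform == 'windows' ? 'x86' : 'x64'
end

# Return the default payload name: the alphabetically first payload whose
# architecture matches the platform preference, falling back to plain
# alphabetical order (the old behaviour) when no preferred-arch payload exists.
def default_payload(compatible)
  parsed = compatible.map { |n| parse_payload(n) }.sort_by { |p| p[:name] }
  preferred = parsed.select { |p| p[:arch] == preferred_arch(p[:platform]) }
  (preferred.first || parsed.first)&.fetch(:name)
end

# Constructed sample list in the shape an exploit advertises as compatible.
# Under the old alphabetical rule the aarch64 payload would win; under the
# new rule the x64 payload is the default.
REACT2SHELL_LINUX = %w[
  linux/aarch64/meterpreter/reverse_tcp
  linux/x64/meterpreter/reverse_tcp
  linux/x86/meterpreter/reverse_tcp
].freeze

puts default_payload(REACT2SHELL_LINUX) if __FILE__ == $PROGRAM_NAME
```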
Stay tuned for the Metasploit annual wrap-up and roadmap announcement coming up!
New module content (2)
N-able N-Central Authentication Bypass and XXE Scanner
Authors: Valentin Lobstein chocapikk@leakix.net and Zach Hanley (Horizon3.ai)
Type: Auxiliary
Pull request: #20713 contributed by Chocapikk
Path: scanner/http/nable_ncentral_auth_bypass_xxe
AttackerKB reference: CVE-2025-11700
Description: This adds an auxiliary module that exploits two CVEs affecting N-able N-Central: CVE-2025-9316, an unauthenticated session bypass, and CVE-2025-11700, an XXE (XML External Entity) vulnerability. The module combines both vulnerabilities to achieve unauthenticated file read on affected N-Central instances (versions < 2025.4.0.9).
Grav CMS Twig SSTI Authenticated Sandbox Bypass RCE
Author: Tarek Nakkouch
Type: Exploit
Pull request: #20749 contributed by nakkouchtarek
Path: multi/http/grav_twig_ssti_sandbox_bypass_rce
AttackerKB reference: CVE-2025-66301
Description: This adds an exploit module for a Server-Side Template Injection (SSTI) vulnerability (CVE-2025-66294) in Grav CMS, versions prior to 1.8.0-beta.27, that allows bypassing the Twig sandbox to achieve remote code execution. To inject the malicious payload into a form's process section, this module leverages CVE-2025-66301, a broken access control flaw in the /admin/pages/{page_name} endpoint.
Enhancements and features (2)
- #20424 from cdelafuente-r7 - Updates how vulnerabilities and services are reported by adding a resource field to both models. It also adds a parents field to make layered services possible. An optional resource field can now be provided, and the existing service field has been updated to also accept an option hash.
- #20771 from zeroSteiner - Updates Metasploit's default payload selection logic to prefer x86 payloads over AARCH64 payloads.
- #20773 from jheysel-r7 - This updates the exploit for React2Shell with a better default payload.
Documentation
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.