Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-12-12-2025
  • Blog Title: Metasploit Wrap-Up 12/12/2025
  • Suggested Section: Pentesting Web -> Deserialization & Prototype Pollution (include React Server Components / React2Shell details); Pentesting Web -> File Upload & Registration & Takeover Vulnerabilities (for Magento nested deserialization + unauth upload and CMS role-parameter abuse); Network Services Pentesting -> 1433 - Pentesting MSSQL and Windows Hardening -> Lateral Movement / NTLM (for SMB-to-MSSQL NTLM relay with TLS).

🎯 Content Summary

This Metasploit weekly wrap-up details new exploit and payload modules and several enhancements that expand coverage for unauthenticated RCE in modern web stacks, MSSQL attack paths, and SSH scanning, plus support for a new CPU architecture.


React2Shell / React Server Components RCE (CVE-2025-55182)

On December 3, 2025, the React team disclosed a critical RCE in servers using the React Server Components (RSC) Flight protocol, tracked as CVE-2025-55182 and nicknamed <...

🔧 Technical Details

Prototype pollution RCE in React Server Components (React2Shell)
Servers using React Server Components (RSC) with the Flight protocol can be exploited by sending crafted multipart requests where RSC module identifiers are set to `__proto__`, `constructor`, or `prototype`. When the backend deserializes these values into objects without filtering those keys, it causes prototype pollution, letting the attacker modify default object behavior and pivot to remote code execution. Any RSC implementation that deserializes untrusted module names and maps them into object properties is at risk. Automated exploitation can be implemented as an HTTP client that crafts Flight-compliant multipart payloads using these special keys until code execution is achieved.


NTLM relay from SMB to MSSQL with TLS support
An attacker can run a malicious SMB server and relay captured NTLM authentication attempts to MSSQL servers. When a victim in...

🤖 Agent Actions

Summary:

  • Expanded the NodeJS prototype pollution guide with a new section on React Server Components Flight deserialization (CVE-2025-55182), including exploitation workflow, sample multipart payload, Metasploit module usage, and an updated reference.
  • Added a Magento SessionReaper case study to the File Upload guide describing the nested deserialization + unauthenticated uploader chain (CVE-2025-54236) along with mitigations, and incorporated the Rapid7 wrap-up into the references.
  • Documented the WordPress King Addons role-parameter abuse (CVE-2025-8489) in the registration vulnerabilities page, outlining the attack steps, automated exploitation via Metasploit, and defensive controls, plus updated references.
  • Enhanced the MSSQL pentesting page with guidance on the new TLS-aware SMB→MSSQL NTLM relay listener and noted the wider TLS support in MSSQL tooling, adding the relevant reference.
  • Updated the Windows NTLM hardening page with a dedicated section on relaying coerced SMB auth to TLS-enforced SQL Servers using the same Metasploit module and captured the new reference.

Tests: Not run (not requested).


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

📚 Repository Maintenance

  • MD files processed: 915
  • MD files fixed: 2

All .md files have been checked for proper formatting (headers, includes, etc.).
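The deserialization pattern the PR body describes (a client-supplied key path written straight into an object, so that `__proto__`, `constructor` or `prototype` lets the write escape to the shared `Object.prototype`) is illustrated below in its unsafe and hardened forms. This is an added example and not code from the PR, from React, or from the Metasploit module; the `setPathUnsafe`/`setPathSafe` helpers and the sample path are constructed for the illustration and do not model the Flight wire format.

```javascript
// Added illustration of the untrusted-key-to-property pattern; not code from
// the PR, React, or Metasploit. The helpers and sample inputs are constructed.

// Keys through which a property write can leave the target object and reach
// Object.prototype (or a constructor's prototype) instead.
const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Unsafe: trusts every path segment. For a path of ["__proto__", "x"] the
// loop descends into Object.prototype and the final write lands there, so
// every object in the process inherits the attacker-chosen property.
function setPathUnsafe(target, path, value) {
  let node = target;
  for (const key of path.slice(0, -1)) {
    if (typeof node[key] !== "object" || node[key] === null) node[key] = {};
    node = node[key];
  }
  node[path[path.length - 1]] = value;
  return target;
}

// Hardened: reject the dangerous keys outright, descend only into properties
// the current node itself owns, and create intermediate nodes with no
// prototype chain so there is nothing to walk into.
function setPathSafe(target, path, value) {
  for (const key of path) {
    if (DANGEROUS_KEYS.has(key)) {
      throw new Error(`rejected dangerous key: ${key}`);
    }
  }
  let node = target;
  for (const key of path.slice(0, -1)) {
    const ownObject =
      Object.prototype.hasOwnProperty.call(node, key) &&
      typeof node[key] === "object" &&
      node[key] !== null;
    if (!ownObject) node[key] = Object.create(null);
    node = node[key];
  }
  node[path[path.length - 1]] = value;
  return target;
}

// Detection helper: has Object.prototype acquired an own property it should
// never have? Useful as a runtime tripwire after handling untrusted input.
function isPrototypePolluted(prop) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, prop);
}

// Runs both variants on the same constructed hostile path and on a benign
// one, returning what happened so the outcome can be checked programmatically.
function demonstrate() {
  const result = {};
  const hostile = ["__proto__", "polluted"]; // constructed sample path

  setPathUnsafe({}, hostile, "yes");
  result.unsafePolluted = isPrototypePolluted("polluted"); // true
  delete Object.prototype.polluted; // undo the global side effect

  let rejected = false;
  try {
    setPathSafe({}, hostile, "yes");
  } catch (e) {
    rejected = true;
  }
  result.safeRejected = rejected; // true
  result.safePolluted = isPrototypePolluted("polluted"); // false

  // Ordinary nested input still works with the hardened version.
  const out = setPathSafe({}, ["user", "name"], "alice");
  result.benign = out.user.name; // "alice"
  return result;
}

console.log(demonstrate());
```

The key-denylist alone is not the whole fix: the own-property check and `Object.create(null)` intermediates matter because a deserializer that merges into existing objects can reach inherited properties through other names (for example `constructor.prototype`), and the tripwire check is the kind of assertion worth running in tests of any code that maps untrusted names onto object properties.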

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-12-12-2025

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web -> Deserialization & Prototype Pollution (include React Server Components / React2Shell details); Pentesting Web -> File Upload & Registration & Takeover Vulnerabilities (for Magento nested deserialization + unauth upload and CMS role-parameter abuse); Network Services Pentesting -> 1433 - Pentesting MSSQL and Windows Hardening -> Lateral Movement / NTLM (for SMB-to-MSSQL NTLM relay with TLS).".

Repository Maintenance:

  • MD Files Formatting: 915 files processed (2 files fixed)

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
