Last updated at Fri, 28 Mar 2025 20:27:22 GMT
Windows LPE - Cloud File Mini Filter Driver Heap Overflow
This Metasploit release includes an exploit module for CVE-2024-30085, an LPE in cldflt.sys, the Windows Cloud Files Mini Filter Driver. This driver allows users to manage and sync files between a remote server and a local client. The exploit module allows users with an existing session on an affected Windows device to seamlessly escalate their privileges to NT AUTHORITY\SYSTEM. This module has been tested on Windows workstation versions 10_1809 through 11_23H2 and Windows server versions 2022 to 22_23H2.
New module content (3)
GLPI Inventory Plugin Unauthenticated Blind Boolean SQLi
Authors: jheysel-r7 and rz
Type: Auxiliary
Pull request: #19974 contributed by jheysel-r7
Path: gather/glpi_inventory_plugin_unauth_sqli
AttackerKB reference: CVE-2025-24799
Description: This adds an auxiliary module for an unauthenticated blind boolean SQL injection vulnerability (CVE-2025-24799) in GLPI <= 1.0.18 when the Inventory Plugin is installed and enabled.
Eramba (up to 3.19.1) Authenticated Remote Code Execution Module
Authors: Niklas Rubel, Sergey Makarov, Stefan Pietsch, Trovent Security GmbH, and msutovsky-r7
Type: Exploit
Pull request: #19957 contributed by msutovsky-r7
Path: linux/http/eramba_rce
AttackerKB reference: CVE-2023-36255
Description: This adds an exploit for CVE-2023-36255, an authenticated command injection vulnerability in Eramba.
Windows Cloud File Mini Filer Driver Heap Overflow
Authors: Alex Birnberg, bwatters-r7, and ssd-disclosure
Type: Exploit
Pull request: #19802 contributed by bwatters-r7
Path: windows/local/cve_2024_30085_cloud_files
AttackerKB reference: CVE-2024-30085
Description: Local Privilege Escalation for Windows, exploiting CVE-2024-30085. It allows escalating an existing session to higher privileges.
Bugs fixed (3)
- #19932 from adfoster-r7 - Fixes a crash when running the exploits/windows/mssql/mssql_payload module against previously opened Microsoft SQL Server sessions.
- #19962 from e2002e - This preemptively updates the API host for the ZoomEye search module to reflect changes made by the upstream organization.
- #19987 from zeroSteiner - This updates the Ivanti and Sonicwall Bruteforce modules to use #initialize methods that accept a single argument as the LoginScanner classes should. It also renames the modules to follow the standard convention and adds a small fix to catch an unhandled connection error that was being thrown by the Sonicwall module.
Documentation
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.