React2shell Module
As you may have heard, on December 3, 2025, the React team announced a critical Remote Code Execution (RCE) vulnerability in servers using the React Server Components (RSC) Flight protocol. The vulnerability, tracked as CVE-2025-55182, carries a CVSS score of 10.0 and is informally known as "React2Shell". It allows attackers to achieve prototype pollution during deserialization of RSC payloads by sending specially crafted multipart requests with "proto", "constructor", or "prototype" as module names. We’re happy to announce that community contributor vognik submitted an exploit module for React2Shell which landed earlier this week and is included in…
React2shell Module
As you may have heard, on December 3, 2025, the React team announced a critical Remote Code Execution (RCE) vulnerability in servers using the React Server Components (RSC) Flight protocol. The vulnerability, tracked as CVE-2025-55182, carries a CVSS score of 10.0 and is informally known as "React2Shell". It allows attackers to achieve prototype pollution during deserialization of RSC payloads by sending specially crafted multipart requests with "proto", "constructor", or "prototype" as module names. We’re happy to announce that community contributor vognik submitted an exploit module for React2Shell which landed earlier this week and is included in this week’s release.
MSSQL Improvements
Over the past couple of weeks Metasploit has made a couple of key improvements to the framework’s MSSQL attack capabilities. The first (PR 20637) is a new NTLM relay module, auxiliary/server/relay/smb_to_mssql, which enables users to start a malicious SMB server that will relay authentication attempts to one or more target MSSQL servers. When successful, the Metasploit operator will have an interactive session to the MSSQL server that can be used to run interactive queries, or MSSQL auxiliary modules.
Building on this work, it became clear that users would need to interact with MSSQL servers that required encryption as many do in hardened environments. To achieve that objective, issue 18745 was closed by updating Metasploits MSSQL protocol library to offer better encryption support. Now, Metasploit users can open interactive sessions to servers that offer and even require encrypted connections. This functionality is available automatically in the auxiliary/scanner/mssql/mssql_login and new auxiliary/server/relay/smb_to_mssql modules.
New module content (5)
Magento SessionReaper
Authors: Blaklis, Tomais Williamson, and Valentin Lobstein [email protected]
Type: Exploit
Pull request: #20725 contributed by Chocapikk
Path:multi/http/magento_sessionreaper
AttackerKB reference: CVE-2025-54236
Description: This adds a new exploit module for CVE-2025-54236 (SessionReaper), a critical vulnerability in Magento/Adobe Commerce that allows unauthenticated remote code execution. The vulnerability stems from improper handling of nested deserialization in the payment method context, combined with an unauthenticated file upload endpoint.
Unauthenticated RCE in React and Next.js
Authors: Lachlan Davidson, Maksim Rogov, and maple3142
Type: Exploit
Pull request: #20760 contributed by sfewer-r7
Path: multi/http/react2shell_unauth_rce_cve_2025_55182
AttackerKB reference: CVE-2025-66478
Description: This adds an exploit for CVE-2025-55182 which is an unauthenticated RCE in React. This vulnerability has been referred to as React2Shell.
WordPress King Addons for Elementor Unauthenticated Privilege Escalation to RCE
Authors: Peter Thaleikis and Valentin Lobstein [email protected]
Type: Exploit
Pull request: #20746 contributed by Chocapikk
Path: multi/http/wp_king_addons_privilege_escalation
AttackerKB reference: CVE-2025-8489
Description: This adds an exploit module for CVE-2025-8489, an unauthenticated privilege escalation vulnerability in the WordPress King Addons for Elementor plugin (versions 24.12.92 to 51.1.14). The vulnerability allows unauthenticated attackers to create administrator accounts by specifying the user_role parameter during registration, enabling remote code execution through plugin upload.
Linux Reboot
Author: bcoles [email protected]
Type: Payload (Single)
Pull request: #20682 contributed by bcoles
Path:linux/loongarch64/reboot
Description: This extends our payloads support to a new architecture, LoongArch64. The first payload introduced for this new architecture is the reboot payload, which will cause the target system to restart once triggered.
Enhanced Modules (2)
Modules which have either been enhanced, or renamed:
- #20736 from sfewer-r7 - This pull requests updates the exploit/linux/http/fortinet_fortiweb_rce module (added in https://github.com/rapid7/metasploit-framework/pull/20717) to add in support for older version of FortiWeb, versions 6.*, which are no longer under support from the vendor.
- #20747 from vognik - This adds an exploit for CVE-2025-55182 which is an unauthenticated RCE in React. This vulnerability has been referred to as React2Shell.
Enhancements and features (1)
- #20704 from dwelch-r7 - The module auxiliary/scanner/ssh/ssh_login_pubkey has been removed. Its functionality has been moved into auxiliary/scanner/ssh/ssh_login.
Documentation
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro