National Cyber Warfare Foundation (NCWF)

Metasploit Weekly Wrap-Up 03 14 25


2025-03-18 17:07:23
milo
Red Team (CNA)
This Metasploit Weekly Wrap-Up saw a deserialization module for CVE-2024-55556, exploiting an unauthenticated PHP deserialization vulnerability in InvoiceShelf.

New module content (1)


InvoiceShelf unauthenticated PHP Deserialization Vulnerability



Authors: Mickaël Benassouli, Rémi Matasse, and h00die-gr3y

Type: Exploit

Pull request: #19950 contributed by h00die-gr3y

Path: linux/http/invoiceshelf_unauth_rce_cve_2024_55556

AttackerKB reference: CVE-2024-55556


Description: Deserialization module for CVE-2024-55556, exploiting an unauthenticated PHP deserialization vulnerability in InvoiceShelf.


Bugs fixed (3)



  • #19937 from fabpiaf - Fixes a crash when a running HTTP server attempted to perform HTML escaping.

  • #19944 from Takahiro-Yoko - Enhances the existing module for CVE-2025-0655 by adding a dynamically generated session for bypassing authentication.

  • #19955 from zeroSteiner - Updates the way we tag URLs in gather/ldap_esc_vulnerable_cert_finder to better support vulnerability reporting.


Documentation


You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.


Get it


As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:



If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.









Source: Rapid7
Source Link: https://blog.rapid7.com/2025/03/14/metasploit-weekly-wrap-up-03-14-25/

