diff --git a/documentation/modules/exploit/linux/http/raspberrymatic_unauth_rce_cve_2024_24578.md b/documentation/modules/exploit/linux/http/raspberrymatic_unauth_rce_cve_2024_24578.md
index 4ee4d7e985b3..07d9042366bd 100644
--- a/documentation/modules/exploit/linux/http/raspberrymatic_unauth_rce_cve_2024_24578.md
+++ b/documentation/modules/exploit/linux/http/raspberrymatic_unauth_rce_cve_2024_24578.md
@@ -108,3 +108,5 @@ meterpreter >
 ## Limitations
 You have to wait maximum five minutes for a session to allow `cron` to run the malicious watchdog script containing the payload. Just be patient and wait for the magic to happen ;-)
+Another limitation is that the root filesystem on RaspberyMatic image is mounted read-only, so you need to set the
+option `FETCH_WRITABLE_DIR` to `/tmp` (this is mounted RW) otherwise the exploit will fail.
diff --git a/modules/exploits/linux/http/raspberrymatic_unauth_rce_cve_2024_24578.rb b/modules/exploits/linux/http/raspberrymatic_unauth_rce_cve_2024_24578.rb
index 7e0543d15d00..7c97ea98db4f 100644
--- a/modules/exploits/linux/http/raspberrymatic_unauth_rce_cve_2024_24578.rb
+++ b/modules/exploits/linux/http/raspberrymatic_unauth_rce_cve_2024_24578.rb
@@ -49,7 +49,11 @@ def initialize(info = {})
 {
 'Platform' => ['unix', 'linux'],
 'Arch' => [ARCH_CMD],
- 'Type' => :unix_cmd
+ 'Type' => :unix_cmd,
+ 'DefaultOptions' => {
+ 'PAYLOAD' => 'cmd/linux/http/aarch64/meterpreter_reverse_tcp',
+ 'FETCH_WRITABLE_DIR' => '/tmp'
+ }
 }
 ]
 ],
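Review bot: The new `'FETCH_WRITABLE_DIR' => '/tmp'` entry in the target's `DefaultOptions` has no comment giving its reason, which appears only in the documentation hunk of this commit (read-only root filesystem, `/tmp` mounted read-write). A one-line comment above it, for example `# root filesystem is mounted read-only on the image; /tmp is writable`, would keep the rationale next to the setting. The added documentation text still says the user needs to set the option, which no longer matches a module that now sets it by default, so that sentence should say it is the default. The `aarch64` payload default likewise assumes one architecture and would benefit from a short comment stating that assumption. `initialize` begins and ends outside this hunk.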