
Metasploit Wrap-Up 03/06/2026

Last updated on Mar 6, 2026
Encoder exposed!

Some of our releases add new ways in; this one adds new ways to stay in. There are, of course, still new RCE toys in the box (Tactical RMM via Jinja2 SSTI and an unauthenticated MajorDoMo exploit). Still, the underlying theme is payloads: more control over how they are packaged and delivered, and fewer "why did it die instantly?" moments. We, like our community of module authors, grew tired of having to do everything by hand. You can now pick encoders (and tweak their options) directly for exploit and payload modules without extra glue code. Less plumbing, more choosing-the-right-badchar-killer-at-runtime.


New module content (3)

Linux RC4 Packer with In-Memory Execution (x86)

Author: Massimo Bertocchi

Type: Evasion

Pull request: #20965 contributed by litemars

Path: linux/x86/rc4_packer

Description: Adds a new module evasion/linux/x86/rc4_packer that encrypts the generated payload with RC4, prepends an optional sleep-based delay (nanosleep), and decrypts/executes the payload at runtime via a compact precompiled stub.

Tactical RMM Jinja2 SSTI Remote Code Execution

Authors: Gabriel Gomes and Valentin Lobstein

Type: Exploit

Pull request: #21017 contributed by Chocapikk

Path: linux/http/tacticalrmm_ssti_rce_cve_2025_69516

AttackerKB reference: CVE-2025-69516

Description: This adds an exploit module for CVE-2025-69516, a Jinja2 SSTI in Tactical RMM < 1.4.0 where the reporting template preview endpoint evaluates user-controlled templates without sandboxing, enabling authenticated RCE. The module logs in via the Knox API, auto-detects the API host from /env-config.js, and exploits the template preview feature.

MajorDoMo Remote Command Injection via cycle_execs Race Condition

Author: Valentin Lobstein

Type: Exploit

Pull request: #21000 contributed by Chocapikk

Path: multi/http/majordomo_cmd_injection_rce

AttackerKB reference: CVE-2026-27175

Description: Adds three exploit modules for MajorDoMo, an open-source home automation platform. All three vulnerabilities are unauthenticated.

Enhancements and features (2)

  • #20852 from dledda-r7 - This adds encoder options for exploit and payload modules. It allows the user to select the encoder and modify its options when using an exploit or payload module, without needing to add code to the module.

  • #20987 from sjanusz-r7 - Allows AS-REP and Kerberoast modules to be run against a pre-existing LDAP session as well as RHOST values.

Bugs fixed (5)

  • #20740 from Chocapikk - This adds a new SRVSSL option to the HttpServer library, allowing SSL to be enabled for the HTTP server independently from the HTTP client.

  • #20830 from SilentSobs - This fixes a portability issue in Msf::Post::File.stat where the code incorrectly assumed a GNU stat output format.

  • #20940 from g0tmi1k - Fixes an issue where the > (file redirect) operator causes the exploit to fail. This updates the exploit to use tee to avoid that problematic operator and also increases debug verbosity, simplifies code, adds documentation, and adds support for fetch payloads to gain Linux Meterpreter sessions.

  • #20946 from g0tmi1k - Corrects an issue where the revision value provided in the HTTP requests can be outside the subset of revision id/value/numbers; a revision value that is not an actual revision value may result in a failed exploit. Also cleans up logic and increases debugging verbosity.

  • #21044 from adfoster-r7 - Fixes a crash when using db_import on a Nessus file with protocols other than TCP or UDP.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.
