Metasploit Wrap-Up 04/03/2026

Last updated on Apr 3, 2026

Additional Adapters and More Modules

This week, we added a whole new bunch of HTTP/HTTPS-based CMD payloads for X64 and X86 versions of Windows. The wider range of selectable payloads and delivery techniques gives users new options to tailor the attack workflow to their environment. This was contributed by bwatters-r7. Adding new architectures for adapted payloads is surprisingly easy and something a first-time contributor might want to look into!

New modules added to Metasploit Framework also target FreeScout and Grav CMS; both result in remote code execution. These modules were contributed by Chocapikk and x1o3 respectively. Thanks!

Thanks to g0tmi1k, Metasploit Framework now also includes an exploit module, multi/http/os_cmd_exec, which allows for targeting generic HTTP command execution vulnerabilities where user-supplied input is directly passed to system execution functions via an HTTP request. This can result in a Meterpreter shell on the remote target.

To round this week off, we have a new persistence technique on Windows, thanks to Nayeraneru, which abuses the HKCU\Environment\UserInitMprLogonScript registry value to execute a payload at user logon.

New module content (5)

FreeScout Unauthenticated RCE via ZWSP .htaccess Bypass

Authors: Moses Bhardwaj (MosesOX), Nir Zadok (nirzadokox), Valentin Lobstein, and offensiveee

Type: Exploit

Pull request: #21069 contributed by Chocapikk

Path: multi/http/freescout_htaccess_rce

AttackerKB reference: CVE-2026-27636

Description: This adds an exploit module for CVE-2026-28289, an unauthenticated remote code execution vulnerability in FreeScout versions up to and including 1.8.206.

Grav CMS Admin Direct Install Authenticated Plugin Upload RCE

Authors: binneko and x1o3

Type: Exploit

Pull request: #21029 contributed by x1o3

Path: multi/http/grav_admin_direct_install_rce_cve_2025_50286

AttackerKB reference: CVE-2025-50286

Description: This adds a new exploit module for CVE-2025-50286, an authenticated RCE vulnerability in Grav CMS 1.1.x–1.7.x with Admin Plugin 1.2.x–1.10.x. The module exploits the Direct Install feature to upload a malicious plugin ZIP and execute an arbitrary PHP payload as the web server user.

Generic HTTP Command Execution

Authors: egypt and g0tmi1k

Type: Exploit

Pull request: #21023 contributed by g0tmi1k

Path: multi/http/os_cmd_exec

Description: Adds a new exploits/multi/http/os_cmd_exec module that targets generic HTTP command execution vulnerabilities where user-supplied input is directly passed to system execution functions via an HTTP request.

Windows Persistence via UserInitMprLogonScript

Author: Nayera

Type: Exploit

Pull request: #21032 contributed by Nayeraneru

Path: windows/persistence/userinit_mpr_logon_script

Description: This adds a new Windows persistence module that abuses the HKCU\Environment\UserInitMprLogonScript registry value to execute a payload at user logon.
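A defender-side check for the registry location this module uses, as an added example that is not part of the original post or of the module: it scans registry events for changes to UserInitMprLogonScript under any user hive. The event records are constructed samples shaped like Sysmon registry events (IDs 12 and 13), and the function name is hypothetical.

```python
import re

# HKCU appears in event logs as HKU\<SID>; registry paths are case-insensitive.
TARGET = re.compile(
    r"^(?:HKU|HKEY_USERS)\\(?P<sid>[^\\]+)\\Environment\\UserInitMprLogonScript$",
    re.IGNORECASE,
)
REGISTRY_EVENT_IDS = {12, 13}  # 12 = object create/delete, 13 = value set

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Environment\UserInitMprLogonScript",
     "Details": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\System32\SystemPropertiesAdvanced.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Environment\Path",
     "Details": r"C:\Tools"},  # ordinary environment variable edit, must not match
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"hku\S-1-5-21-1111111111-2222222222-3333333333-1002\environment\userinitmprlogonscript",
     "Details": r"cmd.exe /c C:\ProgramData\run.bat"},
    {"EventID": 12, "EventType": "DeleteValue", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Environment\UserInitMprLogonScript"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe"},  # process creation, ignored
]

def find_logon_script_changes(events):
    """Return one finding per registry event that touches UserInitMprLogonScript."""
    findings = []
    for ev in events:
        if ev.get("EventID") not in REGISTRY_EVENT_IDS:
            continue
        match = TARGET.match(ev.get("TargetObject", ""))
        if not match:
            continue
        findings.append({
            "sid": match.group("sid"),                 # which user's hive was modified
            "action": ev.get("EventType", "unknown"),  # SetValue, DeleteValue, ...
            "writer": ev.get("Image", "unknown"),      # process that made the change
            "command": ev.get("Details"),              # what would run at logon (None on delete)
        })
    return findings

if __name__ == "__main__":
    for finding in find_logon_script_changes(SAMPLE_EVENTS):
        print(finding)
```

The value is rarely set on ordinary workstations, so any hit is worth triage; the deletion event is reported as well because it can indicate cleanup after the value was used.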

HTTP and HTTPS Fetch

Authors: Brendan Watters, Chris John Riley, hdm, sf, and vlad902

Type: Payload (Adapter)

Pull request: #21172 contributed by bwatters-r7

Description: This adds HTTP and HTTPS fetch payloads for 32-bit Windows targets.

Enhancements and features (8)

  • #20999 from Aaditya1273 - Removes the legacy windows/local/persistence module, which has been superseded by the modernized windows/persistence/registry module. A moved_from alias ensures that existing scripts and workflows referencing the old module path are automatically redirected to the new one with a deprecation warning.
  • #21090 from g0tmi1k - Updates multiple modules to make use of report_service().
  • #21097 from g0tmi1k - Updates auxiliary/scanner/ftp/anonymous.rb to report the FTP service regardless of anonymous being enabled.
  • #21144 from Nayeraneru - Improves YARD documentation for lib/msf/core/auxiliary/web/http.rb by documenting the Request and Response helpers, the public HTTP request APIs, and the internal custom-404/request-handling flow.
  • #21145 from Nayeraneru - Adds YARD docs to lib/msf/core/auxiliary/auth_brute.rb, focusing on the AuthBrute mixin’s credential-building, brute-force state, logging, and cleanup helpers.
  • #21150 from Nayeraneru - Adds YARD documentation to lib/msf/core/payload/adapter/fetch.rb to improve consistency and clarify how the fetch adapter generates URIs, builds fetch commands, and resolves platform-specific execution behavior.
  • #21194 from bcoles - This updates the post/linux/gather/enum_protections module by adding documentation and additional checks for modern protections and applications.
  • #21214 from adfoster-r7 - Adds additional validation to db_import before attempting to import values.
  • #21048 from zeroSteiner - Release note not written.

Bugs fixed (6)

  • #21004 from EclipseAditya - This fixes a bug in the #normalize_key method provided by the Windows Registry mixin. The result is correct behavior when using shell sessions to check for keys with trailing \ characters.
  • #21138 from g0tmi1k - Fixes a bug that stopped the auxiliary/server/dhcp module from running as a background job when RHOSTS had been set.
  • #21188 from adfoster-r7 - Fixes a crash on older Ruby versions when scanning binary files.
  • #21199 from Hemang360 - Fixes crash in auxiliary/scanner/http/wp_perfect_survey_sqli when run against invalid or unreachable targets.
  • #21207 from zeroSteiner - Fixes warning when running the linux/gather/enum_protections module.
  • #21208 from adfoster-r7 - Fixes multiple warnings in modules that reported notes incorrectly.
  • #21073 from Hemang360 - Fixes a bug where running exploit/multi/handler with a reverse HTTP/HTTPS payload multiple times on the same port caused cleanup issues.

Documentation added (6)

  • #21149 from Adithyadspawar - Adds documentation to the following login scanners: ftp/bison_ftp_traversal, http/apache_activemq_traversal, http/coldfusion_version, http/drupal_views_user_enum and http/elasticsearch_traversal.
  • #21186 from Devansh7006 - Adds documentation for the wordpress_pingback_access module.
  • #21187 from Devansh7006 - Updates documentation for auxiliary/scanner/http/http_put.
  • #21200 from dineshg0pal - Updates the example code snippet for writing Metasploit Go modules.
  • #21201 from aryan9190 - Adds YARD documentation for Rex::Post::IO class.
  • #21217 from dineshg0pal - Fixes minor errors in documentation files.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.
