Happy Friday - Seven New Metasploit Modules
We’re happy to announce that Metasploit Framework had a big week, landing seven new modules alongside various bug fixes and enhancements. This week’s highlights include RCE modules targeting AVideo, openDCIM, Selenium Grid/Selenoid, and ChurchCRM. On the post-exploitation side, Windows saw three new persistence techniques added as modules, targeting Telemetry scheduled tasks, PowerShell profiles, and Microsoft BITS.
What a time to be alive as a Metasploit user! We wish you all a wonderful weekend and happy hacking.
New module content (7)
AVideo Unauthenticated SQL Injection Credential Dump
Authors: Valentin Lobstein [email protected] and arkmarta
Type: Auxiliary
Pull request: #21075 contributed by Chocapikk
Path: gather/avideo_catname_sqli
AttackerKB reference: CVE-2026-28501
Description: Adds an auxiliary module for CVE-2026-28501, an unauthenticated SQL injection in AVideo <= 22.0, along with a new BenchmarkBasedBlind SQLi mixin class and blind extraction improvements.
openDCIM install.php SQL Injection to RCE
Author: Valentin Lobstein [email protected]
Type: Exploit
Pull request: #21034 contributed by Chocapikk
Path: linux/http/opendcim_install_sqli_rce
AttackerKB reference: CVE-2026-28517
Description: This PR adds a new exploit module for openDCIM that chains three vulnerabilities (https://github.com/advisories/GHSA-mg2w-x76x-59h8, https://github.com/advisories/GHSA-prmh-rp39-qc4m, https://github.com/advisories/GHSA-428h-8xhf-g3cw) to achieve remote code execution.
Selenium Grid/Selenoid Unauthenticated RCE
Authors: Jon Stratton, Takahiro Yokoyama, Valentin Lobstein [email protected], and Wiz Research
Type: Exploit
Pull request: #21003 contributed by Chocapikk
Path: linux/http/selenium_greed_rce
Description: This replaces the two separate Selenium Grid RCE modules (Chrome and Firefox) with a single unified module that auto-detects available browsers and selects the best attack vector. The module targets unauthenticated Selenium Grid and Selenoid instances, supporting two techniques: a Firefox profile handler injection that works on all Grid versions including the latest (never patched since 2021), and a Chrome binary override for Grid versions prior to 4.11.0 and all Selenoid versions. No authentication is required.
ChurchCRM Database Restore RCE 6.2.0
Author: LucasCsmt
Type: Exploit
Pull request: #21095 contributed by LucasCsmt
Path: multi/http/churchcrm_db_restore_rce
AttackerKB reference: CVE-2025-68109
Description: Adds a new exploit module for CVE-2025-68109, targeting a file upload vulnerability inside ChurchCRM leading to an RCE. This module will work on version 6.2.0 of ChurchCRM and earlier.
Windows Persistence Bits Job
Author: h00die
Type: Exploit
Pull request: #20839 contributed by h00die
Path: windows/persistence/bits
Description: This adds a new persistence module that uses Microsoft Bits to maintain access to the system.
Powershell Profile Persistence
Author: madefourit
Type: Exploit
Pull request: #20933 contributed by madefourit
Path: windows/persistence/powershell_profile
Description: This adds a new persistence module that uses powershell profiles to maintain access.
Windows Telemetry Persistence
Author: h00die
Type: Exploit
Pull request: #20843 contributed by h00die
Path: windows/persistence/telemetry
Description: Adds a new persistence module, exploit/windows/persistence/telemetry, that abuses the Windows Telemetry scheduled task (Microsoft Compatibility Appraiser / CompatTelRunner) to establish persistence. The module writes a payload to disk and configures the telemetry task to execute it, resulting in a SYSTEM-level Meterpreter session either on the next scheduled run or immediately on demand. Requires an admin-level Meterpreter session on the target.
Enhancements and features (11)
- #21078 from Chocapikk - Adds multiple improvements to the multi/http/churchcrm_install_unauth_rce module.
- #21085 from dledda-r7 - This refactors the Block API code used by Windows payloads to leverage a new version of the hashing algorithm. This also fixes a bug whereby the MaximumLength field was used when calculating UNICODE_STRING names when it should have been the Length field.
- #21236 from bcoles - Add riscv64le and riscv32le architecture support to the fileless fetch payload adapter. This enables in-memory ELF execution via memfd_create on RISC-V Linux targets without writing to disk.
- #21252 from zeroSteiner - Adds a new with_adcs_certificate_request method that now used by both the MsIcpr and WebEnrollment mixins that abstracts away the enrollment process and takes a block that performs the actual request. The result is consolidation of messages, post-processing of the successfully issued certificate.
- #21255 from mxnvel - This updates two Python payloads (cmd/unix/reverse_python and cmd/unix/reverse_python_ssl) to make the PythonPath option optional. When omitted, it defaults to a shim that will determine the appropriate version of Python at runtime using a small bash expression.
- #21275 from adfoster-r7 - Adds multiple improvements to the cve_2025_14847_mongobleed module, such as adding new a dedicated check method, improved compression support detection as only zlib can be exploited, and resolving other false positives.
- #21286 from Hemang360 - Adds a cleanup keyword argument to Msf::Post::File#mkdir so callers can skip automatic directory cleanup registration. It is very useful for when we create directories in persistence modules and want the directory to remain.
- #21289 from sjanusz-r7 - Updates the db.hosts RPC call to now additionally include the comments associated with the host.
- #21291 from sjanusz-r7 - Updates the module.info RPC call to now additionally include the notes associated with the module.
- #21304 from adfoster-r7 - Improves multiple auxiliary module check code messages and statuses.
Bugs fixed (4)
- #21027 from SilentSobs - Fixes ELF shared object (elf-so) payload generation failing on 32-bit ARM Linux and RISC-V 32-bit LE targets. The _start entry point in the ARM LE template was landing at a non-word-aligned offset, which violates the architecture's 4-byte alignment requirement and caused the shared object to fail to load. The templates now use proper NASM align directives to ensure correct entry point alignment, and a similar fix is applied to the RISC-V 32-bit LE template.
- #21268 from adfoster-r7 - Fixes a crash with a small number of auxiliary modules when the check method was run and the vulnerability wasn't present.
- #21287 from zeroSteiner - Fixes the EXE templates that were rebuilt in https://github.com/rapid7/metasploit-framework/pull/20502 to work on legacy Windows targets like Server 2000 in case you find yourself in a combination hacking and time-travelling movie.
- #21309 from sfewer-r7 - Fixes a false positive in the fortinet_fortiweb_create_admin module when detecting the presence of an authentication bypass via path traversal vulnerability in the Fortinet FortiWeb management interface.
Documentation added (1)
- #20843 from h00die - Adds a new persistence module, exploit/windows/persistence/telemetry, that abuses the Windows Telemetry scheduled task (Microsoft Compatibility Appraiser / CompatTelRunner) to establish persistence. The module writes a payload to disk and configures the telemetry task to execute it, resulting in a SYSTEM-level Meterpreter session either on the next scheduled run or immediately on demand. Requires an admin-level Meterpreter session on the target.
You can always find more documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro
