This week's release includes five new modules, including a full unauthenticated RCE chain for Paperclip AI and a VS Code extension persistence technique. On the post-exploitation side, the new windows/local/ntlm_relay_2_self module coerces the local machine account to authenticate via OpenEncryptedFileRaw (WebDAV), relays that NTLM authentication to a Domain Controller's LDAP service, then uses the resulting LDAP session to write Shadow Credentials and obtain a Kerberos service ticket as Administrator via S4U2Proxy, enabling PsExec back to itself for SYSTEM access.
On the enhancement side, the new MCP server plugin lets AI tools assist operators directly within a running msfconsole instance, and module check codes now return richer detail for users.
New module content (5)
Paperclip AI RCE using a chain of six API calls (CVE-2026-41679)
Authors: Sagilayani https://github.com/sagilayani and h00die-gr3y [email protected]
Type: Exploit
Pull request: #21547 contributed by h00die-gr3y
Path: linux/http/paperclipai_unauth_rce_cve_2026_41679
AttackerKB reference: CVE-2026-41679
Description: Adds an exploit module for CVE-2026-41679 which exploits Paperclip. An unauthenticated attacker can achieve full remote code execution on any network-accessible Paperclip instance running in authenticated mode with default configuration. The entire chain is six API calls.
Xerte Online Toolkits Arbitrary File Upload - Unauthenticated Media Upload
Author: bootstrapbool [email protected]
Type: Exploit
Pull request: #21371 contributed by bootstrapbool
Path: multi/http/xerte_unauthenticated_mediaupload
AttackerKB reference: CVE-2026-41459
Description: Exploits authentication failure (CVE-2026-34413), extension blacklist (CVE-2026-34415), and path traversal (CVE-2026-34414) vulnerabilities in Xerte Online Toolkits versions 3.15 and earlier.
VS Code Extension Persistence
Author: h00die
Type: Exploit
Pull request: #21465 contributed by h00die
Path: multi/persistence/vscode_extension
Description: Adds a new persistence module that achieves persistence by installing a malicious extension into a user's VS Code extensions directory. The next time the target opens VS Code, the extension executes and delivers a shell back to the attacker.
NTLM Relay to Self (HTTP to LDAP) - Post Exploitation
Author: jheysel-r7
Type: Exploit
Pull request: #21430 contributed by jheysel-r7
Path: windows/local/ntlm_relay_2_self
Description: Adds a module that exploits the NTLMRelay2Self attack. It requires a low-privilege user session on a Windows host.
Linux Kernel __ptrace_may_access() Exit Race Change File Disclosure
Authors: 0xdeadbeefnetwork and bhaskarbhar
Type: Post
Pull request: #21472 contributed by bhaskarbhar
Path: linux/gather/cve_2026_46333_chage
AttackerKB reference: CVE-2026-46333
Description: Adds a post module that leverages CVE-2026-46333, a vulnerability in the Linux kernel whereby a race condition exists when tearing down a process. A local attacker can exploit this to obtain file handles they would not otherwise have access to. In the exploit, this is leveraged to leak the contents of the /etc/shadow file.
Enhancements and features (7)
- #21254 from golem445 - Nmap imports will include domain name if supplied by the user for the scan.
- #21259 from g0tmi1k - Adds a number of enhancements to msfconsole's search functionality by cleaning up some inconsistencies and giving users the option to hide the child elements of search results with the -c flag. Also introduces two global options, SearchSort and SearchChildMode, that users can set and forget in order to control ascending/descending search results and whether or not child items appear under search results respectively.
- #21367 from g0tmi1k - Adds a number of enhancements to the rexec_login module including more detailed output, a check for an rDNS failure, an update to the module description, and removal of duplicate IP:PORT printing.
- #21454 from adfoster-r7 - Updates many modules by adding additional details to the check codes that are returned by the #check method, which provides additional information for the user. Also updates the requirements of new modules to contain this extra information moving forward.
- #21512 from adfoster-r7 - Updates the Metasploit MCP tool to expose note information on Metasploit modules, as well as host comments.
- #21537 from dwelch-r7 - Adds a plugin to start and stop a Model Context Protocol (MCP) server within msfconsole. When compared to the standalone msfmcpd tool, this has the significant advantage of automatically loading the RPC server within the context of a running framework instance which enables AI tools to assist the operator without needing to restart Metasploit.
- #21542 from h00die - Updates the scanner/redis/redis_server module to output server INFO details as a readable table.
Bugs fixed (4)
- #21441 from dwelch-r7 - Improves the MCP server lifecycle control and enables graceful shutdowns by transitioning from Rack's handler to direct Puma server API management.
- #21564 from adfoster-r7 - Fixes a crash in the smb_version module when run against SMBv1 targets.
- #21570 from sjanusz-r7 - Fixes an issue where it was not possible to generate ARM Big Endian payloads.
- #21571 from dwelch-r7 - Deleted files are now excluded when running msfconsole reload commands.
Documentation
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro
