Check Method Visibility

Metasploit has supported check methods for many years now. It’s not always desirable to jump straight into exploiting a vulnerability but instead to determine if the target is vulnerable. Metasploit tries to be very conservative with classifying a target as “vulnerable” unless the vulnerability is leveraged as part of the check method, reserving the “appears” status for version checks. The different check codes a module is capable of returning and the logic to select among them varies from exploit to exploit and is not always the easiest to understand. Aligning with the consistent feedback that Metasploit has received that module actions should be more transparent, adfoster-r7 has been adding reasoning information en masse to the check codes returned by a variety of exploits. This information will help users understand why a particular vulnerability status was determined, making troubleshooting efforts easier and increasing confidence in the results.

Legacy SMB Improvements

This week, community member g0tm1lk made multiple improvements for legacy and non-Windows SMB targets. Version information is now more reliably extracted from targets running SMB 1, and a variety of minor bugs were fixed across multiple modules that would have affected users targeting systems the module was not intended to target as is often the case when the module is used to scan an entire network.

New module content (4)

Camaleon CMS Directory Traversal CVE-2024-46987

Authors: Goultarde, Peter Stockli, and bootstrapbool

Type: Auxiliary

Pull request: #21122 contributed by bootstrapbool

Path: gather/camaleon_download_private_file

AttackerKB reference: CVE-2024-46987

Description: This adds an auxiliary module to exploit an arbitrary file vulnerability, CVE-2024-46987, on Camaleon CMS >= 2.8.0 as well as 2.9.0.

Langflow RCE

Authors: Takahiro Yokoyama and weblover12

Type: Exploit

Pull request: #21260 contributed by Takahiro-Yoko

Path: multi/http/langflow_rce_cve_2026_27966

AttackerKB reference: CVE-2026-27966

Description: Adds exploit module for CVE-2026-27966, a prompt injection RCE vulnerability in Langflow < 1.8.0. By creating and sending a specially-crafted flow containing python code, the LangChain will execute that code because LangChain's Read-Eval-Print Loop (REPL) is exposed by default and runs any Python code it is given.

WebDAV PHP Upload

Authors: g0tmi1k and theLightCosine theLightCosine@metasploit.com

Type: Exploit

Pull request: #21256 contributed by g0tmi1k

Path: multi/http/webdav_upload_php

AttackerKB reference: CVE-2012-10062

Description: Updates code and adds features: Linux support, check() method, and cleanup after exploit.

Linux Chmod

Author: bcoles bcoles@gmail.com

Type: Payload (Single)

Pull request: #21238 contributed by bcoles

Path: linux/loongarch64/chmod

Description: Adds a new linux/loongarch64/chmod payload to change the permissions of a specified file.

Enhancements and features (11)

• #21019 from g0tmi1k - This adds support for phpMyAdmin v3.1.x to the phpMyAdmin Config File Code Injection module (CVE-2009-1285). This also adds a check method.
• #21230 from bcoles - Reduces the memory footprint of the module metadata cache in Metasploit.
• #21231 from bcoles - Improves the performance of the module metadata cache as well as bug fixes.
• #21232 from bcoles - Add a method to discover writable directories on Unix targets using the find command.
• #21256 from g0tmi1k - Updates code and adds features: Linux support, check() method, and cleanup after exploit.
• #21347

Bugs fixed (4)

• #21327 from tair-m - Fixes a crash when loading HTTP modules.
• #21341 from g0tmi1k - This fixes multiple issues related to various SMB modules when targeting Samba.
• #21344 from adfoster-r7 - Fixes a bug when running the check method for scanner/http/elasticsearch_traversal against non-vulnerable targets.
• #21346 from adfoster-r7 - Fixes a false positive that was present in auxiliary/scanner/couchdb/couchdb_enum.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 6.4.128...6.4.129
• Full diff 6.4.128...6.4.129

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro

Better NTLM Relaying Functionality

This week’s release brings an improvement to the SMB NTLM relay server. In the past, it’s support has been expanded with modules for relaying to HTTP (ESC8), MSSQL and LDAP while still receiving connections over the humble SMB service. Prior to this release, clients required a key behavior in how they handled SMB’s STATUS_NETWORK_SESSION_EXPIRED error code, in order to relay a single authentication attempt to multiple targets. Most clients other than Window’s “net use” do not handle these errors and were thus incompatible with Metasploit SMB NTLM relaying capabilities. Now, when a single target is specified, Metasploit alters its relaying strategy to forward the Net-NTLM messages immediately, making it compatible with a broader range of clients including Linux’s smbclient. In addition, the client in RubySMB was updated to mimic the behaviour of “net use” allowing authentication attempts from RubySMB to be relayed to multiple targets successfully.

New module content (3)

ESC/POS Printer Command Injector

Author: FutileSkills

Type: Auxiliary

Pull request: #20478 contributed by futileskills

Path: admin/printer/escpos_tcp_command_injector

Description: Adds a new auxiliary module that exploits CVE-2026-23767, an unauthenticated ESC/POS command vulnerability in networked Epson-compatible printers. The vulnerability allows an attacker to send crafted commands over the network to inject custom ESC/POS print commands, which are used in various receipt printers.

Eclipse Che machine-exec Unauthenticated RCE

Authors: Greg Durys gregdurys.security@proton.me and Richard Leach

Type: Exploit

Pull request: #20835 contributed by GregDurys

Path: linux/http/eclipse_che_machine_exec_rce

AttackerKB reference: CVE-2025-12548

Description: This adds a module for CVE-2025-12548, an unauthenticated RCE in the Eclipse Che machine-exec service. The vulnerability allows attackers to connect over WebSocket on port 3333 and execute commands via JSON-RPC without authentication. This affects Red Hat OpenShift DevSpaces environments.

Barracuda ESG TAR Filename Command Injection

Authors: Curt Hyvarinen, Mandiant, and cfielding-r7

Type: Exploit

Pull request: #21033 contributed by Alpenlol

Path: linux/smtp/barracuda_esg_tarfile_rce AttackerKB reference: CVE-2023-2868

Description: Adds exploit module for CVE-2023-2868, a command injection vulnerability in Barracuda Email Security Gateway (ESG) appliances. Filenames in TAR attachments are passed to shell commands without sanitization, allowing RCE via backtick injection.

Enhancements and features (1)

• #21049 from h00die - This updates post modules to use an API that will expand multiple environment variables when set within the WritableDir option.

Bugs fixed (5)

• #20967 from jheysel-r7 - This fix an issue that prevents successful authentication relay from Ruby SMB Client and smbclient. These clients are now compatible with Msf::Exploit::Remote::SMB::RelayServer.
• #21148 from adfoster-r7 - Fixes a bug where setting VERBOSE logging as false globally would still cause verbose logging to occur.
• #21169 from SaiSakthidar - This fixes a bug that was preventing Mach-O binaries from being identified due to a Ruby string encoding compatibility problem.
• #21173 from msutovsky-r7 - Fixes a crash when attempting to generate a vbs payload with msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=44 -f vbs.
• #21174 from adfoster-r7 - Fixes a bug when parsing msfconsole's -x flag when additional semicolons are present that are not meant to separate commands. i.e. msfconsole -x 'set option_name "a;b"'.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 6.4.123...6.4.124
• Full diff 6.4.123...6.4.124

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro

FreeBPX Content Galore

This week brings 3 new pieces of module content for targeting FreePBX. All three chain multiple vulnerabilities together, starting with CVE-2025-66039. This initial vulnerability allows unauthenticated users to bypass the authentication process to interact with FreePBX. From this point, the different modules leverage either a SQL injection vulnerability (CVE-2025-61675) or a file upload vulnerability (CVE-2025-61678) to obtain remote code execution.

New module content (7)

FreePBX endpoint SQLi to RCE

Authors: Noah King and msutovsky-r7 Type: Exploit Pull request: #20857 contributed by msutovsky-r7 Path: unix/http/freepbx_custom_extension_rce AttackerKB reference: CVE-2025-61675

Description: This adds exploit module for FreePBX which chains an authentication bypass, CVE-2025-66039, with a SQLi, CVE-2025-61675, which allows for a cron job to be added to the cron_job table of the database to allow for Remote Code Execution.

FreePBX firmware file upload

Authors: Noah King and msutovsky-r7 Type: Exploit Pull request: #20858 contributed by msutovsky-r7 Path: unix/http/freepbx_firmware_file_upload AttackerKB reference: CVE-2025-61678

Description: This adds exploit module for FreePBX which chains an authentication bypass, CVE-2025-66039, with an unrestricted file upload (via firmware upload), CVE-2025-61678, which allows for a webshell to be uploaded to the webserver resulting in remote code execution.

FreePBX Custom Extension SQL Injection

Authors: Noah King and msutovsky-r7 Type: Auxiliary Pull request: #20846 contributed by msutovsky-r7 Path: gather/freepbx_custom_extension_injection AttackerKB reference: CVE-2025-61675

Description: This adds an exploit module for FreePBX which chains an authentication bypass, (CVE-2025-66039) with an SQLi (CVE-2025-61675) to create an admin user in the database.

Cacti Graph Template authenticated RCE versions prior to 1.2.29

Authors: Jack Heysel and chutchut Type: Exploit Pull request: #20799 contributed by jheysel-r7 Path: multi/http/cacti_graph_template_rce AttackerKB reference: CVE-2025-24367

Description: This adds an exploit for CVE-2025-24367 which is an unauthenticated RCE in Cacti.

SmarterTools SmarterMail GUID File Upload Vulnerability

Authors: Piotr Bazydlo, Sina Kheirkhah, and jheysel-r7 Type: Exploit Pull request: #20866 contributed by jheysel-r7 Path: multi/http/smartermail_guid_file_upload AttackerKB reference: CVE-2025-52691

Description: This adds a module for unauthenticated file upload in SmarterTools SmaterMail (CVE-2025-52691). The vulnerability allows an unauthenticated user to upload a file to any location on the system using path traversal using the guid variable. The module will either drop a webshell in the webroot directory (if the target is Windows) or create a cron job by dropping a file in /etc/cron.d (if the target is Linux).

Burp Extension Persistence

Author: h00die Type: Exploit Pull request: #19821 contributed by h00die Path: multi/persistence/burp_extension

Description: This adds a new persistence module for BurpSuite. The module adds a malicious extension to both the Pro and Community versions, which is triggered when the user starts BurpSuite.

SSH Key Persistence

Authors: Dean Welch dean_welch@rapid7.com and h00die mike@shorebreaksecurity.com Type: Exploit Pull request: #20778 contributed by h00die Path: multi/persistence/ssh_key

Description: Combines the Windows and Linux ssh key persistence modules.

Enhancements and features (1)

• #20778 from h00die - Combines the Windows and Linux ssh key persistence modules.

Bugs fixed (3)

• #20897 from h00die - This fixes a bug that was preventing collected hash data from being formatted as input for the John the Ripper cracker. The result is that users can now once again crack passwords using John.
• #20902 from rudraditya21 - This fixes a bug in the auxiliary/scanner/ssh/ssh_login module that would incorrectly state that a login failed when it in fact succeeded but the module was unable to open a session. This was only an issue when the CreateSession option is true.
• #20909 from adfoster-r7 - Fixes a bug in Metasploit Pro that reported false positives for HTTP bruteforcing.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 6.4.110...6.4.111
• Full diff 6.4.110...6.4.111

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro