This release our very own cdelafuente-r7 finished implementing the Metasploit MCP Server (msfmcpd), bringing Model Context Protocol support to Metasploit Framework. MCP lets AI applications like Claude, Cursor, or your own custom agents query Metasploit data. Think of it as a middleware layer that exposes 8 standardized tools for searching modules and pulling reconnaissance data, all built on the official Ruby MCP SDK.
This first iteration is read-only, covering modules, hosts, services, vulnerabilities, and more. Tools for module execution, session interaction, and database modifications are on the roadmap for a future release. Full details are available in the documentation.
Copy Fail
Earlier this week, details of a new and high profile Linux LPE were released alongside a public PoC. The bug, nicknamed Copy Fail and identified by CVE-2026-31431, is a logic flaw in the cryptographic APIs exposed by the Linux Kernel. Metasploit has shipped a local exploit this week to leverage the flaw on AMD64 and AARCH64 targets with additional architectures planned for future releases. The exploit, which replaces the ‘su’ binary in the page cache with a small ELF file, allows users to specify command payloads for execution and will automatically determine the appropriate target architecture.
Description: This adds a new NTLM relay module that relays from HTTP to LDAP. On success, an authenticated LDAP session is opened which allows the operator to interact with the LDAP service in the context of the relayed identity.
Copy Fail AF_ALG + authencesn Page-Cache Write
Authors: Diego Ledda, Spencer McIntyre, Xint Code, and rootsecdev
Description: Adds a module for CVE-2026-31431 (The Copy Fail LPE for Linux), a local privilege escalation affecting almost every Linux Kernel since 2017.
Description: Adds a module for CVE-2026-31431 (The Copy Fail LPE for Linux), a local privilege escalation affecting almost every Linux Kernel since 2017.
Enhancements and features (5)
#21315 from cdelafuente-r7 - This adds a read-only MCP server for Metasploit capable of retrieving information from the loaded modules and database.
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
Our very own sfewer-r7 has developed an exploit module for the SolarWinds Web Help Desk vulnerabilities CVE-2025-40536 and CVE-2025-40551. On successful exploitation the session will be as running as NT AUTHORITY\SYSTEM. For more information see the Rapid7’s SolarWinds Web Help Desk Vulnerabilities guidance.
Contributions
A big thanks to our contributors who have been adding some great content this release. rudraditya21 has added MITRE ATT&CK metadata to lots of our existing modules. Chocapikk has added support for GHSA (GitHub Security Advisory) references support in Metasploit modules. rudraditya21 also added a change which adds negative caching to the LDAP entry cache, which will now mean missing objects are recorded. It also introduces a missing-entry sentinel, tracks misses per identifier type, and updates AD lookup helpers to short‑circuit on cached misses and record misses when a lookup returns no entry.
Description: This adds a new command-injection exploit in the FreeBDS rtsol/rtsold daemons (CVE-2025-14558). The vulnerability can be triggered by the Domain Name Search List (DNSSL) option in IPv6 Router Advertisement (RA) messages, which is passed to the resolvconf script without sanitization. It requires elevated privilege as it needs to send IPv6 packets. The injected commands are executed as root.
Ivanti Endpoint Manager Mobile (EPMM) unauthenticated RCE
Description: Adds an exploit module for the recent command injection vulnerability, CVE-2026-1281, affecting Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron. Exploited in-the-wild as a zero-day by an unknown threat actor.
GNU Inetutils Telnet Authentication Bypass Exploit CVE-2026-24061
Description: This adds an exploit module for the authentication bypass in GNU Inetutils telnetd tracked as CVE-2026-24061. During negotiation, if the USER environment variable is passed in with a value of "-f root" authentication can be bypassed resulting in command execution as the root user.
Description: This adds an exploit module for SolarWinds Web Help Desk vulnerable to CVE-2025-40536 and CVE-2025-40551. The exploit triggers session opening as NT AUTHORITY\SYSTEM and root.
Description: This adds three RCE modules for Xerte Online Toolkits affecting versions 3.14.0 and <= 3.13.7. Two are unauthenticated while one is authenticated.
Enhancements and features (10)
#20710 from Chocapikk - Adds support for GHSA (GitHub Security Advisory) and OSV (Open Source Vulnerabilities) references in Metasploit modules.
#20886 from cdelafuente-r7 - Updates services to now also have child services. This allows for more detailed reporting for the services and vulns commands which can now report parent -> child services e.g. SSL -> HTTPS.
#20895 from rudraditya21 - Adds negative caching to the LDAP entry cache so missing objects are recorded and subsequent lookups by DN, sAMAccountName, or SID return nil without re-querying the directory.
#20934 from rudraditya21 - This adds MITRE ATT&CK tags to modules related to LDAP and AD CS. This enables users to find this content using Metasploit's search functionality and the att&ck keyword.
#20935 from rudraditya21 - Adds the MITRE ATT&CK tag T1558.003 to the kerberoast modules. This enables users to find this content using Metasploit's search functionality and the att&ck keyword.
#20936 from rudraditya21 - This adds MITRE ATT&CK tags to SMB modules related to accounts. This enables users to find the content by using Metasploit's search capability and the att&ck keyword.
#20937 from rudraditya21 - This adds MITRE ATT&CK tags to the two existing SCCM modules that fetch NAA credentials using different techniques. This enables users to find this content using Metasploit's search functionality and the att&ck keyword.
#20941 from rudraditya21 - Adds a MITRE ATT&CK technique reference to the Windows password cracking module to support ATT&CK‑driven discovery.
#20942 from rudraditya21 - Adds MITRE ATT&CK technique references to getsystem, cve_2020_1472_zerologon, and atlassian_confluence_rce_cve_2023_22527 modules to support ATT&CK‑driven discovery.
#20943 from g0tmi1k - Adds affected versions the description in the exploits/unix/webapp/twiki_maketext module.
Bugs fixed (7)
#20599 from BenoitDePaoli - Fixes an issue where running services -p <ports> -u -R to set RHOSTS with values from the database could lead to a silently failing file not found error.
#20775 from rmtsixq - Fixes a database initialization failure when using msfdb init with the --connection-string option to connect to PostgreSQL 15+ instances (e.g., Docker containers).
#20817 from randomstr1ng - Adds a fix to ensure the output of sap_router_portscanner no longer causes module crashes.
#20903 from jheysel-r7 - Fixes an issue so #enum_user_directories no longer returns duplicate directories.
#20906 from rudraditya21 - Implements a fix for SSH command shells dying on cmd_exec when a trailing newline was present.
#20953 from zeroSteiner - Improves the stability of socket channeling support for SSH sessions opened via scanner/ssh/ssh_login.
#20955 from adfoster-r7 - Ensures the cleanup of temporarily created RHOST files when using the services -p <ports> -u -R command to set RHOST values from the database.
Documentation
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
Our very own Jack Heysel has added some documentation which outlines the Metasploit Framework project ideas for GSoC 2026. For anyone interested in applying please see GSoC-How-To-Apply documentation, or reach out on slack to any of the following GSoC mentors on Slack via the Metasploit Slack:
@jheysel
@zeroSteiner
@h00die
Gladinet
This week Chocapikk has added some Gladinet CentreStack/Triofox exploitation capabilities. Adding two auxiliary modules and updating an existing exploit. The updated exploit module now accepts a custom MACHINEKEY option to leverage newly discovered vulnerabilities that allow the extraction of machineKeys from Web.config files. The gladinet_storage_path_traversal_cve_2025_11371 module exploits path traversal to read arbitrary files and extract machineKeys, while gladinet_storage_access_ticket_forge forges access tickets using hardcoded cryptographic keys.
New module content (1)
Gladinet CentreStack/Triofox Access Ticket Forge
Authors: Huntress Team, Julien Voisin, and Valentin Lobstein chocapikk@leakix.net
Description: This adds two auxiliary modules for Gladinet CentreStack/Triofox. Both modules can read arbitrary files and extract the machineKey, which is used to secure ASP.NET ViewState data. Furthermore, this change also includes a new mixin for Gladinet.
Enhancements and features (3)
#20739 from cdelafuente-r7 - This adds MITRE ATT&CK metadata tags to modules relating to Kerberos and unconstrained delegation. This enables users to search for the content based on the ATT&CK technique ID.
#20882 from karanabe - Adds the RSAKeySize advanced option and uses it when generating the CSR key pair, allowing users to increase key size to meet certificate template minimums and avoid CERTSRV_E_KEY_LENGTH errors when 2048-bit keys are rejected.
#20883 from jheysel-r7 - Updates Kerberos modules to present a user friendly message when the user specifies the IMPERSONATE option when running a module but also forgets to specify IMPERSONATION_TYPE.
Bugs fixed (5)
#20368 from isaac-app-dev - Fixes an issue that caused msfvenom to break if it were run from alternative directories.
#20680 from cdelafuente-r7 - Improves the RPC API with multiple fixes and enhancements.
#20834 from kuklycs - This fixes the NoMethodError in the team_viewer post module, caused by misuse of the each_key method. The keys array has been updated to a 1-D array to simplify the logic.
#20916 from Chepycou - Fixes a crash when running the SAP modules sap_soap_rfc_system_info or sap_icf_public_info.
#20920 from rudraditya21 - This fixes a bug in password cracking modules where the auto action would crash even when the path to a compatible executable was specified in CRACKER_PATH.
Documentation added (1)
#20910 from jheysel-r7 - This adds documentation regarding the projects for which we are soliciting submissions for as part of the Google Summer of Code program.
You can always find more documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
Login
