
Metasploit Wrap-Up 04/10/2026

Speedup Improvements of MSFVenom & New Modules

This week, we have added new modules to Metasploit Framework targeting Cisco Catalyst SD-WAN controllers and osTicket, as well as updates to the Windows service-for-user persistence module and to the LDAP/ADCS-related modules, which now automatically report related services. The resulting richer data can be queried with the services command.

We also landed an improvement to msfvenom's startup time, thanks to bcoles, resulting in a roughly two-times speedup.

New module content (4)

AD/CS Authenticated Web Enrollment Services Module

Authors: Spencer McIntyre, bwatters-r7, and jhicks-r7

Type: Auxiliary

Pull request: #20752 contributed by bwatters-r7

Path: admin/http/web_enrollment_cert

Description: This adds a new auxiliary/admin/http/web_enrollment_cert module that allows certificates to be issued from an Active Directory Certificate Services Web Enrollment portal. Its usage is the same as the auxiliary/admin/http/icpr_cert module, but it enables operators to issue certificates when the web enrollment portal is accessible but the MS-ICPR service is not.

Cisco Catalyst SD-WAN Controller Authentication Bypass

Author: sfewer-r7

Type: Auxiliary

Pull request: #21158 contributed by sfewer-r7

Path: admin/networking/cisco_sdwan_auth_bypass

AttackerKB reference: CVE-2026-20127

Description: This adds an auxiliary module to exploit an authentication bypass vulnerability, CVE-2026-20127, affecting Cisco Catalyst SD-WAN Controller. It was recently exploited in the wild as a zero-day.

osTicket Arbitrary File Read via PHP Filter Chains in mPDF

Authors: Arkaprabha Chakraborty <@t1nt1nsn0wy> and HORIZON3.ai Team

Type: Auxiliary

Pull request: #20948 contributed by ArkaprabhaChakraborty

Path: gather/osticket_arbitrary_file_read

AttackerKB reference: CVE-2026-22200

Description: This adds an auxiliary module to exploit CVE-2026-22200, an authenticated file read vulnerability in osTicket.

Windows Service for User (S4U) Scheduled Task Persistence - Event Trigger

Authors: Brandon McCann "zeknox" bmccann@accuvant.com, Thomas McCarthy "smilingraccoon" smilingraccoon@gmail.com, and h00die

Type: Exploit

Pull request: #20814 contributed by h00die

Path: windows/persistence/service_for_user/event

Description: Updates the Windows service-for-user persistence technique.

Enhancements and features (7)

  • #20814 from h00die - Updates the Windows service-for-user persistence technique.
  • #20973 from bitstr3m-48 - This release enables command execution for non-interactive HWBridge sessions via the sessions -c flag. Additionally, the hwbridge/connect module now preserves parsed JSON error bodies from failed HTTP responses, which improves error messaging.
  • #20977 from g0tmi1k - This updates the exploit/unix/webapp/php_eval module to have a FORMDATA datastore option, which adds HTTP POST-request support and makes the HEADERS datastore option consistent with other modules.
  • #20979 from g0tmi1k - This updates the exploit/unix/webapp/php_include module with additional datastore options and makes its usage more consistent with the similar exploit/unix/webapp/php_eval module.
  • #21031 from zeroSteiner - Enhances Metasploit's LDAP/ADCS-related modules to automatically report related services (LDAP, DCERPC/ICertPassage/ADCS CA) and to improve vulnerability reporting by associating findings with the affected LDAP object's DN (and, for ADCS template findings, the template name) so results are uniquely keyed and easier to interpret.
  • #21143 from SaiSakthidar - This bumps the Metasploit payloads to include changes that enable the PHP Meterpreter to open TCP server sockets. This enables operators to listen for inbound connections on compromised hosts and closes a feature gap between PHP and the other Meterpreters.
  • #21229 from bcoles - This updates the msfvenom utility to use the metadata cache. The result is roughly 2x faster execution times when listing modules.

Bugs fixed (1)

  • #21153 from Nayeraneru - This fixes an issue with some mutable constant datastore options. Setting shared options like CHOST or CPORT no longer changes their visibility across modules.

Documentation added (1)

  • #21221 from cgranleese-r7 - This PR improves module_doc_template.md with examples to better guide contributors.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.

Metasploit Wrap-Up 04/03/2026

Additional Adapters and More Modules

This week, we added a whole new set of HTTP/HTTPS-based CMD payloads for the X64 and X86 versions of Windows. The additional breadth of selectable payloads and delivery techniques gives users new options to tailor the attack workflow to their environment. This was contributed by bwatters-r7. Adding new architectures for adapted payloads is surprisingly easy and something a first-time contributor might want to look into!

New modules added to Metasploit Framework also allow for targeting FreeScout and Grav CMS, both of which result in remote code execution. These modules were contributed by Chocapikk and x1o3 respectively. Thanks!

Thanks to g0tmi1k, Metasploit Framework now also includes an exploit module, multi/http/os_cmd_exec, which allows for targeting generic HTTP command execution vulnerabilities where user-supplied input is directly passed to system execution functions via an HTTP request. This can result in a Meterpreter shell on the remote target.

To round this week off, we have a new persistence technique on Windows, thanks to Nayeraneru, which abuses the HKCU\Environment\UserInitMprLogonScript registry value to execute a payload at user logon.

New module content (5)

FreeScout Unauthenticated RCE via ZWSP .htaccess Bypass

Authors: Moses Bhardwaj (MosesOX), Nir Zadok (nirzadokox), Valentin Lobstein chocapikk@leakix.net, and offensiveee

Type: Exploit

Pull request: #21069 contributed by Chocapikk

Path: multi/http/freescout_htaccess_rce

AttackerKB reference: CVE-2026-27636

Description: This adds an exploit module for CVE-2026-28289, an unauthenticated remote code execution vulnerability in FreeScout versions up to and including 1.8.206.

Grav CMS Admin Direct Install Authenticated Plugin Upload RCE

Authors: binneko and x1o3

Type: Exploit

Pull request: #21029 contributed by x1o3

Path: multi/http/grav_admin_direct_install_rce_cve_2025_50286

AttackerKB reference: CVE-2025-50286

Description: This adds a new exploit module for CVE-2025-50286, an authenticated RCE vulnerability in Grav CMS 1.1.x–1.7.x with Admin Plugin 1.2.x–1.10.x. The module exploits the Direct Install feature to upload a malicious plugin ZIP and execute an arbitrary PHP payload as the web server user.

Generic HTTP Command Execution

Authors: egypt egypt@metasploit.com and g0tmi1k

Type: Exploit

Pull request: #21023 contributed by g0tmi1k

Path: multi/http/os_cmd_exec

Description: Adds a new exploits/multi/http/os_cmd_exec module that targets generic HTTP command execution vulnerabilities where user-supplied input is directly passed to system execution functions via an HTTP request.

Windows Persistence via UserInitMprLogonScript

Author: Nayera

Type: Exploit

Pull request: #21032 contributed by Nayeraneru

Path: windows/persistence/userinit_mpr_logon_script

Description: This adds a new Windows persistence module that abuses the HKCU\Environment\UserInitMprLogonScript registry value to execute a payload at user logon.

HTTP and HTTPS Fetch

Authors: Brendan Watters, Chris John Riley, hdm x@hdm.io, sf stephen_fewer@harmonysecurity.com, and vlad902 vlad902@gmail.com

Type: Payload (Adapter)

Pull request: #21172 contributed by bwatters-r7

Description: This adds HTTP and HTTPS fetch payloads for 32-bit Windows targets.

Enhancements and features (8)

  • #20999 from Aaditya1273 - Removes the legacy windows/local/persistence module, which has been superseded by the modernized windows/persistence/registry module. A moved_from alias ensures that existing scripts and workflows referencing the old module path are automatically redirected to the new one with a deprecation warning.
  • #21090 from g0tmi1k - Updates multiple modules to make use of report_service().
  • #21097 from g0tmi1k - Updates auxiliary/scanner/ftp/anonymous.rb to report the FTP service regardless of anonymous being enabled.
  • #21144 from Nayeraneru - Improves YARD documentation for lib/msf/core/auxiliary/web/http.rb by documenting the Request and Response helpers, the public HTTP request APIs, and the internal custom-404/request-handling flow.
  • #21145 from Nayeraneru - Adds YARD docs to lib/msf/core/auxiliary/auth_brute.rb, focusing on the AuthBrute mixin’s credential-building, brute-force state, logging, and cleanup helpers.
  • #21150 from Nayeraneru - Adds YARD documentation to lib/msf/core/payload/adapter/fetch.rb to improve consistency and clarify how the fetch adapter generates URIs, builds fetch commands, and resolves platform-specific execution behavior.
  • #21194 from bcoles - This updates the post/linux/gather/enum_protections module by adding documentation and additional checks for modern protections and applications.
  • #21214 from adfoster-r7 - Adds additional validation to db_import before attempting to import values.
  • #21048 from zeroSteiner - Not written - add release notes directly to the pull request, then regenerate. Do not edit manually without ensuring the pull request has the release note present.

Bugs fixed (6)

  • #21004 from EclipseAditya - This fixes a bug in the #normalize_key method provided by the Windows Registry mixin. The result is correct behavior when using shell sessions to check for keys with trailing \ characters.
  • #21138 from g0tmi1k - Fixes a bug that stopped the auxiliary/server/dhcp module from running as a background job when RHOSTS had been set.
  • #21188 from adfoster-r7 - Fixes a crash on older Ruby versions when scanning binary files.
  • #21199 from Hemang360 - Fixes crash in auxiliary/scanner/http/wp_perfect_survey_sqli when run against invalid or unreachable targets.
  • #21207 from zeroSteiner - Fixes warning when running the linux/gather/enum_protections module.
  • #21208 from adfoster-r7 - Fixes multiple warnings in modules that reported notes incorrectly.
  • #21073 from Hemang360 - Fixes a bug where running exploit/multi/handler with a reverse HTTP/HTTPS payload multiple times on the same port caused cleanup issues.

Documentation added (6)

  • #21149 from Adithyadspawar - Adds documentation to the following login scanners: ftp/bison_ftp_traversal, http/apache_activemq_traversal, http/coldfusion_version, http/drupal_views_user_enum and http/elasticsearch_traversal.
  • #21186 from Devansh7006 - Adds documentation for the wordpress_pingback_access module.
  • #21187 from Devansh7006 - Updates documentation for auxiliary/scanner/http/http_put.
  • #21200 from dineshg0pal - Updates the example code snippet for writing Metasploit Go modules.
  • #21201 from aryan9190 - Adds YARD documentation for Rex::Post::IO class.
  • #21217 from dineshg0pal - Fixes minor errors in documentation files.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.

Metasploit Wrap-Up 01/16/2026

Persistence, dMSA Abuse & RCE Goodies

This week, we have received a lot of contributions from the community, such as h00die, Chocapikk and countless others, which is greatly appreciated. This week's modules and improvements in Metasploit Framework range from new modules, such as dMSA abuse (resulting in escalation of privilege in Windows Active Directory environments) and authenticated and unauthenticated RCE modules, to many improvements and additions to the persistence modules and techniques.

New module content (13)

BadSuccessor: dMSA abuse to Escalate Privileges in Windows Active Directory

Authors: AngelBoy, Spencer McIntyre, and jheysel-r7

Type: Auxiliary

Pull request: #20472 contributed by jheysel-r7 

Path: admin/ldap/bad_successor

Description: This adds an exploit for "BadSuccessor", a vulnerability whereby a user with permissions over an Organizational Unit (OU) in Active Directory can create a Delegated Managed Service Account (dMSA) in such a way that it leads to the issuance of a Kerberos ticket for an arbitrary user.

Control Web Panel /admin/index.php Unauthenticated RCE

Authors: Egidio Romano and Lukas Johannes Möller

Type: Exploit

Pull request: #20806 contributed by JohannesLks 

Path: linux/http/control_web_panel_api_cmd_exec 

AttackerKB reference: CVE-2025-67888

Description: This adds a new module for Control Web Panel (CVE-2025-67888). The vulnerability is unauthenticated OS command injection through an exposed API. The module requires Softaculous to be installed.

Prison Management System 1.0 Authenticated RCE via Unrestricted File Upload

Author: Alexandru Ionut Raducu

Type: Exploit

Pull request: #20811 contributed by Xorriath 

Path: linux/http/prison_management_rce 

AttackerKB reference: CVE-2024-48594

Description: This adds a new module for Prison Management System 1.0 (CVE-2024-48594). The module requires admin credentials, which are subsequently used to exploit unrestricted file upload to upload a webshell.

udev Persistence

Author: Julien Voisin

Type: Exploit

Pull request: #20796 contributed by h00die 

Path: linux/persistence/udev

Description: This moves the udev persistence module into the persistence category and adds the persistence mixin.

n8n Workflow Expression Remote Code Execution

Author: Lukas Johannes Möller

Type: Exploit

Pull request: #20810 contributed by JohannesLks 

Path: multi/http/n8n_workflow_expression_rce

AttackerKB reference: CVE-2025-68613

Description: This adds a new module for n8n (CVE-2025-68613). The vulnerability is authenticated remote code execution in the workflow expression evaluation engine. The module requires credentials to create a malicious workflow that executes system commands via a JavaScript payload.

Web-Check Screenshot API Command Injection RCE

Author: Valentin Lobstein chocapikk@leakix.net 

Type: Exploit

Pull request: #20791 contributed by Chocapikk 

Path: multi/http/web_check_screenshot_rce 

AttackerKB reference: CVE-2025-32778

Description: Adds an exploit module for CVE-2025-32778, a command injection vulnerability in Web-Check's screenshot API endpoint which allows unauthenticated remote code execution by injecting shell commands via URL query parameters in the /api/screenshot endpoint.

Accessibility Features (Sticky Keys) Persistence via Debugger Registry Key

Authors: OJ Reeves and h00die

Type: Exploit

Pull request: #20751 contributed by h00die 

Path: windows/persistence/accessibility_features_debugger

Description: This updates the Windows sticky keys post persistence module to use the new persistence mixin.

WMI Event Subscription Event Log Persistence

Authors: Nick Tyrer <@NickTyrer> and h00die

Type: Exploit

Pull request: #20706 contributed by h00die 

Path: windows/persistence/wmi/wmi_event_subscription_event_log

Description: Updates the Windows WMI persistence module to use the new way of managing persistence modules in Metasploit Framework. The original Windows WMI module has been split into four modules, each representing its own technique.

WMI Event Subscription Interval Persistence

Authors: Nick Tyrer <@NickTyrer> and h00die

Type: Exploit

Pull request: #20706 contributed by h00die 

Path: windows/persistence/wmi/wmi_event_subscription_interval

Description: Updates the Windows WMI persistence module to use the new way of managing persistence modules in Metasploit Framework. The original Windows WMI module has been split into four modules, each representing its own technique.

WMI Event Subscription Process Persistence

Authors: Nick Tyrer <@NickTyrer> and h00die

Type: Exploit

Pull request: #20706 contributed by h00die 

Path: windows/persistence/wmi/wmi_event_subscription_process

Description: Updates the Windows WMI persistence module to use the new way of managing persistence modules in Metasploit Framework. The original Windows WMI module has been split into four modules, each representing its own technique.

WMI Event Subscription Logon Timer Persistence

Authors: Nick Tyrer <@NickTyrer> and h00die

Type: Exploit

Pull request: #20706 contributed by h00die 

Path: windows/persistence/wmi/wmi_event_subscription_uptime

Description: Updates the Windows WMI persistence module to use the new way of managing persistence modules in Metasploit Framework. The original Windows WMI module has been split into four modules, each representing its own technique.

Linux Chmod

Author: bcoles bcoles@gmail.com 

Type: Payload (Single)

Pull request: #20845 contributed by bcoles 

Path: linux/armle/chmod and linux/aarch64/chmod

Description: Adds Linux ARM 32-bit / 64-bit Little Endian chmod payloads.

Enhancements and features (7)

  • #20706 from h00die - Updates the Windows WMI persistence module to use the new way of managing persistence modules in Metasploit Framework. The original Windows WMI module has been split into four modules, each representing its own technique.
  • #20751 from h00die - This updates the Windows sticky keys post persistence module to use the new persistence mixin.
  • #20785 from Chocapikk - This adds Waku framework support to the existing react2shell module. Waku is a minimal React framework which differs slightly compared to Node.js. The module maintains backward compatibility with existing Next.js targets while adding Waku support through a modular framework configuration system.
  • #20786 from zeroSteiner - This updates the module code to merge the target Arch and Platform entries into the module's top level data. Prior to this change module developers had to define Arch and Platform entries twice, once at the module level and again per individual target. This updates over 500 modules and removes that duplication.
  • #20796 from h00die - This moves the udev persistence into the persistence category and adds the persistence mixin.
  • #20853 from zeroSteiner - Bumps metasploit-payloads to 2.0.239.
  • #20855 from h00die - Adds additional ATT&CK references to persistence modules.

Bugs fixed (2)

  • #20738 from Shubham0699 - This fixes an issue in the bailiwicked DNS modules that was causing the module to fail with a stack trace due to a programming error.
  • #20847 from dwelch-r7 - This updates the auxiliary/scanner/ssh/ssh_login module to remove stale documentation, remove unnecessary characters that were printed in the output and update the correct documentation with the new information about key usage.

Documentation added (1)

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.