Weekly Metasploit Update: NTLM Relay Priv Esc, MCP Server Integration, Paperclip AI RCE Chain, and more

This week's release includes five new modules, including a full unauthenticated RCE chain for Paperclip AI and a VS Code extension persistence technique. On the post-exploitation side, the new windows/local/ntlm_relay_2_self module coerces the local machine account to authenticate via OpenEncryptedFileRaw (WebDAV), relays that NTLM authentication to a Domain Controller's LDAP service, then uses the resulting LDAP session to write Shadow Credentials and obtain a Kerberos service ticket as Administrator via S4U2Proxy, enabling PsExec back to itself for SYSTEM access.
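The chain above ends with the victim host's machine account authenticating to the Domain Controller's LDAP service over NTLM. Domain-joined machines normally reach the DC with Kerberos, so a network logon of a machine account via NTLM on a DC is the signal a defender can look for. The following detector is an added example, not code from the Metasploit project or this post; the logon events, the host inventory and the field names are constructed to resemble the Windows Security event 4624 fields (TargetUserName, LogonType, AuthenticationPackageName, IpAddress, WorkstationName) rather than captured from a real system.

```python
"""Flag machine-account NTLM network logons on a Domain Controller.

Added example, not part of the wrap-up. All sample data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class LogonEvent:
    """Subset of the fields carried by Windows Security event 4624/4625."""
    event_id: int          # 4624 = successful logon, 4625 = failed logon
    target_user: str       # TargetUserName; machine accounts end in "$"
    logon_type: int        # 3 = network logon (what LDAP binds produce)
    auth_package: str      # AuthenticationPackageName: "Kerberos" or "NTLM"
    ip_address: str        # IpAddress of the client as seen by the DC
    workstation: str       # WorkstationName supplied by the client


# Constructed sample events as the DC would record them (not real captures).
SAMPLE_EVENTS: List[LogonEvent] = [
    LogonEvent(4624, "WS01$", 3, "Kerberos", "10.0.0.11", "WS01"),     # normal: machine uses Kerberos
    LogonEvent(4624, "alice", 3, "NTLM", "10.0.0.11", "WS01"),         # user NTLM: not this rule's target
    LogonEvent(4624, "WS01$", 3, "NTLM", "10.0.0.11", "WS01"),         # machine account over NTLM, own IP
    LogonEvent(4624, "WS02$", 3, "NTLM", "10.0.0.99", "OTHER-HOST"),   # machine account over NTLM, foreign IP
    LogonEvent(4625, "WS03$", 3, "NTLM", "10.0.0.13", "WS03"),         # failed logon: ignored here
]

# Hypothetical asset inventory (machine account -> expected address); constructed.
HOST_INVENTORY: Dict[str, str] = {"WS01$": "10.0.0.11", "WS02$": "10.0.0.12"}


def is_machine_account(name: str) -> bool:
    return name.endswith("$")


def classify(event: LogonEvent, inventory: Dict[str, str]) -> Optional[str]:
    """Return None (benign), "medium" or "high" for one event.

    medium: a machine account bound over NTLM with LogonType 3; in a relay-to-self
            scenario the source address is the host's own, so this is the only
            signal and must not be filtered out by an IP check alone.
    high:   the same, but from an address that does not match the inventory entry
            for that account, i.e. the credential was presented from elsewhere.
    """
    if event.event_id != 4624 or event.logon_type != 3:
        return None
    if event.auth_package.upper() != "NTLM":
        return None
    if not is_machine_account(event.target_user):
        return None
    expected_ip = inventory.get(event.target_user)
    if expected_ip is not None and expected_ip != event.ip_address:
        return "high"
    return "medium"


def find_relay_candidates(events: List[LogonEvent],
                          inventory: Dict[str, str] = HOST_INVENTORY
                          ) -> List[Tuple[str, str, str]]:
    """Return (account, source_ip, severity) for every event the rule flags."""
    findings = []
    for event in events:
        severity = classify(event, inventory)
        if severity is not None:
            findings.append((event.target_user, event.ip_address, severity))
    return findings


if __name__ == "__main__":
    for account, ip, severity in find_relay_candidates(SAMPLE_EVENTS):
        print(f"[{severity}] machine account {account} authenticated via NTLM from {ip}")
```

Run against the constructed events, the rule flags WS01$ (medium, own address) and WS02$ (high, foreign address) and ignores the Kerberos logon, the user logon and the failed attempt. Some environments do see legitimate NTLM logons from machine accounts (hosts with broken Kerberos name resolution, for instance), so baseline the rule before alerting on it; enforcing LDAP signing and channel binding on the DCs removes the relay target regardless of the detection.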

On the enhancement side, the new MCP server plugin lets AI tools assist operators directly within a running msfconsole instance, and module check codes now return richer detail for users.

New module content (5)

Paperclip AI RCE using a chain of six API calls (CVE-2026-41679)

Authors: Sagilayani https://github.com/sagilayani and h00die-gr3y h00die.gr3y@gmail.com

Type: Exploit

Pull request: #21547 contributed by h00die-gr3y

Path: linux/http/paperclipai_unauth_rce_cve_2026_41679

AttackerKB reference: CVE-2026-41679

Description: Adds an exploit module for CVE-2026-41679 in Paperclip AI. An unauthenticated attacker can achieve full remote code execution on any network-accessible Paperclip instance running in authenticated mode with the default configuration. The entire chain is six API calls.

Xerte Online Toolkits Arbitrary File Upload - Unauthenticated Media Upload

Author: bootstrapbool bootstrapbool@gmail.com

Type: Exploit

Pull request: #21371 contributed by bootstrapbool

Path: multi/http/xerte_unauthenticated_mediaupload

AttackerKB reference: CVE-2026-41459

Description: Exploits authentication failure (CVE-2026-34413), extension blacklist (CVE-2026-34415), and path traversal (CVE-2026-34414) vulnerabilities in Xerte Online Toolkits versions 3.15 and earlier.

VS Code Extension Persistence

Author: h00die

Type: Exploit

Pull request: #21465 contributed by h00die

Path: multi/persistence/vscode_extension

Description: Adds a new persistence module that achieves persistence by installing a malicious extension into a user's VS Code extensions directory. The next time the target opens VS Code, the extension executes and delivers a shell back to the attacker.

NTLM Relay to Self (HTTP to LDAP) - Post Exploitation

Author: jheysel-r7

Type: Exploit

Pull request: #21430 contributed by jheysel-r7

Path: windows/local/ntlm_relay_2_self

Description: Adds a module that performs the NTLMRelay2Self attack. It requires a low-privilege user session on a Windows host.

Linux Kernel __ptrace_may_access() Exit Race Change File Disclosure

Authors: 0xdeadbeefnetwork and bhaskarbhar

Type: Post

Pull request: #21472 contributed by bhaskarbhar

Path: linux/gather/cve_2026_46333_chage

AttackerKB reference: CVE-2026-46333

Description: Adds a post module that leverages CVE-2026-46333, a vulnerability in the Linux kernel whereby a race condition exists when tearing down a process. A local attacker can exploit this to obtain file handles they would not otherwise have access to. In the exploit, this is leveraged to leak the contents of the /etc/shadow file.

Enhancements and features (7)

  • #21254 from golem445 - Nmap imports will include the domain name if it was supplied by the user for the scan.
  • #21259 from g0tmi1k - Adds a number of enhancements to msfconsole's search functionality by cleaning up some inconsistencies and giving users the option to hide the child elements of search results with the -c flag. Also introduces two global options, SearchSort and SearchChildMode, that users can set and forget in order to control ascending/descending search results and whether or not child items appear under search results respectively.
  • #21367 from g0tmi1k - Adds a number of enhancements to the rexec_login module including more detailed output, a check for an rDNS failure, an update to the module description, and removal of duplicate IP:PORT printing.
  • #21454 from adfoster-r7 - Updates many modules by adding additional details to the check codes that are returned by the #check method, which provides additional information for the user. Also updates the requirements of new modules to contain this extra information moving forward.
  • #21512 from adfoster-r7 - Updates the Metasploit MCP tool to expose note information on Metasploit modules, as well as host comments.
  • #21537 from dwelch-r7 - Adds a plugin to start and stop a Model Context Protocol (MCP) server within msfconsole. When compared to the standalone msfmcpd tool, this has the significant advantage of automatically loading the RPC server within the context of a running framework instance which enables AI tools to assist the operator without needing to restart Metasploit.
  • #21542 from h00die - Updates the scanner/redis/redis_server module to output server INFO details as a readable table.

Bugs fixed (4)

  • #21441 from dwelch-r7 - Improves the MCP server lifecycle control and enables graceful shutdowns by transitioning from Rack's handler to direct Puma server API management.
  • #21564 from adfoster-r7 - Fixes a crash in the smb_version module when run against SMBv1 targets.
  • #21570 from sjanusz-r7 - Fixes an issue where it was not possible to generate ARM Big Endian payloads.
  • #21571 from dwelch-r7 - Deleted files are now excluded when running msfconsole reload commands.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition, Metasploit Pro.

Metasploit Wrap-Up 05/08/2026

Spring cleanup

This week’s Metasploit updates focused on foundational improvements and expanded target reach. Key enhancements were made to the recently released Copy Fail exploit module, which now benefits from payload fixes in linux/x64/exec and linux/armle/exec. These changes expand its capability, enabling the use of the cmd/unix/python/meterpreter/reverse_tcp payload on x64 targets and introducing support for ARMLE Linux. Additionally, the exploit/multi/http/shiro_rememberme_v124_deserialize module has been improved to allow operators to adjust the deserialization chain, enabling exploitation of a broader set of targets. Finally, several critical utility modules, including the FTP anonymous scanner and other FTP modules, received general fixes and updates.

New module content (1)

Anonymous FTP Access Detection

Authors: Matteo Cantoni goony@nothink.org and g0tmi1k

Type: Auxiliary

Pull request: #21372 contributed by g0tmi1k

Path: scanner/ftp/ftp_anonymous

AttackerKB reference: CVE-1999-0497

Description: This updates the FTP anonymous scanner module. Key changes include moving the module to align with other generic FTP modules, adding and updating CVE references and documentation notes, and cleaning up the output to be more verbose. Additionally, the module now reports service and vulnerability data to the database and stores proof-of-exploitation info in the loot upon a successful run.

Enhanced Modules (2)

Modules which have either been enhanced, or renamed:

  • #21410 from inkognitobo - This improves the exploit/multi/http/shiro_rememberme_v124_deserialize module by adding a JAVA_GADGET_CHAIN datastore option that allows the operator to adjust the chain used for deserialization. This enables the module to exploit additional targets.
  • #21404 from zeroSteiner - This extends the support of Copy Fail to ARMLE Linux targets.

Enhancements and features (4)

  • #21342 from adfoster-r7 - Defers the loading of some dependencies to improve console boot time.
  • #21372 from g0tmi1k - This updates the FTP anonymous scanner module. Key changes include moving the module to align with other generic FTP modules, adding and updating CVE references and documentation notes, and cleaning up the output to be more verbose. Additionally, the module now reports service and vulnerability data to the database and stores proof-of-exploitation info in the loot upon a successful run.
  • #21380 from g0tmi1k - Updates multiple FTP modules to now register FTP service information in the database when successfully connecting to an FTP service.
  • #21418 from kx7m2qd - This improves the platform-agnostic library used to obtain the OS architecture with support for shell sessions on Linux, BSD and Mac OSX.

Bugs fixed (5)

  • #21314 from g0tmi1k - Fixes a crash when running the scanner/http/trace module with the database enabled and a vulnerability is reported.
  • #21411 from zeroSteiner - This fixes a bug in the linux/x64/exec payload that was caused by the CMD datastore option being placed in the assembly source without being escaped.
  • #21413 from tart0ru5 - Fixes a logic error in the exploits/linux/http/projectsend_unauth_rce module that incorrectly checked whether a new user had been created.
  • #21421 from adfoster-r7 - This adds extra validation to report_vuln and delete_vuln in Msf::DBManager::Vuln to make sure required fields are present and avoid a crash.
  • #21425 from g0tmi1k - Fixes a bug when parsing FTP server responses.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition, Metasploit Pro.