
Metasploit Wrap Up 05/22/2026

Another week, another authentication bypass

Our humble Metasploit weekly(ish) blog has been blessed with a new network component vulnerability. The dynamic duo of @sfewer-r7 and @jburgess-r7 have discovered and authored the admin/networking/cisco_sdwan_vhub_auth_bypass module for CVE-2026-20182, a vulnerability gracing the Cisco Catalyst SD-WAN Controller. The devices, whose purpose is to control a software-defined (SD) wide-area network (WAN), were unfortunately missing an extra A for authentication. An oversight that Cisco has duly patched.

Elsewhere this week, the HUSTOJ online judge platform has been caught failing to judge its own zip files (CVE-2026-24479), courtesy of a zip-slip RCE module from LoTuS and friends. Next, @Alpenlol has weaponized the small matter of Barracuda's Email Security Gateway, happily eval()-ing the number format string inside an attached Excel file (CVE-2023-7102).

Our own @jburgess-r7 has been rather busy and also contributed a cPanel/WHM authentication bypass module that escalates straight to root via CRLF injection (CVE-2026-41940). And last, but not least, @h00die has gifted us a post module for Tenable Security Center that quietly extracts and cracks its stored credential hashes. Of course, this module works only if your Tenable Security Center is using the same password you have been using since 2006.

[Image: A_train_hitting_a_school_bus.png]

New module content (5)

Cisco Catalyst SD-WAN Controller vHub Authentication Bypass

Authors: Crypto-Cat and sfewer-r7

Type: Auxiliary

Pull request: #21463 contributed by jburgess-r7

Path: admin/networking/cisco_sdwan_vhub_auth_bypass

AttackerKB reference: CVE-2026-20182

Description: This adds a new auxiliary module for CVE-2026-20182, an authentication bypass in the Cisco Catalyst SD-WAN Controller.

HUSTOJ Admin users can zip-slip problem_import_qduoj.php, planting PHP files in webroot for RCE

Authors: LoTuS and friends, ling101w, and oxagast

Type: Exploit

Pull request: #21165 contributed by oxagast

Path: linux/http/hustoj_problem_import_rce

AttackerKB reference: CVE-2026-24479

Description: This adds an exploit for CVE-2026-24479 which is a zip slip vulnerability in HustOJ, an open source online judge platform, prior to version 26.01.24.
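For readers less familiar with the bug class behind this module, here is an added example (not HUSTOJ's code and not the Metasploit module) of the check an extractor needs so that an archive entry can never be written outside its destination. The destination directory and entry names are constructed samples; the function works on entry names alone, so it applies equally to zip, tar or any other archive listing.

```ruby
# Added example, not from HUSTOJ or the Metasploit module: the path check that
# stops a "zip slip". The bug class arises when an extractor joins an entry
# name such as "../../var/www/html/x.php" onto the destination directory
# without verifying that the result is still inside it.

# Return the absolute path an entry may be written to, or nil when the entry
# would land outside +dest_dir+. Only names are examined, so the check can run
# over an archive's directory listing before anything touches the disk.
def safe_extract_path(dest_dir, entry_name)
  dest = File.expand_path(dest_dir)
  # Absolute names, Windows drive letters and UNC-style names are never valid
  # relative entries. A leading "~" is rejected too, because File.expand_path
  # would otherwise expand it to a home directory.
  return nil if entry_name.start_with?('/', '\\', '~') || entry_name.match?(/\A[A-Za-z]:/)
  # Collapse "." and ".." components relative to the destination.
  target = File.expand_path(entry_name, dest)
  # Accept only the destination itself or something strictly below it. The
  # trailing separator keeps "/tmp/out" from matching "/tmp/outside".
  return nil unless target == dest || target.start_with?(dest + File::SEPARATOR)
  target
end

# Split a listing (constructed entry names standing in for an archive's
# central directory) into entries that may be extracted and ones to reject.
def audit_entries(dest_dir, entry_names)
  result = { safe: [], rejected: [] }
  entry_names.each do |name|
    (safe_extract_path(dest_dir, name) ? result[:safe] : result[:rejected]) << name
  end
  result
end

if __FILE__ == $PROGRAM_NAME
  # Constructed listing: one ordinary entry and three that must be refused.
  listing = ['problem/1.in', 'problem/../../../var/www/html/shell.php', '/etc/passwd', '~/.bashrc']
  p audit_entries('/tmp/problem_import', listing)
end
```

The check covers path components only. An archive format that can also carry symbolic links needs a second rule in the extractor (refuse to follow a link that points outside the destination), which this example does not attempt.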

Barracuda ESG Spreadsheet::ParseExcel Arbitrary Code Execution

Authors: Curt Hyvarinen, Mandiant, and haile01

Type: Exploit

Pull request: #21035 contributed by Alpenlol

Path: linux/smtp/barracuda_esg_spreadsheet_rce

AttackerKB reference: CVE-2023-7101

Description: Adds a new exploit module for CVE-2023-7102, an unauthenticated remote code execution vulnerability in Barracuda Email Security Gateway (ESG) appliances. The flaw resides in the Amavis scanner's use of the Perl Spreadsheet::ParseExcel library, which allows eval injection via malicious Excel number format strings. The module uses Rex::OLE to craft a minimal BIFF8 XLS file with the payload embedded in a FORMAT record and delivers it via SMTP.

cPanel/WHM CRLF Injection Authentication Bypass RCE

Authors: Adam Kues, Crypto-Cat, Shubham Shah, and Sina Kheirkhah

Type: Exploit

Pull request: #21417 contributed by jburgess-r7

Path: multi/http/cpanel_whm_auth_bypass_rce

AttackerKB reference: CVE-2026-41940

Description: This adds an exploit module for cPanel/WHM authentication bypass leading to root RCE (CVE-2026-41940).
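As an added illustration of the injection class named in this description (example code, unrelated to cPanel/WHM's implementation and not part of the Metasploit module), the snippet below shows what an unvalidated CR/LF sequence does to an HTTP header block and the check that prevents it. The header names and the tainted value are constructed.

```ruby
# Added example, unrelated to cPanel/WHM's code or the Metasploit module: what
# CRLF injection does to an HTTP header block and the check that prevents it.
# Header lines are separated by "\r\n", so an unvalidated value containing CR
# or LF ends the current line and lets the remainder be read as new headers.

# Naive serialiser that trusts the value, as vulnerable code paths do.
def naive_header_line(name, value)
  "#{name}: #{value}\r\n"
end

# True when a value can be placed in a header without splitting the block.
# CR, LF and NUL are never allowed in an HTTP field value.
def header_value_safe?(value)
  !value.match?(/[\r\n\x00]/)
end

# Hardened serialiser. The header-name rule here is deliberately stricter
# than the RFC token grammar (letters, digits and hyphen only).
def safe_header_line(name, value)
  raise ArgumentError, "invalid header name #{name.inspect}" unless name.match?(/\A[A-Za-z0-9-]+\z/)
  raise ArgumentError, 'CR, LF or NUL in header value' unless header_value_safe?(value)
  "#{name}: #{value}\r\n"
end

# Minimal header-block parser, used only to show what a receiver would see.
def parse_header_block(raw)
  raw.split("\r\n").reject(&:empty?).each_with_object({}) do |line, headers|
    key, val = line.split(': ', 2)
    headers[key] = val
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input: a value carrying an embedded line break.
  tainted = "abc\r\nX-Injected: 1"
  p parse_header_block(naive_header_line('X-Request-Id', tainted))
  begin
    safe_header_line('X-Request-Id', tainted)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The naive path yields two headers from one value; the hardened path refuses the value before it is serialised. Most HTTP libraries already apply this rule, so the risk concentrates in code that assembles headers or request lines by string concatenation.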

Tenable Security Center

Author: h00die

Type: Post

Pull request: #21177 contributed by h00die

Path: linux/gather/tenable_security_center

Description: This adds a Linux post module for Tenable Security Center that retrieves credential hashes and cracks them.

Enhancements and features (6)

  • #21292 from sjanusz-r7 - Updates the RPC notes command to allow data to return a hash value where applicable.
  • #21305 from sjanusz-r7 - Updates the services RPC endpoint to additionally report the resource and parent services fields.
  • #21414 from dledda-r7 - This backports the Python components of the Copy Fail (CVE-2026-31431) exploit to work with Python 2.7 interpreters, effectively supporting older targets.
  • #21447 from jheysel-r7 - This updates Metasploit's documentation to describe how a Kerberoast attack can be performed entirely with Metasploit. It also updates the kerberoast module to correctly log the realm to the database regardless of whether an existing LDAP session was used.
  • #21458 from dwelch-r7 - Updates the Sinatra, Rack, and Thin web service dependencies to support an upcoming Rails 8 upgrade.
  • #21460 from bhaskarbhar - This consolidates some code used by Windows exec payloads to provide a more consistent experience.

Bugs fixed (4)

  • #21285 from sjanusz-r7 - Updates the RPC creds command to now also return the associated realm key and value.
  • #21345 from g0tmi1k - This fixes an issue in the smb_enumshares module that prevented it from working against certain SMB 1 targets such as Metasploitable 2.
  • #21474 from adfoster-r7 - Fixes a crash in msfdb init on Windows.
  • #21475 from adfoster-r7 - Fixes the msfdb installation error on Windows.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.

Metasploit Wrap-Up 05/15/2026

Weaponizing a text editor for fun and profit

Gather round, dear readers, because today, we (by we, we mean @h00die) dropped the ultimate persistence mechanism: Vim plugin persistence. And honestly, calling it "persistence" feels redundant — Vim is already the most persistent thing ever. Somewhere, somehow, there will still be a Vim session open since 2011, because no one has figured out how to close it. So we are not so much establishing a foothold here as we are joining an existing hostage situation.

Elsewhere this week, Marvell's QConvergeConsole has been caught handing arbitrary files to unauthenticated visitors, as is tradition (CVE-2025-6793), and GestioIP 3.5.7 ships an upload handler so trusting that it will cheerfully let an admin overwrite the handler itself with a backdoor and then dutifully execute it (CVE-2024-48760). And of course, we can't forget about Dolibarr ERP/CRM, which blocks PHP injections by checking — and we cannot stress this enough — for the string <?php. So @M4nu02 brought an elaborate module which changes <?php to <?PHP in the payload to successfully bypass this mitigation (CVE-2023-30253). Truly a wonderful time to be alive.

[Image: vim-meme.png]

New module content (4)

Marvell QConvergeConsole Path Traversal (CVE-2025-6793)

Authors: Michael Heinzl and rgod

Type: Auxiliary

Pull request: #21322 contributed by h4x-x0r

Path: gather/qconvergeconsole_traversal

CVE reference: ZDI-25-450

Description: This adds a new auxiliary module that exploits a path traversal vulnerability (CVE-2025-6793) in Marvell QConvergeConsole to read arbitrary files from the target host. Marvell QConvergeConsole versions 5.5.0.85 and earlier are vulnerable, and no authentication is required to exploit the issue.

VIM Plugin Persistence

Author: h00die

Type: Exploit

Pull request: #21206 contributed by h00die

Path: linux/persistence/vim_plugin

Description: This adds a new Linux persistence module, which establishes persistence by writing a Vim plugin to the target user's ~/.vim/plugin/ directory. The next time that user launches Vim, the plugin executes the configured payload and opens a new session as that user.
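From the defender's side, the useful question is how to spot a plugin like this. The following is an added example (not part of the module or of Metasploit): a triage scan over Vim plugin files that flags Vimscript constructs which spawn external processes. The three plugin bodies are constructed in memory; on a real host the same function would be fed the contents of each file under ~/.vim/plugin/.

```ruby
# Added example, not part of the module or Metasploit: a defender-side triage
# scan of Vim plugin files for constructs that spawn external processes. Every
# file in ~/.vim/plugin/ is sourced on startup, so a plugin that calls
# system() or runs a ":!" command executes as soon as that user opens Vim,
# which is what the persistence technique above relies on.

# Vimscript constructs that hand control to a shell or start a process.
EXEC_PATTERNS = {
  'system()'           => /\bsystem\s*\(/i,
  'job_start()'        => /\bjob_?start\s*\(/i,            # Vim and Neovim spellings
  'bang command'       => /(?:^\s*|\bsilent!?\s+)!(?!=)/,  # ":!cmd" / "silent !cmd", not "!="
  'autocmd at startup' => /\bau(?:tocmd)?\b.*\bVimEnter\b/i,
}.freeze

# Scan one plugin's text; returns a finding per matching line and pattern.
def scan_plugin(name, content)
  findings = []
  content.each_line.with_index(1) do |line, no|
    next if line.lstrip.start_with?('"') # Vimscript comment line
    EXEC_PATTERNS.each do |kind, re|
      findings << { file: name, line: no, kind: kind, text: line.strip } if line.match?(re)
    end
  end
  findings
end

# Scan a set of plugins given as { filename => contents }.
def scan_plugins(files)
  files.flat_map { |name, content| scan_plugin(name, content) }
end

# Constructed sample contents standing in for files read from ~/.vim/plugin/.
SAMPLE_PLUGINS = {
  'mappings.vim' => "\" harmless key mapping\nnnoremap <leader>w :w<CR>\nif !exists('g:loaded_x')\n  let g:loaded_x = 1\nendif\n",
  'updater.vim'  => "\" looks like an updater\ncall system('/tmp/.cache/updater --quiet')\n",
  'startup.vim'  => "augroup persist\n  autocmd VimEnter * silent !/tmp/.cache/updater &\naugroup END\n",
}.freeze

if __FILE__ == $PROGRAM_NAME
  scan_plugins(SAMPLE_PLUGINS).each do |f|
    puts "#{f[:file]}:#{f[:line]} #{f[:kind]}: #{f[:text]}"
  end
end
```

Legitimate plugins call system() too, so the output is a triage list rather than a verdict: a hit in a file with no matching package or dotfile-repo history, or one that appeared at the same time as a suspicious login, is what deserves a closer look. The same scan applies to the other files Vim sources at startup, such as ~/.vimrc.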

GestioIP 3.5.7 Remote Command Execution

Authors: maxibelino and odeez24

Type: Exploit

Pull request: #21041 contributed by Odeez24

Path: multi/http/gestioip_rce

AttackerKB reference: CVE-2024-48760

Description: This adds an exploit module for an authenticated remote code execution vulnerability in GestioIP 3.5.7 (CVE-2024-48760). An attacker with admin credentials can abuse the unsafe upload handler at /api/upload.cgi to overwrite the script itself with a backdoor, which is then invoked to execute attacker-supplied commands.

Dolibarr ERP/CRM Authenticated Code Injection

Authors: Emanuele Cervelli and Tinexta Cyber Offensive Security Team

Type: Exploit

Pull request: #21362 contributed by M4nu02

Path: unix/http/dolibarr_cms_rce_cve_2023_30253

AttackerKB reference: CVE-2023-30253

Description: This adds a new exploit module for Dolibarr ERP/CRM (CVE-2023-30253), an authenticated PHP code injection vulnerability affecting versions before 17.0.1. The module abuses the Website module to inject a payload that bypasses Dolibarr's PHP tag filter by using uppercase <?PHP tags instead of the filtered lowercase form. Valid credentials with access to the Website module are required.
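To make the filter weakness concrete, here is an added example (not Dolibarr's code and not the Metasploit module) of a case-sensitive tag check beside a hardened scanner that matches every opening-tag form PHP accepts. The page bodies are constructed samples.

```ruby
# Added example, not Dolibarr's code or the Metasploit module's: the kind of
# tag filter the description refers to, in a weak form and a hardened form.
# PHP's lexer accepts the open tag in any letter case, so a case-sensitive
# check for "<?php" leaves "<?PHP" (and "<?Php", ...) both unfiltered and
# executable.

# Weak filter: exact, case-sensitive substring match.
def weak_php_filter?(content)
  content.include?('<?php')
end

# Hardened scanner: opening-tag forms matched case-insensitively. The
# optional group also lets a bare "<?" match, which covers the short open tag
# (active when short_open_tag is on) and the "<?=" echo tag; "<?xml" is
# flagged as well, the conservative choice for user-supplied page bodies.
PHP_OPEN_TAG = /<\?(?:php\b|=)?/i

# Returns one finding per tag occurrence: line number, column and the text.
def find_php_tags(content)
  findings = []
  content.each_line.with_index(1) do |line, no|
    line.scan(PHP_OPEN_TAG) do
      m = Regexp.last_match
      findings << { line: no, col: m.begin(0) + 1, tag: m[0] }
    end
  end
  findings
end

def hardened_php_filter?(content)
  !find_php_tags(content).empty?
end

# Compare both filters over a set of page bodies; returns rows of
# [label, weak_verdict, hardened_verdict].
def compare_filters(samples)
  samples.map { |label, body| [label, weak_php_filter?(body), hardened_php_filter?(body)] }
end

# Constructed page bodies.
SAMPLE_BODIES = {
  'plain html'     => "<h1>Hello</h1>\n",
  'lowercase tag'  => "<p>x</p>\n<?php echo 1; ?>\n",
  'uppercase tag'  => "<p>x</p>\n<?PHP echo 1; ?>\n",
  'short echo tag' => "<p><?= 1 ?></p>\n",
}.freeze

if __FILE__ == $PROGRAM_NAME
  compare_filters(SAMPLE_BODIES).each { |label, weak, hard| puts "#{label}: weak=#{weak} hardened=#{hard}" }
end
```

A denylist on a string that a downstream interpreter parses case-insensitively has to be case-insensitive itself, and should also consider whether the content is decoded or transformed before it reaches that interpreter; the scanner above only handles the first of those.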

Enhancements and features (1)

  • #20617 from Aaditya1273 - Adds an OptArray datastore option type to the framework. Previously, multi-valued datastore options were usually input as comma-separated strings; now Metasploit developers have the option to use OptArray.

Bugs fixed (0)

None


Metasploit Wrap-Up 03/06/2026

Encoder exposed!

Some of our releases add new ways in; this one adds new ways to stay in. There are, of course, still new RCE toys in the box (Tactical RMM via Jinja2 SSTI and an unauthenticated MajorDoMo exploit). Still, the underlying theme is payloads: more control over how they are packaged and delivered, and fewer "why did it die instantly?" moments. We, like our community of module authors, grew tired of having to do everything by hand. You can now pick encoders (and tweak their options) directly for exploit and payload modules without extra glue code. Less plumbing, more choosing-the-right-badchar-killer-at-runtime.

[Image: 2026-03-06-meme.png]

New module content (3)

Linux RC4 Packer with In-Memory Execution (x86)

Author: Massimo Bertocchi

Type: Evasion

Pull request: #20965 contributed by litemars

Path: linux/x86/rc4_packer

Description: Adds a new module evasion/linux/x86/rc4_packer that encrypts the generated payload with RC4, prepends an optional sleep-based delay (nanosleep), and decrypts/executes the payload at runtime via a compact precompiled stub.

Tactical RMM Jinja2 SSTI Remote Code Execution

Authors: Gabriel Gomes and Valentin Lobstein (chocapikk@leakix.net)

Type: Exploit

Pull request: #21017 contributed by Chocapikk

Path: linux/http/tacticalrmm_ssti_rce_cve_2025_69516

AttackerKB reference: CVE-2025-69516

Description: This adds an exploit module for CVE-2025-69516, a Jinja2 SSTI in Tactical RMM < 1.4.0 where the reporting template preview endpoint evaluates user-controlled templates without sandboxing, enabling authenticated RCE. The module logs in via the Knox API, auto-detects the API host from /env-config.js, and exploits the template preview feature.

MajorDoMo Remote Command Injection via cycle_execs Race Condition

Author: Valentin Lobstein (chocapikk@leakix.net)

Type: Exploit

Pull request: #21000 contributed by Chocapikk

Path: multi/http/majordomo_cmd_injection_rce

AttackerKB reference: CVE-2026-27175

Description: Adds three exploit modules for MajorDoMo, an open-source home automation platform. All three vulnerabilities are unauthenticated.

Enhancements and features (2)

  • #20852 from dledda-r7 - This adds encoder options for exploit and payload modules. It allows the user to select the encoder and modify its options when using an exploit or payload, without needing to add additional code to the module.
  • #20987 from sjanusz-r7 - Allows the AS-REP and Kerberoast modules to be run against a pre-existing LDAP session as well as RHOST values.

Bugs fixed (5)

  • #20740 from Chocapikk - This adds a new SRVSSL option to the HttpServer library, allowing SSL to be enabled for the HTTP server independently from the HTTP client.
  • #20830 from SilentSobs - This fixes a portability issue in Msf::Post::File.stat where the code incorrectly assumed a GNU stat output format.
  • #20940 from g0tmi1k - Fixes an issue where the > (file redirect) operator causes the exploit to fail. This updates the exploit to use tee to avoid that problematic operator, and also increases debug verbosity, simplifies code, adds documentation, and adds support for fetch payloads to gain Linux Meterpreter sessions.
  • #20946 from g0tmi1k - Corrects an issue where the revision value provided in the HTTP requests could fall outside the set of valid revision IDs; a revision value that is not an actual revision may result in a failed exploit. Also cleans up logic and increases debugging verbosity.
  • #21044 from adfoster-r7 - Fixes a crash when using db_import on a Nessus file containing protocols other than tcp or udp.

