Full-Time
Provides cloud-based security analytics and automation
No salary listed
Florida, USA + 1 more
More locations: Virginia, USA
Hybrid
Rapid7 provides cloud-based tools for visibility, analytics, and automation to help security teams protect organizations. Its Insight Cloud collects telemetry from networks and systems to identify vulnerabilities, detect malicious activity, investigate incidents, and automate tasks. The company combines threat analytics, vulnerability management, and security automation in a single platform, sold via subscriptions to enterprises and government agencies worldwide. Unlike some competitors with separate tools, Rapid7 focuses on an integrated cloud-native platform that automates routine security work to improve efficiency and incident response.
Company Size
1,001-5,000
Company Stage
IPO
Headquarters
Boston, Massachusetts
Founded
2000
Health Insurance
Dental Insurance
Vision Insurance
Unlimited Paid Time Off
Flexible Work Hours
Remote Work Options
Paid Vacation
Paid Holidays
Sabbatical Leave
Company Equity
Stock Options
401(k) Retirement Plan
401(k) Company Match
Wellness Program
Mental Health Support
Gym Membership
Professional Development Budget
Conference Attendance Budget
Training Programs
Tuition Reimbursement
Metasploit wrap-up 04/03/2026

Additional adapters and more modules

This week, Rapid7, Inc. added a whole new bunch of HTTP/HTTPS-based CMD payloads for X64 and X86 versions of Windows. The additional breadth of selectable payloads and delivery techniques allows users new options to tailor the attack workflow for their environment. This was contributed by bwatters-r7. Adding new architectures for adapted payloads is surprisingly easy and something a first-time contributor might want to look into!

New modules added to Metasploit Framework also allow for targeting FreeScout and Grav CMS, both of which result in remote code execution. These modules were contributed by Chocapikk and x1o3 respectively. Thanks!

Thanks to g0tmi1k, Metasploit Framework now also includes an exploit module, multi/http/os_cmd_exec, which allows for targeting generic HTTP command execution vulnerabilities where user-supplied input is directly passed to system execution functions via an HTTP request. This can result in a Meterpreter shell on the remote target.

To round this week off, Rapid7, Inc. has a new persistence technique on Windows, thanks to Nayeraneru, which abuses the HKCU\Environment\UserInitMprLogonScript registry value to execute a payload at user logon.

New module content (5)

FreeScout unauthenticated RCE via ZWSP .htaccess bypass
Authors: Moses Bhardwaj (MosesOX), Nir Zadok (nirzadokox), Valentin Lobstein, and offensiveee
Type: Exploit
Path: multi/http/freescout_htaccess_rce
Description: This adds an exploit module for CVE-2026-28289, an unauthenticated remote code execution vulnerability in FreeScout versions prior or equal to 1.8.206.

Grav CMS Admin Direct Install authenticated plugin upload RCE
Type: Exploit
Pull request: #21029 contributed by x1o3
Path: multi/http/grav_admin_direct_install_rce_cve_2025_50286
Description: This adds a new exploit module for CVE-2025-50286, an authenticated RCE vulnerability in Grav CMS 1.1.x-1.7.x with Admin Plugin 1.2.x-1.10.x. The module exploits the Direct Install feature to upload a malicious plugin ZIP and execute an arbitrary PHP payload as the web server user.

Generic HTTP command execution
Type: Exploit
Path: multi/http/os_cmd_exec
Description: Adds a new exploits/multi/http/os_cmd_exec module that targets generic HTTP command execution vulnerabilities where user-supplied input is directly passed to system execution functions via an HTTP request.

Windows persistence via userinitmprlogonscript
Type: Exploit
Path: windows/persistence/userinit_mpr_logon_script
Description: This adds a new Windows persistence module that abuses the HKCU\Environment\UserInitMprLogonScript registry value to execute a payload at user logon.

HTTP and HTTPS fetch
Authors: Brendan Watters, Chris John Riley, hdm, sf, and vlad902
Type: Payload (Adapter)
Description: This adds HTTP and HTTPS fetch payloads for 32-bit Windows targets.

Enhancements and features (8)

* #20999 from Aaditya1273 - Removes the legacy windows/local/persistence module, which has been superseded by the modernized windows/persistence/registry module. A moved_from alias ensures that existing scripts and workflows referencing the old module path are automatically redirected to the new one with a deprecation warning.
* #21090 from g0tmi1k - Updates multiple modules to make use of report_service.
* #21097 from g0tmi1k - Updates auxiliary/scanner/ftp/anonymous.rb to report the FTP service regardless of anonymous being enabled.
* #21144 from Nayeraneru - Improves YARD documentation for lib/msf/core/auxiliary/web/http.rb by documenting the Request and Response helpers, the public HTTP request APIs, and the internal custom-404/request-handling flow.
* #21145 from Nayeraneru - Adds YARD docs to lib/msf/core/auxiliary/auth_brute.rb, focusing on the AuthBrute mixin's credential-building, brute-force state, logging, and cleanup helpers.
* #21150 from Nayeraneru - Adds YARD documentation to lib/msf/core/payload/adapter/fetch.rb to improve consistency and clarify how the fetch adapter generates URIs, builds fetch commands, and resolves platform-specific execution behavior.
* #21194 from bcoles - This updates the post/linux/gather/enum_protections module by adding documentation and additional checks for modern protections and applications.
* #21214 from adfoster-r7 - Adds additional validation to db_import before attempting to import values.
* #21048 from zeroSteiner - Not written - add release notes directly to the pull request, then regenerate. Do not edit manually without ensuring the pull request has the release note present.

Bugs fixed (6)

* #21004 from EclipseAditya - This fixes a bug in the #normalize_key method provided by the Windows Registry mixin. The result is correct behavior when using shell sessions to check for keys with trailing \ characters.
* #21138 from g0tmi1k - Fixes a bug that stopped the auxiliary/server/dhcp module from running as a background job when RHOSTS had been set.
* #21188 from adfoster-r7 - Fixes a crash on older Ruby versions when scanning binary files.
* #21199 from Hemang360 - Fixes crash in auxiliary/scanner/http/wp_perfect_survey_sqli when run against invalid or unreachable targets.
* #21207 from zeroSteiner - Fixes warning when running the linux/gather/enum_protections module.
* #21208 from adfoster-r7 - Fixes multiple warnings in modules that reported notes incorrectly.
* #21073 from Hemang360 - Fixes a bug where running exploit/multi/handler with a reverse HTTP/HTTPS payload multiple times on the same port caused cleanup issues.

Documentation added (6)

* #21149 from Adithyadspawar - Adds documentation to the following login scanners: ftp/bison_ftp_traversal, http/apache_activemq_traversal, http/coldfusion_version, http/drupal_views_user_enum and http/elasticsearch_traversal.
* #21186 from Devansh7006 - Adds documentation for the wordpress_pingback_access module.
* #21187 from Devansh7006 - Updates documentation for auxiliary/scanner/http/http_put.
* #21200 from dineshg0pal - Updates the example code snippet for writing Metasploit Go modules.
* #21201 from aryan9190 - Adds YARD documentation for Rex::Post::IO class.
* #21217 from dineshg0pal - Fixes minor errors in documentation files.

You can always find more documentation on its docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro
RSAC 2026 | Rapid 7 - San Francisco, CA

Rapid7 & Boothtube secure the spotlight at RSAC 2026 with the Roaming AI Photo Bot

The RSA Conference (RSAC) remains the premier global stage for cybersecurity, where the industry's top innovators gather at the Moscone Center in San Francisco to redefine cloud security. At RSAC 2026, the competition for attention on the expo floor was higher than ever. Rapid7, a powerhouse in the tech field, wanted to provide a high-tech, interactive experience that mirrored their forward-thinking approach to security. Their goal was to move beyond the traditional booth setup and engage with attendees in a way that was impossible to ignore.

To achieve this, Rapid7 partnered with Boothtube to introduce "Missy" - its sophisticated Roaming AI Photo Bot. Instead of waiting for lead traffic to come to them, Rapid7 took the experience directly to the crowd. Missy became an instant icebreaker, navigating the busy convention floor and drawing the eyes of thousands of cybersecurity professionals.

The user journey was seamless and futuristic: guests would approach the bot, select their experience on the large screen, and strike a pose. Its advanced AI then went to work, instantly transforming the guest's photo into a hyper-styled, futuristic "Rapid Speedster" - a custom AI persona designed specifically for the Rapid7 theme. The result was a stunning, pro-quality masterpiece delivered in seconds, creating a "wow" factor that resonated across the entire Moscone Center.

The future of mobile engagement: the Roaming AI Photo Bot

Missy is a unique innovation in the world of event technology. As a mobile robot equipped with a high-quality internal camera and a massive 4K touch-screen display, she offers a level of interaction that stationary booths simply cannot match. Throughout the three-day conference, Missy roamed flawlessly through the crowds, inviting attendees to engage with her customizable interface.

* Custom AI Branding: The "Rapid Speedster". By leveraging generative AI, Boothtube provided guests with more than just a photo; Boothtube gave them a digital identity tied to the Rapid7 brand. Turning attendees into "Rapid Speedsters" created a deep, personalized connection to the conference theme, resulting in a high-value keepsake that guests were proud to keep.
* Social Media Buzz & Lead Generation. The activation was a powerhouse for digital growth. Rapid7 integrated the photos into a massive LinkedIn community activity, where guests shared their AI portraits to win exclusive prizes. This strategy drove immense brand awareness and generated high-quality social media content that extended the event's reach far beyond the physical venue.
* Seamless Physical & Digital Delivery. To provide maximum value, Missy delivered both instant digital copies for social sharing and high-quality physical prints on the spot. This dual-delivery system ensured that the Rapid7 message stayed on top of mind, whether the guest was scrolling through their phone or looking at their printed souvenir back at the office.
Rapid7 (RPD) grants JANA board nominee, caps stake at 19.9% through 2027

Rhea-AI Filing summary

Rapid7, Inc. entered into a Nomination and Support Agreement with JANA Partners Management, LP on March 26, 2026. The company will include JANA's nominee, Kevin Galligan, in its recommended slate for election to the board at the 2026 annual meeting and will support his election on the same basis as other board nominees. JANA agreed not to acquire more than 19.9% of Rapid7's outstanding common stock without prior board consent and to vote its shares at the 2026 annual meeting for Galligan and a specified list of incumbent and mutually agreed nominees. The agreement remains in effect until the earlier of January 8, 2027 or thirty days before the start of the advance notice period for director nominations for the 2027 annual meeting.

Insights

Rapid7 strikes a board-slate and ownership agreement with JANA through early 2027. Rapid7 is formalizing its relationship with JANA Partners by granting board representation to JANA's nominee, Kevin Galligan, for the 2026 annual meeting. In return, JANA accepts limits on its ownership stake and commits to support a defined slate of directors. The 19.9% ownership cap constrains how large a position JANA can hold without board consent, while references to Delaware General Corporation Law Section 203 clarify how business-combination restrictions are addressed. The voting commitments give the company greater certainty about the 2026 director election outcome. The agreement's term runs until January 8, 2027 or shortly before Rapid7's 2027 nomination window, so its influence is time-bound. Future company disclosures may show whether this collaboration leads to strategic or operational changes, but those outcomes are not detailed in this document.

8-K event classification

2 items: 1.01, 9.01
03/30/2026 - 05:29 PM

FAQ

What did Rapid7 (RPD) agree with JANA Partners in this 8-K filing?
Rapid7 entered into a Nomination and Support Agreement with JANA Partners. The company will include JANA's nominee, Kevin Galligan, in its recommended director slate for the 2026 annual meeting and support him on terms no less favorable than other board nominees.

Who is the JANA nominee to Rapid7's board and how will he be treated?
The JANA nominee is Kevin Galligan. Rapid7 agreed to place him in its 2026 annual meeting director slate and to recommend, support, and solicit proxies for his election in the same manner, and on terms no less favorable, as for the board's other nominees.

What ownership limits apply to JANA under the Rapid7 Nomination and Support Agreement?
JANA agreed not to acquire securities that would give it beneficial or other ownership of more than 19.9% of Rapid7's outstanding common stock without prior board consent. The agreement notes board approval of ownership up to this 19.9% level for Delaware Section 203 business-combination purposes.

How is JANA required to vote its Rapid7 shares at the 2026 annual meeting?
JANA must vote all Rapid7 common shares it beneficially owns, and controls voting for, in favor of a specified slate of directors. This includes the JANA nominee and named incumbents such as Corey E. Thomas and others, plus any mutually agreed nominee, and no other director candidates.

When does Rapid7's Nomination and Support Agreement with JANA end?
The agreement terminates at the earlier of two dates. It ends either on January 8, 2027, or thirty calendar days before the beginning of Rapid7's advance notice period for stockholder nominations of directors for the company's 2027 annual meeting.

How does Delaware General Corporation Law Section 203 relate to this Rapid7 agreement?
The agreement states that Rapid7's board has approved JANA's ownership of voting stock up to 19.9% in connection with the agreement. This approval addresses business-combination restrictions that Delaware General Corporation Law Section 203 would otherwise impose on significant stockholders.

Filing exhibits & attachments

4 documents
Agreements & contracts.
Citi has lowered its price target on Rapid7 (NASDAQ:RPD) to $7 from $11.50, maintaining a Neutral rating. The adjustment follows discussions with the company's investor relations team, citing concerns about first-quarter and full-year 2026 outlook due to ongoing go-to-market changes, execution risks, continued customer churn and limited near-term catalysts. Rapid7, a cybersecurity software provider, recently announced updates to its 2026 PACT Partner Programme to strengthen channel partnerships and support growth in AI-integrated security solutions. Last month, the company reported fourth-quarter non-GAAP earnings per share of 44 cents, beating the 42-cent consensus, with revenue of $217 million against expectations of $215.17 million. Chief executive Corey Thomas highlighted continued traction in AI-driven security operations.
Rapid7, a cybersecurity operations company, has granted inducement awards to employees and contractors of Kenzo Security following its acquisition of the firm on 26 March 2026. The awards comprised 467,945 restricted stock units in aggregate, plus 525,769 performance-based restricted stock units each to Kenzo founders Harish Singh and Partha Naidu. The RSUs vest in thirds over three years, whilst the PSUs will be earned over two annual performance periods beginning 1 January 2027, based on Rapid7's managed MDR and SIEM recurring revenue goals. The grants were approved by Rapid7's Compensation Committee under Nasdaq Listing Rule 5635(c)(4) as material inducement for Kenzo personnel to join Rapid7.