Metasploit Wrap-Up 04/17/2026

Source: Rapid7

Analysis

Happy Friday - Seven New Metasploit Modules

We’re happy to announce that Metasploit Framework had a big week, landing seven new modules alongside various bug fixes and enhancements. This week’s highlights include RCE modules targeting AVideo, openDCIM, Selenium Grid/Selenoid, and ChurchCRM. On the post-exploitation side, Windows saw three new persistence techniques added as modules, targeting Telemetry scheduled tasks, PowerShell profiles, and Microsoft BITS. What a time to be alive as a Metasploit user! We wish you all a wonderful weekend and happy hacking.

New module content (7)

AVideo Unauthenticated SQL Injection Credential Dump

Authors: Valentin Lobstein chocapikk@leakix.net and arkmarta
Type: Auxiliary
Pull request: #21075 contributed by Chocapikk
Path: gather/avideo_catname_sqli
AttackerKB reference: CVE-2026-28501
Description: Adds an auxiliary module for CVE-2026-28501, an unauthenticated SQL injection in AVideo <= 22.0, along with a new BenchmarkBasedBlind SQLi mixin class and blind extraction improvements.

openDCIM install.php SQL Injection to RCE

Author: Valentin Lobstein chocapikk@leakix.net
Type: Exploit
Pull request: #21034 contributed by Chocapikk
Path: linux/http/opendcim_install_sqli_rce
AttackerKB reference: CVE-2026-28517
Description: This PR adds a new exploit module for openDCIM that chains three vulnerabilities (https://github.com/advisories/GHSA-mg2w-x76x-59h8, https://github.com/advisories/GHSA-prmh-rp39-qc4m, https://github.com/advisories/GHSA-428h-8xhf-g3cw) to achieve remote code execution.

Selenium Grid/Selenoid Unauthenticated RCE

Authors: Jon Stratton, Takahiro Yokoyama, Valentin Lobstein chocapikk@leakix.net, and Wiz Research
Type: Exploit
Pull request: #21003 contributed by Chocapikk
Path: linux/http/selenium_greed_rce
Description: This replaces the two separate Selenium Grid RCE modules (Chrome and Firefox) with a single unified module that auto-detects available browsers and selects the best attack vector.
The module targets unauthenticated Selenium Grid and Selenoid instances, supporting two techniques: a Firefox profile handler injection that works on all Grid versions including the latest (never patched since 2021), and a Chrome binary override for Grid versions prior to 4.11.0 and all Selenoid versions. No authentication is required.

ChurchCRM Database Restore RCE 6.2.0

Author: LucasCsmt
Type: Exploit
Pull request: #21095 contributed by LucasCsmt
Path: multi/http/churchcrm_db_restore_rce
AttackerKB reference: CVE-2025-68109
Description: Adds a new exploit module for CVE-2025-68109, targeting a file upload vulnerability inside ChurchCRM leading to an RCE. This module will work on version 6.2.0 of ChurchCRM and earlier.

Windows Persistence Bits Job

Author: h00die
Type: Exploit
Pull request: #20839 contributed by h00die
Path: windows/persistence/bits
Description: This adds a new persistence module that uses Microsoft BITS to maintain access to the system.

Powershell Profile Persistence

Author: madefourit
Type: Exploit
Pull request: #20933 contributed by madefourit
Path: windows/persistence/powershell_profile
Description: This adds a new persistence module that uses PowerShell profiles to maintain access.

Windows Telemetry Persistence

Author: h00die
Type: Exploit
Pull request: #20843 contributed by h00die
Path: windows/persistence/telemetry
Description: Adds a new persistence module, exploit/windows/persistence/telemetry, that abuses the Windows Telemetry scheduled task (Microsoft Compatibility Appraiser / CompatTelRunner) to establish persistence. The module writes a payload to disk and configures the telemetry task to execute it, resulting in a SYSTEM-level Meterpreter session either on the next scheduled run or immediately on demand. Requires an admin-level Meterpreter session on the target.

Enhancements and features (11)

#21078 from Chocapikk - Adds multiple improvements to the multi/http/churchcrm_install_unauth_rce module.
#21085 from dledda-r7 - This refactors the Block API code used by Windows payloads to leverage a new version of the hashing algorithm. This also fixes a bug whereby the MaximumLength field was used when calculating UNICODE_STRING names when it should have been the Length field.
#21236 from bcoles - Adds riscv64le and riscv32le architecture support to the fileless fetch payload adapter. This enables in-memory ELF execution via memfd_create on RISC-V Linux targets without writing to disk.
#21252 from zeroSteiner - Adds a new with_adcs_certificate_request method, now used by both the MsIcpr and WebEnrollment mixins, that abstracts away the enrollment process and takes a block that performs the actual request. The result is consolidation of messages and post-processing of the successfully issued certificate.
#21255 from mxnvel - This updates two Python payloads (cmd/unix/reverse_python and cmd/unix/reverse_python_ssl) to make the PythonPath option optional. When omitted, it defaults to a shim that will determine the appropriate version of Python at runtime using a small bash expression.
#21275 from adfoster-r7 - Adds multiple improvements to the cve_2025_14847_mongobleed module, such as adding a new dedicated check method, improved compression support detection as only zlib can be exploited, and resolving other false positives.
#21286 from Hemang360 - Adds a cleanup keyword argument to Msf::Post::File#mkdir so callers can skip automatic directory cleanup registration. This is useful when persistence modules create directories that should remain.
#21289 from sjanusz-r7 - Updates the db.hosts RPC call to now additionally include the comments associated with the host.
#21291 from sjanusz-r7 - Updates the module.info RPC call to now additionally include the notes associated with the module.
#21304 from adfoster-r7 - Improves multiple auxiliary module check code messages and statuses.
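
The length-field mix-up described in #21085 above, as an added example (not code from Metasploit or from the pull request). `ustr_t` mirrors the UNICODE_STRING layout; the hash is a stand-in chosen for illustration, not the Block API's algorithm, and the function names and sample buffers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Mirrors the Windows UNICODE_STRING layout; both length fields count BYTES. */
typedef struct {
    uint16_t Length;        /* bytes of valid UTF-16 text, terminator excluded */
    uint16_t MaximumLength; /* bytes allocated for Buffer (capacity) */
    const uint16_t *Buffer;
} ustr_t;

/* Stand-in multiply-and-add hash over UTF-16 code units (assumption: this is
 * NOT the framework's hashing algorithm, only something to show the effect). */
static uint32_t hash_units(const uint16_t *p, size_t bytes) {
    uint32_t h = 5381;
    for (size_t i = 0; i < bytes / sizeof(uint16_t); i++)
        h = h * 33u + p[i];
    return h;
}

/* Bug class: walks the whole allocation, so the terminator and any stale
 * data after it are mixed into the hash. */
uint32_t hash_name_by_capacity(const ustr_t *s) {
    return hash_units(s->Buffer, s->MaximumLength);
}

/* Corrected form: only the bytes that Length declares valid are hashed. */
uint32_t hash_name_by_length(const ustr_t *s) {
    return hash_units(s->Buffer, s->Length);
}

/* Constructed sample data: the same 5-character name in two allocations,
 * the second one larger and holding stale units after the terminator. */
static const uint16_t tight_buf[6] = { 'a', '.', 'd', 'l', 'l', 0 };
static const uint16_t roomy_buf[8] = { 'a', '.', 'd', 'l', 'l', 0, 'X', 'Y' };
const ustr_t tight = { 10, 12, tight_buf };
const ustr_t roomy = { 10, 16, roomy_buf };

int main(void) {
    printf("by Length:        %08x %08x\n",
           (unsigned)hash_name_by_length(&tight),
           (unsigned)hash_name_by_length(&roomy));
    printf("by MaximumLength: %08x %08x\n",
           (unsigned)hash_name_by_capacity(&tight),
           (unsigned)hash_name_by_capacity(&roomy));
    return 0;
}
```

Hashing by Length gives the same value for both strings; hashing by MaximumLength gives two different values for the same name, so a comparison against a precomputed hash depends on how the buffer happened to be allocated.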

Bugs fixed (4)

#21027 from SilentSobs - Fixes ELF shared object (elf-so) payload generation failing on 32-bit ARM Linux and RISC-V 32-bit LE targets. The _start entry point in the ARM LE template was landing at a non-word-aligned offset, which violates the architecture's 4-byte alignment requirement and caused the shared object to fail to load. The templates now use proper NASM align directives to ensure correct entry point alignment, and a similar fix is applied to the RISC-V 32-bit LE template.
#21268 from adfoster-r7 - Fixes a crash with a small number of auxiliary modules when the check method was run and the vulnerability wasn't present.
#21287 from zeroSteiner - Fixes the EXE templates that were rebuilt in https://github.com/rapid7/metasploit-framework/pull/20502 to work on legacy Windows targets like Server 2000 in case you find yourself in a combination hacking and time-travelling movie.
#21309 from sfewer-r7 - Fixes a false positive in the fortinet_fortiweb_create_admin module when detecting the presence of an authentication bypass via path traversal vulnerability in the Fortinet FortiWeb management interface.

Documentation added (1)

#20843 from h00die - Adds a new persistence module, exploit/windows/persistence/telemetry, that abuses the Windows Telemetry scheduled task (Microsoft Compatibility Appraiser / CompatTelRunner) to establish persistence. The module writes a payload to disk and configures the telemetry task to execute it, resulting in a SYSTEM-level Meterpreter session either on the next scheduled run or immediately on demand. Requires an admin-level Meterpreter session on the target.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

Pull Requests 6.4.126...6.4.128
Full diff 6.4.126...6.4.128

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.

Source Attribution

Originally published by Rapid7 on Apr 17, 2026.