Metasploit Update Adds Linux RC4 Exploit, BeyondTrust RCE & Registry Persistence Modules
Metasploit’s latest wrap-up on February 27, 2026, introduces new modules targeting critical flaws in enterprise tools and devices. This release emphasizes evasion techniques and persistence mechanisms alongside exploits for recent CVEs.
The update spotlights high-severity vulnerabilities with dedicated exploit modules. BeyondTrust Privileged Remote Access and Remote Support face unauthenticated command injection, Grandstream VoIP phones a stack buffer overflow, and the Ollama AI model server a path traversal; each module ends in full remote code execution.
New Exploit and Evasion Modules
Developers added a Linux ARM64 RC4 packer for stealthy in-memory ELF execution with sleep-based evasion against detection tools. Massimo Bertocchi’s module (PR #20964) encrypts payloads and unpacks them entirely in RAM on aarch64 systems.
BeyondTrust PRA/RS gains an unauthenticated RCE module (PR #20978) for CVE-2026-1731, which injects commands through crafted WebSocket messages; the module builds on a shared library of helper functions. Harsh Jaiswal and Jonah Burgess enhanced it to chain with legacy flaws. Attackers send malicious payloads to exposed endpoints and obtain command execution as the site user.
Grandstream GXP1600 modules (PR #20983) target CVE-2026-2329, a stack buffer overflow in the /cgi-bin/api.values.Get endpoint, yielding root shells on GXP1610 through GXP1630 handsets. sfewer-r7 included post-exploitation for credential theft and SIP traffic proxying to intercept calls.
Ollama’s module (PR #21006) weaponizes CVE-2024-37032: digest values in a pulled model manifest are not validated, so a rogue registry can supply digests containing path traversal sequences and write arbitrary files on the server, including a malicious .so library that is loaded on process spawn for root RCE. Sagi Tzadik and Valentin Lobstein demonstrated the rogue OCI registry hijacking.
| CVE ID | Affected Product | Severity (CVSS) | Description | Metasploit Module Path |
|---|---|---|---|---|
| CVE-2026-1731 | BeyondTrust PRA/RS | 9.9 | Unauthenticated command injection via WebSocket; executes as site user. | linux/http/beyondtrust_pra_rs_command_injection |
| CVE-2026-2329 | Grandstream GXP1600 series | 9.3 | Stack buffer overflow in HTTP API; unauthenticated root RCE. | linux/http/grandstream_gxp1600_unauth_rce |
| CVE-2024-37032 | Ollama <0.1.34 | High (7.5+) | Path traversal in model registry; writes arbitrary files for RCE. | linux/http/ollama_rce_cve_2024_37032 |
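To make the Ollama bug class concrete, here is an added example (mine, not the Metasploit module or Ollama’s own code) contrasting a digest handled the pre-fix way with a validated one. The blob directory, the manifest and the digest strings are constructed for the demonstration; the remedy shown, a strict digest grammar plus a containment test on the resolved path, is the generic fix for path traversal through identifier fields.

```python
import posixpath
import re

# Constructed for the example: where pulled blobs are stored. The real Ollama
# layout is not reproduced here; only the path handling matters.
BLOBS_DIR = "/var/lib/ollama/models/blobs"

# An OCI digest is "<algorithm>:<hex>"; for sha256 that is exactly 64 lowercase
# hex digits. Anything else is rejected before it touches the filesystem.
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")

# Constructed manifest: one legitimate config, one legitimate layer, and one
# layer whose "digest" is a traversal string aimed at the loader's preload list.
SAMPLE_MANIFEST = {
    "config": {"digest": "sha256:" + "ab" * 32},
    "layers": [
        {"digest": "sha256:" + "cd" * 32},
        {"digest": "../../../../../etc/ld.so.preload"},
    ],
}


def vulnerable_blob_path(digest: str) -> str:
    """Pre-fix behaviour: turn the digest into a filename with no validation.
    The '..' components survive the join, so the write lands outside BLOBS_DIR
    (normpath here only shows where the kernel would resolve it)."""
    return posixpath.normpath(posixpath.join(BLOBS_DIR, digest.replace(":", "-")))


def hardened_blob_path(digest: str) -> str:
    """Validate the digest grammar, then confirm the resolved path is still
    inside BLOBS_DIR. Either failure raises instead of producing a path."""
    if not DIGEST_RE.fullmatch(digest):
        raise ValueError(f"malformed digest: {digest!r}")
    path = posixpath.normpath(posixpath.join(BLOBS_DIR, digest.replace(":", "-")))
    if posixpath.commonpath([BLOBS_DIR, path]) != BLOBS_DIR:
        raise ValueError(f"digest escapes blob directory: {digest!r}")
    return path


def check_manifest(manifest: dict) -> tuple[list[str], list[str]]:
    """Return (accepted_paths, rejected_digests) for the config blob and every layer."""
    accepted, rejected = [], []
    for entry in [manifest.get("config", {})] + manifest.get("layers", []):
        digest = entry.get("digest", "")
        try:
            accepted.append(hardened_blob_path(digest))
        except ValueError:
            rejected.append(digest)
    return accepted, rejected


if __name__ == "__main__":
    evil = SAMPLE_MANIFEST["layers"][1]["digest"]
    print("vulnerable path:", vulnerable_blob_path(evil))
    ok, bad = check_manifest(SAMPLE_MANIFEST)
    print("accepted:", ok)
    print("rejected:", bad)
```

The grammar check alone would stop this particular payload; the containment test is kept because it also catches digests that pass a looser regex, for example one that allowed other algorithms or forgot to anchor the match.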
Metasploit Persistence Mechanisms
Two new persistence modules focus on cross-platform survival. h00die’s WSL startup folder module (PR #20819) writes a payload from a WSL Linux session into the Windows Startup folder, so it runs each time the user logs on to Windows; this suits hosts that run both environments.
The Windows Registry Active Setup module (PR #20841) abuses Active Setup, the mechanism Windows uses to run per-user setup commands at logon. A component registered under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components (writing it requires admin rights) has its StubPath executed once for each user, in that user’s context, the next time that user logs on. The module therefore trades an admin foothold for execution as every interactive user on the host, firing once per user rather than at every logon.
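As an added example (my own illustration, not the module’s code), the script below reproduces the decision explorer.exe makes at logon over a constructed registry snapshot: a component runs for a user when it is installed, has a StubPath, and is either missing from that user’s HKCU copy or recorded there with a lower Version. The GUIDs, paths and the trusted-prefix allowlist are assumptions for the demonstration; the same logic, fed from a real registry export, is a quick way to triage Active Setup persistence on a host.

```python
# Constructed sample of Active Setup state. GUIDs and paths are made up for the
# example and are not taken from a real host.
HKLM_INSTALLED_COMPONENTS = {
    "{11111111-2222-3333-4444-555555555555}": {
        "StubPath": r"%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\example.dll",
        "Version": "1,0,0,0",
        "IsInstalled": 1,
    },
    "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}": {
        "StubPath": r"C:\Users\Public\Libraries\update.exe",
        "Version": "1,0,1,0",  # bumped above the user's copy: fires again at next logon
        "IsInstalled": 1,
    },
    "{99999999-8888-7777-6666-555555555555}": {
        "StubPath": r"C:\ProgramData\disabled.exe",
        "Version": "1,0,0,0",
        "IsInstalled": 0,  # explicitly disabled: explorer skips it
    },
}

# What one interactive user has already recorded under
# HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components (constructed).
HKCU_INSTALLED_COMPONENTS = {
    "{11111111-2222-3333-4444-555555555555}": {"Version": "1,0,0,0"},
    "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}": {"Version": "1,0,0,0"},
}

# Assumed allowlist for the triage step; tune it to the estate being reviewed.
TRUSTED_PREFIXES = ("%systemroot%", r"c:\windows", r"c:\program files")


def parse_version(value: str) -> tuple:
    """Active Setup versions are comma-separated integers, e.g. "1,0,1,0"."""
    return tuple(int(part) for part in value.split(","))


def components_due_at_logon(hklm: dict, hkcu: dict) -> list:
    """Return (guid, StubPath) for each HKLM component that will run at this
    user's next logon: installed, has a StubPath, and either absent from HKCU
    or present there with a lower Version than the HKLM entry."""
    due = []
    for guid, comp in hklm.items():
        if comp.get("IsInstalled", 1) == 0 or not comp.get("StubPath"):
            continue
        machine_version = parse_version(comp.get("Version", "0"))
        user_entry = hkcu.get(guid)
        if user_entry is None or parse_version(user_entry.get("Version", "0")) < machine_version:
            due.append((guid, comp["StubPath"]))
    return due


def flag_untrusted(due: list) -> list:
    """Keep only entries whose command does not start under an allowlisted location."""
    return [(guid, path) for guid, path in due if not path.lower().startswith(TRUSTED_PREFIXES)]


if __name__ == "__main__":
    due = components_due_at_logon(HKLM_INSTALLED_COMPONENTS, HKCU_INSTALLED_COMPONENTS)
    for guid, path in flag_untrusted(due):
        print(f"will run at next logon, outside trusted paths: {guid} -> {path}")
```

Note the Version bump in the second entry: an attacker who already has a component registered can force it to run again for users who have already seen it simply by raising the HKLM Version, which is why a triage compares both hives rather than listing HKLM alone.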
Enhancements and Fixes Across Modules
Nine pull requests refined existing tools. g0tmi1k updated the vsftpd 2.3.4 backdoor (PR #20950) and UnrealIRCd 3.2.8.1 backdoor (PR #20952) modules with better check methods, Meterpreter support, and verbose logging. vsftpd now handles shell payloads reliably, and Unreal adds native sessions via the “AB” trigger.
The BeyondTrust RCE check improved for legacy versions (PR #20938). SolarWinds and MS17-010 scanners auto-configure hosts and add metadata (PRs #20988, #20992). LDAP and GraphQL modules fixed crashes and false positives (PRs #21014, #21010).
PR #21012 fixed GraphQL introspection handling of invalid responses, cutting false positives in auxiliary scanners. Documentation expanded with Samba chain reply details (CVE-2010-2063, PR #20832), an AI policy for GSoC (PR #20990), and Synology NAS examples (PR #21005).
This release bolsters red team workflows with reliable evasion, fresh RCE chains, and polished classics, urging admins to patch exposed BeyondTrust, Grandstream, and Ollama instances immediately.