

























This week's release includes five new modules, including a full unauthenticated RCE chain for Paperclip AI and a VS Code extension persistence technique. On the post-exploitation side, the new windows/local/ntlm_relay_2_self module coerces the local machine account to authenticate via OpenEncryptedFileRaw (WebDAV), relays that NTLM authentication to a Domain Controller's LDAP service, then uses the resulting LDAP session to write Shadow Credentials and obtain a Kerberos service ticket as Administrator via S4U2Proxy, enabling PsExec back to itself for SYSTEM access.
On the enhancement side, the new MCP server plugin lets AI tools assist operators directly within a running msfconsole instance, and module check codes now return richer detail for users.
Authors: Sagilayani https://github.com/sagilayani and h00die-gr3y [email protected]
Type: Exploit
Pull request: #21547 contributed by h00die-gr3y
Path: linux/http/paperclipai_unauth_rce_cve_2026_41679
AttackerKB reference: CVE-2026-41679
Description: Adds an exploit module for CVE-2026-41679 which exploits Paperclip. An unauthenticated attacker can achieve full remote code execution on any network-accessible Paperclip instance running in authenticated mode with default configuration. The entire chain is six API calls.
Author: bootstrapbool [email protected]
Type: Exploit
Pull request: #21371 contributed by bootstrapbool
Path: multi/http/xerte_unauthenticated_mediaupload
AttackerKB reference: CVE-2026-41459
Description: Exploits authentication failure (CVE-2026-34413), extension blacklist (CVE-2026-34415), and path traversal (CVE-2026-34414) vulnerabilities in Xerte Online Toolkits versions 3.15 and earlier.
Author: h00die
Type: Exploit
Pull request: #21465 contributed by h00die
Path: multi/persistence/vscode_extension
Description: Adds a new persistence module that achieves persistence by installing a malicious extension into a user's VS Code extensions directory. The next time the target opens VS Code, the extension executes and delivers a shell back to the attacker.
Author: jheysel-r7
Type: Exploit
Pull request: #21430 contributed by jheysel-r7
Path: windows/local/ntlm_relay_2_self
Description: Adds a module that exploits the NTLMRelay2Self attack. It requires a low-privilege user session on a Windows host.
Authors: 0xdeadbeefnetwork and bhaskarbhar
Type: Post
Pull request: #21472 contributed by bhaskarbhar
Path: linux/gather/cve_2026_46333_chage
AttackerKB reference: CVE-2026-46333
Description: Adds a post module that leverages CVE-2026-46333, a vulnerability in the Linux kernel whereby a race condition exists when tearing down a process. A local attacker can exploit this to obtain file handles they would not otherwise have access to. In the exploit, this is leveraged to leak the contents of the /etc/shadow file.
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。