Metasploit Framework Update Delivers Critical RCE Modules and Evasion Tools

Home » News

Yash

News

2 min. read

Published on March 1, 2026

Metasploit released seven new modules on February 27, 2026 targeting high-value enterprise infrastructure. Penetration testers gain unauthenticated RCE exploits for Ollama AI servers, BeyondTrust appliances, and Grandstream VoIP devices. Rapid7 also introduced ARM64 Linux evasion and Windows persistence techniques. The update includes nine enhancements and multiple bug fixes.

Security teams now test critical vulnerabilities across AI, privileged access management, and telephony systems. Ollama’s path traversal flaw grants root shells. BeyondTrust appliances face command injection at CVSS 9.9. Grandstream VoIP devices yield root sessions plus credential harvesting.

Linux defenders face new challenges from the first ARM64 evasion payload. Windows admins must audit WSL startup folders and Active Setup registry entries. Classic modules received automation improvements.

New Exploit Modules

Three critical RCE modules headline the release.

Module Name	CVE ID	Target Platform	CVSS Score	Capabilities
Ollama Path Traversal RCE	CVE-2024-37032	Linux/AI Server	8.8	Root RCE via OCI
BeyondTrust PRA/RS Injection	CVE-2026-1731	PAM Appliances	9.9	Unauth command exec
Grandstream GXP1600 Overflow	CVE-2026-2329	VoIP Devices	9.3	Root + creds + SIP

Evasion and Persistence

New techniques challenge endpoint detection.

Technique	Platform	Method
Linux RC4 Packer	ARM64 Linux	RC4 encryption, memory ELF exec
WSL Startup	Windows/WSL	Startup folder payload drop
Windows Active Setup	Windows	Registry single-use persistence

RC4 packer evades sleep monitoring. WSL module survives reboots. Active Setup downgrades to user context.

Post-Exploitation Capabilities

Grandstream modules extend beyond initial access:

Credential harvesting from VoIP configs
SIP traffic proxy for packet capture
Root session establishment

BeyondTrust library accelerates future PAM testing.

Module Enhancements

Classic exploits improved significantly:

Unreal IRCd, vsftpd backdoor: Native Meterpreter, better checks
SolarWinds: Auto SRVHOST detection
MS17-010 scanner: Automation metadata added
LDAP ESC, GraphQL scanners: Crash fixes

Execution binary split supports multi-arch deployments.

Red Team Impact

Penetration testers gain:

AI infrastructure testing (Ollama)
Privileged access validation (BeyondTrust)
VoIP compromise simulation (Grandstream)
ARM64 Linux evasion capability
Native Windows persistence options

Blue teams validate defenses against latest techniques.

Pentester Workflow

Immediate Testing Priorities:

use exploit/linux/http/ollama_path_traversal
use exploit/linux/misc/beyondtrust_pra_rs_cmd_injection
use exploit/linux/misc/grandstream_gxp1600_overflow
use evasion/linux/arm64/rc4_packer

Update Metasploit immediately:

tmsfupdate

FAQ

What is the most critical new Metasploit module?

BeyondTrust PRA/RS at CVSS 9.9 unauthenticated RCE.

Which platforms gain new evasion coverage?

ARM64 Linux RC4 packer, first of its kind.

What VoIP vulnerability received modules?

Grandstream GXP1600 stack overflow CVE-2026-2329.

Do persistence modules survive reboots?

Yes, WSL startup and Active Setup both persist.

Where to download latest Metasploit?

metasploit

Yash

I am a Business Analytics student with a strong interest in publishing well-researched and data-driven news articles. I focus on analyzing trends in business, finance, and technology to create clear, accurate, and engaging content for readers. I enjoy transforming complex data and information into simple, meaningful stories that help audiences understand current developments. With analytical thinking and attention to detail, I aim to deliver credible and insightful news that adds real value to readers.

Readers help support VPNCentral. We may get a commission if you buy through our links.

Improve this guide

User forum

0 messages

Sort by: