The recent Metasploit update, unveiled on February 27, 2026, introduces a suite of tools designed to aid security professionals and penetration testers in their efforts. The update brings seven innovative modules, enhances nine existing features, and resolves several critical bugs.
Enhanced Exploit Modules
This release stands out with its introduction of remote code execution (RCE) exploits that target platforms such as Ollama, BeyondTrust, and Grandstream VoIP devices. These exploits are particularly notable for their advanced evasion tactics in Linux settings.
The update addresses high-severity vulnerabilities in enterprise and AI infrastructures. For instance, the Ollama Model Registry Path Traversal (CVE-2024-37032) flaw, with a CVSS score of 8.8, enables attackers to manipulate Ollama’s pull mechanism, leading to unauthorized root RCE after loading a malicious library.
Critical Vulnerabilities Addressed
Among the critical vulnerabilities, the BeyondTrust Privileged Remote Access and Remote Support appliances are affected by a command injection flaw (CVE-2026-1731), boasting a CVSS score of 9.9. This vulnerability allows unauthorized command execution, and the update incorporates a new helper library to facilitate future module development.
Additionally, the Grandstream GXP1600 VoIP devices face a stack overflow vulnerability (CVE-2026-2329), with a CVSS score of 9.3. This flaw enables attackers to gain root access, leading to potential credential theft and SIP traffic monitoring.
New Evasion and Persistence Features
A noteworthy addition is the first Linux evasion module for ARM64 architectures, utilizing RC4 encryption and memory execution of ELF binaries. The module employs sleep evasion to circumvent detection.
Furthermore, persistence modules for Windows and the Windows Subsystem for Linux (WSL) have been introduced. The WSL module implements payloads within the user’s startup folder, whereas the Windows Active Setup module uses OS features for payload execution, albeit with reduced permissions.
Improvements and Bug Fixes
Classic modules have received significant enhancements, including improved checking methods and native Meterpreter payloads for the Unreal IRCd and vsftpd backdoor modules. The SolarWinds exploit now automatically selects the appropriate SRVHOST, and a new check method enhances MS17-010 automation.
Bug fixes have also been applied to the LDAP ESC and GraphQL Introspection scanners, resolving previous issues such as crashes and false positives. These updates ensure a more efficient and reliable security testing process.
Stay updated with daily cybersecurity news by following us on Google News, LinkedIn, and X. Reach out to feature your cybersecurity stories.
