Metasploit Adds New Modules Targeting Linux RC4, BeyondTrust, and Registry Persistence

The latest Metasploit update, released on February 27, 2026, brings significant firepower to security professionals and penetration testers.

The release introduces seven new modules, nine feature enhancements, and critical bug fixes.

Standout additions include unauthenticated remote code execution (RCE) exploits for Ollama, BeyondTrust, and Grandstream VoIP devices, alongside advanced evasion techniques for Linux environments.

Critical Remote Code Execution Exploits

This update delivers powerful exploit chains targeting high-severity vulnerabilities across enterprise and artificial intelligence infrastructure.

Ollama Model Registry Path Traversal (CVE-2024-37032): Carrying a CVSS score of 8.8, this flaw allows an attacker to exploit Ollama’s pull mechanism using path traversal sequences.

The module hosts a rogue OCI registry that writes malicious shared object files onto the target. Forcing Ollama to spawn a new process then loads the malicious library, resulting in unauthenticated root RCE.

BeyondTrust PRA and RS Command Injection (CVE-2026-1731): This critical vulnerability carries a CVSS score of 9.9 and allows unauthenticated command injection in BeyondTrust Privileged Remote Access and Remote Support appliances.

The update also introduces a new BeyondTrust helper library to streamline future module development.

Grandstream GXP1600 Stack Overflow (CVE-2026-2329): Targeting VoIP devices, this critical flaw has a CVSS score of 9.3 and grants attackers a root session.

Rapid7's release includes one exploit module and two post-exploitation modules that leverage this access to steal credentials and proxy SIP traffic for packet capture.

| Module Name | CVE | Target | Module Type |
| --- | --- | --- | --- |
| Ollama Path Traversal RCE | CVE-2024-37032 | Linux / AI | Exploit |
| BeyondTrust PRA/RS RCE | CVE-2026-1731 | Appliances | Exploit |
| Grandstream GXP1600 RCE | CVE-2026-2329 | VoIP Devices | Exploit & Post |
| Linux RC4 Packer | N/A | ARM64 Linux | Evasion |
| WSL Startup Persistence | N/A | Windows / WSL | Exploit |
| Windows Active Setup | N/A | Windows | Exploit |

A major highlight is the introduction of the first Linux evasion module for ARM64 architectures.

The Linux RC4 Packer utilizes RC4 encryption, executes ELF binaries directly in memory, and employs sleep evasion to bypass detection mechanisms.

Additionally, new persistence modules were added for Windows and the Windows Subsystem for Linux (WSL). The WSL module writes payloads to the user’s startup folder.

Meanwhile, the Windows Registry Active Setup module launches payloads using native OS features. However, it downgrades permissions to user level and only executes once per user profile.
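The two persistence locations described above (Active Setup registry components and the per-user Startup folder) can be audited from a defender's side. The following PowerShell script is an added example, not code from the Metasploit release or Rapid7; the registry paths are the standard Active Setup locations, while the "runs on next logon" logic and the path heuristic are simplifications I chose for illustration.

```powershell
# Added example: audit Active Setup components and the user's Startup folder.
# Active Setup runs each component's StubPath once per user profile: when the
# HKCU copy of the component is missing, or its Version is older than HKLM's.
$hklm = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
$hkcu = 'HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components'

function Get-ActiveSetupAudit {
    foreach ($comp in Get-ChildItem -Path $hklm -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $comp.PSPath
        if (-not $props.StubPath) { continue }          # nothing executes at logon
        $id = $comp.PSChildName
        $userProps = Get-ItemProperty -Path (Join-Path $hkcu $id) -ErrorAction SilentlyContinue
        # Simplification: treat any version mismatch as "will run at next logon".
        $pending = (-not $userProps) -or
                   ([string]$props.Version -ne [string]$userProps.Version)
        # Heuristic: stubs outside the OS and Program Files trees deserve review
        # (note that C:\Windows\Temp still matches and should be reviewed by hand).
        $review = $props.StubPath -notmatch '^"?(C:\\Windows|C:\\Program Files)'
        [pscustomobject]@{
            Component  = $id
            StubPath   = $props.StubPath
            Version    = $props.Version
            PendingRun = $pending
            Review     = $review
        }
    }
}

function Get-StartupFolderAudit {
    # Per-user Startup folder, the location the WSL persistence module writes to.
    $startup = [Environment]::GetFolderPath('Startup')
    Get-ChildItem -Path $startup -File -Force -ErrorAction SilentlyContinue |
        Select-Object Name, Length, LastWriteTime,
            @{ n = 'SHA256'; e = { (Get-FileHash $_.FullName -Algorithm SHA256).Hash } }
}

# Show only components that will fire or look out of place, then the Startup folder.
Get-ActiveSetupAudit | Where-Object { $_.PendingRun -or $_.Review } | Format-Table -AutoSize
Get-StartupFolderAudit | Format-Table -AutoSize
```

On 64-bit hosts, also check the Wow6432Node copy of the Active Setup key, which this script does not enumerate.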

Key Enhancements and Fixes

Classic vulnerability modules received major quality-of-life improvements. The Unreal IRCd and vsftpd backdoor modules gained better check methods, native Meterpreter payloads, and verbose troubleshooting output.

The SolarWinds exploit was improved to automatically select the correct SRVHOST value, and a check method was added to the MS17-010 scanner for better automation metadata.

Additionally, the execution file was split to provide a more granular approach to handling different platforms and architectures. Finally, bug fixes were applied to the LDAP ESC and GraphQL Introspection scanners, eliminating crashes and false positives.
