Metasploit Wrap-Up 03/27/2026

The Metasploit Framework released an update enhancing SMB NTLM relaying capabilities, improving compatibility with Linux smbclient and RubySMB for credential access operations. Three new exploit modules were introduced targeting specific vulnerabilities. These include an unauthenticated command injection flaw in ESC/POS printers (CVE-2026-23767), an unauthenticated remote code execution vulnerability in Eclipse Che machine-exec services affecting Red Hat OpenShift DevSpaces (CVE-2025-12548), and a command injection issue in Barracuda Email Security Gateway appliances via TAR filenames (CVE-2023-2868). While no specific threat actors are attributed to active campaigns leveraging these updates, the availability of these exploits within a public framework increases the risk of opportunistic attacks. Organizations utilizing affected systems should prioritize patching and network segmentation to mitigate potential unauthorized access and command execution risks associated with these newly weaponized vulnerabilities.

Better NTLM Relaying Functionality This week’s release brings an improvement to the SMB NTLM relay server. In the past, it’s support has been expanded with modules for relaying to HTTP (ESC8), MSSQL and LDAP while still receiving connections over the humble SMB service. Prior to this release, clients required a key behavior in how they handled SMB’s STATUS_NETWORK_SESSION_EXPIRED error code, in order to relay a single authentication attempt to multiple targets. Most clients other than Window’s “net use” do not handle these errors and were thus incompatible with Metasploit SMB NTLM relaying capabilities. Now, when a single target is specified, Metasploit alters its relaying strategy to forward the Net-NTLM messages immediately, making it compatible with a broader range of clients including Linux’s smbclient. In addition, the client in RubySMB was updated to mimic the behaviour of “net use” allowing authentication attempts from RubySMB to be relayed to multiple targets successfully. New module content (3) ESC/POS Printer Command Injector Author: FutileSkills Type: Auxiliary Pull request: #20478 contributed by futileskills Path: admin/printer/escpos_tcp_command_injector Description: Adds a new auxiliary module that exploits CVE-2026-23767, an unauthenticated ESC/POS command vulnerability in networked Epson-compatible printers. The vulnerability allows an attacker to send crafted commands over the network to inject custom ESC/POS print commands, which are used in various receipt printers. Eclipse Che machine-exec Unauthenticated RCE Authors: Greg Durys [email protected] and Richard Leach Type: Exploit Pull request: #20835 contributed by GregDurys Path: linux/http/eclipse_che_machine_exec_rce AttackerKB reference: CVE-2025-12548 Description: This adds a module for CVE-2025-12548, an unauthenticated RCE in the Eclipse Che machine-exec service. The vulnerability allows attackers to connect over WebSocket on port 3333 and execute commands via JSON-RPC without authentication. This affects Red Hat OpenShift DevSpaces environments. Barracuda ESG TAR Filename Command Injection Authors: Curt Hyvarinen, Mandiant, and cfielding-r7 Type: Exploit Pull request: #21033 contributed by Alpenlol Path: linux/smtp/barracuda_esg_tarfile_rce AttackerKB reference: CVE-2023-2868 Description: Adds exploit module for CVE-2023-2868, a command injection vulnerability in Barracuda Email Security Gateway (ESG) appliances. Filenames in TAR attachments are passed to shell commands without sanitization, allowing RCE via backtick injection. Enhancements and features (1) #21049 from h00die - This updates post modules to use an API that will expand multiple environment variables when set within the WritableDir option. Bugs fixed (5) #20967 from jheysel-r7 - This fix an issue that prevents successful authentication relay from Ruby SMB Client and smbclient. These clients are now compatible with Msf::Exploit::Remote::SMB::RelayServer. #21148 from adfoster-r7 - Fixes a bug where setting VERBOSE logging as false globally would still cause verbose logging to occur. #21169 from SaiSakthidar - This fixes a bug that was preventing Mach-O binaries from being identified due to a Ruby string encoding compatibility problem. #21173 from msutovsky-r7 - Fixes a crash when attempting to generate a vbs payload with msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=44 -f vbs. #21174 from adfoster-r7 - Fixes a bug when parsing msfconsole's -x flag when additional semicolons are present that are not meant to separate commands. i.e. msfconsole -x 'set option_name "a;b"'. Documentation You can find the latest Metasploit documentation on our docsite at docs.metasploit.com . Get it As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub: Pull Requests 6.4.123...6.4.124 Full diff 6.4.123...6.4.124 If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro

The Metasploit Framework released an update enhancing SMB NTLM relaying capabilities, improving compatibility with Linux smbclient and RubySMB for credential access operations. Three new exploit modules were introduced targeting specific vulnerabilities. These include an unauthenticated command injection flaw in ESC/POS printers (CVE-2026-23767), an unauthenticated remote code execution vulnerability in Eclipse Che machine-exec services affecting Red Hat OpenShift DevSpaces (CVE-2025-12548), and a command injection issue in Barracuda Email Security Gateway appliances via TAR filenames (CVE-2023-2868). While no specific threat actors are attributed to active campaigns leveraging these updates, the availability of these exploits within a public framework increases the risk of opportunistic attacks. Organizations utilizing affected systems should prioritize patching and network segmentation to mitigate potential unauthorized access and command execution risks associated with these newly weaponized vulnerabilities. Better NTLM Relaying Functionality This week’s release brings an improvement to the SMB NTLM relay server. In the past, it’s support has been expanded with modules for relaying to HTTP (ESC8), MSSQL and LDAP while still receiving connections over the humble SMB service. Prior to this release, clients required a key behavior in how they handled SMB’s STATUS_NETWORK_SESSION_EXPIRED error code, in order to relay a single authentication attempt to multiple targets. Most clients other than Window’s “net use” do not handle these errors and were thus incompatible with Metasploit SMB NTLM relaying capabilities. Now, when a single target is specified, Metasploit alters its relaying strategy to forward the Net-NTLM messages immediately, making it compatible with a broader range of clients including Linux’s smbclient. In addition, the client in RubySMB was updated to mimic the behaviour of “net use” allowing authentication attempts from RubySMB to be relayed to multiple targets successfully. New module content (3) ESC/POS Printer Command Injector Author: FutileSkills Type: Auxiliary Pull request: #20478 contributed by futileskills Path: admin/printer/escpos_tcp_command_injector Description: Adds a new auxiliary module that exploits CVE-2026-23767, an unauthenticated ESC/POS command vulnerability in networked Epson-compatible printers. The vulnerability allows an attacker to send crafted commands over the network to inject custom ESC/POS print commands, which are used in various receipt printers. Eclipse Che machine-exec Unauthenticated RCE Authors: Greg Durys [email protected] and Richard Leach Type: Exploit Pull request: #20835 contributed by GregDurys Path: linux/http/eclipse_che_machine_exec_rce AttackerKB reference: CVE-2025-12548 Description: This adds a module for CVE-2025-12548, an unauthenticated RCE in the Eclipse Che machine-exec service. The vulnerability allows attackers to connect over WebSocket on port 3333 and execute commands via JSON-RPC without authentication. This affects Red Hat OpenShift DevSpaces environments. Barracuda ESG TAR Filename Command Injection Authors: Curt Hyvarinen, Mandiant, and cfielding-r7 Type: Exploit Pull request: #21033 contributed by Alpenlol Path: linux/smtp/barracuda_esg_tarfile_rce AttackerKB reference: CVE-2023-2868 Description: Adds exploit module for CVE-2023-2868, a command injection vulnerability in Barracuda Email Security Gateway (ESG) appliances. Filenames in TAR attachments are passed to shell commands without sanitization, allowing RCE via backtick injection. Enhancements and features (1) #21049 from h00die - This updates post modules to use an API that will expand multiple environment variables when set within the WritableDir option. Bugs fixed (5) #20967 from jheysel-r7 - This fix an issue that prevents successful authentication relay from Ruby SMB Client and smbclient. These clients are now compatible with Msf::Exploit::Remote::SMB::RelayServer. #21148 from adfoster-r7 - Fixes a bug where setting VERBOSE logging as false globally would still cause verbose logging to occur. #21169 from SaiSakthidar - This fixes a bug that was preventing Mach-O binaries from being identified due to a Ruby string encoding compatibility problem. #21173 from msutovsky-r7 - Fixes a crash when attempting to generate a vbs payload with msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=44 -f vbs. #21174 from adfoster-r7 - Fixes a bug when parsing msfconsole's -x flag when additional semicolons are present that are not meant to separate commands. i.e. msfconsole -x 'set option_name "a;b"'. Documentation You can find the latest Metasploit documentation on our docsite at docs.metasploit.com . Get it As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub: Pull Requests 6.4.123...6.4.124 Full diff 6.4.123...6.4.124 If you are a git user, you can clone...