Metasploit Wrap-Up 04/10/2026

The Metasploit Framework released an update incorporating new exploit modules for critical vulnerabilities, including a zero-day authentication bypass in Cisco Catalyst SD-WAN Controllers (CVE-2026-20127) recently exploited in the wild. Additionally, modules targeting osTicket arbitrary file read (CVE-2026-22200) and Active Directory Certificate Services (ADCS) web enrollment were added. Enhancements to Windows service-for-user persistence and LDAP reporting improve attacker capability simulation. While no specific threat actors were identified, the weaponization of actively exploited vulnerabilities increases risk for unpatched systems. Organizations should prioritize patching Cisco SD-WAN and osTicket instances. Security teams must monitor for exploitation attempts leveraging these new public modules. The update also improves msfvenom performance and PHP Meterpreter functionality, enabling more sophisticated post-exploitation activities. Immediate mitigation involves applying vendor patches and restricting access to management interfaces. Defenders should audit ADCS configurations.

Speedup Improvements of MSFVenom & New Modules This week, we have added new modules to Metasploit Framework targeting Cisco Catalyst SD-WAN controllers and osTicket as well as updates and improvements to Windows service-for-user persistence, and LDAP/ADCS-related modules to automatically report related services resulting in an improved data stream, which can be queried by using the services command. We also landed an improvement to msfvenom’s bootup time, thanks to bcoles , resulting in an approximate two-times speedup. New module content (4) AD/CS Authenticated Web Enrollment Services Module Authors: Spencer McIntyre, bwatters-r7, and jhicks-r7 Type: Auxiliary Pull request: #20752 contributed by bwatters-r7 Path: admin/http/web_enrollment_cert Description: This adds a new auxiliary/admin/http/web_enrollment_cert modules that allows certificates to be issued from an Active Directory Certificate Services Web Enrollment portal. Its usage is the same as the auxiliary/admin/http/icpr_cert module but enables operators to issue certificates when the web enrollment portal is accessible but the MS-ICPR service is not. Cisco Catalyst SD-WAN Controller Authentication Bypass Author: sfewer-r7 Type: Auxiliary Pull request: #21158 contributed by sfewer-r7 Path: admin/networking/cisco_sdwan_auth_bypass AttackerKB reference: CVE-2026-20127 Description: This adds an auxiliary module to exploit an authentication bypass vulnerability, CVE-2026-20127, affecting Cisco Catalyst SD-WAN Controller. Recently exploited in the wild as a zero-day. osTicket Arbitrary File Read via PHP Filter Chains in mPDF Authors: Arkaprabha Chakraborty <@t1nt1nsn0wy> and HORIZON3.ai Team Type: Auxiliary Pull request: #20948 contributed by ArkaprabhaChakraborty Path: gather/osticket_arbitrary_file_read AttackerKB reference: CVE-2026-22200 Description: This adds an auxiliary module to exploit, CVE-2026-22200, an authenticated file read vulnerability in osTicket. Windows Service for User (S4U) Scheduled Task Persistence - Event Trigger Authors: Brandon McCann "zeknox" [email protected] , Thomas McCarthy "smilingraccoon" [email protected] , and h00die Type: Exploit Pull request: #20814 contributed by h00die Path: windows/persistence/service_for_user/event Description: Updates the Windows service-for-user persistence technique. Enhancements and features (7) #20814 from h00die - Updates the Windows service-for-user persistence technique. #20973 from bitstr3m-48 - This release enables command execution for non-interactive HWBridge sessions via the sessions -c flag. Additionally, the hwbridge/connect module now preserves parsed JSON error bodies from failed HTTP responses, which improves error messaging. #20977 from g0tmi1k - This updates the exploit/unix/webapp/php_eval module to have a FORMDATA datastore option, which adds HTTP POST-request support and makes the HEADERS datastore option consistent with other modules. #20979 from g0tmi1k - This updates the exploit/unix/webapp/php_include module with additional datastore options and make its usage more consistent with the similar exploit/unix/webapp/php_eval module. #21031 from zeroSteiner - Enhances the Metasploit’s LDAP/ADCS-related modules to automatically report related services (LDAP, DCERPC/ICertPassage/ADCS CA) and to improve vulnerability reporting by associating findings with the affected LDAP object’s DN (and, for ADCS template findings, the template name) so results are uniquely keyed and easier to interpret. #21143 from SaiSakthidar - This bumps the Metasploit payloads to include changes that enable the PHP Meterpreter to open TCP server sockets. This enables operators to listen for inbound connections on compromised hosts and closes a feature gap between PHP and the other Meterpreters. #21229 from bcoles - This updates the msfvenom utility to use the metadata cache. The result is roughly 2x faster execution times when listing modules Bugs fixed (1) #21153 from Nayeraneru - This fixes an issue with some mutable constant datastore options. Using shared options like CHOST or CPORT are not changing visibility across modules anymore. Documentation added (1) #21221 from cgranleese-r7 - This PR improves module_doc_template.md with examples to better guide contributors. You can always find more documentation on our docsite at docs.metasploit.com . Get it As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub: Pull Requests 6.4.125...6.4.126 Full diff 6.4.125...6.4.126 If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro

The Metasploit Framework released an update incorporating new exploit modules for critical vulnerabilities, including a zero-day authentication bypass in Cisco Catalyst SD-WAN Controllers (CVE-2026-20127) recently exploited in the wild. Additionally, modules targeting osTicket arbitrary file read (CVE-2026-22200) and Active Directory Certificate Services (ADCS) web enrollment were added. Enhancements to Windows service-for-user persistence and LDAP reporting improve attacker capability simulation. While no specific threat actors were identified, the weaponization of actively exploited vulnerabilities increases risk for unpatched systems. Organizations should prioritize patching Cisco SD-WAN and osTicket instances. Security teams must monitor for exploitation attempts leveraging these new public modules. The update also improves msfvenom performance and PHP Meterpreter functionality, enabling more sophisticated post-exploitation activities. Immediate mitigation involves applying vendor patches and restricting access to management interfaces. Defenders should audit ADCS configurations. Speedup Improvements of MSFVenom & New Modules This week, we have added new modules to Metasploit Framework targeting Cisco Catalyst SD-WAN controllers and osTicket as well as updates and improvements to Windows service-for-user persistence, and LDAP/ADCS-related modules to automatically report related services resulting in an improved data stream, which can be queried by using the services command. We also landed an improvement to msfvenom’s bootup time, thanks to bcoles , resulting in an approximate two-times speedup. New module content (4) AD/CS Authenticated Web Enrollment Services Module Authors: Spencer McIntyre, bwatters-r7, and jhicks-r7 Type: Auxiliary Pull request: #20752 contributed by bwatters-r7 Path: admin/http/web_enrollment_cert Description: This adds a new auxiliary/admin/http/web_enrollment_cert modules that allows certificates to be issued from an Active Directory Certificate Services Web Enrollment portal. Its usage is the same as the auxiliary/admin/http/icpr_cert module but enables operators to issue certificates when the web enrollment portal is accessible but the MS-ICPR service is not. Cisco Catalyst SD-WAN Controller Authentication Bypass Author: sfewer-r7 Type: Auxiliary Pull request: #21158 contributed by sfewer-r7 Path: admin/networking/cisco_sdwan_auth_bypass AttackerKB reference: CVE-2026-20127 Description: This adds an auxiliary module to exploit an authentication bypass vulnerability, CVE-2026-20127, affecting Cisco Catalyst SD-WAN Controller. Recently exploited in the wild as a zero-day. osTicket Arbitrary File Read via PHP Filter Chains in mPDF Authors: Arkaprabha Chakraborty <@t1nt1nsn0wy> and HORIZON3.ai Team Type: Auxiliary Pull request: #20948 contributed by ArkaprabhaChakraborty Path: gather/osticket_arbitrary_file_read AttackerKB reference: CVE-2026-22200 Description: This adds an auxiliary module to exploit, CVE-2026-22200, an authenticated file read vulnerability in osTicket. Windows Service for User (S4U) Scheduled Task Persistence - Event Trigger Authors: Brandon McCann "zeknox" [email protected] , Thomas McCarthy "smilingraccoon" [email protected] , and h00die Type: Exploit Pull request: #20814 contributed by h00die Path: windows/persistence/service_for_user/event Description: Updates the Windows service-for-user persistence technique. Enhancements and features (7) #20814 from h00die - Updates the Windows service-for-user persistence technique. #20973 from bitstr3m-48 - This release enables command execution for non-interactive HWBridge sessions via the sessions -c flag. Additionally, the hwbridge/connect module now preserves parsed JSON error bodies from failed HTTP responses, which improves error messaging. #20977 from g0tmi1k - This updates the exploit/unix/webapp/php_eval module to have a FORMDATA datastore option, which adds HTTP POST-request support and makes the HEADERS datastore option consistent with other modules. #20979 from g0tmi1k - This updates the exploit/unix/webapp/php_include module with additional datastore options and make its usage more consistent with the similar exploit/unix/webapp/php_eval module. #21031 from zeroSteiner - Enhances the Metasploit’s LDAP/ADCS-related modules to automatically report related services (LDAP, DCERPC/ICertPassage/ADCS CA) and to improve vulnerability reporting by associating findings with the affected LDAP object’s DN (and, for ADCS template findings, the template name) so results are uniquely keyed and easier to interpret. #21143 from SaiSakthidar - This bumps the Metasploit payloads to include changes that enable the PHP Meterpreter to open TCP server sockets. This enables operators to listen for inbound connections on compromised hosts and closes a feature gap between PHP and the other Meterpreters. #21229 from bcoles - This updates the msfvenom utility to use the metadata cache. The result is roughly 2x faster...