Metasploit Wrap-Up 03/20/2026

♫ I Just Called ♫ To Say ♫ 7f45 4c46 0201 0100 0000 0000 0000 0000 0300 3e00 0100♫ This release contains 2 new exploit modules, 2 enhancements, and 7 bug fixes. Community contributor Chocapikk submitted both exploit modules this release: one targeting AVideo-Encoder’s getImage.php file and another targeting FreePBX. Leading the enhancements is a granularization for LDAP queries allowing the omission of SACL data on security descriptors, as without the proper permissions the entire query of the security descriptor will fail if the SACL data is even just a part of the query. New module content (2) AVideo Encoder getImage.php Unauthenticated Command Injection Authors: Valentin Lobstein [email protected] and arkmarta Type: Exploit Pull request: #21076 contributed by Chocapikk Path: linux/http/avideo_encoder_getimage_cmd_injection AttackerKB reference: CVE-2026-29058 Description: Adds an exploit module for CVE-2026-29058, an unauthenticated OS command injection in AVideo Encoder's getImage.php endpoint. FreePBX filestore authenticated command injection Authors: Cory Billington and Valentin Lobstein [email protected] Type: Exploit Pull request: #20719 contributed by Chocapikk Path: unix/http/freepbx_filestore_cmd_injection AttackerKB reference: CVE-2025-64328 Description: Adds a new Metasploit exploit module for FreePBX filestore authenticated command injection (CVE-2025-64328) with automatic vulnerable-version detection and full documentation, and renames the XorcomCompletePbx HTTP mixin to CompletePBX updating affected modules accordingly. Enhancements and features (2) #20730 from zeroSteiner - This update modifies the ldap_query module to skip querying the SACL (System Access Control List) on security descriptors by default. This behavior is now controlled by a new option, LDAP::QuerySacl. This change is necessary when using a non-privileged user to query security descriptors via LDAP; otherwise, querying the SACL will cause the entire query to be blocked, resulting in no security descriptors being returned. #20997 from Nayeraneru - This adds a new OptTimedelta datastore option type. It enables module authors to specify a time duration and users to set it with a human-friendly syntax. Bugs fixed (7) #20960 from g0tmi1k - This adds a DHCPINTERFACE option to the DHCP server mixin, allowing modules that start that server to specify a particular interface to bind to. #21020 from g0tmi1k - This makes a small change to the docs by removing two lines that were previously duplicated. #21024 from Aaditya1273 - Fixes a bug in the JSON-RPC msfrpcd functionality that incorrectly required SSL certificates to be present even when disabled with msfrpcd -S. #21025 from Hemang360 - Fixes a crash when calling the HTTP cookie jar with non-string values. #21028 from SilentSobs - Fixes a crash when using the reload_all command no module is present. #21081 from Hemang360 - Fixes a crash when using the windows/exec with non-ascii characters. #21139 from jheysel-r7 -