Metasploit Wrap-Up 03/27/2026

Better NTLM Relaying Functionality This week’s release brings an improvement to the SMB NTLM relay server. In the past, it’s support has been expanded with modules for relaying to HTTP (ESC8), MSSQL and LDAP while still receiving connections over the humble SMB service. Prior to this release, clients required a key behavior in how they handled SMB’s STATUS_NETWORK_SESSION_EXPIRED error code, in order to relay a single authentication attempt to multiple targets. Most clients other than Window’s “net use” do not handle these errors and were thus incompatible with Metasploit SMB NTLM relaying capabilities. Now, when a single target is specified, Metasploit alters its relaying strategy to forward the Net-NTLM messages immediately, making it compatible with a broader range of clients including Linux’s smbclient. In addition, the client in RubySMB was updated to mimic the behaviour of “net use” allowing authentication attempts from RubySMB to be relayed to multiple targets successfully. New module content (3) ESC/POS Printer Command Injector Author: FutileSkills Type: Auxiliary Pull request: #20478 contributed by futileskills Path: admin/printer/escpos_tcp_command_injector Description: Adds a new auxiliary module that exploits CVE-2026-23767, an unauthenticated ESC/POS command vulnerability in networked Epson-compatible printers. The vulnerability allows an attacker to send crafted commands over the network to inject custom ESC/POS print commands, which are used in various receipt printers. Eclipse Che machine-exec Unauthenticated RCE Authors: Greg Durys [email protected] and Richard Leach Type: Exploit Pull request: #20835 contributed by GregDurys Path: linux/http/eclipse_che_machine_exec_rce AttackerKB reference: CVE-2025-12548 Description: This adds a module for CVE-2025-12548, an unauthenticated RCE in the Eclipse Che machine-exec service. The vulnerability allows attackers to connect over WebSocket on port 3333 and execute commands via JSON-RPC without authentication. This affects Red Hat OpenShift DevSpaces environments. Barracuda ESG TAR Filename Command Injection Authors: Curt Hyvarinen, Mandiant, and cfielding-r7 Type: Exploit Pull request: #21033 contributed by Alpenlol Path: linux/smtp/barracuda_esg_tarfile_rce AttackerKB reference: CVE-2023-2868 Description: Adds exploit module for CVE-2023-2868, a command injection vulnerability in Barracuda Email Security Gateway (ESG) appliances. Filenames in TAR attachments are passed to shell commands without sanitization, allowing RCE via backtick injection. Enhancements and features (1) #21049 from h00die - This updates post modules to use an API that will expand multiple environment variables when set within the WritableDir option. Bugs fixed (5) #20967 from jheysel-r7 - This fix an issue that prevents successful authentication relay from Ruby SMB Client and smbclient. These clients are now compatible with Msf::Exploit::Remote::SMB::RelayServer. #21148 from adfoster-r7 - Fixes a bug where