Metasploit Wrap-Up 04/03/2026

Additional Adapters and More Modules This week, we added a whole new bunch of HTTP/HTTPS-based CMD payloads for X64 and X86 versions of Windows. The additional breadth of selectable payloads and delivery techniques allows users new options to tailor the attack workflow for their environment. This was contributed by bwatters-r7 . Adding new architectures for adapted payloads is surprisingly easy and something a first-time contributor might want to look into! New modules added to Metasploit Framework also allow for targeting FreeScout and Grav CMS, both of which result in remote code execution. These modules were contributed by Chocapikk and x1o3 respectively. Thanks! Thanks to g0tmi1k , Metasploit Framework now also includes an exploit module, multi/http/os_cmd_exec, which allows for targeting generic HTTP command execution vulnerabilities where user-supplied input is directly passed to system execution functions via an HTTP request. This can result in a Meterpreter shell on the remote target. To round this week off, we have a new persistence technique on Windows, thanks to Nayeraneru , which abuses the HKCU\Environment\UserInitMprLogonScript registry value to execute a payload at user logon. New module content (5) FreeScout Unauthenticated RCE via ZWSP .htaccess Bypass Authors: Moses Bhardwaj (MosesOX) , Nir Zadok (nirzadokox) , Valentin Lobstein [email protected] , and offensiveee Type: Exploit Pull request: #21069 contributed by Chocapikk Path: multi/http/freescout_htaccess_rce AttackerKB reference: CVE-2026-27636 Description: This adds an exploit module for CVE-2026-28289, an unauthenticated remote code execution vulnerability in FreeScout versions prior or equal to 1.8.206. Grav CMS Admin Direct Install Authenticated Plugin Upload RCE Authors: binneko and x1o3 Type: Exploit Pull request: #21029 contributed by x1o3 Path: multi/http/grav_admin_direct_install_rce_cve_2025_50286 AttackerKB reference: CVE-2025-50286 Description: This adds a new exploit module for CVE-2025-50286, an authenticated RCE vulnerability in Grav CMS 1.1.x–1.7.x with Admin Plugin 1.2.x–1.10.x. The module exploits the Direct Install feature to upload a malicious plugin ZIP and execute an arbitrary PHP payload as the web server user. Generic HTTP Command Execution Authors: egypt [email protected] and g0tmi1k Type: Exploit Pull request: #21023 contributed by g0tmi1k Path: multi/http/os_cmd_exec Description: Adds a new exploits/multi/http/os_cmd_exec module that targets generic HTTP command execution vulnerabilities where user-supplied input is directly passed to system execution functions via an HTTP request. Windows Persistence via UserInitMprLogonScript Author: Nayera Type: Exploit Pull request: #21032 contributed by Nayeraneru Path: windows/persistence/userinit_mpr_logon_script Description: This adds a new Windows persistence module that abuses the HKCU\Environment\UserInitMprLogonScript registry value to execute a payload at user logon. HTTP and HTTPS Fetch Authors: