Metasploit Wrap-Up 04/10/2026

Speedup Improvements of MSFVenom & New Modules This week, we have added new modules to Metasploit Framework targeting Cisco Catalyst SD-WAN controllers and osTicket as well as updates and improvements to Windows service-for-user persistence, and LDAP/ADCS-related modules to automatically report related services resulting in an improved data stream, which can be queried by using the services command. We also landed an improvement to msfvenom’s bootup time, thanks to bcoles , resulting in an approximate two-times speedup. New module content (4) AD/CS Authenticated Web Enrollment Services Module Authors: Spencer McIntyre, bwatters-r7, and jhicks-r7 Type: Auxiliary Pull request: #20752 contributed by bwatters-r7 Path: admin/http/web_enrollment_cert Description: This adds a new auxiliary/admin/http/web_enrollment_cert modules that allows certificates to be issued from an Active Directory Certificate Services Web Enrollment portal. Its usage is the same as the auxiliary/admin/http/icpr_cert module but enables operators to issue certificates when the web enrollment portal is accessible but the MS-ICPR service is not. Cisco Catalyst SD-WAN Controller Authentication Bypass Author: sfewer-r7 Type: Auxiliary Pull request: #21158 contributed by sfewer-r7 Path: admin/networking/cisco_sdwan_auth_bypass AttackerKB reference: CVE-2026-20127 Description: This adds an auxiliary module to exploit an authentication bypass vulnerability, CVE-2026-20127, affecting Cisco Catalyst SD-WAN Controller. Recently exploited in the wild as a zero-day. osTicket Arbitrary File Read via PHP Filter Chains in mPDF Authors: Arkaprabha Chakraborty @t1nt1nsn0wy and HORIZON3.ai Team Type: Auxiliary Pull request: #20948 contributed by ArkaprabhaChakraborty Path: gather/osticket_arbitrary_file_read AttackerKB reference: CVE-2026-22200 Description: This adds an auxiliary module to exploit, CVE-2026-22200, an authenticated file read vulnerability in osTicket. Windows Service for User (S4U) Scheduled Task Persistence - Event Trigger Authors: Brandon McCann "zeknox" [email protected] , Thomas McCarthy "smilingraccoon" [email protected] , and h00die Type: Exploit Pull request: #20814 contributed by h00die Path: windows/persistence/service_for_user/event Description: Updates the Windows service-for-user persistence technique. Enhancements and features (5) #20973 from bitstr3m-48 - This release enables command execution for non-interactive HWBridge sessions via the sessions -c flag. Additionally, the hwbridge/connect module now preserves parsed JSON error bodies from failed HTTP responses, which improves error messaging. #20977 from g0tmi1k - This updates the exploit/unix/webapp/php_eval module to have a FORMDATA datastore option, which adds HTTP POST-request support and makes the HEADERS datastore option consistent with other modules. #20979 from g0tmi1k - This updates the exploit/unix/webapp/php_include module with additional datastore options and make its usage more consistent with