

Metasploit Wrap-Up 04/17/2026

Happy Friday - Seven New Metasploit Modules

We’re happy to announce that Metasploit Framework had a big week, landing seven new modules alongside various bug fixes and enhancements. This week’s highlights include RCE modules targeting AVideo, openDCIM, Selenium Grid/Selenoid, and ChurchCRM. On the post-exploitation side, Windows saw three new persistence techniques added as modules, targeting Telemetry scheduled tasks, PowerShell profiles, and Microsoft BITS. What a time to be alive as a Metasploit user! We wish you all a wonderful weekend and happy hacking.

New module content (7)

AVideo Unauthenticated SQL Injection Credential Dump

Authors: Valentin Lobstein and arkmarta
Type: Auxiliary
Pull request: #21075 contributed by Chocapikk
Path: gather/avideo_catname_sqli
AttackerKB reference: CVE-2026-28501
Description: Adds an auxiliary module for CVE-2026-28501, an unauthenticated SQL injection in AVideo = 22.0, along with a new BenchmarkBasedBlind SQLi mixin class and blind extraction improvements.

openDCIM install.php SQL Injection to RCE

Author: Valentin Lobstein
Type: Exploit
Pull request: #21034 contributed by Chocapikk
Path: linux/http/opendcim_install_sqli_rce
AttackerKB reference: CVE-2026-28517
Description: This PR adds a new exploit module for openDCIM that chains three vulnerabilities (https://github.com/advisories/GHSA-mg2w-x76x-59h8, https://github.com/advisories/GHSA-prmh-rp39-qc4m, https://github.com/advisories/GHSA-428h-8xhf-g3cw) to achieve remote code execution.

Selenium Grid/Selenoid Unauthenticated RCE

Authors: Jon Stratton, Takahiro Yokoyama, Valentin Lobstein, and Wiz Research
Type: Exploit
Pull request: #21003 contributed by Chocapikk
Path: linux/http/selenium_greed_rce
Description: This replaces the two separate Selenium Grid RCE modules (Chrome and Firefox) with a single unified module that auto-detects available browsers and selects the best attack vector. The module targets unauthenticated Selenium Grid and Selenoid instances, supporting two techniques: a Firefox profile handler injection that works on all Grid versions including the latest (never patched since 2021), and a Chrome binary override for Grid versions prior to 4.11.0 and all Selenoid versions. No authentication is required.

ChurchCRM Database Restore RCE 6.2.0

Author: LucasCsmt
Type: Exploit
Pull request: #21095 contributed by LucasCsmt
Path: multi/http/churchcrm_db_restore_rce
AttackerKB reference: CVE-2025-68109
Description: Adds a new exploit module for CVE-2025-68109, targeting a file upload vulnerability inside ChurchCRM leading to an RCE. This module will work on version 6.2.0 of ChurchCRM and earlier.

Windows Persistence Bits Job

Author: h00die
Type: Exploit
Pull request: #20839 contributed by h00die
Path: windows/persistence/bits
Description: This adds a new persistence module that uses Microsoft Bits to maintain access to the system.

Powershell Profile Persistence

Author: madefourit Ty


Originally published by Rapid7

Source: https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-04-17-2026
