Metasploit Wrap-Up 05/15/2026

Weaponizing a text editor for fun and profit Gather round, dear readers, because today, we (by we, we mean @h00die) dropped the ultimate persistence mechanism: Vim plugin persistence. And honestly, calling it "persistence" feels redundant — Vim is already the most persistent thing ever. Somewhere, somehow, there will still be a Vim session open since 2011, because no one has figured out how to close it. So we are not so much establishing a foothold here as we are joining an existing hostage situation. Elsewhere this week, Marvell's QConvergeConsole has been caught handing arbitrary files to unauthenticated visitors, as is tradition (CVE-2025-6793), GestioIP 3.5.7 ships an upload handler, so trusting it will cheerfully let an admin overwrite the handler with a backdoor and then dutifully execute it (CVE-2024-48760). And of course, we can't forget about Dolibarr ERP/CRM, which blocks PHP injections by checking — and we cannot stress this enough — by searching for string ?php. So @M4nu02 brought an elaborate module which changes ?php to ?PHP in the payload to successfully bypass this mitigation (CVE-2023-30253). Truly a wonderful time to be alive. New module content (4) Marvell QConvergeConsole Path Traversal (CVE-2025-6793) Authors: Michael Heinzl and rgod Type: Auxiliary Pull request: #21322 contributed by h4x-x0r Path: gather/qconvergeconsole_traversal CVE reference: ZDI-25-450 Description: This adds a new auxiliary module that exploits a path traversal vulnerability (CVE-2025-6793) in Marvell QConvergeConsole to read arbitrary files from the target host. Marvell QConvergeConsole versions 5.5.0.85 and earlier are vulnerable, and no authentication is required to exploit the issue. VIM Plugin Persistence Author: h00die Type: Exploit Pull request: #21206 contributed by h00die Path: linux/persistence/vim_plugin Description: This adds a new Linux persistence module, which establishes persistence by writing a Vim plugin to the target user's ~/.vim/plugin/ directory. The next time that user launches Vim, the plugin executes the configured payload and opens a new session as that user. GestioIP 3.5.7 Remote Command Execution Authors: maxibelino and odeez24 Type: Exploit Pull request: #21041 contributed by Odeez24 Path: multi/http/gestioip_rce AttackerKB reference: CVE-2024-48760 Description: This adds an exploit module for an authenticated remote code execution vulnerability in GestioIP 3.5.7 (CVE-2024-48760). An attacker with admin credentials can abuse the unsafe upload handler at /api/upload.cgi to overwrite the script itself with a backdoor, which is then invoked to execute attacker-supplied commands. Dolibarr ERP/CRM Authenticated Code Injection Authors: Emanuele Cervelli and Tinexta Cyber Offensive Security Team Type: Exploit Pull request: #21362 contributed by M4nu02 Path: unix/http/dolibarr_cms_rce_cve_2023_30253 AttackerKB reference: CVE-2023-30253 Description: This adds a new exploit module for Dolibarr ERP/CRM (CVE-2023-30253), an authenticated