Weekly Metasploit Update: Apache ActiveMQ RCE, Gogs Rebase RCE, and Windows Kernel Pointer Enum

When Open Source is a bit too Open Several fun modules landed this week, including an Apache RCE, Windows Kernel pointer collection, and Gogs RCE via naming. Leading off is Gogs' RCE that allows an attacker to execute commands by naming their branch --exec and requesting a rebase. Another useful...

CVE-2026-0826: Critical unauthenticated stack buffer overflow in HP Poly VVX and Trio VoIP Phones (FIXED)

Overview Rapid7 Labs conducted a zero-day research project against an HP Poly VVX 450 Voice over Internet Protocol VoIP phone. This research resulted in the discovery of a critical unauthenticated stack-based buffer overflow vulnerability, CVE-2026-0826. A remote attacker can leverage CVE-2026-08...

CVE-2026-0826: How an Old Bug Can Feed AI-Powered Impersonation

One of the more persistent myths in security is that old bug classes become old problems. They don’t. They just show up in different places, under different conditions, and usually at the exact moment we’ve convinced ourselves not to pay attention to them. That’s part of what makes enterprise voi...

Metasploit Wrap Up 05/29/2026

More Linux LPEs Hark the age of the Linux LPE has arrived. This week’s release follows up on recent work bringing new Linux LPEs to Metasploit users. Copy Fail seemed to have kicked off a trend of similar bugs and hot on its heels is Dirty Frag. Dirty Frag is actually two vulnerabilities in a...

Rapid7 Observed Exploitation of PAN-OS GlobalProtect Authentication Bypass Vulnerability (CVE-2026-0257)

Overview On May 13, 2026, Palo Alto Networks published a security advisory for CVE-2026-0257, a medium severity authentication bypass affecting PAN-OS and Prisma Access when a specific configuration is present. Successful exploitation of this vulnerability allows a remote unauthenticated attacker...

Authenticated RCE via Argument Injection in Gogs (NOT FIXED)

Overview Rapid7 Labs discovered a critical argument injection CWE-88 vulnerability in Gogs, a popular open-source self-hosted Git service. Rapid7 Labs scores this vulnerability as CVSSv4 9.4 Critical. The vulnerability allows any authenticated user to achieve remote code execution RCE on the serv...

Metasploit Wrap Up 05/22/2026

Another week, another authentication bypass Our humble Metasploit weeklyish blog has been blessed with a new network component vulnerability. The dynamic duo of @sfewer-r7 and @jburgess-r7 have discovered and authored the admin/networking/ciscosdwanvhubauthbypass module for CVE-2026-20182, a...

Q1 2026 Threat Landscape Report: Zero-clicks, geopolitical tensions, and some wins for law enforcement

The first quarter of 2026 reinforced that attackers are moving faster, operating with greater coordination, and exploiting weaknesses before most organizations can respond effectively. From escalating geopolitical tensions to increasingly aggressive ransomware operations, the latest quarterly...

Operationalizing CTEM Faster: Build Surface Command Dashboards in Minutes

Modern attack surfaces don’t sit still. Cloud expansion, SaaS sprawl, identity complexity, and shadow IT are continuously reshaping organizational risk. For security leaders, visibility isn’t the challenge anymore, but actually operationalizing that visibility is. Surface Command was built to uni...

Metasploit Wrap-Up 05/15/2026

Weaponizing a text editor for fun and profit Gather round, dear readers, because today, we by we, we mean @h00die dropped the ultimate persistence mechanism: Vim plugin persistence. And honestly, calling it "persistence" feels redundant — Vim is already the most persistent thing ever. Somewhere,...

CVE-2026-0265: Authentication Bypass in Palo Alto Networks PAN-OS

Overview On May 13, 2026, Palo Alto Networks published a security advisory for CVE-2026-0265, a signature verification vulnerability that facilitates authentication bypass on PAN-OS, the operating system that most Palo Alto Networks firewalls run. This vulnerability allows a remote unauthenticate...

The Dark Side of Efficiency: When Network Controllers Become "God Mode" for Attackers

Imagine you build a massive corporate campus with every security control money can buy. Blast resistant doors. Biometric scanners. Guards at every entrance. Maybe something similar to the infamous Death Star. On paper, it looks fantastic. Then, somewhere along the way, somebody decides the...

CVE-2026-20182: Critical authentication bypass in Cisco Catalyst SD-WAN Controller (FIXED)

Overview While researching a critical authentication bypass vulnerability, CVE-2026-20127, which was exploited in-the-wild, Rapid7 Labs discovered a new authentication bypass vulnerability affecting Cisco Catalyst SD-WAN Controller formerly known as vSmart, CVE-2026-20182. This new authentication...

When IT Support Calls: Dissecting a ModeloRAT Campaign from Teams to Domain Compromise

Overview Attackers do not need to break into the front door when they can convince employees to open it for them through the tools they already trust. In April 2026, Rapid7 investigated an enterprise intrusion that began with a Microsoft Teams message from a fake “IT Support” account and quickly...

Patch Tuesday - May 2026

Microsoft is publishing 137 vulnerabilities on May 2026 Patch Tuesday. Microsoft is not aware of exploitation in the wild or public disclosure for any of these vulnerabilities. So far this month, Microsoft has provided patches to address 133 browser vulnerabilities, which are not included in the...

Metasploit Wrap-Up 05/08/2026

Spring cleanup This week’s Metasploit updates focused on foundational improvements and expanded target reach. Key enhancements were made to the recently released Copy Fail exploit module, which now benefits from payload fixes in linux/x64/exec and linux/armle/exec. These changes expand its...

Zero Chaos: Scaling Detection Engineering at the Speed of Software, with Detection As Code

Every engineering team in your organization ships code through a pipeline. They branch, test, review, and deploy. If something breaks, they roll back. If someone asks "what changed?", the answer is in the commit history. This isn't heroic discipline to process; it's just how software gets built...

Critical Buffer Overflow in Palo Alto Networks PAN-OS User-ID Authentication Portal (CVE-2026-0300)

Overview On May 6, 2026, Palo Alto Networks published a security advisory for CVE-2026-0300, a critical unauthenticated buffer overflow vulnerability affecting PAN-OS PA-Series and VM-Series firewall appliances. Prisma Access, Cloud NGFW, and Panorama appliances are not affected by this...

Metasploit Wrap-Up 05/01/2026

MCP server This release our very own cdelafuente-r7 finished implementing the Metasploit MCP Server msfmcpd, bringing Model Context Protocol support to Metasploit Framework. MCP lets AI applications like Claude, Cursor, or your own custom agents query Metasploit data. Think of it as a middleware...

CVE-2026-41940: cPanel & WHM Authentication Bypass

Overview On April 28, 2026, cPanel issued a security update to fix a critical vulnerability affecting the cPanel & WHM and WP Squared products. In the cPanel release notes, the bug was described as "an issue with session loading and saving." CVE-2026-41940, the identifier subsequently assigned on...

Metasploit Wrap-Up 04/25/2026

Check Method Visibility Metasploit has supported check methods for many years now. It’s not always desirable to jump straight into exploiting a vulnerability but instead to determine if the target is vulnerable. Metasploit tries to be very conservative with classifying a target as “vulnerable”...

Kyber Ransomware Double Trouble: Windows and ESXi Attacks Explained

Overview For executive leadership, the emergence of Kyber ransomware represents a significant and immediate threat due to its specialized, dual-platform deployment capability targeting mission-critical virtualization infrastructure VMware ESXi and core Windows file systems. This cross-platform...

Project Glasswing and the Next Challenge for Defenders: Turning Faster Discovery into Faster Action

Anthropic’s Project Glasswing has sparked plenty of discussion about what AI might soon do for vulnerability discovery, but the more useful question for most security teams is how to prepare for, and more importantly seize the opportunity of, what comes next. As we wrote in our earlier blog, What...

Metasploit Wrap-Up 04/17/2026

Happy Friday - Seven New Metasploit Modules We’re happy to announce that Metasploit Framework had a big week, landing seven new modules alongside various bug fixes and enhancements. This week’s highlights include RCE modules targeting AVideo, openDCIM, Selenium Grid/Selenoid, and ChurchCRM. On th...

CVE-2026-33032: Nginx UI Missing MCP Authentication

Overview On March 30, 2026, a security advisory was published for a critical vulnerability affecting Nginx UI. Nginx UI is an open-source web interface to centralize the management of Nginx configurations and SSL certificates. The critical vulnerability, CVE-2026-33032, was reported in early Marc...

Patch Tuesday - April 2026

Microsoft is publishing 167 vulnerabilities on April 2026 Patch Tuesday. Microsoft is aware of exploitation in the wild for one of today’s vulnerabilities, and public disclosure for one other. Microsoft evaluates 19 of the vulnerabilities published today as more likely to see future exploitation...

Your Cloud Detection Strategy in 2026: What to Expect at the Global Cybersecurity Summit

Cloud environments have changed how security teams detect and respond to threats. Signals come from more places, identities are harder to track, and attacks rarely stay within a single system. For many teams, the challenge is no longer visibility. It is having the risk context to understand what...

Metasploit Wrap-Up 04/10/2026

Speedup Improvements of MSFVenom & New Modules This week, we have added new modules to Metasploit Framework targeting Cisco Catalyst SD-WAN controllers and osTicket as well as updates and improvements to Windows service-for-user persistence, and LDAP/ADCS-related modules to automatically report...

Metasploit Wrap-Up 04/03/2026

Additional Adapters and More Modules This week, we added a whole new bunch of HTTP/HTTPS-based CMD payloads for X64 and X86 versions of Windows. The additional breadth of selectable payloads and delivery techniques allows users new options to tailor the attack workflow for their environment. This...

New Whitepaper: Stealthy BPFDoor Variants are a Needle That Looks Like Hay

Executive Overview Advanced persistent threats APTs are constantly and consistently changing tactics as network defenders plug holes in defenses. Static indicators of compromise IoCs for the BPFDoor have been widely deployed, forcing threat actors to get creative in their use of this particular...

Metasploit Wrap-Up 03/27/2026

Better NTLM Relaying Functionality This week’s release brings an improvement to the SMB NTLM relay server. In the past, it’s support has been expanded with modules for relaying to HTTP ESC8, MSSQL and LDAP while still receiving connections over the humble SMB service. Prior to this release, clien...

BPFdoor in Telecom Networks: Sleeper Cells in the Backbone

Executive overview The strategic positioning of covert access within the world’s telecommunication networks A months-long investigation by Rapid7 Labs has uncovered evidence of an advanced China-nexus threat actor, Red Menshen, placing some of the stealthiest digital sleeper cells the team has ev...

New Whitepaper: Exploiting Cellular-based IoT Devices

Rapid7 has released a whitepaper titled “The Weaponization of Cellular Based IoT Technology,” by Deral Heiland, principal security researcher, IoT, at Rapid7, and Carlota Bindner, lead product security researcher at Thermo Fisher Scientific. The paper examines how attackers with physical access c...

Rapid7 Completes BSI C5 Type 2 Examination: Stronger Cloud Security for DACH Organizations

If you're a security leader operating in Germany, Austria, or Switzerland, you already know that compliance isn't a checkbox. It's a competitive differentiator. Rapid7 has completed BSI C5 Type 2 attestation for the Rapid7 Command Platform, including Threat Command, and it's a milestone worth...

CVE-2026-3055: Citrix NetScaler ADC and NetScaler Gateway Out-of-Bounds Read

Overview On March 23, 2026, Citrix published a security advisory for a critical vulnerability affecting their NetScaler ADC formerly Citrix ADC and NetScaler Gateway formerly Citrix Gateway products. This vulnerability, CVE-2026-3055, which is classified as an out-of-bounds read and holds a CVSS...

Metasploit Wrap-Up 03/20/2026

♫ I Just Called ♫ To Say ♫ 7f45 4c46 0201 0100 0000 0000 0000 0000 0300 3e00 0100♫ This release contains 2 new exploit modules, 2 enhancements, and 7 bug fixes. Community contributor Chocapikk submitted both exploit modules this release: one targeting AVideo-Encoder’s getImage.php file and anothe...

Negotiating with the Board: Translating Active Risk into Financial Exposure

Security leaders rarely struggle to produce data. The challenge is turning that data into something the board can use to make decisions. Walk into a board meeting with a slide showing 1,200 critical vulnerabilities and 44 internet-facing assets, and you will likely see polite acknowledgment rathe...

CVE-2026-31381, CVE-2026-31382: Gainsight Assist Information Disclosure and Cross-Site Scripting (FIXED)

Overview Rapid7 Labs recently identified a chain of security vulnerabilities in the Gainsight Assist plugin and its interactions with the associated domain app.gainsight.com. These vulnerabilities include an Information Disclosure flaw CVE-2026-31381 and a Reflected Cross-Site Scripting XSS...

The Attack Cycle is Accelerating: Announcing the Rapid7 2026 Global Threat Landscape Report

The predictive window has collapsed. In 2025, high-impact vulnerabilities weren’t quietly accumulating risk. They were operationalized, and often within days. Today, Rapid7 Labs released the 2026 Global Threat Landscape Report, an in-depth analysis of how attacker behavior is evolving across...

Metasploit Wrap-Up 03/13/2026

No bad luck here: Friday the 13th brings new modules and a Metasploit Pro milestone This week’s Metasploit Framework release delivers three new modules across reconnaissance, evasion, and exploitation: LeakIX-powered discovery for exposed services and leaked data, a Linux x64 RC4 payload packer f...

The Face of Penetration Testing is Changing: Announcing Metasploit Pro 5.0.0

The role and demand for red-teaming capabilities are growing, as more exploitable CVEs make their way into criminal hands. Being proactive is no longer a capability that can be reserved for annual tests, but a continuous assessment to determine exposure and even through the validation of an...

Rapid7 Detection Coverage for Iran-Linked Cyber Activity

The tension arising out of the conflict in Iran is beginning to show signs of expanding beyond a strictly regional crisis. Following our recent published advisories, this communication is intended to outline and summarize the detection and enrichment coverage available to Rapid7 customers, broadl...

Patch Tuesday - March 2026

Microsoft is publishing 77 vulnerabilities this March 2026 Patch Tuesday. Microsoft is aware of public disclosure of two of today’s vulnerabilities, but without evidence of exploitation in the wild for any yet, so there are no Microsoft additions to CISA KEV today. Earlier in the month, Microsoft...

When Trusted Websites Turn Malicious: WordPress Compromises Advance Global Stealer Operation

Overview Rapid7 Labs has identified and analyzed an ongoing, widespread compromise of legitimate, potentially highly trusted WordPress websites, misused by an unidentified threat actor to inject a ClickFix implant impersonating a Cloudflare human verification challenge CAPTCHA. The lure is design...

Metasploit Wrap-Up 03/06/2026

Encoder exposed! Some of our releases add new ways in; this one adds new ways to stay in. There are, of course, still new RCE toys in the box Tactical RMM via Jinja2 SSTI and an unauthenticated MajorDoMo exploit. Still, the underlying theme is payloads: more control over how they are packaged and...

Metasploit Wrap-Up 02/27/2026

No Prob-ollama This release brings some serious firepower with multiple new exploit modules and critical vulnerability support! The standout additions are the Ollama path traversal RCE CVE-2024-37032, a sophisticated exploit chaining arbitrary file writes into unauthenticated root RCE, and the...

Before the Breach: When digital footprints become a strategic cyber risk

Overview For years, organizations have prioritized strengthening technical defenses, including hardening networks, accelerating patch management, and expanding endpoint detection and response capabilities. Defensive systems have become more adaptive, identity has moved to the center of security...

Critical Cisco Catalyst Vulnerability Exploited in the wild (CVE-2026-20127)

Overview On February 25, 2026, Cisco disclosed a critical authentication bypass vulnerability in Cisco Catalyst SD‑WAN Controller and Cisco Catalyst SD‑WAN Manager, tracked as CVE‑2026‑20127, that allows an unauthenticated attacker to gain administrative access to affected systems. The Cisco...

Your MRI is Online: The Hidden Risks of Exposed DICOM Servers in UK Healthcare

Hospitals invest heavily in physical security: Clinical areas are access-controlled, sensitive rooms are locked, and patient records are governed by strict handling procedures. Network exposure does not always receive the same level of scrutiny. Rapid7 Labs identified more than 30 UK-based system...

The Post-RAMP Era: Allegations, Fragmentation, and the Rebuilding of the Ransomware Underground

Executive summary The January 2026 seizure of RAMP disrupted a major ransomware coordination hub, but it did not dismantle the ecosystem behind it. Instead, it destabilized trust and accelerated fragmentation across the underground. Rather than consolidating around a single successor, ransomware...