SolarWinds Web Help Desk
Our very own sfewer-r7 has developed an exploit module for the SolarWinds Web Help Desk vulnerabilities CVE-2025-40536 and CVE-2025-40551. On successful exploitation the session will be running as NT AUTHORITY\SYSTEM. For more information see Rapid7’s SolarWinds Web Help Desk Vulnerabilities guidance.
Contributions
A big thanks to our contributors who have been adding some great content this release. rudraditya21 has added MITRE ATT&CK metadata to lots of our existing modules. Chocapikk has added support for GHSA (GitHub Security Advisory) references in Metasploit modules. rudraditya21 also added negative caching to the LDAP entry cache, which means missing objects are now recorded. The change also introduces a missing-entry sentinel, tracks misses per identifier type, and updates the AD lookup helpers to short‑circuit on cached misses and to record a miss when a lookup returns no entry.
New module content (5)
FreeBSD rtsold/rtsol DNSSL Command Injection
Authors: Kevin Day and Lukas Johannes Möller
Type: Exploit
Pull request: #20798 contributed by JohannesLks
Path: freebsd/misc/rtsold_dnssl_cmdinject
AttackerKB reference: CVE-2025-14558
Description: This adds a new command-injection exploit for the FreeBSD rtsol/rtsold daemons (CVE-2025-14558). The vulnerability can be triggered by the Domain Name Search List (DNSSL) option in IPv6 Router Advertisement (RA) messages, which is passed to the resolvconf script without sanitization. It requires elevated privilege as it needs to send IPv6 packets. The injected commands are executed as root.
Ivanti Endpoint Manager Mobile (EPMM) unauthenticated RCE
Authors: sfewer-r7 and watchTowr
Type: Exploit
Pull request: #20932 contributed by sfewer-r7
Path: linux/http/ivanti_epmm_rce
AttackerKB reference: CVE-2026-1340
Description: Adds an exploit module for the recent command injection vulnerability, CVE-2026-1281, affecting Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron. Exploited in-the-wild as a zero-day by an unknown threat actor.
GNU Inetutils Telnet Authentication Bypass Exploit CVE-2026-24061
Authors: Kyu Neushwaistein and jheysel-r7
Type: Exploit
Pull request: #20929 contributed by jheysel-r7
Path: linux/telnet/gnu_inetutils_auth_bypass
AttackerKB reference: CVE-2026-24061
Description: This adds an exploit module for the authentication bypass in GNU Inetutils telnetd tracked as CVE-2026-24061. During negotiation, if the USER environment variable is passed in with a value of “-f root”, authentication can be bypassed, resulting in command execution as the root user.
SolarWinds Web Help Desk unauthenticated RCE
Authors: Jimi Sebree and sfewer-r7
Type: Exploit
Pull request: #20917 contributed by sfewer-r7
Path: multi/http/solarwinds_webhelpdesk_rce
AttackerKB reference: CVE-2025-40551
Description: This adds an exploit module for SolarWinds Web Help Desk vulnerable to CVE-2025-40536 and CVE-2025-40551. The exploit opens a session running as NT AUTHORITY\SYSTEM or root.
Xerte Online Toolkits Arbitrary File Upload – Upload Image
Author: Brandon Lester
Type: Exploit
Pull request: #20849 contributed by haicenhacks
Path: multi/http/xerte_authenticated_rce_uploadimage
Description: This adds three RCE modules for Xerte Online Toolkits affecting versions 3.14.0 and <= 3.13.7. Two are unauthenticated while one is authenticated.
Enhancements and features (10)
- #20710 from Chocapikk – Adds support for GHSA (GitHub Security Advisory) and OSV (Open Source Vulnerabilities) references in Metasploit modules.
- #20886 from cdelafuente-r7 – Updates services to now also have child services. This allows for more detailed reporting for the services and vulns commands which can now report parent -> child services e.g. SSL -> HTTPS.
- #20895 from rudraditya21 – Adds negative caching to the LDAP entry cache so missing objects are recorded and subsequent lookups by DN, sAMAccountName, or SID return nil without re-querying the directory.
- #20934 from rudraditya21 – This adds MITRE ATT&CK tags to modules related to LDAP and AD CS. This enables users to find this content using Metasploit’s search functionality and the att&ck keyword.
- #20935 from rudraditya21 – Adds the MITRE ATT&CK tag T1558.003 to the kerberoast modules. This enables users to find this content using Metasploit’s search functionality and the att&ck keyword.
- #20936 from rudraditya21 – This adds MITRE ATT&CK tags to SMB modules related to accounts. This enables users to find the content by using Metasploit’s search capability and the att&ck keyword.
- #20937 from rudraditya21 – This adds MITRE ATT&CK tags to the two existing SCCM modules that fetch NAA credentials using different techniques. This enables users to find this content using Metasploit’s search functionality and the att&ck keyword.
- #20941 from rudraditya21 – Adds a MITRE ATT&CK technique reference to the Windows password cracking module to support ATT&CK‑driven discovery.
- #20942 from rudraditya21 – Adds MITRE ATT&CK technique references to getsystem, cve_2020_1472_zerologon, and atlassian_confluence_rce_cve_2023_22527 modules to support ATT&CK‑driven discovery.
- #20943 from g0tmi1k – Adds affected versions to the description in the exploits/unix/webapp/twiki_maketext module.
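
The negative caching described under Contributions and in #20895 can be pictured with the sketch below. It is an added illustration, not the framework's code: the EntryCache class, its method names and the sample directory are hypothetical, and an in-memory array stands in for the LDAP connection.

```ruby
# Added illustration; class and method names are hypothetical, not Metasploit's.
class EntryCache
  MISSING = Object.new.freeze            # sentinel meaning "looked up, not found"
  ID_TYPES = %i[dn samaccountname sid].freeze

  attr_reader :queries                   # number of times the directory was queried

  def initialize(directory)
    @directory = directory               # stand-in for a live LDAP connection
    @entries = ID_TYPES.to_h { |t| [t, {}] }
    @queries = 0
  end

  # Returns the entry, or nil on a miss. A cached miss never reaches the directory.
  def lookup(type, id)
    raise ArgumentError, "unknown identifier type #{type}" unless ID_TYPES.include?(type)

    key = normalize(id)
    cached = @entries[type][key]
    return nil if cached.equal?(MISSING) # short-circuit on a cached miss
    return cached if cached

    @queries += 1
    entry = @directory.find { |e| normalize(e[type]) == key }
    if entry
      # Index a hit under every identifier so lookups by another type are free.
      ID_TYPES.each { |t| @entries[t][normalize(entry[t])] = entry }
    else
      @entries[type][key] = MISSING      # record the miss for this identifier type only
    end
    entry
  end

  def cached_miss?(type, id)
    @entries.fetch(type)[normalize(id)].equal?(MISSING)
  end

  private

  def normalize(id)
    id.to_s.downcase
  end
end

# Constructed sample directory (not real data).
SAMPLE_DIRECTORY = [
  { dn: 'CN=alice,DC=example,DC=test', samaccountname: 'alice', sid: 'S-1-5-21-1-2-3-1105' }
].freeze
```

A negative entry stays in place until the cache is discarded, so an object created in the directory after its miss was recorded is not seen by this sketch.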
Bugs fixed (7)
- #20599 from BenoitDePaoli – Fixes an issue where running services -p <ports> -u -R to set RHOSTS with values from the database could lead to a silently failing file not found error.
- #20775 from rmtsixq – Fixes a database initialization failure when using msfdb init with the --connection-string option to connect to PostgreSQL 15+ instances (e.g., Docker containers).
- #20817 from randomstr1ng – Adds a fix to ensure the output of sap_router_portscanner no longer causes module crashes.
- #20903 from jheysel-r7 – Fixes an issue so #enum_user_directories no longer returns duplicate directories.
- #20906 from rudraditya21 – Implements a fix for SSH command shells dying on cmd_exec when a trailing newline was present.
- #20953 from zeroSteiner – Improves the stability of socket channeling support for SSH sessions opened via scanner/ssh/ssh_login.
- #20955 from adfoster-r7 – Ensures the cleanup of temporarily created RHOST files when using the services -p <ports> -u -R command to set RHOST values from the database.
Documentation
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.



