Metasploit Wrap-Up 04/25/2026


Check Method Visibility

Metasploit has supported check methods for many years now. It is not always desirable to jump straight into exploiting a vulnerability; often the first goal is simply to determine whether the target is vulnerable at all. Metasploit tries to be very conservative about classifying a target as “vulnerable” unless the vulnerability itself is leveraged as part of the check method, reserving the “appears” status for version checks. The different check codes a module is capable of returning, and the logic used to select among them, vary from exploit to exploit and are not always easy to understand. In line with the consistent feedback Metasploit has received that module actions should be more transparent, adfoster-r7 has been adding reasoning information en masse to the check codes returned by a variety of exploits. This information helps users understand why a particular vulnerability status was chosen, making troubleshooting easier and increasing confidence in the results.
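The selection logic described above (version evidence alone yields “appears”, only a direct confirmation yields “vulnerable”, and every status carries a reason) can be sketched in a few lines. The following Ruby is an added example written for this post; it does not use Metasploit's own CheckCode classes or any real module, and the product name “ExampleApp”, its affected version range, the banner strings and the CheckResult struct are all constructed for illustration.

```ruby
# Added example (not Metasploit's own code): a minimal model of how a check
# method picks a status and attaches a human-readable reason to it.
# "ExampleApp", its affected range and the banners below are constructed.
require 'rubygems'

# Status plus the reason it was chosen, so the operator can see the evidence.
CheckResult = Struct.new(:code, :reason) do
  def to_s
    "#{code}: #{reason}"
  end
end

# Constructed affected range for the hypothetical product:
# versions >= FIRST_BAD and < FIRST_FIXED are in scope.
PRODUCT     = 'ExampleApp'
FIRST_BAD   = Gem::Version.new('2.8.0')
FIRST_FIXED = Gem::Version.new('2.9.1')

# Pull a version such as "ExampleApp/2.8.3" out of a banner, or return nil.
def extract_version(banner)
  m = banner.match(%r{#{PRODUCT}/(\d+(?:\.\d+)*)})
  m && Gem::Version.new(m[1])
end

# Status selection. `confirm` is an optional callable standing in for a
# direct, non-destructive confirmation of the flaw; only a positive result
# from it justifies :vulnerable. Version evidence alone yields :appears.
def check(banner, confirm: nil)
  if banner.nil? || banner.empty?
    return CheckResult.new(:unknown, 'no response from target')
  end

  version = extract_version(banner)
  unless version
    return CheckResult.new(:detected, "#{PRODUCT} responded but advertised no version")
  end

  range_text = "#{FIRST_BAD} to < #{FIRST_FIXED}"
  if version < FIRST_BAD || version >= FIRST_FIXED
    return CheckResult.new(:safe, "#{PRODUCT} #{version} is outside the affected range #{range_text}")
  end

  if confirm && confirm.call
    return CheckResult.new(:vulnerable, "#{PRODUCT} #{version}: direct confirmation succeeded")
  end

  suffix = confirm ? 'direct confirmation failed (patched or mitigated?)' : 'not directly confirmed'
  CheckResult.new(:appears, "#{PRODUCT} #{version} is within the affected range #{range_text}; #{suffix}")
end

if __FILE__ == $0
  puts check('Server: ExampleApp/2.8.3')
  puts check('Server: ExampleApp/2.8.3', confirm: -> { true })
  puts check('Server: ExampleApp/2.8.3', confirm: -> { false })
  puts check('Server: ExampleApp/3.0.0')
  puts check('Server: ExampleApp')
  puts check('')
end
```

The point of the reason string is that two targets reporting the same status can do so for different evidence: a version match and a failed direct confirmation both end up as “appears”, and without the attached reason an operator cannot tell which case they are looking at.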

Legacy SMB Improvements

This week, community member g0tm1lk made multiple improvements for legacy and non-Windows SMB targets. Version information is now more reliably extracted from targets running SMB 1, and a variety of minor bugs were fixed across multiple modules. These bugs would have affected users targeting systems a module was not intended for, as often happens when a module is used to scan an entire network.

New module content (4)

Camaleon CMS Directory Traversal CVE-2024-46987

Authors: Goultarde, Peter Stockli, and bootstrapbool

Type: Auxiliary

Pull request: #21122 contributed by bootstrapbool

Path: gather/camaleon_download_private_file

AttackerKB reference: CVE-2024-46987

Description: This adds an auxiliary module to exploit an arbitrary file download vulnerability, CVE-2024-46987, on Camaleon CMS >= 2.8.0 as well as 2.9.0.

Langflow RCE

Authors: Takahiro Yokoyama and weblover12

Type: Exploit

Pull request: #21260 contributed by Takahiro-Yoko

Path: multi/http/langflow_rce_cve_2026_27966

AttackerKB reference: CVE-2026-27966

Description: Adds an exploit module for CVE-2026-27966, a prompt injection RCE vulnerability in Langflow < 1.8.0. By creating and sending a specially crafted flow containing Python code, an attacker gets LangChain to execute that code, because LangChain's Read-Eval-Print Loop (REPL) is exposed by default and runs any Python code it is given.

WebDAV PHP Upload

Authors: g0tmi1k and theLightCosine theLightCosine@metasploit.com

Type: Exploit

Pull request: #21256 contributed by g0tmi1k

Path: multi/http/webdav_upload_php

AttackerKB reference: CVE-2012-10062

Description: Updates code and adds features: Linux support, check() method, and cleanup after exploit.

Linux Chmod

Author: bcoles bcoles@gmail.com

Type: Payload (Single)

Pull request: #21238 contributed by bcoles

Path: linux/loongarch64/chmod

Description: Adds a new linux/loongarch64/chmod payload to change the permissions of a specified file.

Enhancements and features (11)

  • #21019 from g0tmi1k – This adds support for phpMyAdmin v3.1.x to the phpMyAdmin Config File Code Injection module (CVE-2009-1285). This also adds a check method.
  • #21230 from bcoles – Reduces the memory footprint of the module metadata cache in Metasploit.
  • #21231 from bcoles – Improves the performance of the module metadata cache as well as bug fixes.
  • #21232 from bcoles – Add a method to discover writable directories on Unix targets using the find command.
  • #21256 from g0tmi1k – Updates code and adds features: Linux support, check() method, and cleanup after exploit.
  • #21347

Bugs fixed (4)

  • #21327 from tair-m – Fixes a crash when loading HTTP modules.
  • #21341 from g0tmi1k – This fixes multiple issues related to various SMB modules when targeting Samba.
  • #21344 from adfoster-r7 – Fixes a bug when running the check method for scanner/http/elasticsearch_traversal against non-vulnerable targets.
  • #21346 from adfoster-r7 – Fixes a false positive that was present in auxiliary/scanner/couchdb/couchdb_enum.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.
