Metasploit Wrap Up 05/22/2026


Another week, another authentication bypass

Our humble Metasploit weekly(ish) blog has been blessed with a new network component vulnerability. The dynamic duo of @sfewer-r7 and @jburgess-r7 have discovered and authored the admin/networking/cisco_sdwan_vhub_auth_bypass module for CVE-2026-20182, a vulnerability gracing the Cisco Catalyst SD-WAN Controller. These devices, whose purpose is to control a software-defined (SD) wide-area network (WAN), were unfortunately missing an extra A for authentication: an oversight that Cisco has duly patched.

Elsewhere this week, the HUSTOJ online judge platform has been caught failing to judge its own zip files (CVE-2026-24479), courtesy of a zip-slip RCE module from LoTuS and friends. Next, @Alpenlol has weaponized the small matter of Barracuda’s Email Security Gateway, happily eval()-ing the number format string inside an attached Excel file (CVE-2023-7102).

Our own @jburgess-r7 has been rather busy and also contributed a cPanel/WHM authentication bypass module that escalates straight to root via CRLF injection (CVE-2026-41940). And last, but not least, @h00die has gifted us a post module for Tenable Security Center that quietly extracts and cracks its stored credential hashes. Nevertheless, this module works only if your Tenable Security Center is using the same password you have been using since 2006.

New module content (5)

Cisco Catalyst SD-WAN Controller vHub Authentication Bypass

Authors: Crypto-Cat and sfewer-r7

Type: Auxiliary

Pull request: #21463 contributed by jburgess-r7

Path: admin/networking/cisco_sdwan_vhub_auth_bypass

AttackerKB reference: CVE-2026-20182

Description: This adds a new auxiliary module for CVE-2026-20182, an authentication bypass in the Cisco Catalyst SD-WAN Controller.

HUSTOJ Admin users can zip-slip problem_import_qduoj.php, planting PHP files in webroot for RCE

Authors: LoTuS and friends, ling101w, and oxagast

Type: Exploit

Pull request: #21165 contributed by oxagast

Path: linux/http/hustoj_problem_import_rce

AttackerKB reference: CVE-2026-24479

Description: This adds an exploit for CVE-2026-24479 which is a zip slip vulnerability in HustOJ, an open source online judge platform, prior to version 26.01.24.

Barracuda ESG Spreadsheet::ParseExcel Arbitrary Code Execution

Authors: Curt Hyvarinen, Mandiant, and haile01

Type: Exploit

Pull request: #21035 contributed by Alpenlol

Path: linux/smtp/barracuda_esg_spreadsheet_rce

AttackerKB reference: CVE-2023-7101

Description: Adds a new exploit module for CVE-2023-7102, an unauthenticated remote code execution vulnerability in Barracuda Email Security Gateway (ESG) appliances. The flaw resides in the Amavis scanner’s use of the Perl Spreadsheet::ParseExcel library, which allows eval injection via malicious Excel number format strings. The module uses Rex::OLE to craft a minimal BIFF8 XLS file with the payload embedded in a FORMAT record and delivers it via SMTP.
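A defender-side check for the FORMAT records described above, as an added example (not code from the Metasploit module, Amavis or Barracuda): it walks BIFF8 records and reports number format strings that fall outside a conservative allowlist. It assumes the workbook stream has already been extracted from the OLE container; the allowlist is a heuristic assumption, and the sample bytes are constructed.

```python
import re
import struct

FORMAT = 0x041E  # BIFF8 FORMAT record: u16 index, then a length-prefixed string

# Heuristic allowlist (assumption): bracket sections Excel itself writes.
BRACKET_OK = re.compile(
    r"^(?:Black|Blue|Cyan|Green|Magenta|Red|White|Yellow|Color\d{1,2}|h+|m+|s+"
    r"|\$[^\]]*-[0-9A-Fa-f]+|(?:<=|>=|<>|<|>|=)-?\d+(?:\.\d+)?)$", re.IGNORECASE)
# Characters expected outside brackets once quoted literals are stripped.
BODY_OK = re.compile(r"^[0-9#?.,%/\-+*_ ()@:;EeGgnralDdMmYyHhSsAaPp$]*$")

def iter_records(stream):
    """Yield (type, payload) per BIFF record; stop at a truncated record."""
    pos = 0
    while pos + 4 <= len(stream):
        rtype, size = struct.unpack_from("<HH", stream, pos)
        payload = stream[pos + 4:pos + 4 + size]
        if len(payload) < size:
            return
        yield rtype, payload
        pos += 4 + size

def format_string(payload):
    """Decode a FORMAT string (plain strings only; rich/extended runs ignored)."""
    cch, flags = struct.unpack_from("<HB", payload, 2)
    if flags & 0x01:  # uncompressed UTF-16LE
        return payload[5:5 + cch * 2].decode("utf-16-le", "replace")
    return payload[5:5 + cch].decode("latin-1")

def is_suspicious(fmt):
    text = re.sub(r'"[^"]*"', "", fmt)   # drop quoted literals
    text = re.sub(r"\\.", "", text)      # drop backslash-escaped characters
    if any(not BRACKET_OK.match(b) for b in re.findall(r"\[([^\]]*)\]", text)):
        return True
    return not BODY_OK.match(re.sub(r"\[[^\]]*\]", "", text))

def suspicious_formats(stream):
    """Return every FORMAT string in the stream that fails the allowlist."""
    return [f for t, p in iter_records(stream) if t == FORMAT and len(p) >= 5
            for f in [format_string(p)] if is_suspicious(f)]

def _rec(rtype, body):  # helper for the constructed sample below
    return struct.pack("<HH", rtype, len(body)) + body

def _fmt(idx, s):
    return _rec(FORMAT, struct.pack("<HHB", idx, len(s), 0) + s.encode("latin-1"))

# Constructed workbook-stream fragment: BOF, two ordinary formats, one odd one.
SAMPLE = (_rec(0x0809, b"\x00\x06\x05\x00") + _fmt(164, "#,##0.00")
          + _fmt(165, "[Red]0.00;[>100]0") + _fmt(166, "[UNEXPECTED TOKEN]0"))

if __name__ == "__main__":
    print(suspicious_formats(SAMPLE))
```

A hit is a reason to quarantine the attachment for review rather than proof of malice, since the allowlist will also flag unusual but legitimate custom formats.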

cPanel/WHM CRLF Injection Authentication Bypass RCE

Authors: Adam Kues, Crypto-Cat, Shubham Shah, and Sina Kheirkhah

Type: Exploit

Pull request: #21417 contributed by jburgess-r7

Path: multi/http/cpanel_whm_auth_bypass_rce

AttackerKB reference: CVE-2026-41940

Description: This adds an exploit module for cPanel/WHM authentication bypass leading to root RCE (CVE-2026-41940).

Tenable Security Center

Author: h00die

Type: Post

Pull request: #21177 contributed by h00die

Path: linux/gather/tenable_security_center

Description: This adds a Linux post module for Tenable Security Center that will retrieve credential hashes and crack them.

Enhancements and features (6)

  • #21292 from sjanusz-r7 – Updates the RPC notes command to allow data to return a hash value where applicable.
  • #21305 from sjanusz-r7 – Updates the services RPC endpoint to additionally report the resource and parent services fields.
  • #21414 from dledda-r7 – This backports the Python components of the Copy Fail (CVE-2026-31431) exploit to work with Python 2.7 interpreters, effectively supporting older targets.
  • #21447 from jheysel-r7 – This updates Metasploit’s documentation to describe how a kerberoast attack can be performed entirely with Metasploit. It also updates the kerberoast module to correctly log the realm to the database regardless of whether an existing LDAP session was used.
  • #21458 from dwelch-r7 – Updates the Sinatra, Rack, and Thin web service dependencies to support an upcoming Rails 8 upgrade.
  • #21460 from bhaskarbhar – This consolidates some code used by Windows exec payloads to provide a more consistent experience.

Bugs fixed (4)

  • #21285 from sjanusz-r7 – Updates the RPC creds command to now also return the associated realm key and value.
  • #21345 from g0tmi1k – This fixes an issue in the smb_enumshares module that prevented it from working against certain SMB 1 targets such as Metasploitable 2.
  • #21474 from adfoster-r7 – Fixes a crash in msfdb init on Windows.
  • #21475 from adfoster-r7 – Fixes an msfdb installation error on Windows.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.
