Rapid7 released a Metasploit update adding seven new modules plus multiple enhancements and fixes, including new exploit support for high-severity vulnerabilities affecting AI infrastructure, remote access appliances, and VoIP devices. The release highlights an Ollama model registry path traversal chain (CVE-2024-37032, CVSS 8.8) that abuses the pull mechanism to achieve arbitrary file write and escalate to unauthenticated root RCE, and a Grandstream GXP1600 stack overflow (CVE-2026-2329, CVSS 9.3) that can yield a root session and is paired with post-exploitation capabilities such as credential harvesting and SIP traffic interception/proxying.
The update also adds/updates an exploit for BeyondTrust Privileged Remote Access (PRA) / Remote Support (RS) appliances via unauthenticated command injection (CVE-2026-1731, CVSS 9.9), and introduces a BeyondTrust helper library to support future module development and port existing modules. On the evasion side, Metasploit gained a Linux ARM64 RC4 “packer” module (linux/aarch64/rc4_packer) featuring in-memory ELF execution and sleep-based evasion, while several existing modules and auxiliary scanners received quality-of-life improvements and bug fixes (e.g., improved checks and reduced false positives/crashes).

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
1 event from the most recent confirmed update back to the earliest known activity.
On 2026-02-27, the Metasploit Framework released an update adding seven new modules, including exploits for Ollama Model Registry path traversal RCE (CVE-2024-37032), BeyondTrust PRA/RS command injection (CVE-2026-1731), and Grandstream GXP1600 unauthenticated root RCE (CVE-2026-2329). The release also added Linux ARM64 RC4 packer evasion, new Windows and WSL persistence techniques, and multiple module improvements and bug fixes.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.