Rapid7 developers added and refined a Metasploit module for CVE-2026-41477, an unauthenticated IPC named pipe local privilege escalation flaw in Deskflow. The work tracks exploit support for a vulnerability that could allow a local attacker to elevate privileges through Deskflow's inter-process communication mechanism, and the issue was added to the Metasploit project workflow for further development.
The updated module was reworked to use direct kernel32 Railgun API calls for named pipe communication instead of cmd_exec and PowerShell wrappers, while also replacing PowerShell-based environment variable expansion with native path expansion. Developers removed the WMI launcher and intermediate PowerShell scripts, limited the module to Meterpreter sessions because Railgun is required, and added documentation with verified scenario output as the exploit support matured.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
2 events from the most recent confirmed update back to the earliest known activity.
Development updates rewrote the module to use direct kernel32 Railgun API calls for named pipe communication, removed PowerShell and WMI-based components, restricted use to Meterpreter sessions, and added documentation with verified scenario output. The related pull request activity was published on April 23, 2026.
A pull request was opened to add support in Metasploit for CVE-2026-41477, described as an unauthenticated IPC named pipe local privilege escalation vulnerability in Deskflow. Project activity shows the item being added to the Metasploit Kanban board and moved to the Todo column.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
github.com
Open sourcegithub.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.