Metasploit exploit modules just received a major February 2026 update that materially changes how red and blue teams validate enterprise defenses. Rapid7’s release adds unauthenticated remote code execution (RCE) testing against high‑impact targets (Ollama AI, BeyondTrust PRA/RS, Grandstream VoIP), introduces a Linux ARM64 evasion module powered by an RC4‑encrypted packer with in‑memory execution, and ships new Windows/WSL persistence capabilities.
For CISOs, security engineers, and SOC leaders, the message is clear: the attack surface now spans AI infrastructure, privileged access management, VoIP appliances, Linux on ARM, and dual‑stack Windows/WSL. This article breaks down what changed, why it matters, how these modules work at a high level, and how to align controls with NIST, MITRE ATT&CK, and incident response best practices—without enabling misuse.
What’s in the February 2026 Metasploit Release? (Primary keyword included)
Rapid7’s Metasploit Framework update introduces new exploit modules and supporting enhancements focused on unauthenticated attack paths, post‑exploitation, evasive payload delivery, and persistence across mixed environments.
Headline additions:
- Ollama AI (CVE-2024-37032): Path traversal leading to unauthenticated root RCE via a rogue OCI registry that writes malicious shared objects to the host, forcing a new process spawn.
- BeyondTrust PRA/RS (CVE-2026-1731): Unauthenticated command injection modules, plus a unified helper library to improve reliability and legacy coverage.
- Grandstream GXP1600 (CVE-2026-2329): Stack overflow exploit yielding root shells, with post‑exploitation for credential harvesting and SIP packet capture.
- Linux ARM64 evasion: First dedicated RC4‑encrypted packer with in‑memory ELF execution and sleep‑based evasion to reduce scanner visibility.
- Windows & WSL persistence: Abuse of Active Setup for stealth login‑time payloads and WSL startup folder for durable footholds after reboot.
- Quality‑of‑life updates: Improved checks and verbosity in classic vsftpd and Unreal IRCd backdoor modules; fixes for LDAP ESC scanner crashes and GraphQL introspection false positives.
Why it matters: The delta between red‑team capabilities and enterprise detect‑and‑respond maturity is widening—especially for unauthenticated exposure, data-in-motion exfiltration, and Linux-on-ARM targets now common in edge, IoT, and AI infrastructure.
How the New Modules Work (High-Level, Defender-Focused)
1) Ollama Path Traversal → Unauth Root RCE (CVE-2024-37032)
What it is: A flaw in the model pull mechanism accepts arbitrary path traversal sequences.
How it’s abused: Attackers can point Ollama to a rogue OCI registry and have it write attacker‑controlled shared objects on the host. The service then spawns a new process loading the malicious library—resulting in root RCE with no prior auth.
Defender watchpoints:
- Monitor OCI/registry egress and validate allowed registries.
- Enforce content trust and signature verification for model artifacts.
- Baseline Ollama service behavior; alert on unexpected process spawns and library loads.
2) BeyondTrust PRA/RS Command Injection (CVE-2026-1731)
What it is: An unauthenticated command injection affecting Privileged Remote Access and Remote Support components.
What’s new in Metasploit: Modernized modules with a shared helper library enhance reliability and extend coverage of older BeyondTrust flaws.
Defender watchpoints:
- Tighten external exposure of PRA/RS; require mTLS, IP allowlists, and private ingress.
- Inspect reverse proxy rules and WAF policies for command injection patterns.
- Accelerate vendor patch SLAs; enforce configuration drift checks.
3) Grandstream GXP1600 Stack Overflow (CVE-2026-2329)
What it is: A stack overflow in popular VoIP endpoints enabling root shells in lab conditions.
Post‑exploitation modules:
- Credential harvesting from device storage.
- Deep SIP traffic capture for network‑level analysis.
Defender watchpoints: - Treat VoIP appliances as Tier‑1 assets: network segmentation, 802.1X, DHCP snooping, and mgmt plane isolation.
- Disable unused services; enforce firmware pinning and prompt patching.
- Inspect SIP signaling and RTP streams for anomalies.
4) Linux ARM64 Evasion with RC4‑Encrypted Packer
What it is: An ARM64‑focused module that wraps payloads in an RC4 packer, executes ELF in memory, and uses sleep/jitter tactics to degrade automated detection.
Why it matters: ARM is pervasive in edge, appliances, IoT, and AI inference nodes. In‑memory payloads reduce file‑based IOC trails.
Defender watchpoints:
- Expand EDR coverage to ARM64; prefer sensors with memory introspection and kernel telemetry.
- Alert on suspicious mmap/ptrace patterns, anomalous /proc access, and LD_PRELOAD‑like behavior.
- Apply eBPF‑based detections and syscall correlation for in‑memory execution.
5) Persistence on Windows & WSL
Windows (Active Setup): Leverages a registry‑backed initialization sequence to launch payloads silently on user logon.
WSL startup folder: Drops artifacts to survive reboots and restore connections once the subsystem initializes.
Defender watchpoints:
- Audit Active Setup and Run/RunOnce; monitor registry write events (e.g., ATT&CK T1112, T1547 variants).
- Observe WSL filesystem & startup changes; restrict WSL where not required.
- Enforce LAPS, PAM, and Privileged Access Workstations (PAW) for administrative tasks.
Exploit Module Summary
| Target Platform | Vulnerability Details | Impact |
|---|---|---|
| Ollama AI | CVE‑2024‑37032 (Path Traversal) | Unauthenticated Root RCE |
| BeyondTrust PRA/RS | CVE‑2026‑1731 (Command Injection) | Unauthenticated RCE |
| Grandstream GXP1600 | CVE‑2026‑2329 (Stack Overflow) | Root Session & Credential Theft |
| Linux ARM64 | RC4‑Encrypted Packer / Sleep Evasion | In‑Memory Defense Bypass |
| Windows / WSL | Active Setup / Startup Folder | Stealth Persistence |
Quality‑of‑life improvements: enhanced checks for vsftpd and Unreal IRCd backdoors; bug fixes for LDAP ESC scanner crashes and GraphQL introspection false positives.
Real‑World Scenarios & Blue‑Team Implications
- AI/ML pipelines (Ollama): Model registries now represent software supply chain risk. Misconfigured pull paths can become root shells.
- Action: Enforce allowlisted registries, artifact signing, and attestation; continuous egress filtering to block rogue registries.
- Privileged access gateways (BeyondTrust): These systems sit at the core of admin workflows; unauth injection → domain‑wide compromise.
- Action: Private access (ZTNA/SASE), mTLS, strict authN; immediate patch rollouts and playbook rehearsals.
- VoIP estates (Grandstream): Desk phones are computers on your LAN. Root on a phone = network pivot + credential theft + fraud.
- Action: Isolate VoIP VLANs, SIP TLS, SRTP, firmware baselines, and NAC enforcement.
- Edge & ARM Linux: In‑memory payloads + RC4 packaging complicate file‑based detection.
- Action: Memory‑forensic telemetry, eBPF hooks, and behavior + network correlation instead of IOC‑only strategies.
Common Mistakes & Misconceptions
- “We block ransomware, so we’re safe.”
Reality: Unauth RCE and in‑memory execution bypass many ransomware‑centric controls. Focus on initial access & lateral movement. - “VoIP isn’t a priority.”
Reality: Compromised phones enable credential capture, call interception, and a pivot into internal networks. - “Our EDR covers everything.”
Reality: Many EDR agents are x86‑focused and lack deep ARM64 visibility. Validate coverage on edge and appliance classes. - “WSL is developer‑only, low risk.”
Reality: WSL persistence can quietly re‑establish C2 after reboot and evade Windows‑only detections.
Best Practices & Actionable Steps
1) Patch, Validate, and Monitor
- Ollama / BeyondTrust / Grandstream: Fast‑track vendor patches; verify with authenticated scans and config drift detection.
- Monitor for unexpected child processes, library loads, and registry mutations near Active Setup/WSL paths.
2) Zero Trust Controls (NIST SP 800‑207)
- Micro‑segment high‑value systems (PAM gateways, AI infra, VoIP controllers).
- Enforce strong authN, device posture, and least privilege for admin access.
3) MITRE ATT&CK Mapping
- Initial Access & Execution: Exploitation for Client/Remote Services (T1190), Command/Script Interpreter (T1059).
- Defense Evasion: Obfuscated/Compressed Files & Info (T1027), Modify Registry (T1112), Hide Artifacts (T1564).
- Persistence: Boot or Logon Autostart (T1547), WSL Abuse (mapped as platform‑specific technique).
- Credential Access & Discovery: Credential Dumping (T1003), Query Registry (T1012).
- Exfiltration & C2: Exfiltration Over Web Services (T1567), Encrypted Channel (T1573).
4) Network & Supply Chain Defenses
- Registry allowlists for model sources; enforce artifact signing and SBOMs for AI models.
- Apply DLP/ADX to watch for SIP dumps, credential archives, and unknown registry pulls.
5) Detection Engineering
- Windows: Alert on Active Setup creation/modification, unusual Run/RunOnce, and script interpreter child processes.
- Linux ARM64: Telemetry on in‑memory ELF loads, rc4‑like decode loops, and sleep/jitter beacons.
- VoIP: Netflow/PCAP for SIP REGISTER/INVITE anomalies and unexpected TFTP/HTTP firmware pulls.
6) Incident Response Readiness
- Update tabletop playbooks: unauth RCE in PAM/AI/VoIP, in‑memory payload triage, WSL persistence eradication.
- Pre‑position forensic capture for ARM64 and network SIP trace pipelines.
- Align breach comms for regulated data exposure (GDPR/PCI/HIPAA).
Risk–Impact Analysis for Enterprises
| Risk Area | Business Impact | Security Implications |
|---|---|---|
| Unauth RCE (AI, PAM, VoIP) | Service disruption, privileged takeover | Rapid domain impact, lateral movement, data theft |
| In‑Memory Execution (ARM64) | Low detection rates, longer dwell | Fewer artifacts, harder IR and attribution |
| Windows/WSL Persistence | Re‑compromise after cleanup | Hidden autoruns, user‑logon triggers |
| Supply Chain (Model Registries) | Integrity loss, IP exposure | Unsigned artifacts, rogue registries |
| Credential/SIP Harvesting | Account takeover, fraud risk | VoIP abuse, call interception, toll fraud |
Compliance & Regulatory Relevance
- NIST SP 800‑207 (Zero Trust): Micro‑segment privileged services; verify explicitly before trust.
- NIST SP 800‑53 Rev. 5: SI‑7 (Software/Tamper Protection), AC‑6 (Least Privilege), AU‑6 (Auditable events), CM‑6 (Config settings).
- ISO/IEC 27001:2022: A.8 (Asset mgmt), A.12 (Ops security), A.14 (System acquisition/dev).
- PCI DSS 4.0 / HIPAA / GDPR: Prompt patching, access controls, logging, and breach notification for data exposure.
Tools, Frameworks, and Standards to Leverage
- MITRE ATT&CK for detection mapping and purple‑team planning.
- NIST SP 800‑115 for technical security testing guidance.
- OWASP Testing Guide for web injection vectors (BeyondTrust front‑ends, proxies).
- SBOM/Artifact signing tools for AI model provenance verification.
FAQs
Q1. Are these Metasploit modules “point‑and‑shoot” exploits?
A. They are designed for legitimate testing in controlled environments. Production exploitation requires specific preconditions; defenders should focus on patching, segmentation, and telemetry rather than assuming immunity.
Q2. How do we detect the Linux ARM64 RC4 packer and in‑memory payloads?
A. Prioritize memory telemetry, syscall correlation (eBPF), and heuristics for decode‑then‑exec patterns and sleep/jitter beacons; do not rely solely on file‑based IOCs.
Q3. What’s the fastest mitigation for BeyondTrust PRA/RS command injection?
A. Patch immediately, move services behind private access/ZTNA, enforce mTLS/IP allowlists, and monitor reverse‑proxy/WAF logs for injection patterns.
Q4. How should we secure Ollama AI deployments?
A. Lock to approved registries, require artifact signing/attestation, monitor for unexpected process spawns, and restrict service accounts to least privilege.
Q5. Are VoIP phones really high‑risk?
A. Yes. Treat them as managed endpoints: isolate, patch, enable SIP TLS/SRTP, and monitor for config/firmware drift.
Q6. How do we find WSL‑based persistence?
A. Hunt for startup artifacts within WSL filesystems, registry entries tied to Active Setup, and anomalous user‑logon process trees.
Conclusion
The February 2026 Metasploit exploit modules update compresses multiple adversary advantages into a single release: unauthenticated RCE across strategic platforms, ARM64 in‑memory evasion that blunts file‑centric defenses, and dual‑stack persistence on Windows/WSL. For security leaders, the imperative is to patch fast, tighten exposure, and instrument deeply—especially around AI registries, PAM gateways, VoIP estates, and ARM‑based Linux.
