Rapid7 has released one of the most impactful Metasploit Framework updates in recent years, delivering seven new modules, nine feature enhancements, and a wave of fixes designed to improve exploit reliability and modernize offensive security capabilities. The February 27, 2026 update equips red teams, penetration testers, and security engineers with high‑severity RCE exploits, sophisticated Linux ARM64 evasion, and new Windows/WSL persistence techniques.
This article breaks down each module, explains how the new exploits work, and outlines what defenders and security leaders need to know.
Critical Remote Code Execution (RCE) Modules
The standout additions in the February 2026 update are three unauthenticated RCE modules targeting AI infrastructure, privileged access platforms, and VoIP devices.
1. Ollama Model Registry Path Traversal (CVE‑2024‑37032)
CVSS 8.8 — Unauthenticated Root RCE
Metasploit now includes a dedicated exploit module for Ollama, a rapidly growing AI model‑serving platform. The vulnerability stems from improper sanitization in the model pull mechanism, allowing path traversal sequences.
Attack chain:
- Attacker loads a rogue OCI registry
- Writes malicious .so libraries into unintended paths
- Forces Ollama to spawn a new process
- Process loads the malicious shared object
- Result: Unauthenticated root‑level RCE
This exploit demonstrates that even AI infrastructure is now a high‑value target for adversaries.
2. BeyondTrust PRA & RS Command Injection (CVE‑2026‑1731)
CVSS 9.9 — Unauthenticated Command Injection
The update introduces a powerful exploit for BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) appliances. This RCE flaw enables attackers to execute arbitrary commands without authentication.
Additionally, Metasploit added a new BeyondTrust helper library, improving exploit stability and streamlining future development.
Organizations relying on BeyondTrust should treat this as a critical patching priority.
3. Grandstream GXP1600 Stack Overflow (CVE‑2026‑2329)
CVSS 9.3 — Full Root Compromise on VoIP Devices
Grandstream’s office VoIP phones contain a stack overflow bug that can now be exploited via a new Metasploit module.
The update includes:
- 1 exploit module: Gain unauthenticated root access
- 2 post‑exploitation modules:
  - Credential harvesting
  - SIP traffic interception / packet capture
These new modules give attackers (and testers) full insight into sensitive VoIP communications.
New Evasion & Persistence Modules
1. Linux RC4 Packer (ARM64 Evasion)
This is Metasploit’s first Linux evasion module for ARM64 architectures. It enables:
- RC4‑encrypted payloads
- In‑memory ELF execution
- Sleep‑based detection evasion
This module helps operators test modern Linux defense controls—especially those in IoT, cloud, and edge devices.
2. WSL Startup Persistence (Windows Subsystem for Linux)
A new persistence mechanism that writes payloads directly to the user’s WSL startup folder, ensuring the implant runs automatically when WSL launches.
3. Windows Registry Active Setup Persistence
This module abuses Windows Active Setup, a native registry‑based startup mechanism.
Key characteristics:
- Executes payloads at user login
- Runs with downgraded user privileges
- Executes once per user profile
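For defenders who want to audit this persistence location, the following PowerShell script is an added example (not code from the Metasploit module or from Rapid7's release notes). It enumerates the machine-wide Active Setup Installed Components keys, works out which StubPath commands are still pending for the current user (HKCU copy missing or with a different Version), and flags commands whose executable sits outside the OS or Program Files directories or does not exist on disk. The registry paths are the standard Active Setup locations; the "suspicious" heuristics are this example's own assumptions, not a vendor rule.

```powershell
# Added audit script (not part of the Metasploit module or Rapid7's release notes).
# Lists Active Setup components, reports which StubPath commands would still run for
# the current user at next logon, and flags commands outside OS directories.
$machineRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components'
)
$userRoot = 'HKCU:\Software\Microsoft\Active Setup\Installed Components'
# Directories treated as trusted by this example (assumption, tune for your estate)
$trustedDirs = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Get-ActiveSetupAudit {
    foreach ($root in $machineRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $props = Get-ItemProperty -Path $key.PSPath
            if (-not $props.StubPath) { continue }          # nothing to execute
            if ($props.IsInstalled -eq 0) { continue }      # component disabled

            # Active Setup runs StubPath once per user: when the HKCU copy of the key
            # is missing or its Version is lower than HKLM's. A differing string is
            # simply treated as pending here.
            $userKey = Join-Path $userRoot $key.PSChildName
            $userVersion = if (Test-Path $userKey) { (Get-ItemProperty $userKey).Version }
            $pending = (-not $userVersion) -or ([string]$userVersion -ne [string]$props.Version)

            # Extract the executable from a command line such as "C:\x\y.exe" /arg
            $exe = if ($props.StubPath -match '^\s*"([^"]+)"') { $Matches[1] } else { ($props.StubPath -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $inTrustedDir = $false
            foreach ($d in $trustedDirs) {
                if ($exe.StartsWith($d, [StringComparison]::OrdinalIgnoreCase)) { $inTrustedDir = $true }
            }
            $signer = if (Test-Path -LiteralPath $exe -PathType Leaf) {
                (Get-AuthenticodeSignature -FilePath $exe).SignerCertificate.Subject
            } else { '<file not found>' }

            [pscustomobject]@{
                Component  = $key.PSChildName
                Hive       = $root
                StubPath   = $props.StubPath
                Pending    = $pending
                Signer     = $signer
                Suspicious = (-not $inTrustedDir) -or ($signer -eq '<file not found>')
            }
        }
    }
}

Get-ActiveSetupAudit | Where-Object Suspicious | Format-Table -AutoSize Component, Pending, StubPath
```

Run it in the context of each interactive user you care about, since the pending check is evaluated against the current user's HKCU hive; entries with Pending set to true and an unexpected StubPath deserve a closer look.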
Enhancements & Bug Fixes
Multiple legacy modules and scanners received significant quality‑of‑life improvements:
✔ Unreal IRCd & vsftpd Backdoor
- Better check methods
- Native Meterpreter payloads
- Improved troubleshooting output
✔ SolarWinds Module
- Automatically selects the correct SRVHOST
✔ MS17‑010 Scanner
- Added metadata‑driven check method for improved automation
✔ LDAP ESC & GraphQL Scanners
- Crash and false‑positive issues resolved
Together, these updates make Metasploit’s scanning and exploitation workflows more reliable and production‑ready.
Module Summary Table
| Module Name | CVE | Target | Type |
|---|---|---|---|
| Ollama Path Traversal RCE | CVE‑2024‑37032 | Linux / AI | Exploit |
| BeyondTrust PRA/RS RCE | CVE‑2026‑1731 | Appliances | Exploit |
| Grandstream GXP1600 RCE | CVE‑2026‑2329 | VoIP Devices | Exploit & Post |
| Linux RC4 Packer | N/A | ARM64 Linux | Evasion |
| WSL Startup Persistence | N/A | Windows / WSL | Persistence |
| Windows Active Setup | N/A | Windows | Persistence |
What This Update Means for Defenders
Metasploit’s new capabilities reflect how real attackers operate:
- Unauthenticated RCE is now the default in many exploit paths
- AI infrastructure (Ollama) is becoming a frontline attack vector
- VoIP devices remain soft targets with high impact
- Linux ARM64 evasion is increasingly relevant in cloud and IoT ecosystems
- Windows & WSL persistence techniques mimic current threat actor TTPs
Enterprises should prioritize:
- Applying patches for BeyondTrust, Grandstream, and Ollama
- Monitoring for RC4‑packed ARM64 binaries
- Auditing WSL & Active Setup persistence locations
- Strengthening VoIP segmentation and logging
- Reviewing AI model registry security hygiene
Conclusion
Rapid7’s February 2026 Metasploit update marks a major milestone in offensive security tooling, offering deep coverage across AI platforms, privileged access systems, VoIP hardware, Linux ARM64 environments, and Windows persistence.