
Metasploit Wrap-Up 04/03/2026: New RCEs

You're scripting a payload drop into a vulnerable web app. Suddenly, Metasploit's fresh modules light up your console — RCE in FreeScout via a sneaky .htaccess bypass. This week's wrap-up isn't just code; it's a blueprint for modern breaches.

[Image: Metasploit console showing new FreeScout RCE module execution]

Key Takeaways

  • New RCE modules for FreeScout (unauth) and Grav CMS (auth) expand Metasploit's web attack surface.
  • Generic HTTP os_cmd_exec covers any endpoint that passes input to a shell; Windows logon persistence via the UserInitMprLogonScript registry value needs no dropped file.
  • Contributor-driven updates highlight open-source speed — a persistent edge over closed tools.

Payload flying. Target: a helpdesk running FreeScout 1.8.206 or older. Metasploit's console spits out success: unauthenticated RCE, no sweat, thanks to a zero-width space (ZWSP, U+200B) that slips past the .htaccess check. Boom. Shell in hand.

Zoom out. This is the Metasploit Wrap-Up for 04/03/2026, and it's packed. New HTTP/HTTPS fetch payloads for x64 and x86 Windows, contributed by bwatters-r7, give you a short download-and-execute command that pulls the real payload from a Metasploit-hosted server, so you can pick the fetch command and transport that fit the target environment. The payload architecture is open enough that first-timers can hack on it, too.

But the real heat? Exploit modules. Chocapikk dropped FreeScout's doom via CVE-2026-28289. Here's the PR description:

This adds an exploit module for CVE-2026-28289, an unauthenticated remote code execution vulnerability in FreeScout versions prior to or equal to 1.8.206.

No auth needed. The ZWSP sneaks past the filter: a check that compares strings byte-for-byte never matches the blocked token once an invisible code point sits inside it, while the component that finally consumes the input may ignore or strip it. Parsers choking on invisible Unicode is a classic web-dev blind spot.
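To make the failure concrete, here is an added example (not FreeScout's code, and not the Metasploit module) of an invisible Unicode code point defeating a deny-list match, next to a check that survives it. The page does not say whether the real bypass lands in a filename or in file content, so the example uses a filename deny-list as a stand-in; the deny-list entries and the sample filenames are constructed for this illustration.

```ruby
# Added example, generic illustration: how an invisible Unicode code point
# slips past a filename deny-list, and one way to close the gap. This is not
# FreeScout's code; the deny-list and sample names below are constructed.

BLOCKED_NAMES = %w[.htaccess .htpasswd .user.ini].freeze
ZWSP = "\u200B" # ZERO WIDTH SPACE, Unicode general category Cf (format)

# Naive check: exact comparison of the submitted name against the deny-list.
# Any byte that differs, visible or not, defeats it.
def naive_blocked?(filename)
  BLOCKED_NAMES.include?(filename.downcase)
end

# Hardened check: NFKC-normalize, strip every "format" character (category Cf:
# ZWSP U+200B, ZWNJ U+200C, ZWJ U+200D, BOM U+FEFF, ...), then compare the
# basename only and refuse anything starting with ".ht" as a belt-and-braces rule.
def hardened_blocked?(filename)
  cleaned = filename.unicode_normalize(:nfkc).gsub(/\p{Cf}/, '')
  base = File.basename(cleaned).downcase
  BLOCKED_NAMES.include?(base) || base.start_with?('.ht')
end

# Run both checks over a constructed set of submitted filenames.
def demo
  candidates = [
    '.htaccess',          # plain: both checks catch it
    ".ht#{ZWSP}access",   # ZWSP inside the token: naive check misses it
    "\uFEFF.htaccess",    # BOM prefix: same trick
    'upload/.HTACCESS',   # path plus case: hardened check compares basename
    'notes.txt'           # benign
  ]
  candidates.map do |name|
    { name: name, naive: naive_blocked?(name), hardened: hardened_blocked?(name) }
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each do |row|
    puts "#{row[:name].inspect.ljust(22)} naive=#{row[:naive]} hardened=#{row[:hardened]}"
  end
end
```

The fix is not to add U+200B to the deny-list: strip the whole Cf category after normalizing, compare the basename, and where the application allows it prefer an allow-list of accepted extensions over a deny-list of forbidden names.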

How Does Grav CMS Hand Attackers the Keys?

x1o3's turn. Grav CMS, the flat-file CMS, in versions 1.1.x through 1.7.x with the Admin Plugin up to 1.10.x: CVE-2025-50286. Authenticated, sure, but once you hold an admin session the Admin Plugin's Direct Install feature accepts a plugin ZIP you built yourself, and the PHP inside executes as the web server user. Dead simple.

Admins love one-click installs. Attackers love abusing them. Module path: multi/http/grav_admin_direct_install_rce_cve_2025_50286. Test it in your lab — watch it pop a shell.

Then g0tmi1k's gem: multi/http/os_cmd_exec. Generic HTTP command execution for any endpoint that passes user input straight to system(). Instead of cobbling together a module per vulnerability, you point one module at the injection point and take a Meterpreter reverse shell back.
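The sink the module hunts, as an added example that is not part of the wrap-up or the module's source: a handler that interpolates a request parameter into a shell command, its hardened twin, and a marker-echo probe of the kind a generic command-execution check relies on. Both handlers and the probe are constructed for this illustration; `echo` stands in for the ping or lookup a real app would run.

```ruby
require 'open3'
require 'securerandom'

# Added example. Two constructed stand-ins for a web handler: params hash in,
# response body out. `echo` replaces the ping/nslookup/convert call a real app
# would make so the example runs anywhere with a POSIX shell.

# VULNERABLE: the parameter is interpolated into a command line that a shell
# parses, so `;`, `|`, `$(...)` and friends in the input become shell syntax.
def handler_vulnerable(params)
  `echo #{params['host']}` # same shape as `ping -c 1 #{host}`
end

# HARDENED: validate against an allow-list, then pass argv with no shell.
HOSTNAME_RE = /\A[A-Za-z0-9][A-Za-z0-9.-]{0,252}\z/
def handler_hardened(params)
  host = params['host'].to_s
  return "400 bad host\n" unless host.match?(HOSTNAME_RE)

  out, _status = Open3.capture2('echo', host) # argv form: no shell involved
  out
end

# Generic probe: ask the endpoint to echo a random marker by appending a
# second command to a benign value. If the marker comes back verbatim, the
# endpoint executed our text. This is the example's own check logic, not the
# Metasploit module's source; it shows why one module can cover many apps.
def command_sink?(handler, param: 'host', benign: 'example.com')
  marker = SecureRandom.hex(8)
  body = handler.call({ param => "#{benign}; echo #{marker}" })
  body.include?(marker)
end

# Probe both handlers; only the vulnerable one reflects the marker.
def demo
  {
    vulnerable: command_sink?(method(:handler_vulnerable)),
    hardened: command_sink?(method(:handler_hardened))
  }
end

puts demo if __FILE__ == $PROGRAM_NAME
```

The hardened handler rejects the probe at validation, but the important change is the argv form: even an input that passes the allow-list can never reach a shell parser, so a future regex mistake does not become RCE.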

Persistence seals it. Nayeraneru's module abuses the HKCU\Environment\UserInitMprLogonScript registry value: Windows runs whatever command is stored there at user logon, so your payload fires every time the user signs in. Subtle. It is a long-known technique (MITRE ATT&CK T1037.001, Logon Script (Windows)) but a rarely audited corner of the registry, which is why file-focused AV tends to miss it.

Here’s my take, the one you won’t find in the PRs: This persistence echoes Stuxnet-era tricks, but democratized. Back then, nation-states hoarded such registry ninja moves. Now? Any contributor with a GitHub account drops it into Metasploit. That’s the shift — open-source velocity turning elite TTPs into pentest staples. Defenders can’t keep up; patch one, ten more sprout.

Why Are These Web RCEs Exploding Now?

FreeScout, Grav: small fry? Not really. They run helpdesks, blogs and internal wikis, and PHP shops lean on them for speed. But speed skips sanitization. An .htaccess bypass and an unchecked plugin upload are file-handling bugs straight out of 1999, yet here they are in 2026.

Metasploit's contributor army spots this faster than vendors. Five new modules, eight enhancements, six bugs squashed. g0tmi1k updates scanners to report discovered services properly. Nayeraneru adds YARD docs to the HTTP mixin, a real help for newcomers. bwatters-r7's payloads add 32-bit Windows fetch over HTTPS, so the download-and-execute stager now covers both architectures over TLS.

Legacy cleanup, too. windows/local/persistence is retired and aliased to the newer registry-based persistence module, so existing scripts and notes that reference the old path still resolve. Smooth.

Bugs? FTP anonymous-login scanner quirks fixed. db_import validation tightened. All that jazz keeps the framework tight.

Does Metasploit’s Momentum Scare Off Defenders?

Short answer: yeah. But here's why it should thrill pentesters. The 'how' is in the adapters: fetch payloads now cover both Windows architectures, because red teams live in mixed 32/64-bit fleets. One payload family, endless tweaks.

Generic os_cmd_exec? Architectural masterstroke. HTTP endpoints that leak into a shell show up in Node and Python apps as often as in PHP. Patterns over one-offs. Rapid7's AttackerKB ties specific bugs to CVEs, but this module isn't bound to any one CVE: you point it at an endpoint you've already confirmed passes input to a shell, and it does the rest.

Windows persistence. UserInitMprLogonScript runs during logon, executed by userinit.exe before the desktop shell comes up. The command lives in the registry, so if it is self-contained (an encoded PowerShell one-liner, say) nothing needs to be written to disk and file-scanning AV has nothing to scan; behavioral detection watching what userinit.exe spawns is what catches it. The technique is already catalogued as MITRE ATT&CK T1037.001, so blue teams can script hunts for the value today. Nayeraneru, no doubt, is already onto the next.

Enhancements scream maturity. report_service() everywhere. YARD docs on auth_brute mixin? Bruteforce just got legible. enum_protections on Linux beefed up — SELinux, AppArmor checks.

Bugs nixed: No more import crashes. Release notes streamlined — zeroSteiner’s rule: PRs only.

Skeptical lens: Rapid7 spins this as community love. Fair. But it’s their payroll fueling half. Still, velocity wins. Proprietary tools like Cobalt Strike lag on open exploits — Metasploit’s free, forks easy.

Drop these in your next engagement. FreeScout? Scan for 1.8.206 and older. Grav? Check whether the Admin Plugin is installed and which version. HTTP command sinks? Time to curl.

Defenders — inventory now. Patch. Segment. Assume breach.



Frequently Asked Questions

What is the FreeScout RCE in Metasploit?

It’s CVE-2026-28289: unauthenticated exploit using ZWSP to bypass .htaccess, leading to RCE in versions <=1.8.206. Module: multi/http/freescout_htaccess_rce.

How does Windows UserInitMprLogonScript persistence work?

Abuses the HKCU\Environment\UserInitMprLogonScript registry value, which Windows executes at user logon, to run a payload on every sign-in. The command lives in the registry, so no file needs to be dropped if the command is self-contained. Module: windows/persistence/userinit_mpr_logon_script.

Is Metasploit’s generic HTTP cmd exec safe for testing?

In a lab or an authorized engagement, yes. The module targets endpoints that pass HTTP input straight to system() and can deliver a Meterpreter session. It executes arbitrary commands on the target, so point it only at systems you have permission to test.

Written by James Kowalski, investigative tech reporter focused on AI ethics, regulation, and societal impact.



Originally reported by Rapid7 Blog
