Rapid7 Expands Metasploit With Powerful RCE, Evasion, and Persistence Tools in February 2026 Update

Listen to this Post

Featured Image

Introduction: A Major Step Forward for Offensive Security Testing

Rapid7 has rolled out a major February 2026 update to the Metasploit Framework, reinforcing its position as one of the most widely used offensive security platforms in the world.
This release focuses heavily on unauthenticated remote code execution, real-world exploit reliability, and modern post-exploitation techniques.
Security teams, red teams, and penetration testers gain access to new modules designed to reflect how attackers actually operate today, not theoretical lab scenarios.

The update introduces fresh exploit modules targeting AI infrastructure, privileged access platforms, and VoIP hardware, while also improving evasion and persistence across Linux and Windows systems.
Equally important, Rapid7 invested time in refining legacy modules and fixing backend issues that have long affected day-to-day usability.

Summary: What the February 2026 Metasploit Release Delivers

A Focus on Real-World Exploitation

The February 2026 Metasploit release emphasizes vulnerabilities that can be exploited without authentication.
This mirrors the threat landscape where attackers increasingly target exposed services rather than relying on stolen credentials.

Ollama AI Infrastructure RCE

One of the most notable additions is a new exploit module for Ollama, addressing CVE-2024-37032.
The flaw exists in Ollama’s model pull mechanism, which fails to properly sanitize path traversal sequences.

Path Traversal Leading to Root Access

By abusing this weakness, attackers can load a malicious OCI registry and write shared object files directly onto the host system.
Once written, the Ollama service spawns a new process that loads the malicious library, leading to unauthenticated root-level remote code execution.

BeyondTrust Command Injection Upgrade

Metasploit also received major enhancements to exploit modules targeting BeyondTrust Privileged Remote Access and Remote Support products.
These upgrades allow testers to reliably exploit CVE-2026-1731, a severe unauthenticated command injection vulnerability.

Improved Reliability for Older BeyondTrust Bugs

Rapid7 introduced a unified helper library for BeyondTrust modules.

This improves exploit stability and restores dependable support for older vulnerabilities that previously suffered from inconsistent behavior.

Grandstream VoIP Devices Under the Microscope

Another major focus is VoIP infrastructure, particularly Grandstream GXP1600 series devices.
A stack overflow vulnerability, tracked as CVE-2026-2329, can now be exploited to obtain a privileged root shell.

Deeper Post-Exploitation for VoIP Targets

Beyond initial access, Rapid7 added two post-exploitation modules for these devices.
These modules enable credential harvesting and deep SIP packet capture, giving red teams extended visibility into voice traffic and authentication flows.

Linux ARM64 Evasion Breakthrough

To help bypass modern endpoint detection, Metasploit introduced its first dedicated Linux evasion module built specifically for ARM64 systems.
The module uses RC4-encrypted packing, executes ELF payloads directly in memory, and leverages sleep-based evasion to reduce detection by automated scanners.

Persistence Across Windows and Linux

Persistence also received major attention in this release.

A new Windows module abuses the Active Setup registry feature to execute payloads automatically when a user logs in.

WSL as a Persistence Vector

Another persistence module targets Windows Subsystem for Linux.

By writing payloads into the Linux startup directory, attackers can maintain access even after system reboots.

Legacy Modules Get Quality-of-Life Fixes

Rapid7 did not ignore older components.

The vsftpd and Unreal IRCd backdoor modules now include better vulnerability checks, improved logging, and native Meterpreter support.

Backend Stability Improvements

Several backend bugs were resolved, including a crash affecting the LDAP ESC scanner.
False positives in the GraphQL introspection scanner were also reduced, improving trust in automated scan results.

What Undercode Say:

Offensive Security Is Following Real Attack Trends

This Metasploit update shows a clear shift toward realism.

Rapid7 is prioritizing unauthenticated exploits, misconfigurations, and edge-case behaviors that attackers actively weaponize.

AI Infrastructure Is Becoming a Prime Target

The Ollama exploit highlights a growing problem in AI deployment.
AI infrastructure is often exposed, rapidly deployed, and insufficiently hardened, making it attractive to attackers seeking high-impact access.

Path Traversal Is Still Dangerous

Despite being a decades-old class of vulnerability, path traversal continues to lead to full system compromise.
The Ollama module demonstrates how a single validation failure can cascade into root-level control.

Privileged Access Platforms Are High-Value Assets

BeyondTrust systems sit at the center of enterprise access control.
An unauthenticated command injection in such platforms represents a worst-case scenario, and Metasploit now reflects that risk with improved tooling.

VoIP Security Remains Neglected

The Grandstream exploits reinforce a long-standing issue.

Voice infrastructure is often overlooked during security assessments, yet it frequently runs outdated firmware with critical flaws.

Post-Exploitation Matters More Than Initial Access

Rapid7’s emphasis on credential harvesting and packet capture shows maturity.
Gaining access is only the first step; extracting value from that access is where real-world attacks succeed.

ARM64 Is No Longer a Niche Target

With cloud providers, IoT devices, and edge systems increasingly running ARM64, evasion on this architecture is essential.
Metasploit’s new Linux ARM64 evasion module acknowledges this shift directly.

Memory-Only Execution Is Becoming Standard

Executing payloads purely in memory reduces forensic artifacts.

This update aligns Metasploit with modern malware tradecraft rather than legacy disk-based techniques.

Persistence Techniques Are Growing Subtler

Abusing Windows Active Setup and WSL startup paths shows creativity.
These methods blend into legitimate system behavior, making detection harder for defenders.

Maintenance Signals Platform Maturity

The improvements to legacy modules and scanner reliability indicate long-term investment.
Rapid7 is not just adding flashy exploits but also maintaining operational stability.

Red Teams Gain, Blue Teams Learn

While offensive teams benefit directly, defenders gain insight into how attackers may chain vulnerabilities.

This release effectively doubles as a threat intelligence briefing.

Fact Checker Results

Verification of Key Claims

✅ Rapid7 did release a February 2026 Metasploit update with new exploit modules.

✅ CVE references and targeted platforms align with publicly documented vulnerabilities.

❌ No evidence suggests these exploits are being mass-exploited in the wild yet.

Prediction

Where Metasploit Is Headed Next

🔮 AI platforms and model infrastructure will see more dedicated exploit modules as adoption grows.
🔮 ARM-based evasion techniques will expand beyond Linux into mobile and embedded systems.
🔮 Persistence research will increasingly focus on hybrid environments like WSL and container runtimes.

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.digitaltrends.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon