SecurityXP

Weekly Metasploit Update: NTLM Relay Priv Esc, MCP Server Integration, Paperclip AI RCE Chain, and more

· 4 min read · SecurityXP

This week’s release includes five new modules, including a full unauthenticated RCE chain for Paperclip AI and a VS Code extension persistence technique.

On the post-exploitation side, the new windows/local/ntlm_relay_2_self module coerces the local machine account to authenticate via OpenEncryptedFileRaw (WebDAV), relays that NTLM authentication to a Domain Controller’s LDAP service, then uses the resulting LDAP session to write Shadow Credentials and obtain a Kerberos service ticket as Administrator via S4U2Proxy, enabling PsExec back to itself for SYSTEM access.

On the enhancement side, the new MCP server plugin lets AI tools assist operators directly within a running msfconsole instance, and module check codes now return richer detail for users.

New module content (5)

Paperclip AI RCE using a chain of six API calls (CVE-2026-41679)
Authors: Sagilayani (https://github.com/sagilayani) and h00die-gr3y
Type: Exploit
Pull request: #21547 contributed by h00die-gr3y
Path: linux/http/paperclipai_unauth_rce_cve_2026_41679
AttackerKB reference: CVE-2026-41679
Description: Adds an exploit module for CVE-2026-41679, which exploits Paperclip. The issue is tracked as CVE-2026-41679, CVE-2026-41459, CVE-2026-34413. An unauthenticated attacker can achieve full remote code execution on any network-accessible Paperclip instance running in authenticated mode with default configuration.

Xerte Online Toolkits Arbitrary File Upload - Unauthenticated Media Upload
Author: bootstrapbool
Type: Exploit
Pull request: #21371 contributed by bootstrapbool
Path: multi/http/xerte_unauthenticated_mediaupload
AttackerKB reference: CVE-2026-41459
Description: Exploits authentication failure (CVE-2026-34413), extension blacklist (CVE-2026-34415), and path traversal (CVE-2026-34414) vulnerabilities in Xerte Online Toolkits versions 3.15 and earlier.

Linux Kernel ptrace_may_access() Exit Race Change File Disclosure
Authors: 0xdeadbeefnetwork and bhaskarbhar
Type: Post
Pull request: #21472 contributed by bhaskarbhar
Path: linux/gather/cve_2026_46333_chage
AttackerKB reference: CVE-2026-46333
Description: Adds a post module that leverages CVE-2026-46333, a race condition in the Linux kernel that occurs when a process is torn down. A local attacker can exploit this to obtain file handles they would not otherwise have access to.

VS Code Extension Persistence
Author: h00die
Type: Exploit
Pull request: #21465 contributed by h00die
Path: multi/persistence/vscode_extension
Description: Adds a new persistence module that installs a malicious extension into a user’s VS Code extensions directory.

NTLM Relay to Self (HTTP to LDAP) - Post Exploitation
Author: jheysel-r7
Type: Exploit
Pull request: #21430 contributed by jheysel-r7
Path: windows/local/ntlm_relay_2_self
Description: Adds a module that exploits the NTLMRelay2Self attack.

Enhancements and features

    • #21259 from g0tmi1k - Adds a number of enhancements to msfconsole’s search functionality by cleaning up some inconsistencies and giving users the option to hide the child elements of search results with the -c flag.
    • #21367 from g0tmi1k - Adds a number of enhancements to the rexec_login module, including more detailed output, a check for an rDNS failure, an updated module description, and removal of duplicate IP:PORT printing.
    • #21454 from adfoster-r7 - Updates many modules by adding additional details to the check codes returned by the #check method, giving the user more information. Also updates the requirements for new modules so that they include this extra information going forward.
    • #21512 from adfoster-r7 - Updates the Metasploit MCP tool to expose note information on Metasploit modules, as well as host comments.
    • #21542 from h00die - Updates the scanner/redis/redis_server module to output server INFO details as a readable table.

Bugs fixed (4)

    • #21441 from dwelch-r7 - Improves MCP server lifecycle control and enables graceful shutdowns by moving from Rack’s handler to direct Puma server API management.
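The relay-to-self chain described above ends with the relayed machine-account identity writing Shadow Credentials, that is, the msDS-KeyCredentialLink attribute, onto a computer object in Active Directory. As an added defender-side example (not code from the article or from Metasploit), the Python below triages Windows Security event 5136 records for that write; the field names follow the standard 5136 schema, while the sample records and severity heuristics are constructed for this example.

```python
"""Triage Windows Security event 5136 ("directory service object was modified")
records for Shadow Credentials writes. Sample records below are constructed for
this example; the severity heuristics are a defender's starting point, not a vendor rule."""
from dataclasses import dataclass

SHADOW_CRED_ATTR = "msDS-KeyCredentialLink"  # attribute behind "Shadow Credentials"

@dataclass
class Finding:
    severity: str
    reason: str
    event: dict

def triage_5136(events):
    """Return a Finding for each 5136 event that modifies msDS-KeyCredentialLink.

    - any write is 'review': legitimate Windows Hello for Business enrolment also writes it;
    - a write by a machine account (name ends in '$') is 'high': computers rarely manage keys;
    - a machine account writing its *own* object is 'critical': this is the relay-to-self
      pattern, where the relayed identity is the victim computer itself.
    """
    findings = []
    for ev in events:
        if ev.get("EventID") != 5136 or ev.get("AttributeLDAPDisplayName") != SHADOW_CRED_ATTR:
            continue
        subject = ev.get("SubjectUserName", "")
        # ObjectDN like 'CN=WS01,CN=Computers,DC=corp,DC=local' -> 'WS01'
        target_cn = ev.get("ObjectDN", "").split(",")[0].removeprefix("CN=")
        is_machine = subject.endswith("$")
        if is_machine and subject.rstrip("$").upper() == target_cn.upper():
            sev, why = "critical", "machine account wrote KeyCredentialLink on its own object (relay-to-self pattern)"
        elif is_machine:
            sev, why = "high", "machine account wrote KeyCredentialLink on another object"
        else:
            sev, why = "review", "KeyCredentialLink modified; confirm against WHfB/device-registration activity"
        findings.append(Finding(sev, why, ev))
    return findings

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "WS01$", "ObjectDN": "CN=WS01,CN=Computers,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink"},
    {"EventID": 5136, "SubjectUserName": "svc_mdm", "ObjectDN": "CN=LAPTOP7,CN=Computers,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink"},
    {"EventID": 5136, "SubjectUserName": "WS01$", "ObjectDN": "CN=WS01,CN=Computers,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "servicePrincipalName"},  # unrelated attribute, ignored
    {"EventID": 4624, "SubjectUserName": "WS01$", "ObjectDN": ""},  # wrong event type, ignored
]

if __name__ == "__main__":
    for f in triage_5136(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.event['SubjectUserName']} -> {f.event['ObjectDN']}: {f.reason}")
```

Auditing of directory object changes (SACL on computer objects) must be enabled for 5136 to be generated at all, so confirm the event is actually being logged before relying on the rule.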

Analysis

This disclosure adds to a growing pattern of critical vulnerabilities affecting enterprise infrastructure. As AI tooling proliferates, security teams face expanding attack surfaces tied to model inference and data pipelines.

Sources

  1. https://github.com/rapid7/metasploit-framework/pull/21371
  2. https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-19-06-2026
  3. https://github.com/sagilayani
  4. https://nvd.nist.gov/vuln/detail/CVE-2026-41679
  5. https://nvd.nist.gov/vuln/detail/CVE-2026-41459
  6. https://nvd.nist.gov/vuln/detail/CVE-2026-34413
  7. https://nvd.nist.gov/vuln/detail/CVE-2026-34415
  8. https://nvd.nist.gov/vuln/detail/CVE-2026-34414
  9. https://nvd.nist.gov/vuln/detail/CVE-2026-46333
  10. https://github.com/advisories/CVE-2026-41679
  11. https://github.com/advisories/CVE-2026-41459
  12. https://github.com/advisories/CVE-2026-34413