{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/metasploit/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.6,"id":"CVE-2026-5463"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["command-injection","metasploit","pymetasploit3"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA command injection vulnerability, identified as CVE-2026-5463, affects pymetasploit3 versions up to 1.0.6. This flaw allows an attacker to inject newline characters into module options like RHOSTS when using the \u003ccode\u003econsole.run_module_with_output()\u003c/code\u003e function. By exploiting this, attackers can break the intended command structure and inject malicious commands, causing the Metasploit console to execute unintended actions. Successful exploitation can lead to arbitrary command execution, potentially compromising the Metasploit session and the systems it interacts with. This vulnerability highlights the importance of careful input validation in security tools, as it can be leveraged to subvert their intended functionality. Defenders should be aware of the potential for unexpected behavior when using pymetasploit3 with untrusted input.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious input string containing newline characters (\u003ccode\u003e\\n\u003c/code\u003e) within a module option, such as the \u003ccode\u003eRHOSTS\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe attacker supplies this malicious input to the \u003ccode\u003econsole.run_module_with_output()\u003c/code\u003e function in pymetasploit3.\u003c/li\u003e\n\u003cli\u003ePymetasploit3 fails to properly sanitize or validate the input, allowing the newline characters to pass through.\u003c/li\u003e\n\u003cli\u003eWhen the \u003ccode\u003erun_module_with_output()\u003c/code\u003e function processes the input, the newline characters are interpreted as command separators.\u003c/li\u003e\n\u003cli\u003eMetasploit console executes the injected commands alongside the intended module command, potentially leading to arbitrary command execution within the context of the Metasploit session.\u003c/li\u003e\n\u003cli\u003eAttacker gains control of the Metasploit session, allowing them to interact with target systems or pivot to other internal resources.\u003c/li\u003e\n\u003cli\u003eThe attacker can then execute further commands to install malware, exfiltrate data, or perform other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5463 allows an attacker to execute arbitrary commands within the context of the Metasploit console. This could lead to the complete compromise of systems targeted by the Metasploit framework, potentially impacting numerous systems within a network depending on the attacker\u0026rsquo;s objectives and the scope of the Metasploit session. If the attacker gains elevated privileges, the impact could include data breaches, system downtime, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade pymetasploit3 to a version beyond 1.0.6 to remediate CVE-2026-5463.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization on any user-supplied data used in conjunction with \u003ccode\u003econsole.run_module_with_output()\u003c/code\u003e to prevent command injection.\u003c/li\u003e\n\u003cli\u003eMonitor Metasploit console logs for unusual or unexpected commands being executed, as this could indicate exploitation attempts (enable enhanced logging if necessary to capture command details).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided to detect attempts to inject newline characters within arguments passed to modules via the \u003ccode\u003econsole.run_module_with_output()\u003c/code\u003e function.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T05:16:24Z","date_published":"2026-04-03T05:16:24Z","id":"/briefs/2026-04-pymetasploit3-cmd-injection/","summary":"A command injection vulnerability in pymetasploit3 versions up to 1.0.6 allows attackers to inject newline characters into module options, leading to arbitrary command execution within Metasploit sessions.","title":"Pymetasploit3 Command Injection Vulnerability (CVE-2026-5463)","url":"https://feed.craftedsignal.io/briefs/2026-04-pymetasploit3-cmd-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Metasploit","version":"https://jsonfeed.org/version/1.1"}