Metasploit — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/metasploit/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioFri, 03 Apr 2026 05:16:24 +0000Pymetasploit3 Command Injection Vulnerability (CVE-2026-5463)https://feed.craftedsignal.io/briefs/2026-04-pymetasploit3-cmd-injection/Fri, 03 Apr 2026 05:16:24 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-pymetasploit3-cmd-injection/A command injection vulnerability in pymetasploit3 versions up to 1.0.6 allows attackers to inject newline characters into module options, leading to arbitrary command execution within Metasploit sessions.A command injection vulnerability, identified as CVE-2026-5463, affects pymetasploit3 versions up to 1.0.6. This flaw allows an attacker to inject newline characters into module options like RHOSTS when using the console.run_module_with_output() function. By exploiting this, attackers can break the intended command structure and inject malicious commands, causing the Metasploit console to execute unintended actions. Successful exploitation can lead to arbitrary command execution, potentially compromising the Metasploit session and the systems it interacts with. This vulnerability highlights the importance of careful input validation in security tools, as it can be leveraged to subvert their intended functionality. Defenders should be aware of the potential for unexpected behavior when using pymetasploit3 with untrusted input.

Attack Chain

  1. Attacker crafts a malicious input string containing newline characters (\n) within a module option, such as the RHOSTS parameter.
  2. The attacker supplies this malicious input to the console.run_module_with_output() function in pymetasploit3.
  3. Pymetasploit3 fails to properly sanitize or validate the input, allowing the newline characters to pass through.
  4. When the run_module_with_output() function processes the input, the newline characters are interpreted as command separators.
  5. Metasploit console executes the injected commands alongside the intended module command, potentially leading to arbitrary command execution within the context of the Metasploit session.
  6. Attacker gains control of the Metasploit session, allowing them to interact with target systems or pivot to other internal resources.
  7. The attacker can then execute further commands to install malware, exfiltrate data, or perform other malicious activities.

Impact

Successful exploitation of CVE-2026-5463 allows an attacker to execute arbitrary commands within the context of the Metasploit console. This could lead to the complete compromise of systems targeted by the Metasploit framework, potentially impacting numerous systems within a network depending on the attacker’s objectives and the scope of the Metasploit session. If the attacker gains elevated privileges, the impact could include data breaches, system downtime, and reputational damage.

Recommendation

  • Upgrade pymetasploit3 to a version beyond 1.0.6 to remediate CVE-2026-5463.
  • Implement strict input validation and sanitization on any user-supplied data used in conjunction with console.run_module_with_output() to prevent command injection.
  • Monitor Metasploit console logs for unusual or unexpected commands being executed, as this could indicate exploitation attempts (enable enhanced logging if necessary to capture command details).
  • Deploy the Sigma rule provided to detect attempts to inject newline characters within arguments passed to modules via the console.run_module_with_output() function.
]]>highadvisorycommand-injectionmetasploitpymetasploit3