Better NTLM Relaying Functionality
This week’s release brings an improvement to the SMB NTLM relay server. In the past, its support has been expanded with modules for relaying to HTTP (ESC8), MSSQL and LDAP while still receiving connections over the humble SMB service. Prior to this release, relaying a single authentication attempt to multiple targets depended on a key client behaviour: how the client handled SMB’s STATUS_NETWORK_SESSION_EXPIRED error code. Most clients other than Windows’ “net use” do not handle this error and were thus incompatible with Metasploit’s SMB NTLM relaying capabilities. Now, when a single target is specified, Metasploit alters its relaying strategy to forward the Net-NTLM messages immediately, making it compatible with a broader range of clients including Linux’s smbclient. In addition, the client in RubySMB was updated to mimic the behaviour of “net use”, allowing authentication attempts from RubySMB to be relayed to multiple targets successfully.
New module content (3)
ESC/POS Printer Command Injector
Author: FutileSkills
Type: Auxiliary
Pull request: #20478 contributed by futileskills
Path: admin/printer/escpos_tcp_command_injector
Description: Adds a new auxiliary module that exploits CVE-2026-23767, an unauthenticated ESC/POS command injection vulnerability in networked Epson-compatible printers. The vulnerability allows an attacker to send crafted commands over the network to inject custom ESC/POS print commands, the command set used by many receipt printers.
Eclipse Che machine-exec Unauthenticated RCE
Authors: Greg Durys and Richard Leach
Type: Exploit
Pull request: #20835 contributed by GregDurys
Path: linux/http/eclipse_che_machine_exec_rce
AttackerKB reference: CVE-2025-12548
Description: This adds a module for CVE-2025-12548, an unauthenticated RCE in the Eclipse Che machine-exec service. The vulnerability allows attackers to connect over WebSocket on port 3333 and execute commands via JSON-RPC without authentication. This affects Red Hat OpenShift DevSpaces environments.
Barracuda ESG TAR Filename Command Injection
Authors: Curt Hyvarinen, Mandiant, and cfielding-r7
Type: Exploit
Pull request: #21033 contributed by Alpenlol
Path: linux/smtp/barracuda_esg_tarfile_rce
AttackerKB reference: CVE-2023-2868
Description: Adds exploit module for CVE-2023-2868, a command injection vulnerability in Barracuda Email Security Gateway (ESG) appliances. Filenames in TAR attachments are passed to shell commands without sanitization, allowing RCE via backtick injection.
Enhancements and features (1)
- #21049 from h00die - This updates post modules to use an API that will expand multiple environment variables when set within the WritableDir option.
Bugs fixed (5)
- #20967 from jheysel-r7 - This fixes an issue that prevented successful authentication relay from the RubySMB client and smbclient. These clients are now compatible with Msf::Exploit::Remote::SMB::RelayServer.
- #21148 from adfoster-r7 - Fixes a bug where setting VERBOSE logging as false globally would still cause verbose logging to occur.
- #21169 from SaiSakthidar - This fixes a bug that was preventing Mach-O binaries from being identified due to a Ruby string encoding compatibility problem.
- #21173 from msutovsky-r7 - Fixes a crash when attempting to generate a vbs payload with msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=44 -f vbs.
- #21174 from adfoster-r7 - Fixes a bug when parsing msfconsole's -x flag when additional semicolons are present that are not meant to separate commands, e.g. msfconsole -x 'set option_name "a;b"'.
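To illustrate the -x parsing problem behind #21174, the following added example (written for this post, not Metasploit's own parser) contrasts a naive split on ';' with a quote-aware split that keeps semicolons inside quoted option values intact; the command line it parses is a constructed sample.

```ruby
# Added example, not Metasploit's own code: split an "msfconsole -x" style
# command string on ';' while leaving semicolons inside quotes untouched.

# Naive splitting: turns 'set option_name "a;b"' into two bogus commands.
def naive_split(cmdline)
  cmdline.split(';').map(&:strip).reject(&:empty?)
end

# Quote-aware splitting: tracks whether we are inside single or double
# quotes and only treats ';' as a separator outside of them. A backslash
# escapes the next character except inside single quotes.
def quote_aware_split(cmdline)
  commands = []
  current = +''
  quote = nil          # nil, '"' or "'" while inside a quoted span
  escaped = false
  cmdline.each_char do |ch|
    if escaped
      current << ch
      escaped = false
    elsif ch == '\\' && quote != "'"
      current << ch
      escaped = true
    elsif quote
      current << ch
      quote = nil if ch == quote
    elsif ch == '"' || ch == "'"
      current << ch
      quote = ch
    elsif ch == ';'
      commands << current.strip
      current = +''
    else
      current << ch
    end
  end
  commands << current.strip
  commands.reject(&:empty?)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample command line (the host address is made up).
  line = 'set option_name "a;b"; set RHOSTS 10.0.0.1; run'
  p naive_split(line)       # => ["set option_name \"a", "b\"", "set RHOSTS 10.0.0.1", "run"]
  p quote_aware_split(line) # => ["set option_name \"a;b\"", "set RHOSTS 10.0.0.1", "run"]
end
```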
Documentation
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.
Facts Only
Metasploit Framework released an update improving SMB NTLM relay server functionality.
The update enhances compatibility with clients like Linux's smbclient by altering relaying strategy for single targets.
RubySMB client behavior was updated to mimic Windows' "net use" for multi-target relaying.
Three new exploit modules were added: ESC/POS Printer Command Injector (CVE-2026-23767), Eclipse Che machine-exec Unauthenticated RCE (CVE-2025-12548), and Barracuda ESG TAR Filename Command Injection (CVE-2023-2868).
The ESC/POS module targets unauthenticated command injection in Epson-compatible printers.
The Eclipse Che module exploits an unauthenticated RCE via WebSocket on port 3333 in Red Hat OpenShift DevSpaces.
The Barracuda ESG module exploits command injection through unsanitized TAR filenames.
Five bugs were fixed, covering authentication relay compatibility, logging behavior, Mach-O binary identification, VBS payload generation, and msfconsole command parsing; a separate enhancement added expansion of multiple environment variables in the WritableDir option of post modules.
Documentation is available at docs.metasploit.com.
Updates can be obtained via msfupdate, git, or installers.
Executive Summary
This week's Metasploit Framework update introduces significant improvements to its NTLM relaying functionality, particularly for the SMB NTLM relay server. Previously, the relaying process required clients to handle SMB's STATUS_NETWORK_SESSION_EXPIRED error code, limiting compatibility to specific clients like Windows' "net use." The update now allows immediate forwarding of Net-NTLM messages when a single target is specified, broadening compatibility to include Linux's smbclient and other clients. Additionally, the RubySMB client has been updated to mimic "net use" behavior, enabling successful relaying to multiple targets.
The release also includes three new exploit modules. The first targets CVE-2026-23767, an unauthenticated ESC/POS command injection vulnerability in Epson-compatible printers. The second exploits CVE-2025-12548, an unauthenticated RCE in Eclipse Che's machine-exec service, affecting Red Hat OpenShift DevSpaces. The third addresses CVE-2023-2868, a command injection flaw in Barracuda Email Security Gateway appliances via TAR filename manipulation. Bug fixes include improvements to environment variable handling in post modules, authentication relay compatibility, logging behavior, Mach-O binary identification, VBS payload generation, and msfconsole command parsing. Documentation and installation options remain consistent with previous releases.
Full Take
The strongest version of this narrative highlights Metasploit's ongoing evolution as a critical tool for security professionals, emphasizing its adaptability to new vulnerabilities and client compatibility. The update demonstrates a clear commitment to broadening the framework's utility while addressing practical limitations in real-world scenarios. The inclusion of high-profile CVEs (e.g., Barracuda ESG, Eclipse Che) underscores its relevance in contemporary threat landscapes, particularly in enterprise environments like Red Hat OpenShift.
Pattern-wise, the content avoids overt manipulation, focusing on technical details without emotional appeals or distortion. However, the framing implicitly reinforces the paradigm of offensive security as a necessary counterbalance to defensive measures—a perspective that, while widely accepted, merits scrutiny. The assumption that "better relaying" is inherently positive overlooks potential misuse, though the article stops short of advocating for unethical applications. Historically, this echoes the dual-use dilemma in cybersecurity tools, where offensive capabilities are developed under the guise of defensive research.
For human agency, the implications are dual-edged: security teams gain stronger tools to test and secure systems, but attackers may also leverage these updates. The second-order consequences include a potential arms race in exploit development, where defenders must continuously adapt. Missing perspectives might include the ethical boundaries of publishing such tools and the long-term impact on trust in networked systems.
Bridge questions: How should the security community balance transparency in tool development with the risk of enabling malicious actors? What safeguards could mitigate the dual-use nature of frameworks like Metasploit? Would the absence of such tools lead to more or fewer vulnerabilities being discovered and patched?
Counterstrike scan: If this were part of a coordinated influence campaign, the playbook might involve exaggerating the tool's capabilities to incite fear or justify restrictive cybersecurity policies. However, the content aligns with Metasploit's established role as a legitimate security resource, with no signs of manipulation. The focus remains technical and pragmatic, devoid of inflammatory rhetoric or hidden agendas.