VYPR
High severity · NVD Advisory · Published Apr 23, 2021 · Updated Sep 17, 2024

Metasploit Framework 'drb_remote_codeexec' code execution

CVE-2020-7385

Description

By launching the drb_remote_codeexec exploit, a Metasploit Framework user will inadvertently expose Metasploit to the same deserialization issue that is exploited by that module, due to the reliance on the vulnerable Distributed Ruby class functions. Since Metasploit Framework typically runs with elevated privileges, this can lead to a system compromise on the Metasploit workstation. Note that an attacker would have to lie in wait and entice the Metasploit user to run the affected module against a malicious endpoint in a "hack-back" type of attack. Metasploit is only vulnerable when the drb_remote_codeexec module is running. In most cases, this cannot happen automatically.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Metasploit Framework's drb_remote_codeexec module exposes users to deserialization attacks when run against malicious endpoints, potentially compromising the Metasploit workstation.

Vulnerability

The drb_remote_codeexec module in Metasploit Framework relies on Distributed Ruby (DRb) class functions that are vulnerable to deserialization attacks [1]. When a user launches this module, Metasploit starts a DRb service that listens for connections. This service can be exploited by a malicious endpoint if the user targets it. The vulnerability is present in all versions of Metasploit Framework that include this module prior to the fix. The module is not automatically executed; the user must explicitly run it against a target [1].

Exploitation

An attacker must lie in wait and entice the Metasploit user to run the drb_remote_codeexec module against a malicious endpoint in a "hack-back" type of attack [1]. The attacker's endpoint then sends crafted serialized data to the DRb service running on the Metasploit workstation, triggering the deserialization vulnerability [2]. No authentication or prior access to the Metasploit system is required; the attacker only needs to be reachable over the network from the Metasploit workstation.

Impact

Successful exploitation allows the attacker to execute arbitrary code within the context of the Metasploit Framework process [1]. Since Metasploit typically runs with elevated privileges (e.g., root or administrator), this can lead to full compromise of the Metasploit workstation, including data exfiltration, installation of backdoors, or further lateral movement [1].

Mitigation

The vulnerability was initially addressed in Metasploit Framework via pull request #14300 (commit 49145bf), which removed the DRb service after module execution to prevent exploitation by arbitrary third parties [2]. However, this fix did not cover the scenario where the targeted server itself is malicious. Consequently, pull request #14335 removed the drb_remote_codeexec module entirely from the framework [4]. Users should update to the latest version of Metasploit Framework to ensure the module is no longer present. No workaround exists other than avoiding use of the module [4].
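
The check below is an added example, not code from the advisory or from the Metasploit project. It audits an installation against the two conditions above: the version from the "Affected packages" data and whether any copy of the module is still on disk. It assumes the module is stored as a file named drb_remote_codeexec.rb and that the caller supplies the installed version; the function names are hypothetical.

```bash
#!/bin/sh
# Added example: audit a Metasploit Framework tree for CVE-2020-7385 exposure.
# Assumptions (not from the advisory): the module lives in a file named
# drb_remote_codeexec.rb, and the installed version is passed in by the caller.

PATCHED_VERSION="4.19.0"   # "Patched versions" value listed on this page

# Succeeds when version $1 is strictly lower than $2.
# Compares up to three numeric dot-separated components.
version_lt() {
  [ "$1" = "$2" ] && return 1
  lowest=$(printf '%s\n%s\n' "$1" "$2" |
    sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
  [ "$lowest" = "$1" ]
}

# Prints every copy of the module under the given roots; fails if none exist.
# Pass user module directories as extra roots so private copies are found too.
find_drb_module() {
  hits=$(find "$@" -type f -name 'drb_remote_codeexec.rb' 2>/dev/null)
  [ -n "$hits" ] && printf '%s\n' "$hits"
}

# audit_msf VERSION ROOT...  prints a verdict; returns 0 if clean, 1 if exposed.
audit_msf() {
  audit_version=$1
  audit_status=0
  shift
  if version_lt "$audit_version" "$PATCHED_VERSION"; then
    echo "EXPOSED: version $audit_version is below $PATCHED_VERSION"
    audit_status=1
  fi
  if find_drb_module "$@" >/dev/null; then
    echo "EXPOSED: module file still present:"
    find_drb_module "$@" | sed 's/^/  /'
    audit_status=1
  fi
  [ "$audit_status" -eq 0 ] && echo "OK: patched version, module absent"
  return "$audit_status"
}

# Script usage: sh audit.sh <version> <framework root> [extra module dirs...]
if [ "$#" -ge 2 ]; then
  audit_msf "$@"
fi
```

A patched version with the module file still present is reported as exposed, since a copy left in a user module directory survives a framework update.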

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: metasploit-framework (RubyGems)
Affected versions: < 4.19.0
Patched versions: 4.19.0
