Metasploit Adds Exploits for Apache ActiveMQ, Gogs, and Windows Kernel Pointer Enumeration
Rapid7's Metasploit Framework has been updated with new modules targeting critical vulnerabilities in Apache ActiveMQ and Gogs, alongside a tool for enumerating Windows kernel pointers.

Rapid7 has released its latest Metasploit Framework update, introducing several new modules designed to aid security professionals in identifying and exploiting vulnerabilities. Among the key additions are exploits for Apache ActiveMQ and Gogs, along with a post-exploitation module for Windows systems.
The most significant new exploit targets CVE-2026-34197 in Apache ActiveMQ. This vulnerability, accessible via the Jolokia JMX-over-HTTP API, requires authentication to be exploited. Attackers can leverage it by adding a network connector that points to a malicious Spring XML file hosted on an attacker-controlled server. When ActiveMQ fetches and processes this file, it can lead to remote code execution (RCE) by instantiating a java.lang.ProcessBuilder bean.
Another notable addition is an exploit module for Gogs, a popular self-hosted Git service. This module targets an argument injection flaw within the pull request rebasing workflow, affecting Gogs versions up to 0.14.2 and 0.15.0+dev. By carefully crafting a branch name with an embedded command, an attacker can achieve RCE when the rebase operation is initiated.
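On the defensive side, the class of bug described above (a user-controlled branch name reaching a git command line) is usually closed by validating the name and separating options from revisions. The Go sketch below is an added example, not Gogs code and not the project's fix; the names ValidateBranch and RebaseArgs, the allowlist pattern, and the sample inputs are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// ErrUnsafeBranch marks a name that must never reach a git command line.
var ErrUnsafeBranch = errors.New("unsafe branch name")

// Allowlist (an assumption of this example, stricter than git itself):
// the first character is alphanumeric, so the name can never parse as an option.
var branchRe = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._/-]{0,254}$`)

// ValidateBranch rejects option-like names and some sequences git refuses in refs.
func ValidateBranch(name string) error {
	bad := !branchRe.MatchString(name) ||
		strings.Contains(name, "..") || strings.Contains(name, "//") ||
		strings.HasSuffix(name, ".lock") || strings.HasSuffix(name, "/") ||
		strings.HasSuffix(name, ".")
	if bad {
		return fmt.Errorf("%w: %q", ErrUnsafeBranch, name)
	}
	return nil
}

// RebaseArgs (hypothetical helper) builds an argv slice for exec.Command("git", ...).
// No shell is involved, and --end-of-options (git 2.24+) tells git that
// everything after it is a revision, not a flag.
func RebaseArgs(base, head string) ([]string, error) {
	for _, b := range []string{base, head} {
		if err := ValidateBranch(b); err != nil {
			return nil, err
		}
	}
	return []string{"rebase", "--end-of-options", base, head}, nil
}

func main() {
	// Constructed sample inputs.
	for _, head := range []string{"feature/login-fix", "--some-option=value"} {
		args, err := RebaseArgs("main", head)
		fmt.Println(args, err)
	}
}
```

Validation and the option terminator are independent layers: either one alone stops an option-shaped name, and keeping both covers code paths that skip one of them.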
Complementing these offensive capabilities, a new post-exploitation module for Windows systems, developed by CharlesQuinnDev, focuses on enumerating kernel object pointers. This module utilizes the NtQuerySystemInformation technique, which is commonly used to leak sensitive kernel information. By exposing these pointers, the module can facilitate local privilege escalation (LPE) when combined with a suitable write primitive, aiding attackers who have already gained initial access to a system.
Beyond these headline modules, the update also includes several enhancements and bug fixes. Notably, support for cracking Kerberos type hashes, including timeroasting and krb5tgs, has been added. A new payloads_manager plugin simplifies the management of custom payloads, allowing users to maintain a local archive and stage them for use with other modules. Post modules will now default to running against the last opened alive session, streamlining workflows.
Several existing modules have also received attention. HTTP login scanners have been updated to report the detected service hierarchy, and seven existing modules have had their associated CVE references corrected or added, including entries for vulnerabilities in Gladinet, Cassandra, Pretalx, Centreon, Xerte, and SolarWinds. Stability and logging improvements have also been made to several IPMI-related modules.
Bug fixes in this release address issues with datastore option validation in modules that invoke other modules, incorrect processing of CIDR range filters in the db.hosts RPC endpoint, and an AttributeError in Python SSL command shell payloads. Improvements have also been made to the GitLab version scanner to handle additional exceptions and add more version fingerprints, and fixes have been applied to the scanner/snmp/snmp_enum module to prevent crashes when encountering null system dates.
This comprehensive update underscores the ongoing development of the Metasploit Framework, providing security researchers and penetration testers with new tools to assess the security posture of various systems and applications. The inclusion of exploits for widely used software like Apache ActiveMQ and Gogs, alongside tools for deeper system analysis, highlights the continuous effort to keep pace with emerging threats and vulnerabilities.