Metasploit Framework Adds Seven New Modules Targeting AVideo, openDCIM, Selenium Grid, and ChurchCRM
The Metasploit Framework released seven new modules this week, including exploits for critical vulnerabilities in AVideo, openDCIM, Selenium Grid, and ChurchCRM, alongside three new Windows persistence techniques.
The Rapid7 Metasploit Framework has released seven new modules as part of its April 17, 2026 update, bringing fresh exploits for several high-impact vulnerabilities and new post-exploitation capabilities for Windows systems. The update includes remote code execution (RCE) modules targeting AVideo, openDCIM, Selenium Grid and Selenoid, and ChurchCRM, as well as three persistence modules that abuse Windows Telemetry scheduled tasks, PowerShell profiles, and Microsoft BITS.
Among the new exploits is an auxiliary module for CVE-2026-28501, an unauthenticated SQL injection vulnerability in AVideo versions 22.0 and earlier. The module, contributed by researchers Valentin Lobstein and arkmarta, allows attackers to dump credentials from the video platform's database without authentication. A second exploit targets CVE-2026-28517 in openDCIM, chaining three separate vulnerabilities to achieve remote code execution via the `install.php` script.
The most notable addition is a unified RCE module for Selenium Grid and Selenoid instances, contributed by Jon Stratton, Takahiro Yokoyama, Valentin Lobstein, and Wiz Research. This module replaces two separate Chrome and Firefox exploits with a single, auto-detecting tool that selects the best attack vector based on available browsers. It supports two techniques: a Firefox profile handler injection that works on all Grid versions, including the latest (unpatched since 2021), and a Chrome binary override for Grid versions prior to 4.11.0 and all Selenoid versions. No authentication is required, making this a critical threat to exposed instances.
The update also includes an exploit for CVE-2025-68109, a file upload vulnerability in ChurchCRM version 6.2.0 and earlier, contributed by researcher LucasCsmt. This module enables remote code execution through the database restore functionality of the church management software.
On the post-exploitation front, three new Windows persistence modules were added. The Windows Telemetry Persistence module, authored by h00die, abuses the Microsoft Compatibility Appraiser scheduled task (CompatTelRunner) to establish SYSTEM-level persistence. The module writes a payload to disk and configures the telemetry task to execute it, either on the next scheduled run or immediately on demand. Two additional modules leverage PowerShell profiles and Microsoft BITS for persistent access.
In addition to the new modules, the update includes 11 enhancements and four bug fixes. Notable improvements include RISC-V architecture support for fileless ELF execution via `memfd_create`, updates to Python payloads to auto-detect the appropriate Python version at runtime, and improvements to the CVE-2025-14847 Mongobleed module with better compression support detection. The update also fixes ELF shared object payload generation failures and refactors Windows payload block API code.
This release continues the Metasploit Framework's trend of rapidly incorporating newly disclosed vulnerabilities into its arsenal, providing penetration testers and red teams with up-to-date tools for assessing network security. The inclusion of the Selenium Grid module is particularly significant given the widespread deployment of these services in CI/CD pipelines and testing environments, often exposed without authentication.