Rapid7 Metasploit Weekly Update Adds Modules for Cisco SD-WAN, cPanel, HUSTOJ, and Barracuda ESG
Rapid7's latest Metasploit weekly wrap-up includes five new modules targeting critical vulnerabilities in Cisco Catalyst SD-WAN Controller, cPanel/WHM, HUSTOJ, and Barracuda ESG, alongside a post-exploitation module for Tenable Security Center.

Rapid7 released its weekly Metasploit Framework update on May 22, 2026, introducing five new exploit modules that weaponize recently disclosed vulnerabilities across widely deployed enterprise and open-source platforms. The update covers critical flaws in Cisco Catalyst SD-WAN Controller, cPanel/WHM, the HUSTOJ online judge platform, and Barracuda Email Security Gateway, and adds a new post-exploitation module for Tenable Security Center credential harvesting.
Among the most notable additions is a module for CVE-2026-20182, an authentication bypass vulnerability in the Cisco Catalyst SD-WAN Controller vHub component. The vulnerability was discovered, and the module authored, by Rapid7 researchers sfewer-r7 and jburgess-r7; the module exploits a missing authentication check in the SD-WAN management interface. Cisco has already issued patches for this flaw, which carries a CVSS score of 10.0. The module, `admin/networking/cisco_sdwan_vhub_auth_bypass`, provides a Metasploit-ready auxiliary scanner to detect and exploit the bypass, potentially giving attackers full administrative control over affected SD-WAN deployments. This is the latest in a series of high-severity SD-WAN vulnerabilities that have been actively exploited in the wild throughout 2026.
The cPanel/WHM authentication bypass (CVE-2026-41940) module, contributed by jburgess-r7, exploits a CRLF injection vulnerability that allows unauthenticated attackers to escalate privileges to root and achieve remote code execution. This flaw has been actively exploited by the threat actor group Mr_Rot13 in a backdoor campaign targeting web hosting environments. The Metasploit module `multi/http/cpanel_whm_auth_bypass_rce` provides a straightforward exploit path for penetration testers and red teams to assess cPanel servers against this critical vulnerability.
Rapid7's update also includes a new exploit, developed by Mandiant, Curt Hyvarinen, and haile01, for CVE-2023-7102, an unauthenticated remote code execution vulnerability in Barracuda Email Security Gateway appliances. The vulnerability resides in the Amavis scanner's use of the Perl Spreadsheet::ParseExcel library, which allows eval injection through malicious Excel number format strings. The Metasploit module `linux/smtp/barracuda_esg_spreadsheet_rce` uses Rex::OLE to craft a minimal BIFF8 XLS file with the payload embedded in a FORMAT record and delivers it via SMTP. This vulnerability was previously exploited in targeted attacks against Barracuda ESG appliances.
Rounding out the new modules are an exploit for HUSTOJ's zip-slip vulnerability (CVE-2026-24479) and a post-exploitation module for Tenable Security Center. The HUSTOJ module exploits a path traversal flaw in the problem import functionality that allows attackers to plant PHP files in the webroot for remote code execution. The Tenable Security Center post-exploitation module, authored by h00die, extracts and cracks credential hashes stored on compromised Tenable Security Center instances, though it is noted to work most effectively on systems using outdated password hashing practices predating 2006.
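For defenders, the zip-slip class behind the HUSTOJ flaw can be caught by auditing an uploaded archive before anything is written to disk. The following is an added example, not code from HUSTOJ, Rapid7, or the Metasploit module; it is written in Python rather than HUSTOJ's PHP, and the destination path, the blocked-extension list, and the sample archive are assumptions constructed for illustration.

```python
import io
import posixpath
import zipfile

# Assumption for this example: file types an import feature never needs to unpack.
BLOCKED_EXTENSIONS = (".php", ".phtml", ".phar")


def audit_zip(data: bytes, dest: str = "/srv/import") -> list[tuple[str, str]]:
    """Return (entry name, reason) for every member that is unsafe to extract."""
    findings = []
    dest = posixpath.normpath(dest)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Treat backslashes as separators too, since some extractors do.
            name = info.filename.replace("\\", "/")
            # Resolve "." and ".." the way the filesystem would after joining.
            target = posixpath.normpath(posixpath.join(dest, name))
            if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
                findings.append((info.filename, "absolute path"))
            elif target != dest and not target.startswith(dest + "/"):
                findings.append((info.filename, "escapes destination"))
            elif (info.external_attr >> 16) & 0o170000 == 0o120000:
                findings.append((info.filename, "symbolic link"))
            elif name.lower().endswith(BLOCKED_EXTENSIONS):
                findings.append((info.filename, "blocked extension"))
    return findings


def safe_extract(data: bytes, dest: str) -> None:
    """Extract only if the audit is clean; otherwise refuse the whole upload."""
    findings = audit_zip(data, dest)
    if findings:
        raise ValueError(f"archive rejected: {findings}")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        zf.extractall(dest)


def build_sample() -> bytes:
    """Constructed sample: one benign entry and three that must be flagged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("problem1/test.in", "1 2\n")
        zf.writestr("../../webroot/x.php", "placeholder")
        zf.writestr("/etc/placeholder", "placeholder")
        zf.writestr("problem1/helper.PHP", "placeholder")
    return buf.getvalue()
```

Rejecting the whole upload on any finding, rather than skipping the flagged entries, keeps a partially extracted archive from ever reaching the webroot.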
The update also includes six enhancements and four bug fixes, including the backporting of the Python components of the Copy Fail exploit (CVE-2026-31431) to support Python 2.7 interpreters, updates to the Samba enumshares module to fix SMB1 target compatibility, and improvements to the Kerberoast module's database logging. This Metasploit weekly release demonstrates the continued focus on weaponizing recently disclosed vulnerabilities that have seen active exploitation or are relevant to enterprise security assessments.