Metasploit Wrap-Up 05/01/2026

MCP serverThis release our very own cdelafuente-r7 finished implementing the Metasploit MCP Server (msfmcpd), bringing Model Context Protocol support to Metasploit Framework. MCP lets AI applications like Claude, Cursor, or your own custom agents query Metasploit data. Think of it as a middleware layer that exposes 8 standardized tools for searching modules and pulling reconnaissance data, all built on the official Ruby MCP SDK.This first iteration is read-only, covering modules, hosts, services, vulnerabilities, and more. Tools for module execution, session interaction, and database modifications are on the roadmap for a future release. Full details are available in the documentation.Copy FailEarlier this week, details of a new and high profile Linux LPE were released alongside a public PoC. The bug, nicknamed Copy Fail and identified by CVE-2026-31431, is a logic flaw in the cryptographic APIs exposed by the Linux Kernel. Metasploit has shipped a local exploit this week to leverage the flaw on AMD64 and AARCH64 targets with additional architectures planned for future releases. The exploit, which replaces the ‘su’ binary in the page cache with a small ELF file, allows users to specify command payloads for execution and will automatically determine the appropriate target architecture.New module content (3)Microsoft Windows HTTP to LDAP RelayAuthor: jheysel-r7Type: AuxiliaryPull request: #21323 contributed by jheysel-r7Path: server/relay/http_to_ldapDescription: This adds a new NTLM relay module that relays from HTTP to LDAP. On success, an authenticated LDAP session is opened which allows the operator to interact with the LDAP service in the context of the relayed identity.Copy Fail AF_ALG + authencesn Page-Cache WriteAuthors: Diego Ledda, Spencer McIntyre, Xint Code, and rootsecdevType: ExploitPull request: #21395 contributed by zeroSteinerPath: linux/local/cve_2026_31431_copy_failAttackerKB reference: CVE-2026-31431Description: Adds a module for CVE-2026-31431 (The Copy Fail LPE for Linux), a local privilege escalation affecting almost every Linux Kernel since 2017.Linux Execute CommandAuthor: Spencer McIntyreType: Payload (Single)Pull request: #21395 contributed by zeroSteinerPath: linux/aarch64/execDescription: Adds a module for CVE-2026-31431 (The Copy Fail LPE for Linux), a local privilege escalation affecting almost every Linux Kernel since 2017.Enhancements and features (5)#21315 from cdelafuente-r7 - This adds a read-only MCP server for Metasploit capable of retrieving information from the loaded modules and database.#21352, #21353, #21355, #21359 from adfoster-r7 - Improves multiple module check code messages and statuses.Bugs fixed (0)NoneDocumentationYou can find the latest Metasploit documentation on our docsite at docs.metasploit.com.Get itAs always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:Pull Requests 6.4.130...6.4.131Full diff 6.4.130...6.4.131If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit ProArticle TagsMetasploitMetasploit Weekly WrapupChristopher GranleeseAuthor PostsRelated blog postsProducts and ToolsMetasploit Wrap-Up 04/25/2026Spencer McIntyreProducts and ToolsMetasploit Wrap-Up 04/17/2026Jack HeyselProducts and ToolsMetasploit Wrap-Up 04/10/2026Simon JanuszProducts and ToolsMetasploit Wrap-Up 04/03/2026Simon JanuszSee all posts