Metasploit Wrap-Up 05/01/2026

Rapid7 Blog, 01 May 2026

Christopher Granleese | May 1, 2026 | Last updated on May 1, 2026

MCP server

This release, our very own cdelafuente-r7 finished implementing the Metasploit MCP Server (msfmcpd), bringing Model Context Protocol support to Metasploit Framework. MCP lets AI applications like Claude, Cursor, or your own custom agents query Metasploit data.

Think of it as a middleware layer that exposes 8 standardized tools for searching modules and pulling reconnaissance data, all built on the official Ruby MCP SDK. This first iteration is read-only, covering modules, hosts, services, vulnerabilities, and more. Tools for module execution, session interaction, and database modifications are on the roadmap for a future release. Full details are available in the documentation.

Copy Fail

Earlier this week, details of a new and high-profile Linux LPE were released alongside a public PoC. The bug, nicknamed Copy Fail and identified by CVE-2026-31431, is a logic flaw in the cryptographic APIs exposed by the Linux Kernel. Metasploit has shipped a local exploit this week to leverage the flaw on AMD64 and AARCH64 targets, with additional architectures planned for future releases.

The exploit, which replaces the ‘su’ binary in the page cache with a small ELF file, allows users to specify command payloads for execution and will automatically determine the appropriate target architecture.

New module content (3)

Microsoft Windows HTTP to LDAP Relay

Author: jheysel-r7
Type: Auxiliary
Pull request: #21323 contributed by jheysel-r7
Path: server/relay/http_to_ldap
Description: This adds a new NTLM relay module that relays from HTTP to LDAP. On success, an authenticated LDAP session is opened which allows the operator to interact with the LDAP service in the context of the relayed identity.

Copy Fail AF_ALG + authencesn Page-Cache Write

Authors: Diego Ledda, Spencer McIntyre, Xint Code, and rootsecdev
Type: Exploit
Pull request: #21395 contributed by zeroSteiner
Path: linux/local/cve_2026_31431_copy_fail
AttackerKB reference: CVE-2026-31431
Description: Adds a module for CVE-2026-31431 (The Copy Fail LPE for Linux), a local privilege escalation affecting almost every Linux Kernel since 2017.

Linux Execute Command

Author: Spencer McIntyre
Type: Payload (Single)
Pull request: #21395 contributed by zeroSteiner
Path: linux/aarch64/exec
Description: Adds a module for CVE-2026-31431 (The Copy Fail LPE for Linux), a local privilege escalation affecting almost every Linux Kernel since 2017.

Enhancements and features (5)

#21315 from cdelafuente-r7 - This adds a read-only MCP server for Metasploit capable of retrieving information from the loaded modules and database.
#21352, #21353, #21355, #21359 from adfoster-r7 - Improves multiple module check code messages and statuses.

Bugs fixed (0)

None

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

Pull Requests 6.4.130...6.4.131
Full diff 6.4.130...6.4.131

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.

To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.
