ZCyberNews

Metasploit Adds Vim Plugin Persistence, Exploits for Three CVEs

Rapid7's Metasploit Framework adds Vim plugin persistence, exploits for CVE-2025-6793 (Marvell QConvergeConsole), CVE-2024-48760 (GestioIP), and CVE-2023-30253 (Dolibarr).


Executive Summary

Rapid7 released four new Metasploit Framework modules on May 15, 2026, including a novel Linux persistence mechanism that weaponizes Vim plugins and exploits for three distinct vulnerabilities in Marvell QConvergeConsole, GestioIP, and Dolibarr ERP/CRM. The Vim plugin persistence module, contributed by researcher @h00die, writes a malicious plugin to a target user's ~/.vim/plugin/ directory; the payload executes the next time the user launches Vim, opening a new session as that user. The three vulnerability exploits target unauthenticated path traversal (CVE-2025-6793), authenticated remote code execution (CVE-2024-48760), and an authenticated PHP code injection with a filter bypass (CVE-2023-30253).

Technical Analysis

Vim Plugin Persistence

Researcher @h00die contributed a Linux persistence module that relies on a behavioral constant: Vim sessions often remain open indefinitely, and users rarely audit their plugin directories. The module writes a Vim script file to ~/.vim/plugin/ containing a Metasploit payload. When Vim starts, it sources all plugins in that directory automatically, executing the payload without any user interaction beyond launching the editor. Rapid7's wrap-up post frames this as "joining an existing hostage situation" — Vim's persistence as an application makes it an ideal carrier for attacker persistence.

Marvell QConvergeConsole Path Traversal (CVE-2025-6793)

CVE-2025-6793 affects Marvell QConvergeConsole versions 5.5.0.85 and earlier. The auxiliary module, contributed by h4x-x0r and based on work by Michael Heinzl and rgod, exploits an unauthenticated path traversal vulnerability (ZDI-25-450) to read arbitrary files from the target host. No authentication is required. The module's pull request (#21322) indicates the traversal allows access to sensitive configuration files, credentials, and other data on the server.

GestioIP 3.5.7 Remote Command Execution (CVE-2024-48760)

CVE-2024-48760 is an authenticated remote code execution vulnerability in GestioIP 3.5.7, an IP address management tool. Researchers maxibelino and odeez24 (contributing via Odeez24) developed an exploit that targets the unsafe upload handler at /api/upload.cgi. An attacker with admin credentials can overwrite the upload script itself with a backdoor; the server then executes the backdoored script, running attacker-supplied commands. The exploit requires valid administrative credentials but no additional privileges.

Dolibarr ERP/CRM Authenticated Code Injection (CVE-2023-30253)

CVE-2023-30253 is an authenticated PHP code injection vulnerability in Dolibarr ERP/CRM versions before 17.0.1. Researchers Emanuele Cervelli and Tinexta Cyber Offensive Security Team identified that Dolibarr's Website module filters PHP injection attempts by checking for the string <?php. Contributor M4nu02 developed an exploit module (pull request #21362) that bypasses this filter by using uppercase <?PHP tags instead of the lowercase form. The module requires valid credentials and access to the Website module. The vulnerability was originally disclosed in 2023 but remains exploitable on unpatched instances.

Framework Enhancement

Alongside the modules, Metasploit added an OptArray datastore option type (pull request #20617 from Aaditya1273). Previously, multi-valued datastore options required comma-separated strings; developers can now use OptArray for cleaner input handling.

Mitigations & Recommendations

Defenders should prioritize patching Marvell QConvergeConsole to a version later than 5.5.0.85 to close the unauthenticated path traversal. For GestioIP 3.5.7, upgrade to a patched release if available; restrict administrative access to the /api/upload.cgi endpoint via network segmentation or authentication hardening. Dolibarr instances should be updated to version 17.0.1 or later. The Vim plugin persistence module highlights the importance of monitoring for unauthorized file writes to user home directories, particularly under ~/.vim/plugin/. Organizations should consider endpoint detection rules that alert on new files created in Vim plugin directories, especially files containing encoded payloads or written by processes other than Vim.
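As an added illustration of the detection approach suggested above (example code written for this page, not a Rapid7 or Metasploit component), the following Python script lists recently modified files under a ~/.vim/plugin/ directory and flags Vimscript constructs that spawn processes or carry long base64-like blobs. The indicator list, the constructed sample plugins and the "modified since" window are assumptions for triage, not signatures.

```python
import base64
import os
import re

# Vimscript constructs that let a plugin spawn a process. Assumed triage list:
# legitimate plugins use these too, so a hit means "review", not "malicious".
EXEC_PATTERNS = [
    ("system()", r"\bsystem\s*\("),
    ("job_start()", r"\bjob_start\s*\("),
    ("shell-escape", r"^\s*:?!\s*\S"),  # a bare :!cmd line
    ("silent!", r"\bsilent\s*!"),
]

def looks_encoded(text, min_len=64):
    """True if the script carries a long token that decodes as base64 (payload heuristic)."""
    for token in re.findall(r"[A-Za-z0-9+/=]{%d,}" % min_len, text):
        try:
            base64.b64decode(token, validate=True)
            return True
        except ValueError:  # binascii.Error is a ValueError: not valid base64
            continue
    return False

def scan_vimscript(text):
    """Return indicator labels found in one plugin's source (empty list if none)."""
    hits = ["exec:" + n for n, p in EXEC_PATTERNS if re.search(p, text, re.MULTILINE)]
    if looks_encoded(text):
        hits.append("encoded-blob")
    return hits

def scan_plugin_dir(plugin_dir, newer_than):
    """Return {path, mtime, indicators} for .vim files modified after newer_than (epoch secs)."""
    findings = []
    if not os.path.isdir(plugin_dir):  # user has no plugin directory: nothing to report
        return findings
    for name in sorted(os.listdir(plugin_dir)):
        path = os.path.join(plugin_dir, name)
        if not (name.endswith(".vim") and os.path.isfile(path)):
            continue
        mtime = os.stat(path).st_mtime
        if mtime > newer_than:  # mirrors a "new file in ~/.vim/plugin/" rule
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.append({"path": path, "mtime": mtime,
                                 "indicators": scan_vimscript(fh.read())})
    return findings

# Constructed samples: a harmless mapping plugin and a dropper-style plugin (echoes 60 'A's).
BENIGN = 'nnoremap <leader>w :w<CR>\nlet g:example_loaded = 1\n'
SUSPECT = '" helper\ncall system("printf %s ' + base64.b64encode(b"A" * 60).decode() + '")\n'
```

Run `scan_plugin_dir(os.path.expanduser("~/.vim/plugin"), time.time() - 86400)` to report anything written to the current user's plugin directory in the last day.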
