A command injection vulnerability exists in the console.run_module_with_output() function of the pymetasploit3 library. Attackers can inject newline characters into module options such as RHOSTS; because the option value is placed into the console command stream, the embedded newline breaks the intended command structure and allows execution of unintended commands. Successful exploitation can lead to full arbitrary command execution and manipulation of existing Metasploit sessions.
Remediation
Upgrade pymetasploit3 to a patched version once it is made available. If an update cannot be applied immediately, restrict access to systems running pymetasploit3 to only trusted, authenticated users. Regularly audit command execution activity on systems running the vulnerable library.
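As an added defensive example (not pymetasploit3's own code), the following models the option-to-console-script construction the advisory describes and adds a validator that rejects option names and values carrying newlines or other control characters before they reach the console. The layout of `build_console_script` is an assumption about how a module runner assembles "set" commands, not the library's actual implementation.

```python
import re

# Constructed model of a console-driven module runner: one console command
# per line, options rendered as "set KEY VALUE". This mirrors the failure
# mode described in the advisory and is an assumption, not pymetasploit3's code.
def build_console_script(module_type: str, module_name: str, options: dict) -> str:
    lines = [f"use {module_type}/{module_name}"]
    for key, value in options.items():
        lines.append(f"set {key} {value}")  # a value containing "\n" yields extra lines
    lines.append("run")
    return "\n".join(lines) + "\n"

# Any ASCII control character (CR, LF, NUL, ESC, DEL, ...) can alter the
# line-oriented command structure, so all of them are rejected.
_FORBIDDEN = re.compile(r"[\x00-\x1f\x7f]")

class UnsafeOptionValue(ValueError):
    """Raised when an option name or value could break the console script."""

def validate_option(key: str, value) -> str:
    """Return the option value as a string if it is safe to embed in a console line."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", key):
        raise UnsafeOptionValue(f"option name {key!r} is not a plain identifier")
    text = str(value)
    if _FORBIDDEN.search(text):
        raise UnsafeOptionValue(f"option {key} contains control characters")
    return text

def safe_build_console_script(module_type: str, module_name: str, options: dict) -> str:
    """Validate every option before building the script; refuse the whole run otherwise."""
    clean = {key: validate_option(key, value) for key, value in options.items()}
    return build_console_script(module_type, module_name, clean)

def count_commands(script: str) -> int:
    """Number of non-empty console lines the script would actually issue."""
    return len([line for line in script.splitlines() if line.strip()])
```

`count_commands` makes the defect observable: a single option whose value hides a newline produces one more console command than the caller intended, which is the condition the validator blocks.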