Metasploit Pro Version 4.22.8-2025082101 Release Notes
Software release date: August 21, 2025 | Release notes published: August 22, 2025
New module content (8)
- #20386 - This adds a new payload; the payload/windows/x64/download_execute module can be used to download and execute a binary over HTTP, with a reduced code size.
- #20387 - This adds an exploit module for an authenticated RCE in Wazuh servers tracked as CVE-2025-24016. Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to version 4.9.1, an unsafe deserialization vulnerability allows for remote code execution on Wazuh servers.
- #20399 - This adds a new module for CVE-2025-4653 - authenticated remote code execution in Pandora ITSM. This module exploits a command injection vulnerability in the name backup setting on the application setup page of Pandora ITSM. This can be triggered by generating a backup with a malicious payload injected at the name parameter. The module requires valid application credentials. Alternatively, if a database is exposed, the module can create a new admin account by connecting to the database.
- #20400 - This adds an exploit module leveraging an authenticated RCE in PivotX tracked as CVE-2025-52367. Authenticated users are able to overwrite the /pivotx/index.php endpoint with a PHP payload which gets executed in the context of the user running the web application. The module restores the original contents of the /pivotx/index.php endpoint once a session is established.
- #20409 - This module exploits the authentication bypass vulnerabilities CVE-2025-49706 and CVE-2025-53771, and an unsafe deserialization vulnerability CVE-2025-49704, to achieve unauthenticated RCE against a vulnerable Microsoft SharePoint Server.
- #20423 - This adds a file format module for XDG Desktop (.desktop) files.
- #20446 - This adds a new module for CVE-2025-2611 - unauthenticated remote code execution in ICTBroadcast. The application evaluates certain cookies using backticks, which can lead to command injection.
- #20460 - Adds a module for CVE-2024-32019 - privilege escalation for ndsudo.
Enhancements and features (7)
- Pro: Adds multiple single-module-run enhancements and bug fixes, including support for single-module-run replay, a new UX for selecting target hosts, Kerberos cache credentials, and PKCS#12 certificates for LDAP and Kerberos modules.
- #20418 - Updates the password cracking modules to now automatically detect the presence of JohnTheRipper or Hashcat binaries on the host filesystem when attempting to crack credentials.
- #20445 - This update improves the ActiveDirectory mixin by skipping unnecessary LDAP lookups for the well-known local system SID (S-1-5-18). By handling it as a special case, repeated redundant queries are avoided, reducing noise in verbose logs and improving performance.
- #20451 - This adds a new fetch command - lwp-request GET. The command is currently enabled as an option for Linux targets.
- #20457 - Updates modules that reference a Kerberos credential cache path or PKCS#12 cert to support reading from a file on disk, or a database id with the syntax id:123.
- #20469 - Improves Kerberos file load error messages. When setting an invalid Kerberos krb5ccname credential cache file, users are now told why it is not suitable for use in a module, e.g. it is expired, or the realm or sname is mismatched.
- #20471 - Adds an enhancement to the ldap_esc_vulnerable_cert_finder module. The module will now check for enrollment permissions on both the template and the CA server, meaning users can filter their results to only show templates that are vulnerable and that they have the necessary permissions to enroll in; this can be done using the new REPORT datastore option.
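The #20445 entry above describes short-circuiting directory lookups for a well-known SID. The following is an added example, not Metasploit's ActiveDirectory mixin, showing the pattern in Ruby: a resolver that answers well-known SIDs from a local table, only goes to the directory for domain SIDs, and caches those results so each SID costs at most one round trip. The `SidResolver` class, the `SAMPLE_DIRECTORY` hash standing in for an LDAP objectSid lookup, and the sample SIDs are all constructed for this example.

```ruby
# Added example, not Metasploit code: a SID-to-name resolver that answers
# well-known SIDs locally and only queries the directory for domain SIDs,
# caching those results so each SID costs at most one lookup.

# Well-known SIDs that never need a directory lookup.
WELL_KNOWN_SIDS = {
  'S-1-1-0'  => 'Everyone',
  'S-1-5-11' => 'NT AUTHORITY\\Authenticated Users',
  'S-1-5-18' => 'NT AUTHORITY\\SYSTEM',
  'S-1-5-19' => 'NT AUTHORITY\\LOCAL SERVICE',
  'S-1-5-20' => 'NT AUTHORITY\\NETWORK SERVICE'
}.freeze

# Textual SID shape: S-1-<authority>-<subauthority>[-<subauthority>...]
SID_PATTERN = /\AS-1-\d+(?:-\d+)+\z/

class SidResolver
  attr_reader :ldap_queries

  # directory: constructed stand-in for an LDAP objectSid -> sAMAccountName
  # lookup (hypothetical data, not from any real domain).
  def initialize(directory)
    @directory = directory
    @cache = {}
    @ldap_queries = 0
  end

  # Returns the account name for sid, or nil if the directory does not know it.
  def resolve(sid)
    raise ArgumentError, "malformed SID: #{sid.inspect}" unless sid =~ SID_PATTERN
    return WELL_KNOWN_SIDS[sid] if WELL_KNOWN_SIDS.key?(sid) # special case: no LDAP round trip
    return @cache[sid] if @cache.key?(sid)                   # already asked the directory
    @ldap_queries += 1
    @cache[sid] = @directory[sid]                            # unknown SIDs are cached as nil too
  end

  # Resolve a list of SIDs (e.g. from a token or ACL) and report how many
  # directory round trips it actually cost.
  def resolve_all(sids)
    names = sids.map { |s| [s, resolve(s)] }.to_h
    { names: names, ldap_queries: @ldap_queries }
  end
end

# Constructed sample: one domain SID plus repeated well-known SIDs.
SAMPLE_DIRECTORY = { 'S-1-5-21-1111-2222-3333-500' => 'Administrator' }.freeze
SAMPLE_SIDS = %w[
  S-1-5-18
  S-1-5-21-1111-2222-3333-500
  S-1-5-18
  S-1-5-21-1111-2222-3333-500
  S-1-5-19
].freeze

if __FILE__ == $PROGRAM_NAME
  result = SidResolver.new(SAMPLE_DIRECTORY).resolve_all(SAMPLE_SIDS)
  result[:names].each { |sid, name| puts "#{sid} -> #{name.inspect}" }
  puts "LDAP queries issued: #{result[:ldap_queries]}"
end
```

Running the sample resolves five SIDs with a single directory query: the two S-1-5-18 and one S-1-5-19 entries are served from the table, and the repeated domain SID hits the cache the second time. Malformed input is rejected before any lookup so a bad value cannot turn into a stray LDAP search.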
Bugs fixed (13)
- Pro: Fixes incorrect tooltips on manage credentials modal.
- #20372 - This updates the module cache logic and fixes a bug where newly added modules would not be automatically loaded.
- #20431 - This fixes an ASN1 parsing error in auxiliary/admin/kerberos/get_ticket that would occur when using PKINIT authentication with certain certificates.
- #20432 - Fixes an edge-case with the Metasploit RPC that caused module unique identifiers to be tracked incorrectly.
- #20437 - This adds a fix for the auxiliary/dos/http/apache_range_dos module. Previously, the module did not work correctly due to the uninitialized variable uri. This change fixes that behavior by adding initialization for uri.
- #20438 - Fixes a bug in the upload_and_compile method where under certain circumstances we can call chmod on the wrong filename.
- #20448 - Fixes a bug when generating PowerShell scripts. Previously it was possible for randomly generated variable names to be chosen that are reserved, which led to payload failures.
- #20450 - This bumps the Mettle payload version from 1.0.42 to 1.0.45. The changes include the fix for a bug that would occur when the ELF executable was converted to shellcode.
- #20454 - Fixes a crash when running the show options command on some modules.
- #20461 - Improves the login summary for the LDAP login module when LDAP::Auth=schannel is set, as well as fixing an edge-case error when the module was canceled before completion.
- #20462 - Fixes a logging bug when handling Kerberos authentication errors.
- #20485 - Removes an errant call to a non-existent super method under a specific set of conditions.