Metasploit Pro Version 4.22.8-2025091701 Release Notes

Software release date: September 17, 2025 | Release notes published: September 18, 2025

New module content (7)

• #19903  - This adds a module for periodic script persistence. The module creates a periodic script on systems supporting that functionality - i.e. BSD system and OSX.
• #20376  - Adds a module targeting CVE-2025-32463, a local privilege escalation vulnerability in sudo before version 1.9.17p1. The exploit requires a C compiler to be present on the target machine.
• #20397  - This adds a module which exploits a template injection vulnerability in the Sawtooth Software Lighthouse Studio’s ciwweb.pl web application in versions prior to 9.16.14. The application fails to properly sanitize user input within survey templates, allowing unauthenticated attackers to inject and execute arbitrary Perl commands on the target system which get run in the context of the user running the web server.
• #20455  - This adds an exploit module for Shenzhen Aitemi M300 MT02, the RCE vulnerability will execute commands and payloads as the root user.
• #20479  - This adds two separate exploit modules which can be used to obtain unauthenticated RCE on Sitecore XP instances running versions 10 to 10.4. Both modules make use of a hardcoded password in a service account to bypass authentication, which is tracked as CVE-2025-34509. Then one module exploits an authenticated zip slip vulnerability in order to gain RCE tracked as CVE-2025-34510. The other module makes use of a vulnerability in the SiteCore PowerShell Extension, in versions prior to 7.0, which is common yet not installed by default. The SPE is vulnerable to unrestricted file upload up to version 7.0 (CVE-2025-3451). Using this vulnerability an attacker can upload a malicious ASPX file and gain remote code execution.
• #20493  - This adds a new exploit module for XWiki unauthenticated remote code execution - CVE-2025-24893.

Enhancements and features (7)

• Pro: Adds a banner within Pro to now display if there is an update available.
• #19653  - Fixes multiple bugs in credential generation and refactors the code to improve readability.
• #20490  - This adds a new HTTP::Auth option to HTTP modules, adding the capability to define specific authentication mechanisms, such as ntlm or, most notably, kerberos.
• #20495  - Updates the apt_package_manager persistence module to use the new persistence mixin.
• #20497  - Modified the autostart persistence module to use the new persistence mixin.
• #20504  - This moves the bash profile exploit module into the persistence category. It leverages new functionality for persistence modules, by using the new persistence mixin.
• #20526  - This moves the at_persistence module into the persistence category. The module now contains new expanded functionality for persistence modules.

Bugs fixed (11)

• Pro: Fixes an issue where scanners without SSL support would fail when run via bruteforce. A check has now been added to check if a scanner supports SSL configuration, if it does not it will output a status stating the scanner was skipped.
• Pro: This fixes an error that was present in Javascript used to convert strings representing bytes in different units to bytes. The error manifested itself in loading screens that lasted indefinitely in certain conditions.
• Pro: This fixes an issue that would occur when Metasploit Pro is uninstalled from a host that prevented services from being cleaned up. This would then prevent Metasploit Pro from being re-installed on the same host due to conflicts with existing services.
• #20500  - Fixes a bug with msfconsole when the user provided database connection URL string contained query parameters.
• #20505  - This fixes a bug in the sap_router_portscanner module.
• #20511  - This fixes SNI functionality in the auxiliary/scanner/ssl/ssl_version module so it can target hosts with multiple names.
• #20514  - Fixes a regression during Meterpreter session startup by disabling automatic loading of the unhook extension which caused crashes on Windows 11 24H2+ systems.
• #20516  - Fixes msfdb init failures on NixOs.
• #20537  - This fixes an error that would occur in the module cache when a file system path was not initialized.
• #20541  - This fixes a NoMethodError that was very recently introduced in the smb_login. Metasploit users will now be able to run the smb_login scanner without issue once again.
• #20542  - This fixes an edge case in the smb_login scanner when the authentication mode has been set to Kerberos. When attempting to brute force the password of an account whose password has expired, operators would previously see all attempted passwords returning successful due to how the KDC_ERR_KEY_EXPIRED status was parsed. Now the smb_login scanner will return not successful for any password of an account whose password has expired, even the correct but expired password, as no password is currently able to successfully authenticate.

Offline Update

• https://updates.metasploit.com/packages/1f0da6bb6225fcad677e8fa6ef37fe6f45929da4dcab75c25ffa9d2942183130.bin 

Metasploit Framework and Pro Installers

• https://github.com/rapid7/metasploit-framework/wiki/Downloads-by-Version