Metasploit Pro Version 4.22.8-2025102701 Release Notes
Software release date: October 27, 2025 | Release notes published: October 27, 2025
New module content
- #20579 - Adds an auxiliary scanner module for an insecure template function vulnerability in Listmonk versions >= v4.0.0 and < v5.0.2. This allows authenticated users with minimal permissions to read arbitrary environment variables on the host system through campaign template previews. Environment variables in Listmonk deployments often contain sensitive information such as database credentials, SMTP passwords, API keys, and admin credentials, leading to potential full system compromise.
- #20585 - Adds a module targeting CVE-2025-60787, an authenticated template injection vulnerability in MotionEye versions <= 0.43.1b4.
- #20586 - Adds a Windows fileformat module able to generate malicious Windows Script Host files.
- #20630 - Adds a new module for Vvveb, exploiting a code injection vulnerability in the code editor (CVE-2025-8518). The module requires credentials to the CMS.
Enhancements and features
- #20595 - Adds missing CVEs to 331 different modules.
Bugs fixed
- Pro: Fixes an issue during Metasploit’s update or installation process that stopped the database service from running.
- Pro: Fixes the replay capabilities for the Single Credentials Testing MetaModule.
- #20546 - This fixes multiple issues that were present in the auxiliary/scanner/ssh/ssh_login_pubkey module.
- #20563 - The ldap_esc_vulnerable_cert_finder now checks the CAs and DC when running registry checks.
- #20582 - This fixes a regression in the random identifier library that was causing failures when processing PHP code.
- #20608 - Fixes a bug with the Windows PE Inject payload.
- #20611 - Fixes a bug in the exploit/multi/local/periodic_script_persistence module which caused issues for the Local Exploit Suggester.
- #20636 - Fixes a bug in the web crawler’s handling of pages that are not found.
- #20639 - Fixes a crash when running the scanner/oracle/oracle_login module.