Metasploit Pro Version 4.22.9-2025110601 Release Notes

Software release date: November 6, 2025 | Release notes published: November 10, 2025

New module content (3)

  • #20594  - Adds a module to detect publicly exposed ReDoc API documentation pages. The module sends read-only HTTP GET requests and searches the responses for common HTML markers.
  • #20650  - This adds a new unauthenticated remote code execution module for the NCR Command Center Agent. The module sends malicious XML containing the runCommand parameter, triggering the unauthenticated execution of a PowerShell payload.
  • #20662  - This adds a new persistence module for Windows that uses the startup folder. The module drops the payload into the startup programs folder, either for a specific user or for the system, which affects all users.

Enhancements and features (4)

  • Pro: Updates the PostgreSQL version that Metasploit Pro uses from 13 to 14.
  • Pro: Users are now notified if they enter invalid values, such as an email address, into the included host addresses field when generating reports.
  • #20648  - This adds an additional set of credentials to be used by the exploit/apple_ios/ssh/cydia_default_ssh module.
  • #20661  - Adds support for aarch64 payloads to the exploit/multi/http/gitea_git_fetch_rce module.

Bugs fixed (3)

  • Pro: Updates Metasploit Pro’s included cacert bundle to ensure HTTPS requests succeed against systems with newer SSL/TLS certificates.
  • Pro: Reduces the amount of memory required to run larger batches of exploits against multiple targets.
  • Pro: Improves task visibility in the RPC API, now optionally providing a complete task history. The msfpro console now supports the use of pro_tasks -a to show all tasks. See api_examples/task_list.rb for an example when using the RPC API.

Offline Update

Metasploit Framework and Pro Installers