Metasploit Pro Version 4.22.9-2025121601 Release Notes
Software release date: December 16, 2025 | Release notes published: December 17, 2025
New module content
- #20637 - This PR adds a new NTLM relay module for relaying from SMB to MSSQL servers. On success, an MSSQL session will be opened to allow the user to run arbitrary queries and some modules.
- #20643 - Expands diamorphine privilege escalation module to other rootkits that use signal handling for privilege escalation.
- #20660 - This adds a new persistence module for Windows - the task scheduler module. The module will create scheduled tasks depending on the ScheduleType option.
- #20672 - Adds an exploit module for Centreon. The vulnerability, an authenticated command injection, leads to remote code execution.
- #20674 - Adds a module targeting CVE-2025-59287, an unauthenticated deserialization vulnerability in the Windows Server Update Service (WSUS) resulting in remote code execution as SYSTEM.
- #20682 - This extends our payload support to a new architecture, LoongArch64. The first payload introduced for this architecture is the `reboot` payload, which causes the target system to restart once triggered.
- #20685 - Adds a persistence module for Notepad++ that plants a malicious plugin, since Notepad++ loads and executes DLLs from its plugin directory on startup.
- #20698 - Adds a module for the recent FortiWeb 8.0.1 authentication bypass vulnerability allowing an attacker to create a new administrative user. The exploit is based on the PoC published by Defused.
- #20701 - Adds a new Windows persistence module - the WSL registry module. The module creates registry entries (`Run`, `RunOnce`) to run a Linux payload stored in WSL.
- #20702 - Adds 3 new modules targeting iGEL OS: a post module abusing the SUID permissions of the setup and date binaries; a privilege escalation module abusing the same SUID binary permissions to modify NetworkManager and restart the service, allowing arbitrary executables to be run as root; and a persistence module that, given root permissions, writes a command to the iGEL registry so it executes at startup as root.
- #20703 - Adds Linux RISC-V 32-bit / 64-bit Little Endian `chmod` payloads.
- #20705 - This adds two modules for two vulnerabilities in Flowise, CVE-2025-59528 and CVE-2025-8943. The modules add an option to supply Flowise credentials for authentication when the application requires it, enabling exploitation of the vulnerabilities in that configuration.
- #20709 - This module exploits two CVEs in Twonky Server, CVE-2025-13315 and CVE-2025-13316. Together they allow an unauthenticated attacker to read the server logs, which contain the admin credentials in encrypted form; because the keys used to encrypt them are hardcoded, the module then decrypts those credentials.
- #20712 - This adds Linux RISC-V 32-bit/64-bit TCP reverse shell payloads.
- #20717 - Adds a new module chaining the FortiWeb vulnerabilities CVE-2025-64446 and CVE-2025-58034 to gain unauthenticated code execution on a FortiWeb server.
- #20718 - Adds a module for CVE-2025-34299. The module exploits a vulnerability in the `downloadFile` action which allows an attacker to make the Monsta FTP server connect to a malicious FTP server and download arbitrary files to arbitrary locations on the Monsta FTP server.
- #20720 - This adds a new exploit module for an unauthenticated vulnerability in the WordPress AI Engine plugin, which has over 100,000 active installations. The vulnerability allows an attacker to create an administrator account via the MCP (Model Context Protocol) endpoint without authentication, then upload and execute a malicious plugin to achieve remote code execution. The vulnerability is being tracked as CVE-2025-11749.
- #20725 - This adds a new exploit module for CVE-2025-54236 (SessionReaper), a critical vulnerability in Magento/Adobe Commerce that allows unauthenticated remote code execution. The vulnerability stems from improper handling of nested deserialization in the payment method context, combined with an unauthenticated file upload endpoint.
- #20746 - This adds an exploit module for CVE-2025-8489, an unauthenticated privilege escalation vulnerability in the WordPress King Addons for Elementor plugin (versions 24.12.92 to 51.1.14). The vulnerability allows unauthenticated attackers to create administrator accounts by specifying the user_role parameter during registration, enabling remote code execution through plugin upload.
- #20747 - This adds an exploit for CVE-2025-55182, an unauthenticated RCE in React that has been referred to as React2Shell. These capabilities are available from the module search page in Metasploit Pro. Users are likely to have the most success with this module when selecting the advanced payload setting with the `cmd/linux/http/x64/meterpreter/reverse_tcp` payload and toggling `FETCH_COMMAND` between `wget`, `curl`, etc. depending on which binaries are available on the remote target for staging the payload. This workflow will be improved in a future release.
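The WSL registry persistence module (#20701) above works by planting a `Run`/`RunOnce` value that hands execution to a Linux payload inside WSL. The following is an added example, not part of these release notes or of the Metasploit project, of the check a defender would run against a `reg export` of those keys: it parses the export text (including `REG_EXPAND_SZ` values, which `reg export` writes as `hex(2):` UTF-16LE bytes wrapped across lines), restricts itself to the four autostart keys, and flags any command that invokes `wsl.exe`, `bash.exe` or a per-distribution launcher, or that references a `\\wsl$` / `\\wsl.localhost` path. The sample export, the value names and the list of launcher executables are constructed for the example; the `HKLM` keys are included as an assumption about where else to look, not as a claim about what the module writes.

```python
from __future__ import annotations

import re

# The four autostart keys worth watching for this technique (HKLM variants are an
# assumption about additional locations to check, not what the module itself uses).
WATCHED_KEYS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
}
_WATCHED_LOWER = {k.lower() for k in WATCHED_KEYS}

# Commands that hand execution to a WSL distribution: the wsl/bash launchers,
# per-distro launcher names (assumed list), or a \\wsl$ / \\wsl.localhost path.
WSL_PATTERN = re.compile(
    r"(?:^|[\\\s\"'])(?:wslg?\.exe|bash\.exe|ubuntu\w*\.exe|debian\.exe|kali\.exe)\b"
    r"|\\\\wsl(?:\$|\.localhost)\\",
    re.IGNORECASE,
)

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')


def _decode_reg_string(data: str) -> str | None:
    """Return the string held by a .reg data field, or None for non-string types."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        # REG_SZ: unescape \" and \\ in a single pass
        return re.sub(r"\\(.)", r"\1", data[1:-1])
    if data.lower().startswith("hex(2):"):
        # REG_EXPAND_SZ is exported as comma-separated UTF-16LE bytes
        raw = bytes.fromhex(re.sub(r"[,\s\\]", "", data[7:]))
        return raw.decode("utf-16-le").rstrip("\x00")
    return None


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: string_data}}, string values only."""
    keys: dict[str, dict[str, str]] = {}
    current: str | None = None
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        while line.endswith("\\"):  # hex(...) data wrapped across lines ends in a backslash
            line = line[:-1] + next(lines, "").strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current is not None:
            decoded = _decode_reg_string(value_match.group("data"))
            if decoded is not None:
                keys[current][value_match.group("name")] = decoded
    return keys


def find_wsl_autostarts(text: str) -> list[tuple[str, str, str]]:
    """Return (key, value_name, command) for autostart values whose command runs through WSL."""
    hits: list[tuple[str, str, str]] = []
    for key, values in parse_reg_export(text).items():
        if key.lower() not in _WATCHED_LOWER:
            continue  # wsl.exe mentioned under some other key is not autostart persistence
        for name, command in values.items():
            if WSL_PATTERN.search(command):
                hits.append((key, name, command))
    return hits


# Constructed sample export (not from a real host): one benign Run value, one
# suspicious Run value, one suspicious RunOnce value stored as REG_EXPAND_SZ
# ("wsl.exe --exec /tmp/x"), and a decoy under a key that is not an autostart location.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"SyncHelper"="C:\\Windows\\System32\\wsl.exe -d Ubuntu -e /tmp/.cache/payload.elf"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Updater"=hex(2):77,00,73,00,6c,00,2e,00,65,00,78,00,65,00,20,00,2d,00,2d,00,65,00,\
  78,00,65,00,63,00,20,00,2f,00,74,00,6d,00,70,00,2f,00,78,00,00,00

[HKEY_CURRENT_USER\Software\Benign]
"Note"="wsl.exe mentioned here, but this key is not an autostart location"
'''

if __name__ == "__main__":
    for key, name, command in find_wsl_autostarts(SAMPLE_EXPORT):
        print(f"[!] {key}\\{name} -> {command}")
```

To run it against a real host, export each watched key with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` and pass the file contents to `find_wsl_autostarts`; `reg export` writes a UTF-16 file, so read it with `encoding="utf-16"`. The key filter matters: a `wsl.exe` string under an unrelated key is not persistence, and the same pattern would be noisy if run over a full hive dump.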
Enhancements and features
- Pro: Improves the version detection of unknown services when running host scans within Metasploit Pro.
- Pro: Adds support for ESC9, ESC10 and ESC16 to the AD CS MetaModule.
- Pro: Adds a new banner to notify the user when they are running Metasploit Pro on an unsupported operating system.
- Pro: Adds support for re-running individual sessions using their previous configuration to optimize session workflows.
- #20560 - Adds references to MITRE ATT&CK technique T1021 “Remote Services” and its sub-techniques.
- #20643 - Expands diamorphine privilege escalation module to other rootkits that use signal handling for privilege escalation.
- #20658 - This adds a number of accuracy enhancements to the `ldap_esc_vulnerable_cert_finder` module. It also adds a `CertificateAuthorityRhost` datastore option to the `esc_update_ldap_object` module so the operator can specify an IP address explicitly in cases where the hostname cannot be resolved via DNS.
- #20669 - Updates the `auxiliary/scanner/http/azure_ad_login` module to print the domain and username in error messages, so users can tell which user caused the error.
- #20677 - This enables sessions to MSSQL servers that require encryption. The change adds a new MsTds::Channel which leverages Rex's socket abstraction to provide the encapsulation needed for the TLS negotiation.
- #20690 - This adds the `cert` pipe to the list of known pipes checked by the `auxiliary/scanner/smb/pipe_auditor` module. This lets users identify when the MS-ICPR interface is available because Active Directory Certificate Services (AD CS) is in use.
- #20704 - The `auxiliary/scanner/ssh/ssh_login_pubkey` module has been removed and its functionality has been moved into `auxiliary/scanner/ssh/ssh_login`.
- #20707 - Updates multiple Linux reboot payloads to note that `CAP_SYS_BOOT` privileges are required.
Bugs fixed
- Pro: Fixes an issue where scanning and importing from a Nexpose Site with a credential was failing.
- Pro: Updates the session replay capabilities to work with both auxiliary modules and exploit modules, previously only exploit modules were supported.
- Pro: Fixes a crash when attempting to import Scan Assistant credentials into Metasploit Pro from a Nexpose/InsightVM account within the `modules/auxiliary/pro/nexpose` module.
- Pro: Fixes an error that occurred when attempting to run a payload module directly from the single module run page. Users are now shown a message directing them to use global listeners and the global payload generator tool.
- Pro: Fixes a bug that stopped the `Upgrade Session` functionality from upgrading basic shell sessions to Meterpreter sessions.
- Pro: Fixes a bug in the RPC Task List API where `error` was incorrectly returning `nil` rather than an empty string. This could cause a value of type `None` to be returned to customers using Python.
- #20482 - This fixes a bug in HTTP-based login scanners when SSL is enabled and a non-default HTTPS port is used.
- #20687 - This updates the `auxiliary/scanner/winrm/winrm_login` module to catch access denied errors when trying to create a shell session, and uses them to inform the operator that the target account's password is correct but the account lacks permission to start a shell over WinRM.
- #20693 - This fixes a race condition in preloading extension klasses during bootstrap.
- #20695 - Updates the Java and PHP Meterpreter to send the local address and local port information back to Metasploit when opening TCP or UDP sockets on the remote host.
- #20708 - Fixes a bug with `msfdb` when attempting to execute the program with `bundle exec`.
- #20711 - Fixes the description for the `AppendExit` datastore option.
- #20721 - Fixes a crash when running a Nexpose scan that had a Nexpose Scan Assistant credential present.