Metasploit Pro Version 4.22.9-2026011901 Release Notes

Software release date: January 20, 2026 | Release notes published: January 20, 2026

New module content

  • #20472  - Adds an exploit for BadSuccessor, a vulnerability in which a user with permissions to an OU can create a dMSA account in a way that leads to the issuance of a Kerberos ticket for an arbitrary user.
  • #20692  - Adds a persistence module that leverages Python’s startup mechanism, in which certain files are automatically processed during Python interpreter initialization. These files include startup hooks (site-specific and dist-packages): when they are present in site-specific or dist-packages directories, any lines beginning with import are executed automatically. This creates a persistence mechanism when an attacker has established access to a target machine with sufficient permissions.
  • #20700  - Adds a new module for an authenticated deserialization vulnerability in Taiga.io (CVE-2025-62368). The module sends malicious data to an exposed API that performs unsafe deserialization, leading to remote code execution.
  • #20706  - Updates Windows WMI persistence to use a new management approach in Metasploit Framework. The Windows WMI module has been split into four modules, each representing a distinct technique.
  • #20713  - Adds an auxiliary module that exploits two CVEs affecting N-able N-Central: CVE-2025-9316, an unauthenticated session bypass, and CVE-2025-11700, an XXE (XML External Entity) vulnerability. The module combines both vulnerabilities to achieve unauthenticated file read on affected N-Central instances (versions < 2025.4.0.9).
  • #20733  - Adds a new bind shell payload for Linux RISC-V targets.
  • #20734  - Extends fetch payload support for RISC-V targets.
  • #20749  - Adds an exploit module for a Server-Side Template Injection (SSTI) vulnerability (CVE-2025-66294) in Grav CMS versions prior to 1.8.0-beta.27, which allows bypassing the Twig sandbox to achieve remote code execution. To inject the malicious payload into a form’s process section, this module leverages CVE-2025-66301, a broken access control flaw in the /admin/pages/{page_name} endpoint.
  • #20754  - Adds a new Windows persistence technique by registering an assistive technology for the current user and configuring it to start at logon or desktop switch.
  • #20761  - Adds an exploit module for CVE-2025-13486, an unauthenticated remote code execution vulnerability affecting the Advanced Custom Fields: Extended WordPress plugin, versions 0.9.0.5 through 0.9.1.1.
  • #20767  - Adds an auxiliary module for GeoServer WMS that can read remote files from the target system.
  • #20791  - Adds an exploit module for CVE-2025-32778, a command injection vulnerability in Web-Check’s screenshot API endpoint. This allows unauthenticated remote code execution by injecting shell commands via URL query parameters in the /api/screenshot endpoint.
  • #20792  - Adds an exploit module for CVE-2025-37164, an unauthenticated RCE vulnerability affecting Hewlett Packard Enterprise (HPE) OneView. All versions below 11.00 are vulnerable if the vendor-supplied hotfix has not been applied. Some VM product versions do not enable the vulnerable ID Pools endpoint and are therefore not exploitable.
  • #20793  - Adds an exploit module for CVE-2025-34433, an unauthenticated remote code execution vulnerability in AVideo (formerly YouPHPTube), affecting versions 14.3.1 through 20.0.
  • #20796  - Moves udev persistence into the persistence category and adds the persistence mixin.
  • #20806  - Adds a new module for Control Web Panel (CVE-2025-67888). The vulnerability is an unauthenticated OS command injection through an exposed API. The module requires Softaculous to be installed.
  • #20810  - Adds a new module for n8n (CVE-2025-68613). The vulnerability is an authenticated remote code execution flaw in the workflow expression evaluation engine. The module requires credentials to create a malicious workflow that executes system commands via a JavaScript payload.
  • #20811  - Adds a new module for Prison Management System 1.0 (CVE-2024-48594). The module requires admin credentials, which are then used to exploit an unrestricted file upload vulnerability to upload a web shell.
  • #20833  - Adds an auxiliary scanner module that exploits MongoBleed (CVE-2025-14847) to dump memory from a live instance of the NoSQL database.
  • #20845  - Adds Linux ARM 32-bit and 64-bit little-endian chmod payloads.
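
The startup-hook behaviour described under #20692 can be audited from the defender's side. The following is an added example, not part of these release notes or of Metasploit: it lists every line in `.pth` files under the interpreter's site directories that Python's `site` module would execute at startup, together with a file hash for comparison against a known-good baseline. The function names and the sample file content are constructed for this example.

```python
import hashlib
import site
import sysconfig
from pathlib import Path

# Constructed sample .pth content: a comment, a path entry, one executable line.
SAMPLE_PTH = "# constructed sample\n./vendor_libs\nimport os; os.environ.setdefault('DEMO_HOOK', '1')\n"


def executable_lines(text):
    """Return (line_number, line) for every line the site module would exec()."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        if line.startswith("#") or not line.strip():
            continue  # comments and blank lines are skipped by site
        # Only lines that begin (no leading whitespace) with "import" are executed;
        # every other line is treated as a directory to add to sys.path.
        if line.startswith(("import ", "import\t")):
            hits.append((number, line.rstrip()))
    return hits


def candidate_dirs():
    """Directories in which this interpreter processes .pth files."""
    dirs = set(site.getsitepackages()) | {site.getusersitepackages()}
    dirs.add(sysconfig.get_paths()["purelib"])
    return sorted(Path(d) for d in dirs if Path(d).is_dir())


def scan(dirs):
    """Map each .pth file that has executable lines to (sha256, lines)."""
    report = {}
    for directory in dirs:
        for pth in sorted(Path(directory).glob("*.pth")):
            data = pth.read_bytes()
            hits = executable_lines(data.decode("utf-8", errors="replace"))
            if hits:
                report[str(pth)] = (hashlib.sha256(data).hexdigest(), hits)
    return report


if __name__ == "__main__":
    for path, (digest, hits) in scan(candidate_dirs()).items():
        print(f"{path} sha256={digest}")
        for number, line in hits:
            print(f"  line {number}: {line}")
```

Some legitimate packages ship `.pth` files with executable lines, so the output is a list to review against a baseline rather than a verdict.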

Enhancements and features

  • Pro: Adds multiple improvements to support React2Shell exploitation against remote targets as part of the single module run page.
  • Pro: Updates the vulnerability attempts table to include additional information about vulnerability attempt success or failure reasons.
  • Pro: Updates Metasploit Pro’s SSL Ciphers to follow newer security conventions and best practices.
  • #20706  - Updates Windows WMI persistence management, splitting the module into four technique-specific modules.
  • #20751  - Updates the Windows Sticky Keys post-persistence module to use the new persistence mixin.
  • #20755  - Adds an advanced datastore option, KrbClockSkew, to Kerberos-authenticated modules, allowing operators to adjust the Kerberos clock to mitigate clock skew errors.
  • #20771  - Updates Metasploit’s default payload selection logic to prefer x86 payloads over AARCH64 payloads.
  • #20773  - Updates the React2Shell exploit with an improved default payload.
  • #20785  - Adds Waku framework support to the existing React2Shell module. Waku is a minimal React framework that differs slightly from Node.js. The module maintains backward compatibility with Next.js targets while adding Waku support through a modular configuration system.
  • #20786  - Updates module code to merge target Arch and Platform entries into the module’s top-level metadata, removing duplication across over 500 modules.
  • #20796  - Moves udev persistence into the persistence category and adds the persistence mixin.
  • #20800  - Updates the AutoCheck mixin to ensure vulnerabilities identified during automatic checks are reported to the database.
  • #20851  - Adds register constants for the following architectures: aarch64, amd64, arm, loongarch64, mips32, mips64, ppc32, ppc64, riscv32, riscv64, and zarch.
  • #20853  - Updates the Windows Meterpreter to support a new PoolParty injection technique for Windows 10+ x86, and fixes a bug with UDP networking support in the PHP Meterpreter.
  • #20855  - Adds additional ATT&CK references to persistence modules.
  • #20861  - Adds multiple improvements to hostname resolution logic in post-exploitation modules.

Bugs fixed

  • #20744  - Fixes a bug in unix/webapp/wp_reflexgallery_file_upload where the current year and month were hardcoded in the request, causing the server to reject the exploit if the corresponding upload directory did not exist. The year and month are now configurable datastore options.
  • #20772  - Fixes an issue that prevented sessions from opening due to a bug in the logic that logged session network information to the database.
  • #20781  - Removes nonfunctional PPC Meterpreter payloads for Linux. These payloads have not worked for some time and are no longer planned for support.

Offline Update

Metasploit Framework and Pro Installers