Metasploit Pro Version 4.22.9-2026020501 Release Notes
Copy link

Software release date: February 5, 2026 | Release notes published: February 9, 2026

New module content (9)
Copy link

  • #19821  - Adds a new persistence module for Burp Suite. The module installs a malicious extension into both the Pro and Community editions, which is triggered when Burp Suite starts.
  • #20750  - Adds an exploit for CVE-2025-61882, a critical remote code execution (RCE) vulnerability in Oracle E-Business Suite (EBS). The flaw allows unauthenticated attackers to execute arbitrary code by chaining SSRF, HTTP request smuggling, and XSLT injection. Affected versions: Oracle E-Business Suite 12.2.3–12.2.14.
  • #20768  - Adds two auxiliary modules for Gladinet CentreStack/Triofox. Both modules can read arbitrary files and extract the machineKey, which is used to secure ASP.NET ViewState data. This change also introduces a new Gladinet mixin.
  • #20770  - Adds two Metasploit exploit modules targeting remote code execution (RCE) vulnerabilities in Splunk Enterprise. CVE-2024-36985 exploits unsafe use of the copybuckets lookup function in the splunk_archiver application, resulting in execution of the sudobash helper script with attacker-controlled arguments. Affected versions: all releases prior to 9.0.10, 9.1.2–9.1.5, and 9.2.0–9.2.2. CVE-2022-43571 exploits a Python code injection vulnerability in Splunk SimpleXML dashboards by injecting malicious code into sparkline style parameters. The code is executed when a user exports the dashboard to PDF. Affected versions: all releases prior to 8.1.12, 8.2.0–8.2.9, and 9.0.0–9.0.2.
  • #20799  - Adds an exploit for CVE-2025-24367, an unauthenticated RCE vulnerability in Cacti.
  • #20846  - Adds an exploit module for FreePBX that chains an authentication bypass (CVE-2025-66039) with an SQL injection (CVE-2025-61675) to create an administrator user in the database.
  • #20857  - Adds an exploit module for FreePBX that chains an authentication bypass (CVE-2025-66039) with an SQL injection (CVE-2025-61678), allowing a cron job to be added to the cron_job database table to achieve remote code execution.
  • #20858  - Adds an exploit module for FreePBX that chains an authentication bypass (CVE-2025-66039) with an unrestricted file upload via firmware upload (CVE-2025-61678), allowing a web shell to be uploaded to the web server and resulting in remote code execution.
  • #20866  - Adds a module for unauthenticated file upload in SmarterTools SmarterMail (CVE-2025-52691). The vulnerability allows an unauthenticated user to upload a file to an arbitrary location via path traversal using the guid parameter. The module either drops a web shell in the webroot (on Windows targets) or creates a cron job by writing a file to /etc/cron.d (on Linux targets).

Enhancements and features (5)
Copy link

  • #20739  - Adds MITRE ATT&CK metadata tags to modules related to Kerberos and unconstrained delegation, enabling content searches by ATT&CK technique ID.
  • #20778  - Combines the Windows and Linux SSH key persistence modules.
  • #20840  - Updates the MongoBleed auxiliary module with new options. The module can now use the Wiz Magic Packet to quickly detect the vulnerability, identify compression libraries used by MongoDB (and warn or halt if zlib is not enabled), reuse the MongoDB socket connection during memory scanning to improve performance, and more effectively leak secrets via pattern matching or by storing extracted data in raw or JSON format.
  • #20882  - Adds the RSAKeySize advanced option and uses it when generating CSR key pairs, allowing users to increase key size to meet certificate template minimum requirements and avoid CERTSRV_E_KEY_LENGTH errors when 2048-bit keys are rejected.
  • #20883  - Updates Kerberos modules to present a user-friendly message when the IMPERSONATE option is specified without also setting IMPERSONATION_TYPE.

Bugs fixed (9)
Copy link

  • #20368  - Fixes an issue that caused msfvenom to fail when run from alternative directories.
  • #20680  - Improves the RPC API with multiple fixes and enhancements.
  • #20834  - Fixes a NoMethodError exception in the team_viewer post module.
  • #20888  - Fixes an issue that caused dMSA Kerberos authentication to fail.
  • #20897  - Fixes a bug that prevented collected hash data from being formatted correctly for use with John the Ripper, restoring the ability to crack passwords using John.
  • #20902  - Fixes a bug in the auxiliary/scanner/ssh/ssh_login module that incorrectly reported login failures when authentication succeeded but a session could not be opened. This issue only occurred when the CreateSession option was set to true.
  • #20909  - Fixes a bug in Metasploit Pro that reported false positives during HTTP brute-force attacks.
  • #20916  - Fixes a crash when running the SAP modules sap_soap_rfc_system_info or sap_icf_public_info.
  • #20920  - Fixes a bug in password cracking modules where the auto action would crash even when a compatible executable path was specified in CRACKER_PATH.

Offline Update
Copy link

Metasploit Framework and Pro Installers
Copy link