Metasploit Pro Version 4.22.9-2026030301 Release Notes

Software release date: March 3, 2026 | Release notes published: March 3, 2026

New Module Content (18)

  • #20798  - Adds a command injection exploit targeting the FreeBSD rtsol/rtsold daemons (CVE-2025-14558). The vulnerability can be triggered via the Domain Name Search List (DNSSL) option in IPv6 Router Advertisement (RA) messages, which is passed to the resolvconf script without sanitization. Exploitation requires elevated privileges to send IPv6 packets. Injected commands are executed as root.
  • #20819  - Adds a persistence module for WSL that writes a payload to the user’s startup folder. The module establishes persistence on Windows; however, initial access must be obtained from Linux.
  • #20841  - Adds a Windows persistence module leveraging the Active Setup feature. The module launches a payload with two caveats: (1) privileges are downgraded from admin to user, and (2) the payload executes only once per user.
  • #20844  - Adds a Windows persistence module that uses the UserInit registry key to create a session with administrative privileges whenever any user logs in.
  • #20849  - Adds three RCE modules for Xerte Online Toolkits affecting versions 3.14.0 and ≤ 3.13.7. Two modules are unauthenticated; one requires authentication.
  • #20856  - Adds an exploit module for n8n. The vulnerability, known as Ni8mare, allows arbitrary file reads and session extraction from other users, enabling privilege escalation within the web application context.
  • #20917  - Adds an exploit module for SolarWinds Web Help Desk vulnerable to CVE-2025-40536 and CVE-2025-40551. Successful exploitation opens a session as NT AUTHORITY\SYSTEM on Windows or root on Linux.
  • #20919  - Adds a Linux persistence module for Emacs. The Emacs extension triggers session creation as the compromised user.
  • #20929  - Adds an exploit module for an authentication bypass in GNU Inetutils telnetd (CVE-2026-24061). During negotiation, if the USER environment variable is set to -f root, authentication can be bypassed, resulting in command execution as root.
  • #20932  - Adds an exploit module for the command injection vulnerability CVE-2026-1281 affecting Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron. This vulnerability was exploited in the wild as a zero-day by an unknown threat actor.
  • #20947  - Adds an exploit module for CVE-2025-62521, targeting an unauthenticated RCE vulnerability in ChurchCRM versions 6.8.0 and earlier.
  • #20964  - Adds a Linux ARM64 evasion module featuring RC4 encryption, in-memory ELF execution, and sleep evasion techniques.
  • #20965  - Adds a new module evasion/linux/x86/rc4_packer that encrypts the generated payload with RC4, prepends an optional sleep-based delay (nanosleep), and decrypts/executes the payload at runtime via a compact precompiled stub.
  • #20976  - Adds an exploit module targeting CVE-2025-7441, an unauthenticated RCE vulnerability in the WordPress StoryChief plugin (versions ≤ 1.0.45).
  • #20978  - Adds a module for unauthenticated command injection in BeyondTrust PRA/RS (CVE-2026-1731).
  • #20983  - Adds three modules targeting the Grandstream GXP1600 series VoIP devices: one exploit module (CVE-2026-2329) that gains a root session, and two post modules for credential theft and packet capture.
  • #21000  - Adds three exploit modules for MajorDoMo, an open-source home automation platform. All three vulnerabilities are unauthenticated.
  • #21006  - Adds an exploit module for Ollama (CVE-2024-37032). Ollama’s pull mechanism allows path traversal, enabling attackers to load a rogue OCI registry and write arbitrary files. The exploit writes malicious .so files to the target and forces Ollama to spawn a new process that loads the malicious library.

Enhancements and Features (24)

  • Pro: Updates the services table to include additional resource information.
  • Pro: Updates the single module run page to support default module options. The new order of precedence is: User Selection > Default Target Options > Payload Options.
  • Pro: Updates social engineering campaign capabilities with additional details describing how email open tracking may be affected by clients that auto-fetch or block tracking pixels.
  • #20710  - Adds support for GHSA (GitHub Security Advisories) and OSV (Open Source Vulnerabilities) references in modules.
  • #20807  - Allows Acunetix vulnerabilities to be imported without complete web page data.
  • #20859  - Splits exe.rb into separate, more consistent files based on platform and architecture, improving granularity and maintainability.
  • #20886  - Enhances services to support child services, enabling improved reporting in the services and vulns commands (e.g., SSLHTTPS).
  • #20895  - Adds negative caching to the LDAP entry cache. Missing objects are now recorded so subsequent lookups by DN, sAMAccountName, or SID return nil without re-querying the directory.
  • #20934  - Adds MITRE ATT&CK tags to LDAP and AD CS modules to support ATT&CK-based discovery using the att&ck keyword.
  • #20935  - Adds MITRE ATT&CK technique T1558.003 to Kerberoasting modules to support ATT&CK-based discovery.
  • #20936  - Adds MITRE ATT&CK tags to SMB account-related modules to support ATT&CK-based discovery.
  • #20937  - Adds MITRE ATT&CK tags to SCCM modules that retrieve NAA credentials using different techniques.
  • #20938  - Improves the check method in the beyondtrust_pra_rs_unauth_rrce module to detect older vulnerable versions that report version information differently.
  • #20941  - Adds a MITRE ATT&CK technique reference to the Windows password cracking module to support ATT&CK-driven discovery.
  • #20942  - Adds MITRE ATT&CK technique references to the getsystem, cve_2020_1472_zerologon, and atlassian_confluence_rce_cve_2023_22527 modules to support ATT&CK-driven discovery.
  • #20943  - Adds affected version information to the exploits/unix/webapp/twiki_maketext module description.
  • #20950  - Updates the vsftp_234_backdoor module to add shell and Meterpreter payloads, improve vulnerability detection, and enhance troubleshooting output.
  • #20951  - Moves the default payload into DefaultOptions in the Remote for Mac module for improved consistency.
  • #20952  - Enhances the unix/irc/unreal_ircd_3281_backdoor module with additional payload options (including native Meterpreter), debugging logic, and more verbose output.
  • #20988  - Improves the SolarWinds exploit module to automatically select the correct SRVHOST value.
  • #20992  - Adds a check method to the MS17-010 scanner module to improve metadata for automation workflows.
  • #21010  - Adds reporting support for GitLab services.
  • #21014  - Fixes a crash when running the LDAP ESC vulnerable certificate finder if LDAP binding fails.

Bugs Fixed (9)

  • #20599  - Fixes an issue where running services -p <ports> -u -R could result in a silent file-not-found error when setting RHOSTS from database values.
  • #20817  - Fixes a crash caused by the output of the sap_router_portscanner module.
  • #20903  - Fixes an issue where #enum_user_directories returned duplicate directories.
  • #20906  - Fixes SSH command shells terminating during cmd_exec when a trailing newline is present.
  • #20953  - Improves the stability of socket channel support for SSH sessions opened via scanner/ssh/ssh_login.
  • #20955  - Ensures temporary RHOST files are cleaned up when using services -p <ports> -u -R.
  • #20972  - Fixes false positives in LG Simple Editor check methods.
  • #21012  - Improves the GraphQL Introspection Scanner module to correctly handle invalid responses and reduce false positives.
  • #21044  - Fixes a crash when using db_import on a Nessus file containing protocols other than tcp or udp.

Offline Update

Metasploit Framework and Pro Installers