Metasploit Pro Version 5.0.0-2026031101 Release Notes

Software release date: March 12, 2026 | Release notes published: March 12, 2026

New module content (4)

• #20966  - Adds a new module evasion/linux/x64/rc4_packer packer that encrypts the generated payload with RC4, prepends an optional sleep-based delay (nanosleep), and decrypts/executes the payload at runtime via a compact precompiled stub.
• #21001  - Adds a new module for CVE-2025-71243, an unauthenticated PHP code-injection vulnerability in the SPIP Saisies plugin. The injection takes place through _anciennes_valeurs, which allows an attacker to inject a PHP payload.
• #21002  - Adds a new module auxiliary/gather/leakix_search, a new module for LeakIX API - a search engine focused on indexing internet-exposed services and leaked credentials/databases.
• #21017  - Adds an exploit module for CVE-2025-69516, a Jinja2 SSTI in Tactical RMM < 1.4.0 where the reporting template preview endpoint evaluates user-controlled templates without sandboxing, enabling authenticated RCE. The module logs in via the Knox API, auto-detects the API host from /env-config.js, and exploits the template preview feature.

Enhancements and features (7)

• Pro: Adds support for adding arbitrary user defined tags to opened or closed sessions.
• Pro: Adds multiple UI enhancements across Metasploit Pro.
• Pro: Runs additional auxiliary scan detections as part of the Quick PenTest and Automated Exploit workflows.
• Pro: Adds optional SAML Single Sign-On (SSO) support to Metasploit Pro.
• #20885  - Updates the bind_netcat payload to allow it to be smaller by selecting either default or BSD-style netcat command syntax.Previously, the payload ran both command syntaxes combined by an OR operator so wherever it was executed, the payload worked.The default behavior remains to run both, but in the event a user needs a significantly shorter payload, they can select a single netcat syntax and adjust the filenames.
• #20961  - Adds service reporting to Wordpress mixin. Now, when you use Wordpress module, it will automatically report the target as Wordpress if detected.

Bugs fixed (1)

• #21088  - Adds a default value for the Base64Decoder option to fix an issue with shell payloads using the default base64 encoder.

Offline Update

• https://updates.metasploit.com/packages/8e79f10595f11d2d4d765296cad6d8240f1cabf79e33e61da46ffe2e3a8b1b2d.bin 

Metasploit Framework and Pro Installers

• https://github.com/rapid7/metasploit-framework/wiki/Downloads-by-Version