Metasploit Pro Version 5.0.0-2026042601 Release Notes

Software release date: April 26, 2026 | Release notes published: April 27, 2026

New Module Content

  • #20752  - Adds a new auxiliary/admin/http/web_enrollment_cert module that allows certificates to be issued from an Active Directory Certificate Services Web Enrollment portal. Its usage is the same as the auxiliary/admin/http/icpr_cert module but enables operators to issue certificates when the web enrollment portal is accessible but the MS-ICPR service is not.
  • #20839  - Adds a new persistence module that uses Microsoft BITS to maintain access to the system.
  • #20843  - Adds a new persistence module, exploit/windows/persistence/telemetry, that abuses the Windows Telemetry scheduled task (Microsoft Compatibility Appraiser / CompatTelRunner) to establish persistence. The module writes a payload to disk and configures the telemetry task to execute it, resulting in a SYSTEM-level Meterpreter session either on the next scheduled run or immediately on demand. Requires an admin-level Meterpreter session on the target.
  • #20933  - Adds a new persistence module that uses PowerShell profiles to maintain access.
  • #20948  - Adds an auxiliary module to exploit CVE-2026-22200, an authenticated file read vulnerability in osTicket.
  • #21003  - Replaces the two separate Selenium Grid RCE modules (Chrome and Firefox) with a single unified module that auto-detects available browsers and selects the best attack vector. The module targets unauthenticated Selenium Grid and Selenoid instances, supporting two techniques: a Firefox profile handler injection that works on all Grid versions including the latest (never patched since 2021), and a Chrome binary override for Grid versions prior to 4.11.0 and all Selenoid versions. No authentication is required.
  • #21034  - Adds a new exploit module for openDCIM that chains three vulnerabilities (https://github.com/advisories/GHSA-mg2w-x76x-59h8 , https://github.com/advisories/GHSA-prmh-rp39-qc4m , https://github.com/advisories/GHSA-428h-8xhf-g3cw ) to achieve remote code execution.
  • #21075  - Adds an auxiliary module for CVE-2026-28501, an unauthenticated SQL injection in AVideo <= 22.0, along with a new BenchmarkBasedBlind SQLi mixin class and blind extraction improvements.
  • #21095  - Adds a new exploit module for CVE-2025-68109, targeting a file upload vulnerability in ChurchCRM leading to RCE. This module works on ChurchCRM version 6.2.0 and earlier.
  • #21122  - Adds an auxiliary module to exploit an arbitrary file vulnerability, CVE-2024-46987, in Camaleon CMS >= 2.8.0 (including 2.9.0).
  • #21158  - Adds an auxiliary module to exploit an authentication bypass vulnerability, CVE-2026-20127, affecting Cisco Catalyst SD-WAN Controller. Recently exploited in the wild as a zero-day.
  • #21238  - Adds a new linux/loongarch64/chmod payload to change the permissions of a specified file.
  • #21260  - Adds an exploit module for CVE-2026-27966, a prompt injection RCE vulnerability in Langflow < 1.8.0. A specially crafted flow containing Python code is created and sent to the target, and LangChain executes that code because LangChain’s Read-Eval-Print Loop (REPL) is exposed by default and runs any Python code it is given.

Enhancements and Features

  • Pro: Updates the network topology graph to also show bruteforcible services that are present on a host.
  • Pro: Adds multiple improvements to the quick pentest and exploit host vulnerability tracking capabilities.
  • #20814  - Updates the Windows service-for-user persistence technique.
  • #20973  - Enables command execution for non-interactive HWBridge sessions via the sessions -c flag. Additionally, the hwbridge/connect module now preserves parsed JSON error bodies from failed HTTP responses, which improves error messaging.
  • #20977  - Updates the exploit/unix/webapp/php_eval module to have a FORMDATA datastore option, which adds HTTP POST-request support and makes the HEADERS datastore option consistent with other modules.
  • #20979  - Updates the exploit/unix/webapp/php_include module with additional datastore options and makes its usage more consistent with the similar exploit/unix/webapp/php_eval module.
  • #21019  - Adds support for phpMyAdmin v3.1.x to the phpMyAdmin Config File Code Injection module (CVE-2009-1285). Also adds a check method.
  • #21031  - Enhances Metasploit’s LDAP/ADCS-related modules to automatically report related services (LDAP, DCERPC/ICertPassage/ADCS CA) and to improve vulnerability reporting by associating findings with the affected LDAP object’s DN (and, for ADCS template findings, the template name) so results are uniquely keyed and easier to interpret.
  • #21078  - Adds multiple improvements to the multi/http/churchcrm_install_unauth_rce module.
  • #21085  - Refactors the Block API code used by Windows payloads to leverage a new version of the hashing algorithm. Also fixes a bug whereby the MaximumLength field was used when calculating UNICODE_STRING names when it should have been the Length field.
  • #21229  - Updates the msfvenom utility to use the metadata cache. The result is roughly 2x faster execution times when listing modules.
  • #21230  - Reduces the memory footprint of the module metadata cache in Metasploit.
  • #21231  - Improves the performance of the module metadata cache and includes additional bug fixes.
  • #21232  - Adds a method to discover writable directories on Unix targets using the find command.
  • #21236  - Adds riscv64le and riscv32le architecture support to the fileless fetch payload adapter. This enables in-memory ELF execution via memfd_create on RISC-V Linux targets without writing to disk.
  • #21252  - Adds a new with_adcs_certificate_request method now used by both the MsIcpr and WebEnrollment mixins that abstracts away the enrollment process and takes a block that performs the actual request. The result is consolidation of messages and post-processing of the successfully issued certificate.
  • #21255  - Updates two Python payloads (cmd/unix/reverse_python and cmd/unix/reverse_python_ssl) to make the PythonPath option optional. When omitted, it defaults to a shim that will determine the appropriate version of Python at runtime using a small bash expression.
  • #21256  - Updates code and adds features: Linux support, check() method, and cleanup after exploit.
  • #21275  - Adds multiple improvements to the cve_2025_14847_mongobleed module, such as adding a dedicated check method, improved compression support detection as only zlib can be exploited, and resolving other false positives.
  • #21289  - Updates the db.hosts RPC call to now additionally include the comments associated with the host.
  • #21291  - Updates the module.info RPC call to now additionally include the notes associated with the module.
  • #21304  - Improves multiple auxiliary module check code messages and statuses.
  • #21307  - Improves vulnerability and vulnerability attempt tracking in Metasploit. Additional details are now registered, giving operators richer context when reviewing discovered vulnerabilities.
  • #21347  - Improves the OS version detection in the smb_version module when the target supports SMB version 1.

Bugs Fixed

  • Pro: Fixes a crash when running the ADCS MetaModule on Windows environments.
  • #21027  - Fixes ELF shared object (elf-so) payload generation failing on 32-bit ARM Linux and RISC-V 32-bit LE targets. The _start entry point in the ARM LE template was landing at a non-word-aligned offset, which violates the architecture’s 4-byte alignment requirement and caused the shared object to fail to load. The templates now use proper NASM align directives to ensure correct entry point alignment, and a similar fix is applied to the RISC-V 32-bit LE template.
  • #21153  - Fixes an issue with some mutable constant datastore options. Using shared options like CHOST or CPORT no longer changes visibility across modules.
  • #21268  - Fixes a crash with a small number of auxiliary modules when the check method was run and the vulnerability wasn’t present.
  • #21287  - Fixes the EXE templates that were rebuilt in https://github.com/rapid7/metasploit-framework/pull/20502  to work on legacy Windows targets like Server 2000 in case you find yourself in a combination hacking and time-travelling movie.
  • #21309  - Fixes a false positive in the fortinet_fortiweb_create_admin module when detecting the presence of an authentication bypass via path traversal vulnerability in the Fortinet FortiWeb management interface.
  • #21327  - Fixes a crash when loading HTTP modules.
  • #21341  - Fixes multiple issues related to various SMB modules when targeting Samba.
  • #21344  - Fixes a bug when running the check method for scanner/http/elasticsearch_traversal against non-vulnerable targets.
  • #21346  - Fixes a false positive that was present in auxiliary/scanner/couchdb/couchdb_enum.

Offline Update

Metasploit Framework and Pro Installers