Metasploit Pro Version 5.0.0-2026051301 Release Notes

Software release date: May 13, 2026 | Release notes published: May 13, 2026

New Module Content (2)

  • #21323  - Adds a new NTLM relay module that relays from HTTP to LDAP. On success, an authenticated LDAP session is opened which allows the operator to interact with the LDAP service in the context of the relayed identity.
  • #21395  - Adds a module for CVE-2026-31431 (The Copy Fail LPE for Linux), a local privilege escalation affecting almost every Linux kernel since 2017.

Enhancements and Features (15)

  • Pro: Updates the services table to show additional service hierarchy details.
  • Pro: Updates the single module run page to accept a single port; previously, only a port range was accepted.
  • Pro: Adds OpenSSL configuration for Postgres.
  • Pro: Updates task logs authentication logic.
  • Pro: Uploading and deleting resource scripts now requires admin access.
  • Pro: Improves stability for RHEL 10 installation targets, and adds additional error logging when creating backups.
  • Pro: Improves performance for the workspace dashboard.
  • #21315  - Adds a read-only MCP server for Metasploit capable of retrieving information from the loaded modules and database.
  • #21342  - Defers the loading of some dependencies to improve console boot time.
  • #21352  - Improves multiple module check code messages and statuses.
  • #21372  - Updates the FTP anonymous scanner module. Key changes include moving the module to align with other generic FTP modules, adding and updating CVE references and documentation notes, and cleaning up the output to be more verbose. Additionally, the module now reports service and vulnerability data to the database and stores exploitation evidence in the loot upon a successful run.
  • #21380  - Updates multiple FTP modules to now register FTP service information in the database when successfully connecting to an FTP service.
  • #21404  - Extends support for Copy Fail to ARMLE Linux targets.
  • #21410  - Improves the exploit/multi/http/shiro_rememberme_v124_deserialize module by adding a JAVA_GADGET_CHAIN datastore option that allows the operator to adjust the chain used for deserialization. This enables the module to exploit additional targets.
  • #21418  - Improves the platform-agnostic library used to obtain the OS architecture with support for shell sessions on Linux, BSD, and macOS.

Bugs Fixed (10)

  • Pro: Fixes an issue where Basic Payload Options were being restored to default whenever attempting to replay a module.
  • Pro: Improves stability with the diagnostics script generation on Linux machines with newer versions of OpenSSL present, such as RHEL 9 and RHEL 10.
  • Pro: Fixes Target Settings not persisting when replaying a module. Previously it would return to the default setting after every run. Now it will populate the previously selected option.
  • Pro: Fixes a crash when attempting to install on RHEL 10.
  • Pro: Fixes an edge case with the error handling when sending phishing campaign emails.
  • #21314  - Fixes a crash that occurred when the scanner/http/trace module was run with the database enabled and a vulnerability was reported.
  • #21411  - Fixes a bug in the linux/x64/exec payload caused by the CMD datastore option not being escaped before being placed in the assembly source.
  • #21413  - Fixes a logic error in the exploits/linux/http/projectsend_unauth_rce module that incorrectly checked whether a new user had been created.
  • #21421  - Adds extra validation to report_vuln and delete_vuln in Msf::DBManager::Vuln to ensure required fields are present and avoid a crash.
  • #21425  - Fixes a bug when parsing FTP server responses.

Offline Update

Metasploit Framework and Pro Installers