Metasploit Pro Version 5.0.0-2026070101 Release Notes
Software release date: July 1, 2026 | Release notes published: July 1, 2026
New Module Content (13)
- #21239 - Adds a new
linux/loongarch64/execcommand payload. - #21371 - Exploits authentication failure (CVE-2026-34413), extension blacklist (CVE-2026-34415), and path traversal (CVE-2026-34414) vulnerabilities in Xerte Online Toolkits versions 3.15 and earlier.
- #21430 - Adds a module that exploits the NTLMRelay2Self attack. It requires a low-privilege user session on a Windows host.
- #21449 - Adds a new persistence module for Windows and Linux targets that achieves persistence by installing a malicious Joplin plugin. The module executes arbitrary code whenever Joplin starts on the target system.
- #21472 - Adds a post module that leverages CVE-2026-46333, a vulnerability in the Linux kernel whereby a race condition exists when tearing down a process. This can be exploited by a local attacker to obtain file handles they would not otherwise have access to. In the exploit, this is leveraged to leak the contents of the
/etc/shadowfile. - #21491 - Adds an exploit module for Peyara Remote Mouse v1.0.1 unauthenticated RCE.
- #21493 - Adds an exploit module for Dalfox Server versions <= 2.12.0 which are vulnerable to an unauthenticated RCE tracked as CVE-2026-45087. The vulnerability allows attackers to send arbitrary commands via the
found-actionpost parameter which gets deserialized and run in the context of the user running the server. - #21523 - Adds a new “modem” session type that allows you to open a session to an arbitrary modem and pivot your network traffic over it as if it were a Meterpreter session.
- #21525 - Adds an exploit module for CVE-2026-0826, an unauthenticated stack based buffer overflow affecting every model in the HP Poly VVX series, and the HP Poly Trio series of VoIP devices when they have the non-default ICE feature enabled. Also adds a new
cmd/unix/bind_socat_tcppayload which was required in order to exploit this device. - #21565 - Adds
audiobookshelf_auth_bypass, a detection module for CVE-2025-25205 — an unauthenticated API authentication bypass in Audiobookshelf (self-hosted audiobook/podcast server), affecting versions 2.17.0 – 2.19.0 (fixed in 2.19.1). - #21566 - Adds
nextjs_middleware_auth_bypass, a detection module for CVE-2025-29927 (CVSS 9.1) — an authorization bypass in self-hosted Next.js applications. - #21567 - Adds
auxiliary/scanner/http/litellm_proxy_sqli, a detection module for CVE-2026-42208 (CVSS 9.3, on the CISA KEV list) — a pre-authentication SQL injection in BerriAI LiteLLM proxy. - #21581 - Adds the ability to upgrade authenticated SMB sessions to Meterpreter sessions using PsExec techniques.
Enhancements and Features (12)
- Pro: Adds UI improvements to the vulnerabilities table.
- #21259 - Adds a number of enhancements to
msfconsole’s search functionality by cleaning up some inconsistencies and giving users the option to hide the child elements of search results with the-cflag. Also introduces two global options,SearchSortandSearchChildMode, that users can set and forget in order to control ascending/descending search results and whether or not child items appear under search results respectively. - #21367 - Adds a number of enhancements to the
rexec_loginmodule including more detailed output, a check for an rDNS failure, an update to the module description and removal of duplicateIP:PORTprinting. - #21369 - Adds a number of enhancements for the
vsftpd_232module. Improves the check method, module output and reporting. - #21381 - Adds a number of improvements to the
proftpd_133c_backdoormodule. Adds a check method, updates module metadata and improves the verbosity of logging. - #21396 - Makes improvements to the
auth_brutemixin. Addsreport_hostandreport_servicecalls to the mixin and removes duplicate printing ofIP:PORTin theprint_brutestatements. - #21454 - Updates many modules by adding additional details to the check codes that are returned by the
#checkmethod, which provides additional information for the user. Also updates the requirements of new modules to contain this extra information moving forward. - #21469 - Adds
CertificateTracesupport to theldap_loginmodule so operators can trace certificates whenLDAP::Authis set toschannel. - #21512 - Updates the Metasploit MCP tool to expose note information on Metasploit modules, as well as host comments.
- #21527 - Adds authentication support to the MCP server’s HTTP transport by default.
- #21537 - Adds a plugin to start and stop a model context protocol (MCP) server within
msfconsole. When compared to the standalonemsfmcpdtool, this has the significant advantage of automatically loading the RPC server within the context of a running framework instance which enables AI tools to assist the operator without needing to restart Metasploit. - #21542 - Updates the
scanner/redis/redis_servermodule to output serverINFOdetails as a readable table. - #21562 - Updates the usage of rex-socket’s
recvfrommethod to align with the standard library implementation. Also allows rex-socket to now be used as a drop-in replacement for Ruby’sUDPSocket.
Bugs Fixed (5)
- #21441 - Improves the MCP server lifecycle control and enables graceful shutdowns by transitioning from Rack’s handler to direct Puma server API management.
- #21570 - Fixes an issue where it was not possible to generate ARM Big Endian payloads.
- #21571 - Deleted files are now excluded when running
msfconsolereload commands. - #21618 - Fixes a crash when running the
scanner/discovery/udp_sweepmodule on Windows environments. - #21624 - Fixes a bug with SSH session’s debug information showing the incorrect value
localuser @instead ofssh_user @ ssh_ip.