Metasploit Pro Version 5.0.0-2026070101 Release Notes
Copy link

Software release date: July 1, 2026 | Release notes published: July 1, 2026

New Module Content (13)
Copy link

  • #21239  - Adds a new linux/loongarch64/exec command payload.
  • #21371  - Exploits authentication failure (CVE-2026-34413), extension blacklist (CVE-2026-34415), and path traversal (CVE-2026-34414) vulnerabilities in Xerte Online Toolkits versions 3.15 and earlier.
  • #21430  - Adds a module that exploits the NTLMRelay2Self attack. It requires a low-privilege user session on a Windows host.
  • #21449  - Adds a new persistence module for Windows and Linux targets that achieves persistence by installing a malicious Joplin plugin. The module executes arbitrary code whenever Joplin starts on the target system.
  • #21472  - Adds a post module that leverages CVE-2026-46333, a vulnerability in the Linux kernel whereby a race condition exists when tearing down a process. This can be exploited by a local attacker to obtain file handles they would not otherwise have access to. In the exploit, this is leveraged to leak the contents of the /etc/shadow file.
  • #21491  - Adds an exploit module for Peyara Remote Mouse v1.0.1 unauthenticated RCE.
  • #21493  - Adds an exploit module for Dalfox Server versions <= 2.12.0 which are vulnerable to an unauthenticated RCE tracked as CVE-2026-45087. The vulnerability allows attackers to send arbitrary commands via the found-action post parameter which gets deserialized and run in the context of the user running the server.
  • #21523  - Adds a new “modem” session type that allows you to open a session to an arbitrary modem and pivot your network traffic over it as if it were a Meterpreter session.
  • #21525  - Adds an exploit module for CVE-2026-0826, an unauthenticated stack based buffer overflow affecting every model in the HP Poly VVX series, and the HP Poly Trio series of VoIP devices when they have the non-default ICE feature enabled. Also adds a new cmd/unix/bind_socat_tcp payload which was required in order to exploit this device.
  • #21565  - Adds audiobookshelf_auth_bypass, a detection module for CVE-2025-25205 — an unauthenticated API authentication bypass in Audiobookshelf (self-hosted audiobook/podcast server), affecting versions 2.17.0 – 2.19.0 (fixed in 2.19.1).
  • #21566  - Adds nextjs_middleware_auth_bypass, a detection module for CVE-2025-29927 (CVSS 9.1) — an authorization bypass in self-hosted Next.js applications.
  • #21567  - Adds auxiliary/scanner/http/litellm_proxy_sqli, a detection module for CVE-2026-42208 (CVSS 9.3, on the CISA KEV list) — a pre-authentication SQL injection in BerriAI LiteLLM proxy.
  • #21581  - Adds the ability to upgrade authenticated SMB sessions to Meterpreter sessions using PsExec techniques.

Enhancements and Features (12)
Copy link

  • Pro: Adds UI improvements to the vulnerabilities table.
  • #21259  - Adds a number of enhancements to msfconsole’s search functionality by cleaning up some inconsistencies and giving users the option to hide the child elements of search results with the -c flag. Also introduces two global options, SearchSort and SearchChildMode, that users can set and forget in order to control ascending/descending search results and whether or not child items appear under search results respectively.
  • #21367  - Adds a number of enhancements to the rexec_login module including more detailed output, a check for an rDNS failure, an update to the module description and removal of duplicate IP:PORT printing.
  • #21369  - Adds a number of enhancements for the vsftpd_232 module. Improves the check method, module output and reporting.
  • #21381  - Adds a number of improvements to the proftpd_133c_backdoor module. Adds a check method, updates module metadata and improves the verbosity of logging.
  • #21396  - Makes improvements to the auth_brute mixin. Adds report_host and report_service calls to the mixin and removes duplicate printing of IP:PORT in the print_brute statements.
  • #21454  - Updates many modules by adding additional details to the check codes that are returned by the #check method, which provides additional information for the user. Also updates the requirements of new modules to contain this extra information moving forward.
  • #21469  - Adds CertificateTrace support to the ldap_login module so operators can trace certificates when LDAP::Auth is set to schannel.
  • #21512  - Updates the Metasploit MCP tool to expose note information on Metasploit modules, as well as host comments.
  • #21527  - Adds authentication support to the MCP server’s HTTP transport by default.
  • #21537  - Adds a plugin to start and stop a model context protocol (MCP) server within msfconsole. When compared to the standalone msfmcpd tool, this has the significant advantage of automatically loading the RPC server within the context of a running framework instance which enables AI tools to assist the operator without needing to restart Metasploit.
  • #21542  - Updates the scanner/redis/redis_server module to output server INFO details as a readable table.
  • #21562  - Updates the usage of rex-socket’s recvfrom method to align with the standard library implementation. Also allows rex-socket to now be used as a drop-in replacement for Ruby’s UDPSocket.

Bugs Fixed (5)
Copy link

  • #21441  - Improves the MCP server lifecycle control and enables graceful shutdowns by transitioning from Rack’s handler to direct Puma server API management.
  • #21570  - Fixes an issue where it was not possible to generate ARM Big Endian payloads.
  • #21571  - Deleted files are now excluded when running msfconsole reload commands.
  • #21618  - Fixes a crash when running the scanner/discovery/udp_sweep module on Windows environments.
  • #21624  - Fixes a bug with SSH session’s debug information showing the incorrect value localuser @ instead of ssh_user @ ssh_ip.

Offline Update
Copy link

Metasploit Framework and Pro Installers
Copy link