Metasploit Release Notes

Adds multiple improvements and support for Active Directory Certificate Services (AD CS) workflows and exploitation.

This release adds 5 new modules, enhances 1 module, and fixes 1 bug. It includes new modules for Xorcom CompletePBX vulnerabilities, a WordPress SQL injection gather module, and fileformat modules for Windows Registry and JScript files.

This release adds 6 new modules and includes fixes to the Quick PenTest wizard, improved vulnerability attempt tracking, security updates and module bug fixes.

Introduces four new RCE exploit modules targeting vulnerabilities in vBulletin, WP Tatsu, Window's UNC path handling in .url files, and more.

This version improves logging when running msfupdate on Linux environments.

This version introduces 24 new modules, including RCEs for Ivanti EPM and Connect Secure, and Kerberos attack modules. It also features one enhanced module, 16 general enhancements (e.g., UI improvements, SOCKS5H support, Kerberoast and ASREP roasting additions), and 25 bug fixes covering various crashes, UI issues, and module functionalities.

Fixes a crash when loading the exploit scan page, as well as other stability improvements.

Introduces several enhancements, including improved web app testing with server name indication support, auxiliary module now show in in the related modules tab, and customizable Nmap host discovery options. New modules include exploits for CVE-2025-32433 and CVE-2025-2264, alongside a login scanner for OPNSense, and more.

This release adds workflow improvements for replaying tasks, and storing PKCS#12 files as credentials in the Manage Credentials page. Improvements have been added for LDAP Active Directory secret extraction, as well as introducing new modules for exploiting BentoML (CVE-2025-32375), Craft CMS (CVE-2025-32432), and more.

This release adds clearer error messages for invalid Nexpose console configuration, additional insights into the HTTP/HTTPS bruteforce targets, a new card view for module search, and fixes and improvements to the backup restoration process, as well as overall service stability when booting. This release also adds support for multiple new exploit modules targeting CrushFTP, pgAdmin, Oracle Access Manager (OAM), and more.