Metasploit Release Notes

Aug 04, 2025
4.22.8-2025080401

Adds multiple improvements and support for Active Directory Certificate Services (AD CS) workflows and exploitation.

Jul 30, 2025
4.22.8-2025073001

This release adds 5 new modules, enhances 1 module, and fixes 1 bug. It includes new modules for Xorcom CompletePBX vulnerabilities, a WordPress SQL injection gather module, and fileformat modules for Windows Registry and JScript files.

Jul 18, 2025
4.22.8-2025071801

This release adds 6 new modules and includes fixes to the Quick PenTest wizard, improved vulnerability attempt tracking, security updates and module bug fixes.

Jun 30, 2025
4.22.8-2025063001

Introduces four new RCE exploit modules targeting vulnerabilities in vBulletin, WP Tatsu, Window's UNC path handling in .url files, and more.

Jun 19, 2025
4.22.7-2025061901

This version improves logging when running msfupdate on Linux environments.

Jun 12, 2025
4.22.7-2025061201

This version introduces 24 new modules, including RCEs for Ivanti EPM and Connect Secure, and Kerberos attack modules. It also features one enhanced module, 16 general enhancements (e.g., UI improvements, SOCKS5H support, Kerberoast and ASREP roasting additions), and 25 bug fixes covering various crashes, UI issues, and module functionalities.

May 22, 2025
4.22.7-2025052201

Fixes a crash when loading the exploit scan page, as well as other stability improvements.

May 12, 2025
4.22.7-2025051201

Introduces several enhancements, including improved web app testing with server name indication support, auxiliary module now show in in the related modules tab, and customizable Nmap host discovery options. New modules include exploits for CVE-2025-32433 and CVE-2025-2264, alongside a login scanner for OPNSense, and more.

May 01, 2025
4.22.7-2025050101

This release adds workflow improvements for replaying tasks, and storing PKCS#12 files as credentials in the Manage Credentials page. Improvements have been added for LDAP Active Directory secret extraction, as well as introducing new modules for exploiting BentoML (CVE-2025-32375), Craft CMS (CVE-2025-32432), and more.

Apr 21, 2025
4.22.7-2025042101

This release adds clearer error messages for invalid Nexpose console configuration, additional insights into the HTTP/HTTPS bruteforce targets, a new card view for module search, and fixes and improvements to the backup restoration process, as well as overall service stability when booting. This release also adds support for multiple new exploit modules targeting CrushFTP, pgAdmin, Oracle Access Manager (OAM), and more.