Metasploit Release Notes

Introduces four new RCE exploit modules targeting vulnerabilities in vBulletin, WP Tatsu, Window's UNC path handling in .url files, and more.

This version improves logging when running msfupdate on Linux environments.

This version introduces 24 new modules, including RCEs for Ivanti EPM and Connect Secure, and Kerberos attack modules. It also features one enhanced module, 16 general enhancements (e.g., UI improvements, SOCKS5H support, Kerberoast and ASREP roasting additions), and 25 bug fixes covering various crashes, UI issues, and module functionalities.

Fixes a crash when loading the exploit scan page, as well as other stability improvements.

Introduces several enhancements, including improved web app testing with server name indication support, auxiliary module now show in in the related modules tab, and customizable Nmap host discovery options. New modules include exploits for CVE-2025-32433 and CVE-2025-2264, alongside a login scanner for OPNSense, and more.

This release adds workflow improvements for replaying tasks, and storing PKCS#12 files as credentials in the Manage Credentials page. Improvements have been added for LDAP Active Directory secret extraction, as well as introducing new modules for exploiting BentoML (CVE-2025-32375), Craft CMS (CVE-2025-32432), and more.

This release adds clearer error messages for invalid Nexpose console configuration, additional insights into the HTTP/HTTPS bruteforce targets, a new card view for module search, and fixes and improvements to the backup restoration process, as well as overall service stability when booting. This release also adds support for multiple new exploit modules targeting CrushFTP, pgAdmin, Oracle Access Manager (OAM), and more.

Enhances the module search capabilities, users can now search for fetch payloads and refine their search results with additional search terms. Adds support for replaying previously run modules and MetaModules from the tasklist view. Fixes multiple bugs including improvements for Linux targets. Adds new exploits targeting BeyondTrust, MySCADA, SCCM and more.

Fixes outdated documentation links. Users can now right-click and paste wordlists into the bruteforce page. Includes fixes for the stop tasks button not visually updating the module status, and better error handling when failing to reset the user's password. Multiple enhancements for LDAP and ESC features including ESC15 patch detection within the `icpr_cert` module. New modules include support for targeting CraftCMS, LibreNMS, mySCADA, and more.

The module run page now allows users to select between executing the check or run capabilities of a Metasploit module. This release also contains multiple stability improvements including reduced startup time, enhanced support for restoring backups on newer versions of Chrome, enhanced diagnostics tooling, and more.