Apr 06, 2025
4.22.7-2025040601

Improved

  • Pro: Updates Metasploit Pro's module search with performance improvements, pagination, the ability to search for fetch payloads, and searching of additional fields (targets, actions, etc). Multiple search terms are now combined with AND rather than OR: searching for postgres login shows only modules that match both terms instead of either one.
  • Pro: Adds support for replaying previously run MetaModules from the task list view. The Replay button returns the user to the MetaModule menu with the previously saved inputs; the user can then adjust the inputs if needed and launch the MetaModule workflow again.
  • Pro: The modules search page now highlights matching search terms in the search results table.
  • Pro: The modules search page has replaced the usage of stars to represent module ranking, and now values such as 'excellent', 'great', 'normal' etc are used. Hovering a mouse above these values will provide a description about their behaviors.
  • Pro: Improves the start-up performance of Metasploit Pro's built-in diagnostic console, which is available through the web browser.
  • Pro: Enhances the module search functionality to allow linking to specific queries and search result pages. It is now also possible to click an entry in the example search keywords table and see the results it returns.
  • Pro: New social engineering campaigns will now be highlighted.
  • Pro: Increases the connection timeout for Nexpose hosts from 5 seconds to 30 seconds.
  • PR 19606 - Updates the LDAP modules to use datastore options for authentication that are prefixed with LDAP, allowing them to be used in larger workflows that merge datastore options for multiple protocols.
  • PR 19639 - Adds support for the check method in relay modules and updates the two relay modules present in Metasploit Framework. In the case of the SMB Relay module, this checks if the target has SMB signing disabled. In the case of ESC8, it checks that the target URI responds with a 401 and offers NTLM as an authentication mechanism.
  • PR 19736 - This update adds support for the new Pkcs12 data format, allowing the CA and AD CS template to be stored as metadata in the database. Additionally, Pkcs12 passwords can now be stored as metadata, with validation ensuring correct passwords are provided when adding encrypted Pkcs12 files using the creds command.
  • PR 19879 - Updates the existing MsDtypSecurityDescriptor class to include a #to_sddl_text method. This allows an initialized object to be displayed using the Security Descriptor Definition Language (SDDL) defined by Microsoft.
  • PR 19884 - Add OSVDB search functionality to msfconsole e.g. search osvdb:67241.
  • PR 19885 - Improve msfconsole's module search performance by caching search regexes.
  • PR 19887 - Updates the reload_lib command to ignore Gemfiles.
  • PR 19917 - Adds crypto primitives for AES key derivation (NIST SP 800-108 KDF in counter mode) and AES key unwrapping (NIST SP 800-38F), replacing RubySMB's implementation, which does not support all of the parameters.
  • PR 19927 - Improves the support of several Linux distros in the get_sysinfo library function in Msf::Post::Linux::System.
  • PR 19933 - Updates the auxiliary/scanner/ldap/ldap_login module with a new CreateSession option which controls the opening of an interactive LDAP session. This functionality was previously behind a feature flag, but is now enabled by default.
  • PR 19946 - Adds a warning that intends to help users that are performing relay attacks. It notes that the attack won't work when relaying SMB to SMB on the same host if the MS08-068 patch has been applied.
  • PR 19984 - This improves AD CS workflows by adding additional error handling.
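The two primitives mentioned in PR 19917 are small enough to show in full. The block below is an added illustration written for this page, not Metasploit's or RubySMB's code: it implements RFC 3394 AES key wrap/unwrap (the KW mode of NIST SP 800-38F) on top of Ruby's OpenSSL bindings, and a NIST SP 800-108 KDF in counter mode with HMAC-SHA256 as the PRF. The wrap result is checked against the RFC 3394 section 4.1 test vector; the KDF label and context strings, and the all-zero session key, are constructed for the demonstration. The separator byte, counter width, PRF and output length are exactly the parameters that differ between protocols, which is why a general implementation is worth having.

```ruby
require 'openssl'

# Added example, not Metasploit/RubySMB code. Implements RFC 3394 (SP 800-38F KW)
# AES key wrap/unwrap and an SP 800-108 counter-mode KDF with HMAC-SHA256.
KW_IV = ['A6A6A6A6A6A6A6A6'].pack('H*').freeze # RFC 3394 default integrity check value

# One raw AES block operation (ECB, no padding); the key size selects AES-128/192/256.
def aes_block(key, block, encrypt)
  cipher = OpenSSL::Cipher.new("aes-#{key.bytesize * 8}-ecb")
  encrypt ? cipher.encrypt : cipher.decrypt
  cipher.key = key
  cipher.padding = 0
  cipher.update(block) + cipher.final
end

# XOR a 64-bit block with the round counter t as a big-endian integer (RFC 3394, section 2.2.1).
def xor_t(block8, t)
  [block8.unpack1('Q>') ^ t].pack('Q>')
end

# Wrap: input is n >= 2 64-bit blocks of key data; output is n+1 blocks, the first being the ICV.
def aes_key_wrap(kek, plaintext)
  n = plaintext.bytesize / 8
  raise ArgumentError, 'key data must be a multiple of 8 bytes and at least 16 bytes' if n < 2 || plaintext.bytesize % 8 != 0
  a = KW_IV.dup
  r = plaintext.unpack('a8' * n)
  6.times do |j|
    (1..n).each do |i|
      b = aes_block(kek, a + r[i - 1], true)
      a = xor_t(b[0, 8], n * j + i)
      r[i - 1] = b[8, 8]
    end
  end
  a + r.join
end

# Unwrap: inverse of aes_key_wrap. A mismatched ICV means a wrong KEK or a tampered blob,
# so it is reported as an error rather than returning garbage key material.
def aes_key_unwrap(kek, ciphertext)
  n = ciphertext.bytesize / 8 - 1
  raise ArgumentError, 'wrapped key must be a multiple of 8 bytes and at least 24 bytes' if n < 2 || ciphertext.bytesize % 8 != 0
  a = ciphertext[0, 8]
  r = ciphertext[8..-1].unpack('a8' * n)
  5.downto(0) do |j|
    n.downto(1) do |i|
      b = aes_block(kek, xor_t(a, n * j + i) + r[i - 1], false)
      a = b[0, 8]
      r[i - 1] = b[8, 8]
    end
  end
  raise OpenSSL::Cipher::CipherError, 'key unwrap integrity check failed' unless a == KW_IV
  r.join
end

# SP 800-108 KDF in counter mode with HMAC-SHA256:
#   K(i) = HMAC(Ki, [i]_32 || Label || 0x00 || Context || [L]_32), i = 1..ceil(L/256)
# Label and Context are passed as raw bytes so callers control any trailing NUL themselves.
def kdf_counter_hmac_sha256(ki, label, context, length_bits)
  out = ''.b
  blocks = (length_bits + 255) / 256
  (1..blocks).each do |i|
    input = [i].pack('N') + label.b + "\x00".b + context.b + [length_bits].pack('N')
    out << OpenSSL::HMAC.digest('SHA256', ki, input)
  end
  out[0, length_bits / 8]
end

if __FILE__ == $PROGRAM_NAME
  kek = ['000102030405060708090A0B0C0D0E0F'].pack('H*')   # RFC 3394 section 4.1 KEK
  key = ['00112233445566778899AABBCCDDEEFF'].pack('H*')   # RFC 3394 section 4.1 key data
  wrapped = aes_key_wrap(kek, key)
  puts "wrapped:   #{wrapped.unpack1('H*')}" # 1fa68b0a8112b447aef34bd8fb5a7b829d3e862371d2cfe5
  puts "unwrapped: #{aes_key_unwrap(kek, wrapped).unpack1('H*')}"
  session_key = "\x00".b * 16 # constructed, for illustration only
  derived = kdf_counter_hmac_sha256(session_key, "ExampleLabel\x00", "ExampleContext\x00", 128)
  puts "derived:   #{derived.unpack1('H*')}"
end
```

Unwrapping with the wrong KEK raises instead of returning data, which is the behaviour a caller storing wrapped secrets should rely on; the KDF's length parameter is part of the PRF input, so a 128-bit and a 256-bit derivation from the same label and context share no bytes.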

Fixed

  • Pro: Fixes the broken file upload and file deletion functionality for open sessions.
  • Pro: Fixes an issue for Linux users where Metasploit Pro would not start its services again after a successful update. Users were previously required to manually start these services again.
  • Pro: Ensures the task chain list is correctly refreshed after stopping a task chain.
  • Pro: Fixes an edge-case crash when attempting to view a task that has not generated any logs yet.
  • Pro: Fixes a bug which caused metamodules to be marked as still running, even though the associated task had completed successfully already.
  • Pro: Fixes a bug in the global project search capabilities that led to no search results being returned if additional whitespace was present in the user's search string.
  • Pro: Fixes a bug on smaller screen resolutions that stopped users from selecting values within the Choose a Nexpose console dropdown menu when importing data to Metasploit Pro.
  • Pro: Fixes a bug that stopped multiple offline installs from being run consecutively.
  • Pro: Fixes a bug when using msfpro on the command line with arguments containing spaces, e.g. /opt/metasploit/msfpro -- -x "pro_project example-project-name".
  • Pro: Fixes a crash when rendering MetaModule statistic names.
  • Pro: Fixes a crash when visiting the global backup page under specific circumstances.
  • PR 19745 - This adds an escape_args method to all CommandShells that finds the appropriate OS escaping routines for an SSH server.
  • PR 19810 - This updates the Kemp LoadMaster Local sudo privilege escalation exploit by adding a verification to the file content checks so that the module doesn't crash when trying to open files that do not exist. It also adds a proper CVE to the references section now that a CVE exists.
  • PR 19871 - This fixes the ELF template file for Linux aarch64 payloads.
  • PR 19875 - Works around odd behavior of the read syscall on the Raspberry Pi 4B: data read from the socket is not visible immediately after the read syscall returns, so a sync syscall is now issued after it. This behavior is not present on the Raspberry Pi 3, Raspberry Pi 5, emulators, or Microsoft's AARCH64 Devkit.
  • PR 19893 - Removes a CVE reference from an LPE module because the vulnerability identified by the CVE is not what the module exploits. The CVE refers to an RCE whose analysis led to the discovery of the technique the LPE module employs; that LPE technique was never acknowledged by the vendor as a vulnerability.
  • PR 19902 - This fixes the byte to integer and integer to byte conversion in the MsAdts library used by the Shadow Credentials module.
  • PR 19919 - This fixes an issue in the gather/ldap_esc_vulnerable_cert_finder that would come up when checking templates for ESC13 that had missing issuance policy OIDs.
  • PR 19922 - Fixes a crash when searching by target, i.e. search targets:python.
  • PR 19925 - Fixes a bug that caused a module's validation logic to not always be executed.
  • PR 19932 - Fixes a crash when running the exploits/windows/mssql/mssql_payload module against previously opened Microsoft SQL Server sessions.
  • PR 19934 - This addresses several bugs in the exploit/linux/misc/cisco_ios_xe_rce module, which was failing for Cisco IOS XE version 17.06.05 on C8000v series appliances. Fixes include correcting the /webui URI to /webui/ (with a trailing slash) and adjusting the case sensitivity in the /webui_wsma_https URI for both CSR1000v and C8000v appliances. Additionally, the module now properly distinguishes between HTTPS and HTTP targets, ensuring compatibility with both appliance series.
  • PR 19937 - Fixes a crash when a running HTTP server attempted to perform HTML escaping.
  • PR 19944 - Enhances the existing module for CVE-2025-0655 by adding a dynamically generated session to bypass authentication.
  • PR 19955 - Updates the way we tag URLs in gather/ldap_esc_vulnerable_cert_finder to better support vulnerability reporting.
  • PR 19960 - Adds a more reliable check method that takes the Windows build revision number into account when running the Windows Kernel Time of Check Time of Use LPE (CVE-2024-30038) module.
  • PR 19962 - This preemptively updates the API host for the ZoomEye search module to reflect changes made by the upstream organization.
  • PR 19987 - This updates the Ivanti and SonicWall Bruteforce modules to use #initialize methods that accept a single argument as the LoginScanner classes should. It also renames the modules to follow the standard convention and adds a small fix to catch an unhandled connection error that was being thrown by the SonicWall module.
  • PR 19993 - Fixes an issue where payloads using the cmd/base64 encoder with \x20 (space) in badchars failed with syntax errors in POSIX shells when $ was followed by parentheses. Unnecessary spaces were removed from the payload to ensure proper execution in Unix-based environments.
  • PR 19998 - Fixes a crash when running the auxiliary/crawler/msfcrawler module.

Modules

  • PR 19712 - Adds an auxiliary module that retrieves Network Access Account (NAA) credentials from a System Center Configuration Manager (SCCM) server. Given a computer account name and password (a standard AD domain user can typically create such an account), a misconfigured SCCM server will hand out the NAA credentials when requested.
  • PR 19802 - Local privilege escalation for Windows exploiting CVE-2024-30085. It allows users to escalate an existing session to higher privileges.
  • PR 19832 - Adds a module that runs an SMB capture server that relays the credentials to one or more LDAP servers, verifies the credentials, and can establish an LDAP session with the relayed authentication.
  • PR 19841 - Adds support for CVE-2024-24578, an unauthenticated file write and ZipSlip vulnerability: an attacker can upload a compressed file that is expanded automatically without its entry paths being validated, allowing arbitrary files to be overwritten. In this case, the module overwrites the watchdog script, which cron runs every 5 minutes.
  • PR 19850 - Adds fetch-payload support for aarch64, armbe, armle, mipsbe, mipsle, ppc, ppc64 and ppc64le payloads.
  • PR 19877 - Adds a module that chains two bugs, CVE-2024-12356 and CVE-2025-1094: an argument injection in the BeyondTrust code base and a SQL injection in the PostgreSQL code base, respectively.
  • PR 19878 - This adds an auxiliary module for credential harvesting on MySCADA MyPro Manager using CVE-2025-24865 and CVE-2025-22896.
  • PR 19881 - This adds an auxiliary module allowing arbitrary file read on vulnerable (CVE-2024-48766) NetAlertX targets.
  • PR 19883 - This adds an exploit module for InvokeAI unauthenticated RCE (CVE-2024-12029).
  • PR 19894 - This adds an auxiliary module for SimpleHelp, the vulnerability (CVE-2024-57727) is a path traversal which allows arbitrary file read.
  • PR 19897 - This adds an exploit module for Invoice Ninja, the vulnerability (CVE-2024-55555) is an unauthenticated RCE exploitable by having the APP_KEY value for the Laravel installation.
  • PR 19899 - Adds a module that exploits a bypass (CVE-2025-0655) of an older vulnerability (CVE-2024-3408), leading to remote code execution (RCE) in D-Tale, a visualizer for pandas data structures.
  • PR 19947 - This adds an exploit module for CVE-2025-27217, a .NET deserialization vulnerability for Sitecore.
  • PR 19950 - Deserialization module for CVE-2024-55556, exploiting unauthenticated PHP deserialization vulnerability in InvoiceShelf.
  • PR 19957 - This adds an exploit for CVE-2023-36255 which is an authenticated command injection vulnerability in Eramba.
  • PR 19974 - This adds an auxiliary module for an Unauth Blind Boolean SQLi (CVE-2025-24799) vulnerability in GLPI <= 1.0.18 when the Inventory Plugin is installed and enabled.
  • PR 19980 - This adds an exploit module for CMSMadeSimple <= v2.2.21, vulnerable to an authenticated RCE (CVE-2023-36969).
  • PR 19985 - This PR adds a login scanner module for pfSense which can be used to brute force valid credentials to the web GUI.
  • PR 19995 - This adds an exploit module for CVE-2025-24813, a deserialization vulnerability in Apache Tomcat.
  • PR 19935 - This adds a module to brute-force the login credentials for SonicWall NSv HTTP Login.

Offline Update

Metasploit Framework and Pro Installers