Release Notes

Enhancements and features (6)

• Pro: Adds a new card view to the module search page to see additional details on modules from that page, such as actions or targets relevant to the search terms, reliability, and side effects.
• Pro: Show additional useful error messages when configuring new Nexpose Consoles.
• Pro: Update the bruteforce attacks page to more clearly show the HTTP/HTTPS targets that will be bruteforced.
• #20015 - Metasploit will now no longer attempt to load external modules with unsupported runtimes as it caused crashes to occur. Now users are notified if they require to install Go or Python3.
• #20024 - Adds a new sslkeylogfile datastore option to HTTP modules to support decrypting SSL/TLS network traffic.

New module content (7)

• #19994 - This adds an exploit module for CVE-2021-35587, an unauthenticated deserialization vulnerability affecting Oracle Access Manager (OAM).
• #20000 - Adds an auxiliary module leveraging CVE-2025-2825, an authentication bypass in CrushFTP 11 < 11.3.1 and 10 < 10.8.4, to obtain working session cookies for the target user account.
• #20007 - This module adds exploit for CVE-2024-55964, a misconfigured PostgreSQL instance in Appsmith, which can lead to remote code execution (RCE).
• #20008 - Module for CVE-2024-12971, command injection in directory settings for PandoraFMS. The module requires admin credentials, but if MySQL with default credentials is exposed, the module creates a new admin profile.
• #20018 - A new module for CVE-2025-2945, authenticated remote code execution in pgAdmin. The vulnerability lies within Query Tool. For successful exploitation, an attacker needs a set of valid credentials for pgAdmin and credentials for target database.
• #20022 - This adds a module for CVE-2025-3248, an unauthenticated RCE vulnerability that affects Langflow versions prior to 1.3.0.
• #20041 - This adds a module for an unauthenticated remote code execution in BentoML (CVE-2025-27520).

Bugs fixed (5)

• Pro: Fixes a bug when performing backup/restore functionality on non-systemd environments.
• Pro: Fixes a startup bug where the Metasploit Pro Service would attempt to start up before the Metasploit PostgreSQL service was ready.
• #20013 - Fixes a crash when using the module search cache with an integer.
• #20036 - Fixes an issue with the exploit/windows/local/unquoted_service_path module that previously claimed a file upload was successful regardless of whether the file upload was successful or not.
• #20043 - Update Open WAN-to-LAN proxy on AT&T routers error handling when an older Python version is detected.

Offline Update

• https://updates.metasploit.com/packages/512244cfc0c6a1db8a85fb0bab5de72f4ed0911c533f97a9cbcb138d16aed7a7.bin

Metasploit Framework and Pro Installers

• https://github.com/rapid7/metasploit-framework/wiki/Downloads-by-Version