Jun 12, 2025
4.22.7-2025061201

This version introduces 24 new modules, including RCEs for Ivanti EPM and Connect Secure, and Kerberos attack modules. It also features one enhanced module, 16 general enhancements (e.g., UI improvements, SOCKS5H support, Kerberoast and ASREP roasting additions), and 25 bug fixes covering various crashes, UI issues, and module functionalities.

New module content (24)

  • #19472 - This adds a module for udev persistence for Linux targets. The module requires root access because it creates udev rules. It will create a rule under the directory /lib/udev/rules./ and a malicious binary containing the payload. Successful exploitation requires the presence of the at binary on the system.
  • #19777 - Adds a module to install persistence relying on CVE-2024-53326, a .NET deserialization vulnerability in the startup of LINQPad versions prior to 5.52.
  • #19976 - This enables the creation of PHP payloads wrapped around bash / sh commands.
  • #20020 - This adds a module for Nextcloud Workflow (CVE-2023-26482). Exploitation requires a set of valid credentials. Nextcloud needs to have “Workflow external script” installed and enabled.
  • #20026 - This adds a module for vulnerable file upload in Car Rental System 1.0. It requires a set of valid credentials to receive admin access.
  • #20072 - This adds a fileformat module for the “MalDoc in PDF” technique, which hides a malicious Word document in PDF.
  • #20096 - This adds an exploit module for Gladinet CentreStack/Triofox, which leverages an unsafe deserialization flaw that allows execution of arbitrary commands.
  • #20112 - Adds an exploit module targeting CVE-2025-22457, a Stack-based Buffer Overflow vulnerability in Ivanti Connect Secure 22.7R2.5 and earlier.
  • #20123 - This adds an auxiliary module for two vulnerabilities in PowerCom UPSMON PRO - path traversal and credential harvesting.
  • #20138 - Adds an auxiliary module that targets CVE-2023-27855, a path traversal vulnerability in ThinManager <= v13.0.1, to upload an arbitrary file to the target system as SYSTEM.
  • #20139 - Adds an auxiliary module targeting CVE-2023-27856, a path traversal vulnerability in ThinManager <= v13.0.1, to download an arbitrary file from the target system.
  • #20140 - Adds a module targeting the path traversal vulnerability CVE-2023-2915 in ThinManager <= v13.1.0 to delete an arbitrary file from the target system as the SYSTEM user.
  • #20141 - Adds a module targeting CVE-2023-2917, a path traversal vulnerability in ThinManager <= v13.1.0, to upload an arbitrary file as system.
  • #20146 - Adds a new exploit module for the WordPress SureTriggers plugin (≤ 1.0.78) that abuses CVE-2025-3102, an unauthenticated REST endpoint to create an administrative user and achieve remote code execution.
  • #20159 - This adds a module for a privilege escalation vulnerability in the Registration&Membership plugin for WordPress. It allows creating a malicious user with administrative privileges.
  • #20160 - Adds two PHP adapters, one for going to ARCH_CMD and one for coming from ARCH_CMD.
  • #20175 - This adds a native Metasploit module for performing Kerberoast attacks. With the native module, users will no longer need to have Python or additional Python libraries in order to leverage the attack technique.
  • #20177 - Clinic Patient’s Management System contains an SQL injection vulnerability in the login section. This module uses the vulnerability (CVE-2025-3096) to gain unauthorized access to the application. As lateral movement, it uses another vulnerability (CVE-2022-2297) to gain remote code execution.
  • #20185 - This adds a module for exploiting CVE-2025-2011 which is an unauthenticated SQL injection vulnerability in the “Slider & Popup Builder” plugin versions <= 3.6.1.
  • #20188 - This adds a module for CVE-2024-7399 - arbitrary file write as system authority. The module drops a shell by exploiting this vulnerability, allowing remote code execution. The application communicates on TCP port 7001 for HTTP and TCP port 7002 for HTTPS.
  • #20214 - This adds a new exploit module for Invision Community versions up to and including 5.0.6, which is vulnerable to a remote-code injection in the theme editor’s customCss endpoint (CVE-2025-47916). The module leverages the malformed {expression=”…”} construct to evaluate arbitrary PHP expressions and supports both in-memory PHP payloads and direct system command execution.
  • #20256 - This adds a new unauthenticated remote code execution (RCE) module for Remote for Mac software.
  • #20265 - Adds a module chaining CVE-2025-4427 and CVE-2025-4428: an authentication flaw allowing unauthenticated access to an administrator web API endpoint, which allows code execution via expression language injection on many versions of MobileIron Core (rebranded as Ivanti EPMM).
  • #20291 - This adds a module for CVE-2025-49113 - remote code execution by PHP object deserialization. The module requires user credentials for successful exploitation.

Enhanced Modules (1)

Modules which have either been enhanced, or renamed:

  • #20187 - Adds another exploitation vector to the pre-existing wp_suretriggers_auth_bypass module. The module now supports both CVE-2023-27007 and CVE-2023-3102.

Enhancements and features (16)

  • Pro: Adds additional help menu links to multiple pages in Metasploit Pro.
  • Pro: Replaces Disclosed Vulnerabilities with Discovered Vulnerabilities in navigation links and generated reports.
  • Pro: Updates the Vulnerability Validation Wizard tracking status for module runs to show a more accurate result code.
  • Pro: Updates the WebScan to scroll to any form errors when submitted.
  • #19900 - Updates multiple modules notes to now include additional AKA (Also Known As) references for EquationGroup codenames.
  • #19996 - This detects the CxUIUSvcChannel named pipe on target systems.
  • #20098 - Adds support for 32-bit execute-assembly, allowing injection of 64-bit or 32-bit .NET assembly.
  • #20147 - This adds support for the SOCKS5H protocol, allowing DNS resolution through a SOCKS5 proxy.
  • #20175 - This adds a native Metasploit module for performing Kerberoast attacks. With the native module, users will no longer need to have Python or additional Python libraries in order to leverage the attack technique.
  • #20176 - This updates the ASREP roasting module (auxiliary/gather/asrep) to store the hashes in the database.
  • #20180 - This adds a warning to PowerShell use when an impersonation token is active.
  • #20263 - Updates Metasploit to register VulnAttempts for both Exploit and Auxiliary modules.
  • #20264 - This adds propagation of KERB-SUPERSEDED-BY-USER data when included in Kerberos error responses.

Bugs fixed (27)

  • Pro: Fixes a crash when using dev_msfconsole.bat on Windows machines.
  • Pro: Fixes a graphical bug when using the global workspace search capabilities that returned no results.
  • Pro: Fixes the pagination buttons on the search results page from the top-level project search menu.
  • Pro: Fixes pagination on the Web Applications view when there are multiple web applications present.
  • Pro: Fixes a crash when running the Audit Web Apps capabilities in Metasploit Pro. Also adds additional HTTP debug functionality to the WebScan and Exploit Web Apps scans.
  • Pro: Fixes a crash when running the pro_exploit command in the Metasploit console.
  • #19939 - Fixes a bug within multiple modules that caused UI crashes within Metasploit Pro.
  • #20010 - This fixes a missing PowerShell signature when SSH is trying to identify the platform.
  • #20111 - Fixes an issue that prevented failed exploit attempts from being registered in the database correctly.
  • #20179 - This bumps the version of Metasploit Payloads to include a fix for the Java Meterpreter’s symlink handling on Windows.
  • #20181 - This fixes an issue in Metasploit’s WordPress login functionality that would cause it to fail for certain target configurations.
  • #20194 - Fixes a bug in the ThinkPHP RCE module that opted it out of auto-exploitation in Metasploit Pro.
  • #20218 - Fixes an issue in the web crawler’s canonicalize method, which previously resulted in incorrect URIs being returned.
  • #20246 - Fixes an issue within msfvenom when using zutto_dekiru encoder on a raw payload.
  • #20257 - Fixes an issue where the report_note deprecation message was calling a method incorrectly.
  • #20258 - Updates the datastore options in auxiliary/admin/ldap/shadow_credentials to reference the new LDAP datastore names.
  • #20260 - Updates the auxiliary/admin/ldap/change_password module to use the new LDAP datastore options.
  • #20261 - This updates the vmware_vcenter_vmdir_auth_bypass module and accompanying documentation to refer to the new datastore option name.
  • #20262 - This fixes an issue with the auxiliary/gather/vmware_vcenter_vmdir_ldap module caused by some options that had been changed.
  • #20273 - This fixes multiple issues in the post/windows/manage/remove_host module that would occur when a line had multiple names on it or used tab characters instead of spaces.
  • #20275 - This fixes a bug in the auxiliary/scanner/sap/sap_router_info_request module that would cause it to crash when a corrupted packet was received.
  • #20281 - This fixes an issue in the post/windows/manage/resolve_host module that would occur if the system wasn’t installed to C:\.
  • #20283 - This fixes an issue in the certifried module that was causing it to crash.
  • #20300 - Fixes a regression that stopped Windows hosts from being correctly identified after running the smb_version module.

Offline Update

Metasploit Framework and Pro Installers