Jun 30, 2025
4.22.8-2025063001

Introduces four new RCE exploit modules targeting vulnerabilities in vBulletin, WP Tatsu, Window's UNC path handling in .url files, and more.

New module content (4)
Copy link

  • #20235  - This adds an unauthenticated RCE module which exploits a flaw in vBulletin 5.0.0–6.0.3 on PHP 8.1+ by abusing the replaceAdTemplate AJAX endpoint. This vulnerability is identified as CVE-2025-48827 .
  • #20301  - This adds an exploit module for WP Tatsu plugin. (CVE-2021-25094).
  • #20324  - This adds a module for exploitation of CVE-2025-33053 which is a vulnerability in the handling of UNC paths contained in .url files. The module will drop a malicious .url file, which will reach out to an attacker-controlled SMB server where the payload is hosted. An attacker can gain RCE if they can force the user to click on this malicious .url file.
  • #20341  - Adds a new exploits/linux/http/skyvern_ssti_cve_2025_49619 module for exploiting a server side template injection vulnerability in Skyvern <= 0.1.84. It requires an API_KEY to create malicious workflow and gain remote code execution.

Enhancements and features (5)
Copy link

  • Pro: Updates Metasploit Pro from Ruby 3.2.8 to Ruby 3.3.8.
  • #20289  - This adds support to Metasploit’s module references to tag content with IDs from the MITRE ATT&CK framework. This also adds search capabilities for these new IDs that is aware of their hierarchal structure.
  • #20326  - Updates the alias plugin to additionally output the total amount of aliases registered.
  • #20327  - Adds a new -v option to the vulns command which will additionally show any related vuln attempts associated with a vulnerability.
  • #20339  - Makes multiple improvements to the exploits/windows/fileformat/ms_visual_basic_vbp module by adding additional notes, documentation, code quality improvements, and making stability and randomization improvements.

Bugs fixed (3)
Copy link

  • #20336  - Specify the correct architecture ARCH_CMD in exploit/linux/http/opennms_horizon_authenticated_rce. This fixes a bug where users were unable to specify a payload when using this module.
  • #20337  - Specify the correct architecture ARCH_CMD in exploit/linux/http/opentsdb_key_cmd_injection. This fixes a bug where users were unable to specify a payload when using this module.
  • #20346  - This fixes an issue with the php_fpm_rce module, which stopped working after adding a new encoder that increased the size of payload. This address this issue and substitutes the original encoder for smaller base64 encoder.

Offline Update
Copy link

Metasploit Framework and Pro Installers
Copy link