Metasploit | Penetration Testing Software, Pen Testing Security

Knowledge is power, especially when it’s shared. A collaboration between the open source community and Rapid7, Metasploit helps security teams do more than just verify vulnerabilities, manage security assessments, and improve security awareness; it empowers and arms defenders to always stay one step (or two) ahead of the game.

Title	Date	Author
Land #20999, removes older persistence module Remove obsolete windows/local/persistence in favor of windows/persistence/registry	Mar 31, 2026	msutovsky-r7
Land #21029, adds module for Grav CMS (CVE-2025-50286) Adds exploit module for Grav CMS (CVE-2025-50286)	Mar 31, 2026	msutovsky-r7
Land #20835, adds module unauthenticated command injection Eclipse Che machine-exec (CVE-2025-12548) Add Eclipse Che machine-exec unauthenticated RCE (CVE-2025-12548)	Mar 25, 2026	msutovsky-r7
Land #20719, adds module for authenticated command injection in FreePBX filestore (CVE-2025-64328) Add authenticated RCE module for FreePBX filestore (CVE-2025-64328)	Mar 13, 2026	msutovsky-r7
Land #20730, Allow toggling the SACL in LDAP queries # Release Notes This update modifies the ldap_query module to skip querying the SACL (System Access Control List) on security descriptors by default. This behavior is now controlled by a new option, LDAP::QuerySacl. This change is necessary when using a non-privileged user to query security descriptors via LDAP; otherwise, querying the SACL will cause the entire query to be blocked, resulting in no security descriptors being returned.	Mar 11, 2026	cdelafuente-r7
Revert "Land #20852, exposes encoder options for exploit and payloads" This reverts commit 96958dedbbccb88d545356fed5950911f6160a4f, reversing changes made to 8e03b6e98a094c8d1d54fba9489069f93ecd0cd9.	Mar 10, 2026	adfoster-r7

Title

Date

Author

Land #20999, removes older persistence module Remove obsolete windows/local/persistence in favor of windows/persistence/registry

Mar 31, 2026

msutovsky-r7

Land #21029, adds module for Grav CMS (CVE-2025-50286) Adds exploit module for Grav CMS (CVE-2025-50286)

Mar 31, 2026

msutovsky-r7

Land #20835, adds module unauthenticated command injection Eclipse Che machine-exec (CVE-2025-12548) Add Eclipse Che machine-exec unauthenticated RCE (CVE-2025-12548)

Mar 25, 2026

msutovsky-r7

Land #20719, adds module for authenticated command injection in FreePBX filestore (CVE-2025-64328) Add authenticated RCE module for FreePBX filestore (CVE-2025-64328)

Mar 13, 2026

msutovsky-r7

Land #20730, Allow toggling the SACL in LDAP queries # Release Notes This update modifies the ldap_query module to skip querying the SACL (System Access Control List) on security descriptors by default. This behavior is now controlled by a new option, LDAP::QuerySacl. This change is necessary when using a non-privileged user to query security descriptors via LDAP; otherwise, querying the SACL will cause the entire query to be blocked, resulting in no security descriptors being returned.

Mar 11, 2026

cdelafuente-r7

Revert "Land #20852, exposes encoder options for exploit and payloads" This reverts commit 96958dedbbccb88d545356fed5950911f6160a4f, reversing changes made to 8e03b6e98a094c8d1d54fba9489069f93ecd0cd9.

Mar 10, 2026

adfoster-r7

Latest Pull Requests

Name	Labels	Author
Update the cached payload size	easy , rn-no-release-notes	zeroSteiner
Fix crash with frozen string literals	bug , easy , rn-no-release-notes	adfoster-r7
Fix: small typo's in Documentation	docs , easy , rn-documentation	dineshg0pal
Remove "frozen_string_literal: true" directive		bcoles
Add additional validation to db_import	rn-enhancement	adfoster-r7
Added beginner-friendly contribution steps	needs-unique-branch	mitaliiiiiiii

Name

Labels

Author

Update the cached payload size

easy , rn-no-release-notes

zeroSteiner

Fix crash with frozen string literals

bug , easy , rn-no-release-notes

adfoster-r7

Fix: small typo's in Documentation

docs , easy , rn-documentation

dineshg0pal

Remove "frozen_string_literal: true" directive

bcoles

Add additional validation to db_import

rn-enhancement

adfoster-r7

Added beginner-friendly contribution steps

needs-unique-branch

mitaliiiiiiii

Create a Pull Request

Recent Blog Posts

Fri Apr 03 2026

Metasploit Wrap-Up 04/03/2026

Additional Adapters and More ModulesThis week, we added a whole new bunch of HTTP/HTTPS-based CMD payloads for X64 and X86 versions of Windows. The additional breadth of selectable payloads and delivery techniques allows user...

Fri Mar 27 2026

Metasploit Wrap-Up 03/27/2026

Better NTLM Relaying FunctionalityThis week’s release brings an improvement to the SMB NTLM relay server. In the past, it’s support has been expanded with modules for relaying to HTTP (ESC8), MSSQL and LDAP while still receiv...

Fri Mar 20 2026

Metasploit Wrap-Up 03/20/2026

♫ I Just Called ♫ To Say ♫ 7f45 4c46 0201 0100 0000 0000 0000 0000 0300 3e00 0100♫This release contains 2 new exploit modules, 2 enhancements, and 7 bug fixes. Community contributor Chocapikk submitted both exploit modules th...

View More Metasploit Blog Posts