Hard to believe it’s that time again, and that Metasploit Framework will see the dawn of another Annual Wrap-Up (and a New Year). All of the metrics and modules you see here would in large part not be possible without the dedicated community members who care about the Framework and its mission on all the days of the year. It is their hard work and dedication that makes it look like magic, and sometimes, it feels like it too. A heartfelt thank you to all of our researchers and contributors, you’re what makes Metasploit Framework so resilient.
This year brought its share of notable vulnerabilities, substantial framework improvements, and continued evolution of the project. Whether you submitted a module, filed an issue, or helped triage a bug, your contributions have kept Metasploit relevant and powerful. So without further ado, let’s dive into the highlights from 2025.
Persistence Overhaul
One of the year’s significant infrastructure improvements came from community contributor h00die, who spearheaded a massive refactor of Metasploit’s persistence modules. The project, tracked in issue #20374, involved reorganizing dozens of persistence modules from their scattered locations across the framework into a dedicated persistence directory under exploits. This wasn’t just housekeeping—h00die created a standardized persistence mixin that brought consistency to how modules handle installation, cleanup, and option handling. The refactor touched over 30 modules spanning Linux, Windows, OSX, and multi-platform techniques, modernizing each one with proper check methods, MITRE ATT&CK references, and standardized options like WritableDir. The work also laid the groundwork for a persistence suggester module that can automatically recommend viable persistence techniques based on session characteristics.
The sheer scope of this effort can’t be overstated. Breaking the work into manageable chunks, h00die systematically converted modules from the old post-exploitation style to proper exploit modules with the new persistence mixin, handling everything from cron jobs and SSH keys to Windows registry modifications and service installations. The standardization means that all persistence modules now share common behaviors, produce cleanup scripts in a consistent format, and integrate cleanly with the rest of the framework. It’s the kind of unglamorous but essential work that improves the entire framework’s usability and maintainability, and we’re grateful to h00die for taking on such an ambitious project and seeing it through.
AD CS Vulnerable Certificate Template Detection and Exploitation Additions
This year, Metasploit expanded its Active Directory Certificate Services (AD CS) coverage by adding detection and exploitation support for certificate templates vulnerable to ESC9, ESC10, and ESC16. Checks for these misconfigured certificate templates were integrated into the existing ldap_esc_vulnerable_template module, allowing users to easily identify misconfigured templates during assessments.
To complement this detection capability, we introduced the new esc_update_ldap_object module, which enables reliable exploitation of these vulnerable templates to escalate privileges. ESC9, ESC10, and ESC16 share a common pattern: each requires control of a user account with write privileges over another user that is permitted to enroll in the vulnerable template. While exploiting these techniques with other tools typically involves multiple manual and error-prone steps, the new module streamlines the entire workflow. Users configure the required datastore options, run the module, and receive a certificate that can be used to escalate privileges within the domain.
As part of this effort, we also introduced the ldap_object_attribute module, which provides standard CRUD operations for manipulating LDAP objects in Active Directory. This module — along with existing functionality such as shadow_credentials and get_ticket — is used internally by esc_update_ldap_object to abstract away low-level LDAP interactions and simplify exploitation.
This work included comprehensive documentation covering the configuration of templates vulnerable to ESC9, ESC10, and ESC16, as well as detailed instructions for exploiting each technique using the new module.
Active Directory Improvements
Alongside the AD CS improvements came new low-level functionality for interacting with Active Directory (AD) Domain Controllers over LDAP. Over the past couple of years, Metasploit has seen multiple modules added that facilitate AD attack workflows, including Shadow Credentials, RBCD, Unconstrained Delegation and more. Like the AD CS attacks, many of these techniques depend to some degree on the access rights the authenticated principal holds over a target object. Over the summer, Metasploit introduced new functionality to facilitate checking for these types of attacks. This new library provides Active Directory specific functionality, most notably the ability to remotely evaluate security descriptors to determine whether a particular user or group has a specific access right. This has already been incorporated into the following modules to either enable or improve their existing detection capabilities.
- auxiliary/admin/ldap/shadow_credentials
- auxiliary/admin/ldap/rbcd
- auxiliary/admin/ldap/ad_cs_cert_template
- auxiliary/gather/ldap_esc_vulnerable_cert_finder
For module authors, the library provides a composable API for determining if an object grants a particular permission to an optional SID. The SID can be either a user or group, and when omitted is automatically set to the authenticating user, i.e. to check if the current connection has the permissions.
For example, to check whether the object grants the read-property (RP) and write-property (WP) permissions:
adds_obj_grants_permissions?(@ldap, obj, SecurityDescriptorMatcher::Allow.all(%i[RP WP]))
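To make the check above concrete, here is an added example of what "remotely evaluating a security descriptor" means in practice: a DACL is an ordered list of ACEs, and the question is which of a set of requested rights the calling principal (its own SID plus its group SIDs) ends up with. This is illustration code written for this post, not metasploit-framework code; `AllowMatcher`, `rights_granted` and `obj_grants_permissions?` are this example's own names, shaped after the page's `SecurityDescriptorMatcher::Allow.all` call, the generic-rights expansion is a deliberate simplification, and all SIDs are constructed.

```ruby
require 'set'

# Added illustration (not metasploit-framework code) of the decision the
# library makes: walk an object's DACL and report which of the requested
# access rights the principal holds. Rights use SDDL abbreviations as in
# the page's call: RP = read property, WP = write property,
# CC = create child, GA = generic all.
Ace = Struct.new(:type, :sid, :rights) # type is :allow or :deny

# Rights implied by GA. The real generic-rights mapping is larger; this
# subset is assumed for the example.
GENERIC_ALL = Set[:RP, :WP, :CC, :GA]

def effective_rights(ace)
  ace.rights.include?(:GA) ? GENERIC_ALL : ace.rights
end

# Subset of +wanted+ that the principal is granted. ACEs are walked in
# order, as Windows does with a canonical DACL (denies precede allows):
# a deny seen before an allow wins for that right.
def rights_granted(dacl, principal_sids, wanted)
  wanted = wanted.to_set
  granted = Set.new
  denied = Set.new
  dacl.each do |ace|
    next unless principal_sids.include?(ace.sid)
    hit = effective_rights(ace) & wanted
    case ace.type
    when :deny  then denied.merge(hit - granted)
    when :allow then granted.merge(hit - denied)
    end
  end
  granted
end

# Matcher in the shape of the page's SecurityDescriptorMatcher::Allow;
# the class name and internals are this example's own.
class AllowMatcher
  attr_reader :rights

  def initialize(rights, mode)
    @rights = rights.to_set
    @mode = mode
  end

  def self.all(rights) # every listed right must be granted
    new(rights, :all)
  end

  def self.any(rights) # at least one listed right must be granted
    new(rights, :any)
  end

  def match?(granted)
    @mode == :all ? @rights.subset?(granted) : @rights.intersect?(granted)
  end
end

# Counterpart of adds_obj_grants_permissions? for this model: true when
# the matcher is satisfied by the rights the DACL grants the principal.
def obj_grants_permissions?(dacl, principal_sids, matcher)
  matcher.match?(rights_granted(dacl, principal_sids, matcher.rights))
end

# Constructed sample: an object whose DACL explicitly denies WP to one
# user, allows RP and WP to Domain Users, and grants GA to Domain Admins.
DOMAIN        = 'S-1-5-21-1111-2222-3333'
DOMAIN_ADMINS = "#{DOMAIN}-512"
DOMAIN_USERS  = "#{DOMAIN}-513"
ALICE         = "#{DOMAIN}-1105"
BOB           = "#{DOMAIN}-1106"

SAMPLE_DACL = [
  Ace.new(:deny,  ALICE,         Set[:WP]),
  Ace.new(:allow, DOMAIN_USERS,  Set[:RP, :WP]),
  Ace.new(:allow, DOMAIN_ADMINS, Set[:GA]),
].freeze

ALICE_SIDS = [ALICE, DOMAIN_USERS].freeze # alice, member of Domain Users
BOB_SIDS   = [BOB, DOMAIN_USERS].freeze   # bob, member of Domain Users

if $PROGRAM_NAME == __FILE__
  both = AllowMatcher.all(%i[RP WP])
  puts "alice has RP and WP: #{obj_grants_permissions?(SAMPLE_DACL, ALICE_SIDS, both)}" # false
  puts "bob has RP and WP:   #{obj_grants_permissions?(SAMPLE_DACL, BOB_SIDS, both)}"   # true
end
```

Alice is denied WP before the group allow is reached, so `Allow.all(%i[RP WP])` fails for her even though she is in Domain Users, while `Allow.any` would still succeed on RP; Bob gets both rights through the group. That ordering dependence is exactly why the library evaluates the descriptor rather than just reading the DACL.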
Code Cleanup At Scale
Beyond new features and modules, 2025 also saw substantial code quality improvements thanks to community contributor bcoles, who took on the often-thankless task of resolving RuboCop violations across the codebase. Throughout the year, bcoles systematically worked through older modules, cleaning up style inconsistencies, fixing syntax violations, and converting outdated property types to proper boolean values in auxiliary scanners and exploit modules. This kind of incremental maintenance work—fixing redundant parentheses here, resolving style violations there—doesn’t make for flashy headlines, but it keeps the codebase maintainable and makes life easier for everyone working in the framework. Code quality matters, and we’re grateful to bcoles for putting in the work to keep Metasploit’s technical debt in check.
Payload Improvements
It may be a fun fact, or perhaps tribal knowledge, that to Metasploit an “exploit” is a module that delivers a payload. All the great exploit content this year would be nothing without corresponding payloads to deliver, and we make sure those get plenty of our time as well. The following changes in particular are highly impactful and may have gone unnoticed while the flashier exploits received all the attention.
Windows Meterpreter Improvements
The biggest updates for the Windows Meterpreter revolve around two major improvements. The first is the upgrade to the ReflectiveDLLInjection library, made by Alex (xaitax) Hagenah, to whom we express our gratitude for improving an area of the Metasploit Framework that requires a high level of attention to detail. This update introduces full, production-ready ARM64 support and a comprehensive architectural modernization of the whole library, opening the door to future support for a native ARM64 Meterpreter on Windows. Second, Metasploit split the standard API extension for Windows this year. This was actually the design used in the original Meterpreter implementation, and we have reconsidered the monolithic approach; it is one of multiple steps in the pipeline to improve the evasion capabilities of the Windows Meterpreter. The standard API library now allows the user to load only specific subcomponents of the extension (for example, the component for network or file-system interaction), reducing the memory footprint exposed to memory scanners. To leverage this new functionality, set AutoLoadStdapi to false and then load one or more extensions manually, e.g. load stdapi_fs. To maintain backwards compatibility, a single stdapi extension is still available and can be loaded with load stdapi.
Fetch Payload Improvements
The first milestone was the introduction of fileless execution for Linux fetch payloads, enabling payloads to run directly from memory using anonymous files. This advancement greatly enhances operational stealth by minimizing forensic traces and avoiding file-based detection, with careful attention to safe, opt-in behavior and collaborative code refinement. Following this, the FETCH_PIPE option streamlined payload deployment into a single, compact command. This improvement enhanced both usability and evasion, while also supporting larger, more complex command payloads (such as fileless execution) to be executed even with reduced command size. Additionally, fetch payload support has expanded to seven additional CPU architectures: aarch64, armbe, armle, mipsbe, mipsle, ppc, and ppc64le. This significantly broadens Metasploit’s reach across embedded and legacy systems. Both features are thoroughly tested and future-proof, making the framework more versatile and powerful.
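The fileless execution described above minimizes forensic traces, but it is not invisible to a responder who knows where to look. The following is an added defender-side example, not metasploit-framework code. It assumes the in-memory execution is backed by an anonymous file created with memfd_create(2), in which case the process has no on-disk binary and its /proc/<pid>/exe link reads "/memfd:<name> (deleted)"; the function names and the sample readings are constructed for this example.

```ruby
# Added defender-side example (not metasploit-framework code): flag Linux
# processes whose executable is an anonymous in-memory file. Assumption:
# fileless execution uses memfd_create(2), so /proc/<pid>/exe points at
# "/memfd:<name> (deleted)". A plain on-disk path ending in " (deleted)"
# is a different, weaker signal (binary removed or replaced after exec)
# and is reported separately so it is not mistaken for the memfd case.
MEMFD_PATTERN  = %r{\A/memfd:(?<name>.*) \(deleted\)\z}
DELETED_SUFFIX = ' (deleted)'

# Classify one (pid, exe link target) pair; nil for an ordinary binary.
def classify_exe(pid, target)
  if (m = MEMFD_PATTERN.match(target))
    { pid: pid, severity: :high, name: m[:name],
      reason: 'executable is an anonymous in-memory file (memfd)' }
  elsif target.end_with?(DELETED_SUFFIX)
    { pid: pid, severity: :medium, name: target.delete_suffix(DELETED_SUFFIX),
      reason: 'on-disk executable was unlinked after exec' }
  end
end

# Run the classification over [pid, target] pairs, dropping clean ones.
def find_suspicious_processes(entries)
  entries.filter_map { |pid, target| classify_exe(pid, target) }
end

# Collect live readings from /proc. Links that cannot be read (other
# users' processes without privilege, kernel threads) are skipped.
def live_proc_entries
  Dir.glob('/proc/[0-9]*').filter_map do |dir|
    begin
      [File.basename(dir).to_i, File.readlink(File.join(dir, 'exe'))]
    rescue SystemCallError
      nil
    end
  end
end

# Constructed sample readings, in the form File.readlink returns them.
SAMPLE_ENTRIES = [
  [1,    '/usr/lib/systemd/systemd'],
  [2231, '/usr/sbin/sshd'],
  [4107, '/memfd:payload (deleted)'],
  [4110, '/usr/bin/python3.11 (deleted)'], # binary replaced by a package upgrade
  [4122, '/memfd: (deleted)'],             # memfd created with an empty name
].freeze

if $PROGRAM_NAME == __FILE__
  # Pass --live to scan the running system instead of the sample data.
  entries = ARGV.include?('--live') ? live_proc_entries : SAMPLE_ENTRIES
  find_suspicious_processes(entries).each do |f|
    puts format('%-6s pid=%-6d %-28s %s', f[:severity], f[:pid], f[:name], f[:reason])
  end
end
```

Run it as root to see every process; unprivileged, only the caller's own processes are readable and the rest are skipped silently. The medium-severity bucket will be noisy right after a package upgrade, which is why the two cases are kept distinct.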
New Architectures Basic Support
This year, we have also updated the framework to support new basic payloads. We have introduced the exec payload for Windows ARM64 (provided by Alex (xaitax) Hagenah), and reverse shells for RISC-V (32- and 64-bit) and LoongArch64 (both provided by bcoles).
COMING SOON
As much as we try, everything doesn’t always fit into one year. With that in mind, we wanted to highlight some upcoming features that we’re particularly excited to complete in the coming months.
Malleable C2
Malleable C2 will allow the user to supply a .profile file describing what the HTTP requests between Meterpreter and metasploit-framework should look like, letting Metasploit disguise the distinctive traffic generated by session communication.
Direct Syscall in Metsrv
We have updated the Meterpreter core (metsrv) to remove common static signatures, such as specific strings and function imports, making it harder to detect.
PoolParty for 32-bit systems
Additional work is underway to port the PoolParty injection to native 32-bit systems. Huge thanks to xHector1337 for taking over the research and extending the code injection to the new architecture.
SCCM Modules
This year, Metasploit added two modules for targeting SCCM instances and recovering the Network Access Account credentials. These modules differ in how they perform the authentication. The first, auxiliary/admin/sccm/get_naa_credentials accepts credentials from the operator and will use them to authenticate and run the attack on demand. This pairs nicely with the auxiliary/admin/dcerpc/samr_account module when the operator can create a new machine account. However, when that’s not an option, Metasploit still has you covered with the auxiliary/server/relay/relay_get_naa_credentials variant that enables relaying NTLM authentication from an SMB server. These attack workflows were demonstrated at Black Hat and DEF CON over the summer and we anticipate they’ll remain useful in the future.
Module Highlights
- CVE-2025-9316, CVE-2025-11700 N-able N-Central XXE – N-able N-Central is a popular Remote Monitoring and Management (RMM) platform. These two vulnerabilities, when combined, enable Metasploit to read local files without authenticating. This can be used to obtain a number of sensitive backup files from the application itself, or anything else on the host system. XXE is a less common vulnerability class, at least in Metasploit-land, but this is a fantastic example of how impactful it can be.
- CVE-2025-22457 Ivanti Connect Secure Unauthenticated RCE – Ivanti RCEs are always valuable and this module shows that memory corruption lives on in 2025. Not only is this exploit unauthenticated and reliable, it is a great example of how ROP chains can be used.
- CVE-2024-55555 Invoice Ninja RCE – This particular module leverages a PHP deserialization vulnerability within the application. While this vulnerability requires knowledge of the APP_KEY, successful exploitation could have significant financial implications. As an added bonus, this module came with a new library adding support for Laravel Framework-specific cryptography methods.
- CVE-2024-55556 InvoiceShelf RCE – Everyone loves a good pairing, and this module continues h00die-gr3y’s work on invoicing software, showing that they’re useful for receiving more than just payments.
- LDAP Password Disclosure – This module has been around for a while, but received some new features in 2025 for targeting Active Directory Domain Controllers. The first added support for LAPS v1 and v2, enabling the module to recover the local administrator account password on LAPS-managed systems. Later in the year, a second improvement added support for gMSA accounts. This module also pairs nicely with the new SMB to LDAP NTLM Relay module we added this year.
- Microsoft SharePoint ToolPane Unauthenticated RCE (CVE-2025-53770 and CVE-2025-53771)
- Exploit module for CVE-2025-32433 (Erlang/OTP)
SMB Relay Expansion
This year, Metasploit significantly leveled up its relaying capabilities, transforming what was previously an SMB-to-SMB-only relay capability into a powerful engine for lateral movement. Traditionally, SMB relaying was the domain of standalone external tools, but through the dedicated work of the Metasploit team, these workflows are now seamlessly integrated into the framework.
Community Stats Recap
A huge thank you from the entire Metasploit team to all 66 contributors in 2025. Your contributions and ideas are what continue to improve this tool every year. Notably, 41 of these were first-time contributors who added new code.
Here are some stats for 2025:
- Number of new modules: 139
- Number of new bug fixes: 133
- Number of new enhancements: 115
- Number of new documentation additions: 19
- Number of new payload enhancements: 18
Contributors in 2025 (ordered by count)
- bcoles
- h00die
- Chocapikk
- h00die-gr3y
- Takahiro-Yoko
- h4x-x0r
- smashery
- vognik (new in 2025)
- jvoisin
- xHector1337 (new in 2025)
- jmartin-tech
- mariomontecatine (new in 2025)
- blue0x1 (new in 2025)
- nakkouchtarek (new in 2025)
- molecula2788
- xaitax
- happybear-21 (new in 2025)
- e2002e
- fabpiaf (new in 2025)
- mekhalleh
- JohannesLks (new in 2025)
- BitTheByte (new in 2025)
- todb
- 00nx (new in 2025)
- DevBuiHieu (new in 2025)
- SweilemCodes (new in 2025)
- arpitjain099 (new in 2025)
- L-codes
- Zeecka (new in 2025)
- aaryan-11-x
- whotwagner
- lafried (new in 2025)
- sebaspf (new in 2025)
- hantwister (new in 2025)
- tastyrce (new in 2025)
- easymoney322 (new in 2025)
- gardnerapp
- TheBigStonk (new in 2025)
- 0xAryan (new in 2025)
- sempervictus
- szymonj99
- Mathiou04
- vultza (new in 2025)
- enty8080 (new in 2025)
- SaiSakthidar (new in 2025)
- Zedeldi (new in 2025)
- stfnw (new in 2025)
- mmacfadden (new in 2025)
- daffainfo (new in 2025)
- HamzaSahin61 (new in 2025)
- survivant (new in 2025)
- uhei
- EchoSl0w (new in 2025)
- jeffmcjunkin
- BenoitDePaoli (new in 2025)
- randomstr1ng
- 2tunnels (new in 2025)
- rodolphopivetta (new in 2025)
- RakRakGaming (new in 2025)
- Desiree05 (new in 2025)
- Wopseeion (new in 2025)
- jphamgithub (new in 2025)
- H4k1l (new in 2025)
- fishBone000 (new in 2025)
- xl4635 (new in 2025)