ARM64 Windows Payload
This latest metasploit-framework release marks a significant milestone, introducing the inaugural payload specifically designed for Windows ARM64 architecture: windows/aarch64/exec. This addition greatly expands the framework’s capabilities, enabling penetration testers and security researchers to develop and deploy exploits against the growing number of Windows devices powered by ARM processors. We extend our sincere gratitude to Alexander “xaitax” Hagenah for his exceptional contributions. His efforts were instrumental in developing and integrating new payload features, significantly enhancing the adaptability of our framework.
PandoraFMS Authenticated RCE
Rapid7 has recently unveiled a new exploit module targeting PandoraFMS, a widely used monitoring solution. This critical vulnerability, discovered by Rapid7 security researcher Martin Šutovský, allows for authenticated Remote Code Execution (RCE) on a target system. The exploit leverages a weakness in PandoraFMS's Netflow plugin, so any installation with this plugin enabled is vulnerable to an authenticated attacker.
New module content (3)
GraphQL Introspection Scanner
Author: sjanusz-r7 Type: Auxiliary Pull request: #20216 contributed by sjanusz-r7 Path: scanner/http/graphql_introspection_scanner
Description: This adds a GraphQL Introspection Scanner module. The module queries GraphQL endpoints to determine whether introspection is enabled. Introspection allows the whole GraphQL schema to be queried, which gives Metasploit users insight into which objects are in the schema, their descriptions, their types, and whether they are deprecated. Because this can expose information that should not be accessible, the module registers an enabled introspection endpoint as a vulnerability.
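To show what the scanner checks for, here is an added example (not the Metasploit module's code) that sends the standard introspection query and summarises the reply, so a defender can confirm that production endpoints refuse introspection. The endpoint URL in check_endpoint is hypothetical; the two sample responses are constructed so the summary logic runs offline.

```python
import json
import urllib.request

# Standard introspection query: every type and field, with descriptions and
# deprecation status (the information the scanner module described above exposes).
INTROSPECTION_QUERY = """query { __schema { queryType { name }
  types { name kind description
    fields(includeDeprecated: true) { name description isDeprecated } } } }"""


def summarise_introspection(response):
    """Return (enabled, summary) for a parsed GraphQL JSON response.

    enabled is False when the server refused introspection (an errors array
    or no __schema in data); summary lists user-defined types and every
    field flagged as deprecated, which a defender should review."""
    schema = (response.get("data") or {}).get("__schema")
    if response.get("errors") or not schema:
        return False, {"types": [], "deprecated_fields": []}
    types = [t["name"] for t in schema["types"] if not t["name"].startswith("__")]
    deprecated = [f"{t['name']}.{f['name']}"
                  for t in schema["types"]
                  for f in (t.get("fields") or [])
                  if f.get("isDeprecated")]
    return True, {"types": types, "deprecated_fields": deprecated}


def check_endpoint(url, timeout=10):
    """POST the introspection query to a live endpoint (hypothetical URL) and summarise it."""
    body = json.dumps({"query": INTROSPECTION_QUERY}).encode()
    req = urllib.request.Request(url, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return summarise_introspection(json.load(resp))


# Constructed sample: an endpoint with introspection left enabled.
SAMPLE_ENABLED = {"data": {"__schema": {"queryType": {"name": "Query"}, "types": [
    {"name": "Query", "kind": "OBJECT", "description": None, "fields": [
        {"name": "users", "description": "All users", "isDeprecated": False},
        {"name": "legacyReport", "description": "Old API", "isDeprecated": True}]},
    {"name": "__Schema", "kind": "OBJECT", "description": None, "fields": None}]}}}
# Constructed sample: a hardened endpoint that rejects introspection.
SAMPLE_DISABLED = {"errors": [{"message": "introspection is disabled"}], "data": None}

if __name__ == "__main__":
    for label, sample in (("enabled", SAMPLE_ENABLED), ("disabled", SAMPLE_DISABLED)):
        print(label, summarise_introspection(sample))
```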
PandoraFMS Netflow Authenticated Remote Code Execution
Author: msutovsky-r7 Type: Exploit Pull request: #20356 contributed by msutovsky-r7 Path: linux/http/pandora_fms_auth_netflow_rce AttackerKB reference: CVE-2025-5306
Description: Adds a new exploit module for CVE-2025-5306, a code injection vulnerability in PandoraFMS. For successful exploitation, this module requires Netflow functionality to be enabled in the Pandora settings and the Netflow binaries to be present on the target system, as it leverages this feature. The module also requires valid admin credentials.
Windows AArch64 Command Execution
Authors: Alexander “xaitax” Hagenah and alanfoster Type: Payload (Single) Pull request: #20357 contributed by xaitax Path: windows/aarch64/exec
Description: Adds windows/aarch64/exec payload allowing users to execute a command on aarch64 versions of Windows.
Bugs fixed (3)
- #20359 from xaitax – This fixes the payload reloading command in the Metasploit console. Previously, the reload command did not account for the difference between module and payload objects and failed when trying to access the loader object. This fixes the issue by adding manual payload reloading.
- #20388 from jheysel-r7 – Fixes a regression in the UPDATE action in the ad_cs_cert_template module.
- #20391 from zeroSteiner – Fixes a crash when running the auxiliary/scanner/ntp/timeroast module.
Documentation
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.