No bad luck here: Friday the 13th brings new modules and a Metasploit Pro milestone
This week’s Metasploit Framework release delivers three new modules across reconnaissance, evasion, and exploitation: LeakIX-powered discovery for exposed services and leaked data, a Linux x64 RC4 payload packer for more flexible evasive delivery, and an unauthenticated RCE module for SPIP Saisies (CVE-2025-71243). Alongside those additions, we shipped practical quality-of-life improvements including a smaller configurable bind_netcat payload path, automatic WordPress service reporting in the WordPress mixin, and a fix for Base64Decoder defaults in shell payload workflows.
Finally, we’re also excited to share the new Metasploit Pro 5.0.0 release with an updated UI and SSO support amongst other changes, check out the announcement here: Announcing Metasploit Pro 5: Penetration Testing, Evolving.
New module content (3)
LeakIX Search
Authors: LeakIX [email protected] and Valentin Lobstein [email protected]
Type: Auxiliary
Pull request: #21002 contributed by Chocapikk
Path: gather/leakix_search
Description: Adds a new module auxiliary/gather/leakix_search, a new module for LeakIX API - a search engine focused on indexing internet-exposed services and leaked credentials/databases.
Linux RC4 Encrypted Payload Generator
Author: Massimo Bertocchi
Type: Evasion
Pull request: #20966 contributed by litemars
Path: linux/x64/rc4_packer
Description: Adds a new module evasion/linux/x64/rc4_packer packer that encrypts the generated payload with RC4, prepends an optional sleep-based delay (nanosleep), and decrypts/executes the payload at runtime via a compact precompiled stub.
SPIP Saisies Plugin Unauthenticated RCE
Authors: OpenStudio and Valentin Lobstein [email protected]
Type: Exploit
Pull request: #21001 contributed by Chocapikk
Path: multi/http/spip_saisies_rce
AttackerKB reference: CVE-2025-71243
Description: This adds a new module for CVE-2025-71243, an unauthenticated PHP code-injection vulnerability in the SPIP Saisies plugin. The injection takes place through _anciennes_valeurs, which allows an attacker to inject a PHP payload.
Enhancements and features (2)
- #20885 from dledda-r7 - Updates the bind_netcat payload to allow it to be smaller by selecting either default or BSD-style netcat command syntax. Previously, the payload ran both command syntaxes combined by an OR operator so wherever it was executed, the payload worked. The default behavior remains to run both, but in the event a user needs a significantly shorter payload, they can select a single netcat syntax and adjust the filenames.
- #20961 from Nayeraneru - This adds service reporting to Wordpress mixin. Now, when you use a Wordpress module, it will automatically report the target as Wordpress if detected.
Bugs fixed (1)
- #21088 from jbx81-1337 - This adds a default value for the Base64Decoder option to fix an issue with shell payloads using the default base64 encoder.
Documentation
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro
