CVE-2019-5645
published 2020-09-01


Priority: P264 · high · CVSS 3.1: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EXPLOIT
EPSS: 41.69% (98.5th percentile)

By sending a specially crafted HTTP GET request to a listening Rapid7 Metasploit HTTP handler, an attacker can register an arbitrary regular expression. When evaluated, this malicious handler can either prevent new HTTP handler sessions from being established, or cause a resource exhaustion on the Metasploit server.

Affected

2 ranges

| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| rapid7 | metasploit | <= 5.0.27 | |
| rapid7 | metasploit_framework | 5.0.27 – 5.0.27 | |

Detection & IOCs (extracted from sources)

version: Metasploit 5.0.20
  • Monitor for specially crafted HTTP GET requests to Metasploit HTTP/HTTPS handler listeners that contain regex-like patterns in the request path or parameters, which may be attempts to register a malicious resource handler.
  • Alert on resource exhaustion or CPU spikes on Metasploit servers coinciding with inbound HTTP connections, which may indicate a ReDoS (Regular Expression Denial of Service) attack via the HTTP handler.
  • Classify DoS impact tiers: 'Gentle', 'Soft', and 'Hard' DoS — monitor for progressive degradation of Metasploit HTTP handler session acceptance as an indicator of exploitation.
  • The exploit module targets the Metasploit HTTP(S) handler directly; only Metasploit instances with an active HTTP/HTTPS listener (e.g., multi/handler with a stager using HTTP/HTTPS) are vulnerable to this attack vector.
  • Confirmed affected version is Metasploit 5.0.20; scope of affected versions beyond this test target should be verified against Rapid7 advisories.

CVSS provenance

nvd · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd · v2.0 · 5.0 MEDIUM · AV:N/AC:L/Au:N/C:N/I:N/A:P
vendor_redhat · 9.8 CRITICAL