CVE-2020-7350
published 2020-04-22


Priority: P3 48 · Severity: high · CVSS 3.1 base score: 7.8
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploit likelihood (EPSS): 4.88% (91.0th percentile)
Rapid7 Metasploit Framework versions before 5.0.85 suffer from an instance of CWE-78: OS Command Injection, wherein the libnotify plugin accepts untrusted user-supplied data via a remote computer's hostname or service name. An attacker can create a specially crafted hostname or service name to be imported by Metasploit from a variety of sources and trigger a command injection on the operator's terminal. Note that only the Metasploit Framework and products that expose the plugin system are susceptible to this issue; notably, this does not include Rapid7 Metasploit Pro. Also note that this vulnerability cannot be triggered through a normal scan operation: the attacker would have to supply a file that is then processed with the db_import command.
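The injection mechanism described above, shown as an added example that is not part of this page and not the Metasploit libnotify plugin's own code: a notifier invoked with one interpolated command string lets /bin/sh evaluate whatever the imported hostname contains, whereas the argv form hands the same hostname to the program as a single literal argument. `echo` stands in for notify-send so the difference is visible and side-effect free (assumption: a POSIX host with /bin/sh on PATH); CRAFTED_HOST is a constructed value of the kind an attacker could plant in a file destined for db_import.

```ruby
require 'open3'

# Stand-in for the desktop notifier. `echo` is used instead of notify-send
# (assumption: POSIX system) so the demo runs anywhere and only prints text.
NOTIFIER = 'echo'

# Vulnerable pattern: the whole command line is one string. Because it contains
# shell metacharacters Ruby hands it to /bin/sh, and the shell parses the
# hostname as code, not data.
def notify_unsafe(hostname)
  out, _status = Open3.capture2("#{NOTIFIER} New host: #{hostname}")
  out
end

# Hardened pattern: argv form. No shell is spawned; the hostname reaches the
# notifier as a single literal argument no matter which characters it holds.
def notify_safe(hostname)
  out, _status = Open3.capture2(NOTIFIER, "New host: #{hostname}")
  out
end

# Constructed "hostname". $(...) merely echoes a marker here; a real payload
# would run anything with the operator's privileges.
CRAFTED_HOST = '$(echo INJECTED)'

if __FILE__ == $0
  puts "unsafe: #{notify_unsafe(CRAFTED_HOST)}"  # the shell ran the substitution
  puts "safe:   #{notify_safe(CRAFTED_HOST)}"    # literal text, nothing executed
end
```

The only difference between the two calls is whether a shell sits between Ruby and the notifier; quoting or escaping the hostname inside a single string is a weaker fix than removing the shell altogether, because every escaping scheme has to anticipate every metacharacter the shell knows.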

Affected

2 ranges

Vendor   Product               Version range   Fixed in
rapid7   metasploit            < 5.0.85        5.0.85
rapid7   metasploit_framework  < 5.0.85        5.0.85

Detection & IOCs (extracted from sources)

Affected version: Metasploit Framework < 5.0.85
  • Monitor for crafted import files (e.g., XML, Nexpose or Nessus exports) containing hostnames or service names with shell metacharacters that are about to be processed with the Metasploit `db_import` command.
  • Inspect hostnames and service names ingested by Metasploit's libnotify plugin for OS command injection payloads (shell metacharacters such as semicolons, pipes, backticks and $() constructs).
  • Alert on Metasploit Framework installs older than 5.0.85 that have the libnotify plugin loaded; the sources name 5.0.79 and earlier as confirmed vulnerable, and anything below the 5.0.85 fix should be treated the same way.
  • Watch for unexpected child processes spawned by the Metasploit operator's console during or shortly after a `db_import` operation; these may indicate successful command injection via the libnotify plugin.
  • Only Metasploit Framework and products exposing the plugin system are affected; Rapid7 Metasploit Pro is NOT vulnerable.
  • The vulnerability is only exploitable via the `db_import` command with a specially crafted file; normal scan operations cannot trigger it.
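A pre-import check for the first two items above, as an added example rather than a Metasploit feature or a Rapid7 detection rule: it walks an XML export and lists every host name or service name that falls outside a conservative allowlist, so an operator can inspect a file before feeding it to db_import. The element layout (<hosts>/<host>/<name> and <services>/<service>/<name>) is modelled on Metasploit's own XML export and is an assumption here; the sample export is constructed.

```ruby
require 'rexml/document'

# Conservative allowlists. Legitimate hostnames need only these characters;
# service names occasionally carry a slash (e.g. "domain/udp" style labels).
HOSTNAME_OK = /\A[A-Za-z0-9._-]*\z/
SERVICE_OK  = /\A[A-Za-z0-9._\/-]*\z/

# Returns one hash per host or service name that would need shell quoting.
# Element names follow the Metasploit XML export layout (assumption); adapt
# the XPath expressions for Nmap, Nexpose or Nessus files.
def suspicious_names(xml)
  doc = REXML::Document.new(xml)
  findings = []
  doc.elements.each('//hosts/host') do |host|
    addr = host.elements['address']&.text || ''
    name = host.elements['name']&.text || ''
    findings << { kind: :hostname, address: addr, value: name } unless HOSTNAME_OK.match?(name)
    host.elements.each('services/service') do |svc|
      sname = svc.elements['name']&.text || ''
      findings << { kind: :service, address: addr, value: sname } unless SERVICE_OK.match?(sname)
    end
  end
  findings
end

# Constructed sample export: one clean host and one whose names carry
# shell constructs of the kind this CVE is about.
SAMPLE_EXPORT = <<~XML
  <MetasploitV5>
    <hosts>
      <host>
        <address>10.0.0.5</address>
        <name>web01.corp.example</name>
        <services>
          <service><port>80</port><proto>tcp</proto><name>http</name></service>
        </services>
      </host>
      <host>
        <address>10.0.0.9</address>
        <name>srv$(id)</name>
        <services>
          <service><port>22</port><proto>tcp</proto><name>ssh; touch /tmp/pwned</name></service>
        </services>
      </host>
    </hosts>
  </MetasploitV5>
XML

if __FILE__ == $0
  suspicious_names(SAMPLE_EXPORT).each do |f|
    puts "#{f[:address]}: suspicious #{f[:kind]} #{f[:value].inspect}"
  end
end
```

An allowlist is deliberately used instead of a denylist of metacharacters: the plugin's failure mode is a shell parsing the value, and enumerating every character a shell treats specially is exactly the kind of list that gets one entry wrong.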

CVSS provenance

NVD  v3.1  7.8  HIGH    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
NVD  v2.0  6.8  MEDIUM  AV:N/AC:M/Au:N/C:P/I:P/A:P