CVE-2026-7373
published 2026-05-15CVE-2026-7373: Rapid7 Metasploit Pro is vulnerable to a local privilege escalation attack that allows a user to gain SYSTEM level control of a Windows host. When started the…
PriorityP346high8.5CVSS 4.0
AVLACLATNPRNUINVCHVIHVALSCHSIHSAHEPCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
EPSS
0.17%
6.7th percentile
Rapid7 Metasploit Pro is vulnerable to a local privilege escalation attack that allows a user to gain SYSTEM level control of a Windows host. When started the metasploitPostgreSQL service would start the postgres.exe child process which would in turn load an OpenSSL configuration file from a static location. This static location would be writable by a pre-existing "vagrant" user, if they already existed on the system. Metasploit does not create local accounts, an Administrator would need to create it. By planting a crafted openssl.cnf file an attacker can trick the high-privilege service into executing arbitrary commands. This effectively permits the unprivileged vagrant user to bypass security controls and achieve a full host compromise under the agent's SYSTEM level access.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rapid7 | metasploit_pro | — | — |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
Rapid7 Metasploit Pro 5.0.0 metasploitPostgreSQL Service postgres.exe inclusion of functionality from untrusted control sphere
vuldb·2026-05-15·CVSS 8.5
CVE-2026-7373 [HIGH] Rapid7 Metasploit Pro 5.0.0 metasploitPostgreSQL Service postgres.exe inclusion of functionality from untrusted control sphere
A vulnerability, which was classified as critical, has been found in Rapid7 Metasploit Pro 5.0.0. This affects an unknown function of the file postgres.exe of the component metasploitPostgreSQL Service. This manipulation causes inclusion of functionality from untrusted control sphere.
This vulnerability is handled as CVE-2026-7373. It is possible to launch the attack on the local host. There is not any exploit available.
GHSA
GHSA-q6qj-wmmg-cc85: Rapid7 Metasploit Pro is vulnerable to a local privilege escalation attack that allows users to gain SYSTEM level control of a Windows host
ghsa_unreviewed·2026-05-15
CVE-2026-7373 [HIGH] CWE-284 GHSA-q6qj-wmmg-cc85: Rapid7 Metasploit Pro is vulnerable to a local privilege escalation attack that allows users to gain SYSTEM level control of a Windows host
Rapid7 Metasploit Pro is vulnerable to a local privilege escalation attack that allows users to gain SYSTEM level control of a Windows host. Upon startup the metasploitPostgreSQL service the subsequent postgres.exe service attempts to load an OpenSSL configuration file from a non-existent directory that is writable by standard users. By planting a crafted openssl.cnf file an attacker can trick the high-privilege service into executing arbitrary commands. This effectively permits an unprivileged user to bypass security controls and achieve a full host compromise under the agent's SYSTEM level access.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-05-15
Published