CVE-2026-7373 - Vulnerability Details

- Metasploit Pro on Windows: Local Privilege Escalation via OpenSSL Configuration File Loading

Description

Rapid7 Metasploit Pro is vulnerable to a local privilege escalation attack that allows users to gain SYSTEM level control of a Windows host. Upon startup the metasploitPostgreSQL service the subsequent postgres.exe service attempts to load an OpenSSL configuration file from a non-existent directory that is writable by standard users. By planting a crafted openssl.cnf file an attacker can trick the high-privilege service into executing arbitrary commands. This effectively permits an unprivileged user to bypass security controls and achieve a full host compromise under the agent's SYSTEM level access.

Published: 2026-05-15

Score: 8.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Rapid7 Metasploit Pro is vulnerable to a local privilege escalation that allows an unprivileged Windows user to gain SYSTEM level control. The vulnerability stems from the metasploitPostgreSQL service loading an OpenSSL configuration file from a directory that is writable by standard users. By planting a crafted openssl.cnf file, the attacker tricks the high‑privilege service into executing arbitrary commands, effectively bypassing security controls and achieving full host compromise.

Affected Systems

All versions of Rapid7 Metasploit Pro deployed on Windows hosts that have not been updated to the latest release are affected. The flaw involves the metasploitPostgreSQL service bundled with Metasploit Pro and does not extend beyond the supported operating systems specified in Rapid7’s documentation.

Risk and Exploitability

The CVSS base score of 8.5 indicates a high severity with local execution and privilege escalation. EPSS is not available so exploitation probability is unclear, the vulnerability requires only local user write access to a specific directory. Since the flaw is not listed in the CISA KEV catalog, there is no known widespread exploitation, yet the local nature of the attack enables an attacker with basic file write permissions to pivot to SYSTEM level. The attack vector is inferred to be local, requiring authenticated or local access.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Rapid7

Metasploit Pro

unaffected

Version	Status	Constraints
`5.0.0`	affected	—

No data.

Vendor Product Confidence Versions

Rapid7

Metasploit

89%

Version	Status	Scheme	Platform
`5.0.0`	affected	semver	['windows']

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Rapid7 Metasploit Pro to the latest version to apply the vendor patch
Remove any crafted openssl.cnf files from the writable directory used by metasploitPostgreSQL
Restrict write permissions on that directory so that only SYSTEM accounts can modify its contents
Monitor logs for unauthorized creation of openssl.cnf files as a temporary measure

Generated by OpenCVE AI on May 15, 2026 at 04:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Local

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact High

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00014.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://docs.rapid7.com/insight/metasploit-pro-release-notes/

History

Fri, 15 May 2026 11:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Rapid7 Rapid7 metasploit
Vendors & Products		Rapid7 Rapid7 metasploit

Fri, 15 May 2026 03:00:00 +0000

Type	Values Removed	Values Added
Description		Rapid7 Metasploit Pro is vulnerable to a local privilege escalation attack that allows users to gain SYSTEM level control of a Windows host. Upon startup the metasploitPostgreSQL service the subsequent postgres.exe service attempts to load an OpenSSL configuration file from a non-existent directory that is writable by standard users. By planting a crafted openssl.cnf file an attacker can trick the high-privilege service into executing arbitrary commands. This effectively permits an unprivileged user to bypass security controls and achieve a full host compromise under the agent's SYSTEM level access.
Title		Metasploit Pro on Windows: Local Privilege Escalation via OpenSSL Configuration File Loading
Weaknesses		CWE-284 CWE-427 CWE-829
References		https://docs.rapid7.com/insight/metasploit-pro-release-notes/
Metrics		cvssV4_0 `{'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:H/E:P'}`

Subscriptions

Rapid7 Metasploit

MITRE

Status: PUBLISHED

Assigner: rapid7

Published: 2026-05-15T02:06:21.328Z

Updated: 2026-05-15T13:24:33.845Z

Reserved: 2026-04-28T23:54:36.962Z

Link: CVE-2026-7373

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-15T03:16:23.270

Modified: 2026-05-15T14:11:57.190

Link: CVE-2026-7373

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T11:15:25Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact High

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object