Impact
Rapid7 Metasploit Pro is vulnerable to a local privilege escalation that lets an unprivileged Windows user acquire SYSTEM-level control. The flaw arises when the metasploitPostgreSQL service starts a postgres.exe child that loads an OpenSSL configuration file from a static location. That location is writable by a pre-existing “vagrant” user, which an administrator must have created beforehand. By planting a crafted openssl.cnf file, the attacker deceives the high-privilege service into executing arbitrary commands, enabling bypass of security controls and full host compromise under the service’s SYSTEM-level privileges. This weakness involves improper access control (CWE-284), improper use of a hard-coded path (CWE-427), and insufficient restriction of operations within a local system (CWE-829).
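A defender-side check for the condition this advisory describes, written here as an added PowerShell example (not Rapid7's or OpenCVE's code): it audits the ACL of the OpenSSL configuration file a SYSTEM service loads, together with its parent directory, and reports any write grant to low-privilege groups or local user accounts such as the “vagrant” user named above. The path is a placeholder, since the advisory does not name the static location; the principal list and write mask are the example's own assumptions.

```powershell
# Added example: audit whether a configuration file loaded by a SYSTEM service
# can be written by low-privilege principals. PLACEHOLDER path: substitute the
# openssl.cnf location your Metasploit Pro install actually uses.
$ConfigPath = 'C:\PLACEHOLDER\openssl.cnf'

# Assumed list of principals that should never hold write rights on a
# privileged service's configuration.
$LowPrivPrincipals = @(
    'BUILTIN\Users',
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)
# Rights that allow replacing or altering the file (or creating files in its directory).
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, WriteData, AppendData, TakeOwnership, ChangePermissions'

function Test-WeakConfigAcl {
    param([Parameter(Mandatory)][string]$Path)
    $findings = @()
    # Check the file and its parent: a writable parent lets a local user rename
    # or replace the file even when the file's own ACL is strict.
    $targets = @($Path, (Split-Path -Parent $Path)) | Where-Object { Test-Path -LiteralPath $_ }
    foreach ($t in $targets) {
        $acl = Get-Acl -LiteralPath $t
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $id = $ace.IdentityReference.Value
            $grantsWrite = (([int]$ace.FileSystemRights) -band ([int]$WriteMask)) -ne 0
            # Local accounts appear as COMPUTERNAME\name; BUILTIN\Administrators
            # and NT AUTHORITY\SYSTEM do not match that pattern.
            $isLowPriv = ($LowPrivPrincipals -contains $id) -or ($id -like "$env:COMPUTERNAME\*")
            if ($grantsWrite -and $isLowPriv) {
                $findings += [pscustomobject]@{ Path = $t; Identity = $id; Rights = $ace.FileSystemRights }
            }
        }
    }
    return $findings
}

$weak = Test-WeakConfigAcl -Path $ConfigPath
if ($weak.Count -eq 0) {
    Write-Output "OK: no low-privilege write access to $ConfigPath or its directory."
} else {
    Write-Output "WEAK ACL: low-privilege principals can modify a config loaded by a SYSTEM service:"
    $weak | Format-Table -AutoSize
    exit 1
}
```

Expected remediation is to restrict write access on both the file and its directory to SYSTEM and Administrators, then re-run the check until it reports no findings.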
Affected Systems
All versions of Rapid7 Metasploit Pro deployed on Windows hosts that have not been updated to the latest release are affected. The flaw involves the metasploitPostgreSQL service bundled with Metasploit Pro and does not extend beyond the supported operating systems specified in Rapid7’s documentation.
Risk and Exploitability
The CVSS base score of 8.5 indicates high severity for a locally executed privilege escalation. An EPSS score below 1% indicates a very low but non-zero exploitation probability, meaning that while the vulnerability is unlikely to be widely exploited, it is still a real risk. Since the flaw is not listed in the CISA KEV catalog, there is no known widespread exploitation, yet the local nature of the attack allows an attacker with basic file write permissions to pivot to SYSTEM-level privileges. The attack vector is inferred to be local, requiring authenticated or local access.
OpenCVE Enrichment