Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
The Rapid7 Insight Agent (versions > 4.1.0.2) is vulnerable to a local privilege escalation attack that allows users to gain SYSTEM level control of a Windows host. Upon startup the agent service attempts to load an OpenSSL configuration file from a non-existent directory that is writable by standard users. By planting a crafted openssl.cnf file an attacker can trick the high-privilege service into executing arbitrary commands. This effectively permits an unprivileged user to bypass security controls and achieve a full host compromise under the agent’s SYSTEM level access.
AnalysisAI
Local privilege escalation in Rapid7 Insight Agent (versions > 4.1.0.2) on Windows allows unprivileged users to execute arbitrary code as SYSTEM via OpenSSL configuration file planting. The agent service loads openssl.cnf from a non-existent directory writable by standard users, enabling full host compromise without authentication. CVSS 8.5 with proof-of-concept exploit code available (E:P). EPSS data not provided; not currently listed in CISA KEV.
Technical ContextAI
This vulnerability exploits a classic DLL search order hijacking pattern applied to configuration files. The Rapid7 Insight Agent service runs with SYSTEM privileges and uses OpenSSL libraries. On startup, the service attempts to load an OpenSSL configuration file (openssl.cnf) from a directory path that does not exist by default but falls within user-writable filesystem locations (likely C:\Users\[username]\ or similar paths where standard users have write permissions). OpenSSL allows configuration files to specify custom cryptographic engines and initialization commands. By creating the missing directory structure and planting a malicious openssl.cnf containing engine loading directives or command execution hooks, an attacker can force the high-privilege service to execute arbitrary code during its initialization phase. This is classified as CWE-829 (Inclusion of Functionality from Untrusted Control Sphere) because the privileged process trusts configuration data from an attacker-controlled location. The affected component is specifically the Rapid7 Insight Agent for Windows, which provides endpoint visibility and management for Rapid7's cloud platform.
RemediationAI
Upgrade Rapid7 Insight Agent to version 4.1.0.2 or earlier if possible, or apply the patched version released in April 2026 per the vendor advisory at https://docs.rapid7.com/insight/release-notes-2026-april/#improvements-and-fixes. The exact fixed version number is not specified in available data but should be confirmed from the release notes. As an interim workaround until patching is complete, restrict local user access to systems running the agent to trusted administrators only, though this may not be operationally feasible in many environments. Organizations can also implement filesystem access controls to deny standard users write permissions to the specific directory path where the agent attempts to load openssl.cnf (exact path should be obtained from Rapid7 support), though this may cause compatibility issues if the agent expects that path to be accessible. Monitor for suspicious openssl.cnf file creation in user-writable directories using EDR or file integrity monitoring tools as a detective control, though prevention through patching is strongly preferred.
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packe
The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to se
The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which mak
The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a
The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Rated hig
The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before
In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this
A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL proto
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23376
GHSA-6rgm-mxx7-qxmc