Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Rapid7 Metasploit Pro is vulnerable to a local privilege escalation attack that allows users to gain SYSTEM level control of a Windows host. Upon startup the metasploitPostgreSQL service the subsequent postgres.exe service attempts to load an OpenSSL configuration file from a non-existent directory that is writable by standard users. By planting a crafted openssl.cnf file an attacker can trick the high-privilege service into executing arbitrary commands. This effectively permits an unprivileged user to bypass security controls and achieve a full host compromise under the agent's SYSTEM level access.
AnalysisAI
Local privilege escalation in Rapid7 Metasploit Pro allows unprivileged Windows users to achieve SYSTEM-level execution via OpenSSL configuration file hijacking. The metasploitPostgreSQL service loads openssl.cnf from a non-existent directory writable by standard users, enabling arbitrary command execution with SYSTEM privileges. Rated CVSS 8.5 (High) with proof-of-concept exploitation status (E:P). EPSS data not yet available. Not currently listed in CISA KEV catalog, suggesting vendor-disclosed rather than observed in-the-wild exploitation at time of analysis.
Technical ContextAI
This vulnerability exploits a DLL search order hijacking variant through configuration file loading. The metasploitPostgreSQL service (which manages the embedded PostgreSQL database for Metasploit Pro) spawns postgres.exe under SYSTEM context. During initialization, the OpenSSL library attempts to load openssl.cnf from a path that does not exist but resides in a location where Windows standard users have write permissions (likely %PROGRAMDATA% or similar). Per CWE-829 (Inclusion of Functionality from Untrusted Control Sphere), the high-privilege process trusts content from an attacker-controllable location. By crafting an openssl.cnf with malicious directives (such as engine loading commands pointing to attacker DLLs or external scripts), the attacker converts service startup into arbitrary code execution. This affects Metasploit Pro installations on Windows where the PostgreSQL service component is deployed with default configurations. CPE identifier cpe:2.3:a:rapid7:metasploit_pro confirms the affected product namespace.
RemediationAI
Upgrade to the patched version of Metasploit Pro specified in Rapid7's security advisory at https://docs.rapid7.com/insight/metasploit-pro-release-notes/. The fix likely relocates OpenSSL configuration loading to a SYSTEM-only writable directory or explicitly specifies absolute paths with proper ACL verification. Until patching, implement defense-in-depth compensating controls: (1) Remove standard user write permissions from any directory in the OpenSSL configuration search path (use icacls or File Explorer security settings to set SYSTEM and Administrators-only write access on directories like C:\ProgramData\Rapid7 and subfolders-verify exact paths from process monitoring tools like Process Monitor). Side effect: may require administrative privileges for legitimate Metasploit Pro updates. (2) Restrict local logon rights to the Windows host running Metasploit Pro to only trusted administrators via Group Policy (Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Deny log on locally). Side effect: breaks shared workstation models. (3) Deploy application whitelisting (AppLocker or Windows Defender Application Control) to prevent execution of unauthorized DLLs/executables from user-writable locations. Side effect: requires careful policy tuning to avoid blocking legitimate Metasploit Pro operations. Validate post-patch by confirming postgres.exe no longer loads configuration from user-writable paths using Sysinternals Process Monitor with file system activity filtering.
More in PostgreSQL
View allPostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() improperl
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows re
Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.
PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allow
The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does not validate t
A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitra
In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_serve
## Summary An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query strin
Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remot
Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al
A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30498
GHSA-q6qj-wmmg-cc85