Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Authenticated plugin user (PR:L) sends a crafted expression over the network (AV:N/AC:L); arbitrary write gives high integrity and low availability impact with no disclosure (C:N).
Primary rating from Vendor (rapid7).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
5DescriptionNVD
Arbitrary File Write vulnerability in Rapid7 InsightConnect Sed Plugin on Linux allows authenticated attackers to write attacker-controlled content to arbitrary file paths via the expression parameter.
AnalysisAI
Arbitrary file write in the Rapid7 InsightConnect Sed Plugin on Linux lets an authenticated attacker supply a crafted expression parameter to write attacker-controlled content to any filesystem path the plugin process can reach. The flaw (CWE-22 path traversal) carries a CVSS 7.1 with high integrity impact and there is no public exploit identified at time of analysis, but it is dangerous because arbitrary writes can be leveraged toward code execution or configuration tampering within the SOAR plugin runtime.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires authenticated, low-privileged access to the Rapid7 InsightConnect platform (CVSS PR:L) and the ability to invoke the Sed plugin and control its 'expression' parameter - that parameter is the exact injection point used to specify the traversal/output path. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L) describes a network-reachable, low-complexity attack requiring low privileges and no user interaction, with high integrity impact, low availability impact, and no confidentiality impact - consistent with an arbitrary file write rather than direct data disclosure. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with low-privileged authenticated access to the InsightConnect platform configures or triggers a Sed plugin action and supplies an expression parameter containing path-traversal sequences pointing outside the intended output directory. Because attack complexity is low and no user interaction is required, the plugin writes attacker-controlled content to a sensitive location (for example a script, cron, or configuration file), which can then be leveraged toward code execution. … |
| Remediation | Update the InsightConnect Sed Plugin to the latest version published on the Rapid7 extension marketplace (https://extensions.rapid7.com/extension/sed) and review the vendor advisory there for the specific patched plugin build; a precise fixed version is not stated in the available data, so confirm the corrected release directly with Rapid7. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all InsightConnect deployments running the Sed Plugin; audit and document which users have access to the plugin. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Insightconnect Sed Plugin
View allOS command injection in the Rapid7 InsightConnect Sed Plugin on Linux lets an authenticated operator inject arbitrary sh
Arbitrary file read in Rapid7's InsightConnect Sed Plugin on Linux exposes sensitive host filesystem contents to authent
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39154
GHSA-9723-5cpr-v9rm