Skip to main content

Metasploit Pro EUVDEUVD-2026-30498

| CVE-2026-7373 HIGH
Inclusion of Functionality from Untrusted Control Sphere (CWE-829)
2026-05-15 rapid7 GHSA-q6qj-wmmg-cc85
8.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
May 15, 2026 - 03:32 vuln.today
CVSS changed
May 15, 2026 - 03:22 NVD
8.5 (HIGH)
CVE Published
May 15, 2026 - 02:06 nvd
HIGH 8.5

DescriptionCVE.org

Rapid7 Metasploit Pro is vulnerable to a local privilege escalation attack that allows users to gain SYSTEM level control of a Windows host. Upon startup the metasploitPostgreSQL service the subsequent postgres.exe service attempts to load an OpenSSL configuration file from a non-existent directory that is writable by standard users. By planting a crafted openssl.cnf file an attacker can trick the high-privilege service into executing arbitrary commands. This effectively permits an unprivileged user to bypass security controls and achieve a full host compromise under the agent's SYSTEM level access.

AnalysisAI

Local privilege escalation in Rapid7 Metasploit Pro allows unprivileged Windows users to achieve SYSTEM-level execution via OpenSSL configuration file hijacking. The metasploitPostgreSQL service loads openssl.cnf from a non-existent directory writable by standard users, enabling arbitrary command execution with SYSTEM privileges. Rated CVSS 8.5 (High) with proof-of-concept exploitation status (E:P). EPSS data not yet available. Not currently listed in CISA KEV catalog, suggesting vendor-disclosed rather than observed in-the-wild exploitation at time of analysis.

Technical ContextAI

This vulnerability exploits a DLL search order hijacking variant through configuration file loading. The metasploitPostgreSQL service (which manages the embedded PostgreSQL database for Metasploit Pro) spawns postgres.exe under SYSTEM context. During initialization, the OpenSSL library attempts to load openssl.cnf from a path that does not exist but resides in a location where Windows standard users have write permissions (likely %PROGRAMDATA% or similar). Per CWE-829 (Inclusion of Functionality from Untrusted Control Sphere), the high-privilege process trusts content from an attacker-controllable location. By crafting an openssl.cnf with malicious directives (such as engine loading commands pointing to attacker DLLs or external scripts), the attacker converts service startup into arbitrary code execution. This affects Metasploit Pro installations on Windows where the PostgreSQL service component is deployed with default configurations. CPE identifier cpe:2.3:a:rapid7:metasploit_pro confirms the affected product namespace.

RemediationAI

Upgrade to the patched version of Metasploit Pro specified in Rapid7's security advisory at https://docs.rapid7.com/insight/metasploit-pro-release-notes/. The fix likely relocates OpenSSL configuration loading to a SYSTEM-only writable directory or explicitly specifies absolute paths with proper ACL verification. Until patching, implement defense-in-depth compensating controls: (1) Remove standard user write permissions from any directory in the OpenSSL configuration search path (use icacls or File Explorer security settings to set SYSTEM and Administrators-only write access on directories like C:\ProgramData\Rapid7 and subfolders-verify exact paths from process monitoring tools like Process Monitor). Side effect: may require administrative privileges for legitimate Metasploit Pro updates. (2) Restrict local logon rights to the Windows host running Metasploit Pro to only trusted administrators via Group Policy (Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Deny log on locally). Side effect: breaks shared workstation models. (3) Deploy application whitelisting (AppLocker or Windows Defender Application Control) to prevent execution of unauthorized DLLs/executables from user-writable locations. Side effect: requires careful policy tuning to avoid blocking legitimate Metasploit Pro operations. Validate post-patch by confirming postgres.exe no longer loads configuration from user-writable paths using Sysinternals Process Monitor with file system activity filtering.

CVE-2025-1094 HIGH POC
8.1 Feb 13

PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() improperl

CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2013-1899 MEDIUM POC
6.5 Apr 04

Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows re

CVE-2026-20253 CRITICAL POC
9.8 Jun 10

Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.

CVE-2017-7546 CRITICAL
9.8 Aug 16

PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allow

CVE-2015-1352 MEDIUM POC
5.0 Mar 30

The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does not validate t

CVE-2024-10553 CRITICAL POC
9.8 Mar 20

A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitra

CVE-2019-9193 HIGH POC
7.2 Apr 01

In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_serve

CVE-2026-40887 CRITICAL POC
9.1 Apr 14

## Summary An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query strin

CVE-2022-24760 CRITICAL POC
10.0 Mar 12

Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remot

CVE-2025-56157 CRITICAL POC
9.8 Dec 18

Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al

CVE-2024-12909 CRITICAL POC
9.8 Mar 20

A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for

Share

EUVD-2026-30498 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy