Local Privilege Escalation Vulnerability in Rapid7 Metasploit Pro
CVE-2026-7373

8.5 HIGH

Key Information:

Vendor: Rapid7

CVE Published: 15 May 2026

What is CVE-2026-7373?

A local privilege escalation vulnerability exists in Rapid7 Metasploit Pro that allows unprivileged users to execute arbitrary commands with SYSTEM-level access on Windows hosts. The issue arises because the metasploitPostgreSQL service attempts to load an OpenSSL configuration file from a directory that does not exist and that unprivileged users can create. By placing a malicious openssl.cnf file in that directory, an attacker can cause the high-privilege service to execute their commands, potentially leading to full host compromise.
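The precondition described above (a missing configuration directory whose nearest existing parent is writable by low-privilege accounts) can be audited on a host before the vendor fix is applied. The following PowerShell check is an added example, not Rapid7's code or anything from the advisory; the openssl.cnf path it takes is a placeholder, since the page does not state the actual path, and the list of low-privilege principals is an assumption.

```powershell
# Added example (not from the advisory). Reports whether the openssl.cnf
# directory is missing and whether a low-privilege principal could create it.
param(
    # Placeholder: replace with the path the service actually resolves.
    [string]$ConfigPath = 'C:\PLACEHOLDER\openssl\openssl.cnf'
)

# Assumed set of principals that any local unprivileged user belongs to.
$lowPrivPrincipals = @(
    'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
    'Everyone', 'NT AUTHORITY\INTERACTIVE'
)

# Walk up from a non-existent path to the first directory that does exist.
function Get-NearestExistingAncestor([string]$Path) {
    $p = $Path
    while ($p -and -not (Test-Path -LiteralPath $p)) {
        $p = Split-Path -Parent $p
    }
    return $p
}

# Return the Allow ACEs on $Dir that give low-privilege principals the
# right to create files or subdirectories (the right the attack needs).
function Get-LowPrivWriteAces([string]$Dir) {
    $acl = Get-Acl -LiteralPath $Dir
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $rights = $ace.FileSystemRights.ToString()
        if ($rights -match 'FullControl|Modify|\bWrite\b|CreateDirectories|CreateFiles|AppendData') {
            "$($ace.IdentityReference.Value) : $rights"
        }
    }
}

$dir = Split-Path -Parent $ConfigPath
if (Test-Path -LiteralPath $ConfigPath) {
    Write-Output "NOTE: '$ConfigPath' already exists; verify its owner and contents."
}
$ancestor = Get-NearestExistingAncestor $dir
$hits = @(Get-LowPrivWriteAces $ancestor)
if (-not (Test-Path -LiteralPath $dir) -and $hits.Count -gt 0) {
    Write-Output "AT RISK: '$dir' is missing and '$ancestor' grants create/write rights to:"
    $hits | ForEach-Object { Write-Output "  $_" }
    Write-Output "Mitigation: pre-create '$dir' owned by Administrators with no write access for Users, then apply the vendor fix."
} else {
    Write-Output "OK: no low-privilege write path to '$dir' (checked '$ancestor')."
}
```

Run it in an elevated PowerShell session so Get-Acl can read the ACL of every ancestor directory.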

Affected Version(s)

Metasploit Pro Windows 5.0.0

CVSS v4

Score: 8.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: Low
Attack Vector: Local
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Andrea Intilangelo