CVE-2026-7373

216.73.217.22

· Published 15/05/2026 03:16 · Modified 15/05/2026 14:11

Labels: CVE-2026-7373 2026-05-15 CVE-2026-7373 CWE-284 [email protected]

Essential information

Published: 15/05/2026 03:16
Modified: 15/05/2026 14:11
Author: —
Creator: —
CVSS: 8.5 HIGH (v3) 8.5 HIGH (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

Rapid7 Metasploit Pro is vulnerable to a local privilege escalation attack that allows users to gain SYSTEM level control of a Windows host. Upon startup the metasploitPostgreSQL service the subsequent postgres.exe service attempts to load an OpenSSL configuration file from a non-existent directory that is writable by standard users. By planting a crafted openssl.cnf file an attacker can trick the high-privilege service into executing arbitrary commands. This effectively permits an unprivileged user to bypass security controls and achieve a full host compromise under the agent's SYSTEM level access.

NVD status

Status: Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
rapid7 / metasploit pro	`cpe:2.3:a:rapid7:metasploit_pro::::::::`