Skip to main content
CVE Vulnerability Database

CVE-2026-7373: Metasploit Pro Privilege Escalation Flaw

CVE-2026-7373 is a local privilege escalation vulnerability in Rapid7 Metasploit Pro allowing unprivileged users to gain SYSTEM-level control on Windows. This article covers technical details, attack vectors, and mitigation.

Published:

CVE-2026-7373 Overview

CVE-2026-7373 is a local privilege escalation vulnerability in Rapid7 Metasploit Pro on Windows. The metasploitPostgreSQL service launches the postgres.exe child process, which loads an OpenSSL configuration file (openssl.cnf) from a static location. That location is writable by a pre-existing vagrant user account, when present on the host. An attacker controlling the vagrant account can plant a malicious openssl.cnf file and coerce the SYSTEM-level service into executing arbitrary commands. The flaw maps to improper access control [CWE-284] and yields full host compromise from an unprivileged context.

Critical Impact

A low-privileged vagrant user can escalate to SYSTEM on Windows hosts running affected Metasploit Pro installations by planting a crafted openssl.cnf configuration file.

Affected Products

  • Rapid7 Metasploit Pro on Windows (versions prior to the fix shipped in Rapid7 Insight Release 5.0.0 / 2026-05-13)
  • Windows hosts where a vagrant local user account has been provisioned by an administrator
  • Deployments using the bundled metasploitPostgreSQL service and bundled OpenSSL/postgres.exe components

Discovery Timeline

  • 2026-05-15 - CVE-2026-7373 published to NVD
  • 2026-05-19 - Last updated in NVD database

Technical Details for CVE-2026-7373

Vulnerability Analysis

The vulnerability resides in how the metasploitPostgreSQL Windows service initializes its database engine. On startup, the service spawns postgres.exe under the SYSTEM account. That child process reads an OpenSSL configuration file from a fixed filesystem path. The directory containing the configuration file inherits permissions that allow the vagrant local user to write to it. Because OpenSSL configuration files support directives that load engine modules and dynamic providers, a writable configuration becomes a code execution primitive against any process that consumes it.

Metasploit does not create the vagrant account. An administrator must have provisioned it previously, which is common on systems used for development, virtualization labs, or CI infrastructure. Once present, the account inherits write access to the OpenSSL configuration path and can stage payloads ahead of the next service restart or reboot.

Root Cause

The root cause is insecure directory permissions on the static location holding openssl.cnf [CWE-284]. The installer or service configuration grants write access to a non-administrative principal whose privilege level does not match the SYSTEM context of the consuming process. This violates least-privilege boundaries between the unprivileged user and the high-privilege service.

Attack Vector

An attacker authenticated as the vagrant user writes a crafted openssl.cnf into the predictable path. The file declares an OpenSSL engine or provider directive referencing an attacker-controlled module. When the metasploitPostgreSQL service starts postgres.exe, OpenSSL parses the configuration and executes the referenced module under SYSTEM. The attacker triggers the load by waiting for a reboot, requesting a service restart, or invoking any operation that re-initializes the database engine. Refer to the Rapid7 Insight Release Notes 5.0.0 for vendor technical details.

Detection Methods for CVE-2026-7373

Indicators of Compromise

  • Presence of an openssl.cnf file in the Metasploit Pro OpenSSL configuration directory with a modification timestamp authored by a non-administrative user.
  • openssl.cnf containing unexpected engines, providers, dynamic_path, or init directives referencing user-writable DLL paths.
  • Child processes of postgres.exe running as SYSTEM that spawn cmd.exe, powershell.exe, or other interactive shells.
  • Existence of a local vagrant account on production hosts running Metasploit Pro.

Detection Strategies

  • Monitor file write events to the Metasploit OpenSSL configuration directory and alert when the writing principal is not SYSTEM or a local administrator.
  • Baseline postgres.exe process trees on Metasploit Pro hosts and flag any deviation, particularly child processes outside the database engine.
  • Audit local account inventories for the vagrant user on Windows servers that are not intended to host development tooling.

Monitoring Recommendations

  • Enable Windows Security event auditing for object access on the OpenSSL configuration directory and forward events to a centralized log platform.
  • Track service restart events for metasploitPostgreSQL and correlate them with prior file writes by non-privileged users.
  • Hunt for newly created DLLs in directories referenced by openssl.cnf engine and provider sections.

How to Mitigate CVE-2026-7373

Immediate Actions Required

  • Upgrade Metasploit Pro to the release distributed in Rapid7 Insight 5.0.0 (build 2026051301) or later.
  • Remove or disable any non-essential local vagrant accounts on hosts running Metasploit Pro.
  • Restrict NTFS permissions on the OpenSSL configuration directory so that only SYSTEM and the local Administrators group hold write access.
  • Restart the metasploitPostgreSQL service after applying permission changes to ensure the configuration is reloaded from a trusted state.

Patch Information

Rapid7 addressed the issue in the Metasploit Pro update shipped with Insight Release 5.0.0 on 2026-05-13. Review the Rapid7 Insight Release Notes 5.0.0 for the corrected component version and installation instructions. The fix removes the writable permission on the OpenSSL configuration path consumed by postgres.exe.

Workarounds

  • Manually tighten ACLs on the OpenSSL configuration directory using icacls to deny write access to interactive users including vagrant.
  • Replace the existing openssl.cnf with a hardened, read-only file owned by SYSTEM until the patch can be deployed.
  • Stop and disable the metasploitPostgreSQL service on hosts that do not require active Metasploit Pro database functionality.
bash
# Configuration example: restrict write access to the OpenSSL config directory
icacls "C:\metasploit-framework\common\ssl" /inheritance:r
icacls "C:\metasploit-framework\common\ssl" /grant:r "SYSTEM:(OI)(CI)F" "BUILTIN\Administrators:(OI)(CI)F"
icacls "C:\metasploit-framework\common\ssl" /remove "vagrant" "Users" "Authenticated Users"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.