CVE-2026-7373
Published: 15 May 2026
Summary
CVE-2026-7373 is a high-severity Improper Access Control (CWE-284) vulnerability in Rapid7 Metasploit Pro (inferred from references). Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 6.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-30498
Vulnerability details
Rapid7 Metasploit Pro is vulnerable to a local privilege escalation attack that allows a user to gain SYSTEM level control of a Windows host. When started, the metasploitPostgreSQL service would start the postgres.exe child process, which would in turn load an OpenSSL configuration file from a static location. This static location would be writable by a pre-existing "vagrant" user, if one already existed on the system. Metasploit does not create local accounts; an Administrator would need to create it. By planting a crafted openssl.cnf file, an attacker can trick the high-privilege service into executing arbitrary commands. This effectively permits the unprivileged vagrant user to bypass security controls and achieve a full host compromise under the agent's SYSTEM level access.
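As an added defensive check (not from the advisory or from Rapid7), the following PowerShell script audits the weakness described above: given the path a SYSTEM service loads its OpenSSL configuration from, it lists ACL entries that let non-administrative principals (a local "vagrant" account, BUILTIN\Users, Authenticated Users, and so on) write the file or the nearest existing parent directory. The configuration path is an assumed placeholder, because the advisory does not name the static location; the trusted SID list is likewise an assumption to adjust per host.

```powershell
# Audit whether the OpenSSL config location a privileged service loads is writable by non-admin principals.
# $ConfigPath is a PLACEHOLDER (assumption): substitute the real static location used on the host.
param(
    [string]$ConfigPath = 'C:\PLACEHOLDER\openssl.cnf'
)

# Principals that may legitimately hold write rights on a service's configuration (assumed baseline).
$TrustedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544'   # BUILTIN\Administrators
)

# Any of these rights lets a caller replace, alter or re-own the config (or create it if absent).
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Get-UntrustedWriters {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        # Compare by SID so renamed or localized group names are handled consistently.
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $ace.IdentityReference.Value }
        if ($TrustedSids -notcontains $sid) {
            [pscustomobject]@{ Path = $Path; Identity = $ace.IdentityReference.Value
                               Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
        }
    }
}

# Audit the file itself (if present) and the nearest existing ancestor directory: write access on the
# directory is enough to plant or swap the file even when the file does not exist yet.
$targets = New-Object System.Collections.Generic.List[string]
if (Test-Path -LiteralPath $ConfigPath -PathType Leaf) { $targets.Add($ConfigPath) }
$dir = Split-Path -Parent $ConfigPath
while ($dir -and -not (Test-Path -LiteralPath $dir)) { $dir = Split-Path -Parent $dir }
if ($dir) { $targets.Add($dir) }

$findings = $targets | ForEach-Object { Get-UntrustedWriters -Path $_ }
if ($findings) {
    Write-Warning 'Non-administrative principals can write to the OpenSSL config location:'
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No untrusted write access found on: $($targets -join ', ')"
}
```

Run it elevated so Get-Acl can read the DACL of service-owned directories; a finding here is the precondition the advisory describes, and the remediation is to restrict write access on the path to administrators and SYSTEM.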
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local privilege escalation via an uncontrolled search path for the OpenSSL configuration file (CWE-427) maps directly to Exploitation for Privilege Escalation and to execution-flow hijacking by path interception.
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- This control establishes and enforces policies that restrict which users can install software and what software is permitted.
- Approving, controlling, and monitoring maintenance tool use directly enforces authorization and access restrictions over privileged maintenance functions.
- This control enforces ownership-based restrictions on portable storage device use, directly implementing access control over media insertion into organizational systems.
- This control implements authorization checks and policies that prevent unauthorized software installation.
- Requiring external providers to implement, and be monitored against, organizational access-control requirements directly reduces the likelihood of improper access control across trust boundaries.
- The control directly mandates assessment and mitigation of risks from external suppliers, reducing the inclusion of functionality from untrusted control spheres.
- The access control policy and procedures directly mandate and enforce proper access control mechanisms across the organization.
- Device lock enforces restricted access until re-authentication, directly reducing unauthorized use of active sessions.