Cyber Resilience

CVE-2026-7373

Severity: High · Type: LPE (local privilege escalation)

Published: 15 May 2026
Modified: 19 May 2026
CVSS v4.0 score: 8.5 (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0017 (6.7th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-7373 is a high-severity Improper Access Control (CWE-284) vulnerability in Rapid7 Metasploit Pro (inferred from references). Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 6.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Vulnerability details

Rapid7 Metasploit Pro is vulnerable to a local privilege escalation attack that allows a user to gain SYSTEM level control of a Windows host. When started, the metasploitPostgreSQL service would start the postgres.exe child process, which would in turn load an OpenSSL configuration file from a static location. This static location would be writable by a pre-existing "vagrant" user, if one already existed on the system. Metasploit does not create local accounts; an Administrator would need to create it. By planting a crafted openssl.cnf file, an attacker can trick the high-privilege service into executing arbitrary commands. This effectively permits the unprivileged vagrant user to bypass security controls and achieve a full host compromise under the agent's SYSTEM level access.
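As an added defensive check (not part of the advisory and not Rapid7's own tooling), the PowerShell function below lists ACL entries on a given file and on its parent directory that grant write-type rights to principals other than SYSTEM, Administrators and TrustedInstaller. The weakness described above is exactly such an entry on the configuration location loaded by a SYSTEM service, so an empty result is what an administrator wants to see. The configuration path is a placeholder, since the advisory text does not give the static location; the trusted-principal list and the rights mask are assumptions chosen for illustration.

```powershell
# Added example, not part of the advisory: audit a configuration file path
# (and its parent directory) for write access granted to principals other
# than SYSTEM, Administrators and TrustedInstaller. Run from an elevated
# PowerShell prompt on the Windows host. The path argument is a placeholder;
# substitute the OpenSSL configuration location used by the affected install.
function Get-NonPrivilegedWriteAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    # Rights that would let a principal replace or alter the file (assumed mask).
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl -bor
                 [System.Security.AccessControl.FileSystemRights]::WriteData -bor
                 [System.Security.AccessControl.FileSystemRights]::Delete

    # Principals expected to hold write access on a SYSTEM service's files (assumed list).
    $trusted = @(
        'NT AUTHORITY\SYSTEM',
        'BUILTIN\Administrators',
        'NT SERVICE\TrustedInstaller'
    )

    # Check the file itself and the directory containing it: write access on the
    # directory is enough to drop a replacement file there.
    $targets = @($Path)
    $parent = Split-Path -Path $Path -Parent
    if ($parent) { $targets += $parent }

    foreach ($target in $targets) {
        if (-not (Test-Path -LiteralPath $target)) {
            Write-Warning "Not found: $target"
            continue
        }
        $acl = Get-Acl -LiteralPath $target
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($trusted -contains $ace.IdentityReference.Value) { continue }
            if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }
            # Emit one record per risky entry; an empty result means no finding.
            [pscustomobject]@{
                Path      = $target
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage (placeholder path; replace with the real location from the vendor's fix notes):
# Get-NonPrivilegedWriteAccess -Path 'C:\PLACEHOLDER\openssl.cnf' | Format-Table -AutoSize
#
# Confirm which account the service named in the advisory runs under:
# (Get-CimInstance Win32_Service -Filter "Name='metasploitPostgreSQL'").StartName
```

Any row returned for a local user or a broad group such as BUILTIN\Users is a finding to remediate by tightening the DACL (or applying the vendor patch), and the same function can be pointed at any other file a privileged service reads at start-up.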

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1574.008 Path Interception by Search Order Hijacking (Stealth): Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs.
Why these techniques?

Local privilege escalation via an uncontrolled search path for the OpenSSL configuration file (CWE-427) maps directly to Exploitation for Privilege Escalation (T1068) and Path Interception by Search Order Hijacking (T1574.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

Rapid7
Metasploit Pro
Inferred from references and description; NVD did not file a CPE for this CVE.

Mitigating Controls

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-284 CWE-829

This control establishes and enforces policies that restrict which users can install software and what software is permitted.

addresses: CWE-284 CWE-829

Approving, controlling, and monitoring maintenance tool use directly enforces authorization and access restrictions over privileged maintenance functions.

addresses: CWE-284 CWE-829

This control enforces ownership-based restrictions on portable storage device use, directly implementing access control over media insertion into organizational systems.

addresses: CWE-284 CWE-829

Implements authorization checks and policies that prevent unauthorized software installation.

addresses: CWE-284 CWE-829

Requiring external providers to implement and be monitored against organizational access-control requirements directly reduces the likelihood of improper access control across trust boundaries.

addresses: CWE-829 CWE-284

The control directly mandates assessment and mitigation of risks from external suppliers, reducing inclusion of functionality from untrusted control spheres.

addresses: CWE-284

The access control policy and procedures directly mandate and enforce proper access control mechanisms across the organization.

addresses: CWE-284

Device lock enforces restricted access until re-authentication, directly reducing unauthorized use of active sessions.

References