CVE-2026-7373 – Metasploit Pro on Windows: Local Privilege Escalation via OpenSSL Configuration File Loading

CVE ID :CVE-2026-7373

Published : May 15, 2026, 3:16 a.m. | 1 hour, 41 minutes ago

Description :Rapid7 Metasploit Pro is vulnerable to a local privilege escalation attack that allows users to gain SYSTEM level control of a Windows host. Upon startup the metasploitPostgreSQL service the subsequent postgres.exe service attempts to load an OpenSSL configuration file from a non-existent directory that is writable by standard users. By planting a crafted openssl.cnf file an attacker can trick the high-privilege service into executing arbitrary commands. This effectively permits an unprivileged user to bypass security controls and achieve a full host compromise under the agent’s SYSTEM level access.

Severity: 8.5 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…