Rapid7 Metasploit Pro 5.0.0 contains a local privilege escalation vulnerability (CVE-2026-7373) due to the metasploitPostgreSQL service loading an OpenSSL configuration file from a non-existent directory writable by standard users. By planting a malicious openssl.cnf file, an attacker can cause the postgres.exe service running with SYSTEM privileges to execute arbitrary commands. This results in an unprivileged user gaining SYSTEM level control over the Windows host. The vulnerability is classified under CWE-829 (Inclusion of Functionality from Untrusted Control Sphere), CWE-427 (Uncontrolled Search Path Element), and CWE-284 (Improper Access Control). The CVSS 4.0 base score is 8.5 (high severity), reflecting the local attack vector but high impact on confidentiality, integrity, and availability. No official fix or patch has been disclosed, and no known exploits are reported in the wild.

An unprivileged local user can exploit this vulnerability to execute arbitrary commands with SYSTEM privileges on the affected Windows host, effectively gaining full control over the system. This bypasses normal security controls and can lead to complete host compromise. The impact affects confidentiality, integrity, and availability of the system. There are no reports of active exploitation in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or patch has been published by Rapid7, users should monitor Rapid7 advisories for updates. Until a patch is available, restricting local user access to the affected system and ensuring that the directory where the OpenSSL configuration file is loaded is not writable by unprivileged users may reduce risk. Avoid running Metasploit Pro services with unnecessary privileges where possible.