Rapid7 Metasploit Pro 5.0.0 contains a local privilege escalation vulnerability (CVE-2026-7373) due to insecure handling of an OpenSSL configuration file by the metasploitPostgreSQL service. The service launches a postgres.exe child process that loads the openssl.cnf file from a fixed location writable by a local user named 'vagrant'. Because Metasploit does not create this user, its presence depends on prior administrative action. An attacker with access to this 'vagrant' account can place a malicious openssl.cnf file, causing the high-privilege service to execute arbitrary commands as SYSTEM. This vulnerability is classified under CWE-829 (Inclusion of Functionality from Untrusted Control Sphere), CWE-427 (Uncontrolled Search Path Element), and CWE-284 (Improper Access Control). The CVSS 4.0 base score is 8.5, indicating high severity. No official patch or remediation guidance is currently available from the vendor.

Successful exploitation allows a local attacker with access to the 'vagrant' user account to escalate privileges to SYSTEM level on the affected Windows host. This results in full control over the host, bypassing security controls. The vulnerability requires the presence of the 'vagrant' user, which is not created by Metasploit but must be pre-existing. There are no known exploits in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, administrators should ensure that the 'vagrant' user does not exist on systems running Metasploit Pro 5.0.0 or restrict write permissions to the OpenSSL configuration file location used by the metasploitPostgreSQL service. Avoid running the service with unnecessary privileges and monitor for unauthorized local user accounts. Follow vendor updates closely for any forthcoming patches or official mitigations.