PatchSiren

CVE-2017-5228 Rapid7 CVE debrief

CVE-2017-5228 is a directory traversal flaw in Rapid7 Metasploit's Meterpreter stdapi Dir.download() function. Per the CVE description, an attacker using a specially crafted Meterpreter build can write to an arbitrary directory on the Metasploit console with the permissions of the running Metasploit instance. The issue was published on 2017-03-02 and carries a HIGH severity rating. Defensive focus should be on verifying the exact installed Metasploit build and applying the vendor-fixed release path noted in the source material.

Vendor: Rapid7
Product: CVE-2017-5228
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-02
Original CVE updated: 2026-05-13
Advisory published: 2017-03-02
Advisory updated: 2026-05-13

Who should care

Teams operating Rapid7 Metasploit consoles, red-team platforms, security labs, and any environment that accepts Meterpreter artifacts or uses Metasploit in multi-user or automated workflows. Administrators should also care if console integrity, plugin directories, or local file permissions are security boundaries.

Technical summary

The weakness is classified as CWE-22 (path traversal). The vulnerable behavior is in Meterpreter's stdapi Dir.download() implementation, where crafted input can traverse directories and cause writes outside the intended location. NVD records CVSS 3.0 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L, indicating that exploitation is network-reachable but requires high attack complexity and user interaction. The CVE description states that a specially crafted Meterpreter build is needed, and the impact is arbitrary directory write within the privileges of the Metasploit process.
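
The containment check that this class of flaw (CWE-22 in a directory download) calls for on the receiving side, written in Ruby as an added example; it is not from the advisory, not Metasploit code, and not Rapid7's fix. The names confined_target, UnsafeEntryName and demo_results, and all sample entry names, are hypothetical and constructed for illustration.

```ruby
require 'fileutils'
require 'tmpdir'

# Hypothetical helper, not Metasploit code: map a peer-supplied entry name
# onto the local destination directory, refusing anything that lands outside.
class UnsafeEntryName < StandardError; end

def confined_target(dest_root, entry_name)
  name = entry_name.to_s
  raise UnsafeEntryName, 'empty or NUL in name' if name.empty? || name.include?("\0")

  # The sending host may be Windows, so treat "\" as a separator too.
  norm = name.tr('\\', '/')
  raise UnsafeEntryName, "absolute: #{name}" if norm.start_with?('/') || norm.match?(/\A[A-Za-z]:/)

  root = File.realpath(dest_root)
  target = File.expand_path(norm, root) # collapses "." and ".." lexically
  inside = ->(p) { p == root || p.start_with?(root + File::SEPARATOR) }
  raise UnsafeEntryName, "escapes root: #{name}" unless target != root && inside.call(target)

  # Resolve the deepest existing component so a symlink already present
  # under root cannot redirect the write elsewhere.
  probe = target
  probe = File.dirname(probe) until File.exist?(probe) || File.symlink?(probe)
  raise UnsafeEntryName, "symlink escape: #{name}" unless inside.call(File.realpath(probe))

  target
rescue Errno::ENOENT, Errno::ELOOP
  raise UnsafeEntryName, "unresolvable component: #{entry_name}"
end

# Constructed sample names, checked against a throwaway directory tree.
def demo_results
  Dir.mktmpdir('cwe22') do |dir|
    root = File.join(File.realpath(dir), 'loot')
    FileUtils.mkdir_p([File.join(root, 'sub'), File.join(dir, 'outside')])
    File.symlink(File.join(dir, 'outside'), File.join(root, 'link'))
    names = ['sub/notes.txt', 'sub/../ok.txt', '../outside/x.txt',
             '..\\..\\x.txt', '/abs/x.txt', 'C:\\x.txt', 'link/x.txt']
    names.to_h do |n|
      [n, confined_target(root, n).delete_prefix(root)]
    rescue UnsafeEntryName
      [n, :rejected]
    end
  end
end

demo_results.each { |name, verdict| puts "#{name.ljust(18)} #{verdict}" } if $PROGRAM_NAME == __FILE__
```

The prefix comparison includes the trailing separator so that a sibling directory whose name merely starts with the root's name does not pass, and the symlink step covers the case where the lexical path looks contained but a link under the root points elsewhere.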

Defensive priority

High. Although the attack requires user interaction and a specially crafted Meterpreter build, the impact includes arbitrary file writes under the Metasploit process account, which can threaten console integrity and adjacent tooling.

Recommended defensive actions

  • Confirm the installed Metasploit version and compare it against Rapid7's advisory before remediation planning.
  • Upgrade to the fixed Rapid7 Metasploit release referenced in the CVE description (4.13.0-2017020701) or a later vendor-confirmed non-vulnerable build.
  • Restrict who can introduce or load Meterpreter artifacts into Metasploit workflows.
  • Review file-system permissions for the Metasploit process so a compromise has the least possible write scope.
  • Monitor for unexpected directory creation, file replacement, or modification under Metasploit-managed paths.
  • If you cannot upgrade immediately, isolate Metasploit instances from sensitive file paths and from multi-user environments where untrusted inputs may be introduced.

Evidence notes

Evidence is limited to the supplied CVE record, the NVD source item, and the referenced official vendor and CVE links. The source corpus contains a version-scoping inconsistency: the CVE description says the issue exists prior to 4.13.0-2017020701, while the NVD CPE data marks Metasploit vulnerable through 4.13.19. Because of that discrepancy, version-specific remediation should be validated against the Rapid7 advisory and the official NVD detail page before rollout. No exploitation steps or unsupported impact claims are included.

Official resources

Publicly disclosed on 2017-03-02 per the CVE record; this debrief uses that published date for timing context.