PatchSiren cyber security CVE debrief
CVE-2017-5235 Rapid7 CVE debrief
CVE-2017-5235 is a DLL preloading issue affecting Rapid7 Metasploit Pro installers. According to the CVE description, an attacker could place a malicious DLL in the installer’s current working directory and influence what the installer loads. NVD rates the issue HIGH with CVSS 3.0 7.8, reflecting the potential for local code execution when a user runs the installer. Rapid7’s advisory references a fixed installer release and the CVE record links to vendor mitigation guidance.
- Vendor: Rapid7
- Product: CVE-2017-5235
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-03-02
- Original CVE updated: 2026-05-13
- Advisory published: 2017-03-02
- Advisory updated: 2026-05-13
Who should care
Organizations and individuals who download, distribute, or install Rapid7 Metasploit Pro installers should care, especially where installers may be run from writable or untrusted directories. Endpoint and application deployment teams should also review whether installer staging processes could expose users to DLL search-order risks.
Technical summary
The weakness is classified as CWE-426 (Untrusted Search Path). In the described scenario, the installer may load a DLL from the current working directory rather than a trusted location, allowing a locally placed malicious library to be loaded during installation. The NVD record lists the vulnerable Metasploit product family and indicates affected versions up to a fixed release boundary, while the Rapid7 advisory provides mitigation context. The available corpus shows a version-boundary inconsistency between the CVE description and the NVD CPE entry, so version applicability should be verified against vendor guidance before making deployment decisions.
Defensive priority
High for any environment that still distributes or runs affected installers. The risk is most relevant during software installation on Windows systems where the working directory can be influenced or staged content is not trusted.
Recommended defensive actions
- Verify whether any Metasploit Pro installers in use are older than the fixed Rapid7 release referenced in the vendor advisory and replace them with the corrected version.
- Store installers in trusted, access-controlled directories and avoid running them from writable or user-controlled locations.
- Review software deployment workflows to ensure installers are launched from clean staging paths with restricted write permissions.
- If you manage endpoints, block or alert on execution of outdated installer packages and validate hashes or package provenance before distribution.
- Consult the Rapid7 advisory and the NVD record for the most current vendor guidance and applicability details.
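The staging and hash-validation actions above can be scripted. The following is an added example, not code from Rapid7 or from the CVE record: it lists DLLs sitting beside an installer, verifies the installer's SHA-256, and copies only the installer into a fresh directory. The file names, the expected hash, and the optional `root` staging location are assumptions; the sample files are constructed.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Optional

def sha256_of(path: Path) -> str:
    """Stream the file so large installers are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def colocated_dlls(installer: Path) -> list:
    """DLLs in the installer's own directory: candidates for an untrusted-search-path load."""
    return sorted(p.name for p in installer.parent.iterdir()
                  if p.is_file() and p.suffix.lower() == ".dll")

def stage_clean(installer: Path, expected_sha256: str, root: Optional[Path] = None) -> Path:
    """Verify the hash, then copy only the installer into a newly created directory.

    `root` (assumption) should be an access-controlled path in a real deployment;
    when omitted, the platform temp directory is used.
    """
    actual = sha256_of(installer)
    if actual != expected_sha256.lower():
        raise ValueError(f"hash mismatch for {installer.name}: {actual}")
    clean_dir = Path(tempfile.mkdtemp(prefix="installer-stage-", dir=root))
    staged = clean_dir / installer.name
    shutil.copy2(installer, staged)  # nothing else from the source folder is carried over
    return staged

def demo():
    # Constructed sample: a downloads folder with a stand-in installer and a stray DLL.
    downloads = Path(tempfile.mkdtemp(prefix="downloads-"))
    installer = downloads / "sample-installer.exe"
    installer.write_bytes(b"constructed installer bytes")
    (downloads / "Stray.DLL").write_bytes(b"constructed library bytes")
    # Stands in for a hash obtained from the vendor (assumption).
    expected = hashlib.sha256(b"constructed installer bytes").hexdigest()
    before = colocated_dlls(installer)
    staged = stage_clean(installer, expected)
    return before, colocated_dlls(staged)

if __name__ == "__main__":
    before, after = demo()
    print("DLLs beside installer in downloads folder:", before)
    print("DLLs beside installer after clean staging:", after)
```

Launch the staged copy with its own directory as the working directory, since the issue described concerns the installer's current working directory.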
Evidence notes
Evidence is drawn from the CVE record and NVD metadata supplied in the source corpus. The CVE description states that Rapid7 Metasploit Pro installers prior to version 4.13.0-2017022101 can load a malicious DLL from the current working directory. The NVD metadata classifies the weakness as CWE-426 and assigns CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The source corpus also includes a Rapid7 vendor advisory reference and a SecurityFocus BID reference. The NVD CPE version boundary shown in the corpus (4.13.0-2017012501) does not exactly match the prose description; this should be treated as a documentation inconsistency in the supplied sources, not resolved as fact here.
Official resources
- CVE-2017-5235 CVE record (CVE.org)
- CVE-2017-5235 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference ([email protected] - Third Party Advisory, VDB Entry)
- Mitigation or vendor reference ([email protected] - Mitigation, Vendor Advisory)
CVE published 2017-03-02T20:59:00.783Z. NVD record modified 2026-05-13T00:24:29.033Z. Treat these as record dates only; they do not indicate exploit activity or remediation timing beyond what is present in the supplied sources.