LOW · CVE-2019-5642 · CVSS 3.3

CVE-2019-5642: Information Disclosure in Metasploit Pro

Platform

other

Component

metasploit-pro

Fixed in

4.16.1

AI Confidence: high · NVD · EPSS 0.1% · Reviewed: May 2026

CVE-2019-5642 describes an information disclosure vulnerability affecting Rapid7 Metasploit Pro versions up to 4.16.0-2019081901. This vulnerability stems from the insecure storage of the server.key file, which is written to the file system with world-readable permissions. Exploitation could allow unauthorized access to sensitive communications intended for the Metasploit Pro web interface.

Impact and Attack Scenarios

The primary impact of CVE-2019-5642 is the potential for unauthorized interception of communications between the Metasploit Pro client and server. An attacker with access to the same system where Metasploit Pro is installed could read the server.key file and use it to decrypt and view sensitive data transmitted over the web interface. This could include credentials, session tokens, and other confidential information. While the CVSS score is LOW, the potential for data exposure warrants prompt remediation, especially in environments where Metasploit Pro is used to manage sensitive systems or conduct penetration testing activities.

Exploitation Context

CVE-2019-5642 was publicly disclosed on November 6, 2019. There is no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) code has been widely released. The vulnerability is not listed on the CISA KEV catalog.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: Low

EPSS

0.10% (26th percentile)

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (base score 3.3, LOW)
What do these metrics mean?
Attack Vector
Local — attacker needs a local shell or interactive session on the system.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
Low — partial or indirect data access. Attacker gains limited information.
Integrity
None — no integrity impact. Attacker cannot modify data.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Component: metasploit-pro
Vendor: Rapid7
Affected range: unspecified – 4.16.0-2019081901
Fixed in: 4.16.1

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2019-5642 is to upgrade Metasploit Pro to version 4.16.0-2019091001 or later, which addresses the insecure file permissions. If an immediate upgrade is not feasible, consider restricting access to the system where Metasploit Pro is installed to only authorized personnel. Additionally, review file system permissions on existing Metasploit Pro installations to ensure the server.key file is not world-readable. After upgrading, verify the fix by confirming the server.key file has restricted permissions (e.g., only readable by the Metasploit Pro user).
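The verification step above (confirm that server.key is not world-readable) can be scripted. The following POSIX shell snippet is an added example, not code from the advisory or from Rapid7: it reads the symbolic mode from `ls -ld`, reports whether "others" hold the read bit, and restricts the file to its owner when they do. The key path is a placeholder assumption (override it with the `METASPLOIT_SERVER_KEY` environment variable); the advisory does not state where Metasploit Pro stores the file.

```shell
#!/bin/sh
# Added example (not from the advisory or from Rapid7): check whether a private
# key file is world-readable and, if so, restrict it to its owner.
# The path below is a placeholder assumption, not the product's real location.
KEY_PATH="${METASPLOIT_SERVER_KEY:-/opt/metasploit/placeholder/server.key}"

# Returns 0 if "others" have the read bit, 1 if not, 2 if the file is missing.
# Parses the symbolic mode from ls -ld, which is portable across GNU and BSD:
# positions 2-4 are owner, 5-7 group, 8-10 others; position 8 is others' read.
is_world_readable() {
  perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
  [ -n "$perms" ] || return 2
  case "$(printf '%s' "$perms" | cut -c8)" in
    r) return 0 ;;
    *) return 1 ;;
  esac
}

# Owner read/write only; group and others lose all access.
harden_key_file() {
  chmod 600 "$1"
}

# Prints a one-line verdict. Returns 0 when already restricted, 1 when
# world-readable, 2 when the file does not exist.
report_key_file() {
  is_world_readable "$1" && { echo "FAIL: $1 is world-readable"; return 1; }
  rc=$?
  if [ "$rc" -eq 2 ]; then
    echo "SKIP: $1 not found"
    return 2
  fi
  echo "OK: $1 is not world-readable"
  return 0
}

# Only act when the (placeholder) path really exists on this host.
if [ -e "$KEY_PATH" ]; then
  if ! report_key_file "$KEY_PATH"; then
    harden_key_file "$KEY_PATH"
    report_key_file "$KEY_PATH"
  fi
fi
```

Run it as the user that owns the key (or root) after upgrading; a `FAIL` line followed by an `OK` line means the permissions were corrected, and a single `OK` line means the installation was already in the expected state. The check deliberately looks only at the "others" read bit, which is the condition the advisory describes; group access is left to local policy.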

How to fix

Update Metasploit Pro to version 4.16.0-2019091001 or later. This corrects the permissions of the server.key file and prevents unauthorized access to web communications.


Frequently asked questions

What is CVE-2019-5642 — Information Disclosure in Metasploit Pro?

CVE-2019-5642 is a LOW severity vulnerability in Metasploit Pro where the server.key file is stored with world-readable permissions, potentially allowing unauthorized access to communications.

Am I affected by CVE-2019-5642 in Metasploit Pro?

You are affected if you are using Metasploit Pro versions 4.16.0-2019081901 or earlier. Upgrade to mitigate the risk.

How do I fix CVE-2019-5642 in Metasploit Pro?

Upgrade Metasploit Pro to version 4.16.0-2019091001 or later. Also, review file system permissions to ensure the server.key file is not world-readable.

Is CVE-2019-5642 being actively exploited?

There is no current evidence of active exploitation campaigns targeting CVE-2019-5642.

Where can I find the official Rapid7 advisory for CVE-2019-5642?

Refer to the Rapid7 security advisory for details: https://www.rapid7.com/blog/post/2019/11/06/metasploit-pro-security-update/
