CVE-2019-5624

HIGH

Rapid7 Metasploit < 4.14.0 - Path Traversal and Arbitrary Code Execution via Zip Import Function

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-5624. PoCs published by VoidSec.

AI-analyzed exploit summary: This PoC exploits CVE-2019-5624, a Zip Slip vulnerability in Rubyzip, leading to remote command execution in Metasploit versions < 5.0.18. It leverages path traversal in ZIP extraction to place a malicious cron job, resulting in a reverse shell.

Description

Rapid7 Metasploit Framework suffers from an instance of CWE-22, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in the Zip import function of Metasploit. Exploiting this vulnerability can allow an attacker to execute arbitrary code in Metasploit at the privilege level of the user running Metasploit. This issue affects: Rapid7 Metasploit Framework version 4.14.0 and prior versions.

Exploits (1)

nomisec · WORKING POC · 13 stars
by VoidSec · PoC
https://github.com/VoidSec/CVE-2019-5624


Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Metasploit < 5.0.18
Auth required: yes
Prerequisites: Access to Metasploit Web Interface · Ability to upload a malicious ZIP file · Network connectivity for reverse shell
Analyzed by devstral-2 on Feb 16, 2026

References (3)

Core References (3)

https://github.com/rapid7/metasploit-framework/pull/11716 (Exploit, Patch, Third Party Advisory; x_refsource_confirm)
https://help.rapid7.com/metasploit/release-notes/archive/2019/04/#20190416 (Release Notes, Vendor Advisory; x_refsource_confirm)
https://blog.doyensec.com/2019/04/24/rubyzip-bug.html (Exploit, Third Party Advisory; x_refsource_misc)

Scores

CVSS v3: 7.3
EPSS: 0.0276
EPSS Percentile: 84.3%
Attack Vector: LOCAL
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Details

CWE: CWE-22
Status: published
Products (1): rapid7/metasploit < 4.14.0
Published: Apr 30, 2019
Tracked Since: Feb 18, 2026