CVE-2020-7384

HIGH

Rapid7 Metasploit < 4.19.0 - Command Injection

Title source: rule

Description

Rapid7's Metasploit msfvenom framework handles APK files in a way that allows for a malicious user to craft and publish a file that would execute arbitrary commands on a victim's machine.

Exploits (4)

exploitdb WORKING POC

by Justin Steven · pythonlocalmultiple

https://www.exploit-db.com/exploits/49491

View Code ZIP pw:eip

nomisec WORKING POC 10 stars

by nikhil1232 · poc

https://github.com/nikhil1232/CVE-2020-7384

View Code ZIP pw:eip

nomisec WORKING POC

by CarsonShaffer · poc

https://github.com/CarsonShaffer/CVE-2020-7384

View Code ZIP pw:eip

metasploit WORKING POC EXCELLENT

by Justin Steven · rubypocunix

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection.rb

View Code ZIP pw:eip

References (3)

[Exploit, Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/160004/Rapid7-Metasploit-Framework-msfvenom-APK-Template-Command-Injection.html

[Exploit, Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/161200/Metasploit-Framework-6.0.11-Command-Injection.html

[Exploit, Patch, Third Party Advisory] https://github.com/rapid7/metasploit-framework/pull/14288

Scores

CVSS v3 7.0

EPSS 0.7009

EPSS Percentile 98.7%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE

CWE-77

Status published

Products (1)

rapid7/metasploit < 4.19.0

Published Oct 29, 2020

Tracked Since Feb 18, 2026