CVE-2020-7385

Name: CVE-2020-7385
Creator: NVD / NIST
Published: 2021-04-23T16:15:08.44+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 8.8/10EPSS 1.75%

Last modified Jun 17, 2026

CVE-2020-7385 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. By launching the drb_remote_codeexec exploit, a Metasploit Framework user will inadvertently expose Metasploit to the same deserialization issue that is exploited by that module, due to the reliance on the vulnerable Distributed Ruby class functions. Since Metasploit Framework typically runs with elevated privileges, this can lead to a system compromise on the Metasploit workstation. EPSS estimates a 1.75% chance of exploitation in the next 30 days.

Description

By launching the drb_remote_codeexec exploit, a Metasploit Framework user will inadvertently expose Metasploit to the same deserialization issue that is exploited by that module, due to the reliance on the vulnerable Distributed Ruby class functions. Since Metasploit Framework typically runs with elevated privileges, this can lead to a system compromise on the Metasploit workstation. Note that an attacker would have to lie in wait and entice the Metasploit user to run the affected module against a malicious endpoint in a "hack-back" type of attack. Metasploit is only vulnerable when the drb_remote_codeexec module is running. In most cases, this cannot happen automatically.

Metrics

CVSS 3.1

8.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Probability

1.75%

75.0th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Rapid7	Metasploit	< 4.19.0

References

https://github.com/rapid7/metasploit-framework/pull/14300Exploit, Patch, Third Party Advisory
https://github.com/rapid7/metasploit-framework/pull/14335Patch, Third Party Advisory
https://help.rapid7.com/metasploit/release-notes/archive/2020/10/Release Notes, Vendor Advisory
https://github.com/rapid7/metasploit-framework/pull/14300Exploit, Patch, Third Party Advisory
https://github.com/rapid7/metasploit-framework/pull/14335Patch, Third Party Advisory
https://help.rapid7.com/metasploit/release-notes/archive/2020/10/Release Notes, Vendor Advisory

Timeline

Published: Apr 23, 2021
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2020-7385?

How severe is CVE-2020-7385?

CVE-2020-7385 has a CVSS score of 8.8/10 (HIGH severity). The EPSS model estimates a 1.75% probability of exploitation in the next 30 days.

How do I fix CVE-2020-7385?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2020-7385?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST