On August 7, my compatriots here at Rapid7 released version 5.7.3 of Nexpose, which, among other feature enhancements, patched a post-authentication vulnerability in the Nexpose console in versions 5.7.2 and likely earlier. The issue in particular was reported by a Rapid7 partner, Infigo IS. In addition to being a Rapid7 reseller, Infigo also performs contract penetration testing. During the course of an assessment, researcher Drazen Popvic discovered an XXE vulnerability in our product.

Interestingly, at nearly the same time, Rapid7 software engineer and Metasploit contributor Brandon Perry had also discovered the same XXE bug, albeit over a different vector. The Nexpose team worked closely with both reporters to validate their findings, and ultimately issued a patch about three weeks after Infigo's notification.

Because a Metasploit contributor was involved, it was natural to express the vulnerability as a Metasploit module -- this is being landed in the Metasploit GitHub source repository as the Nexpose XXE Arbitrary File Read module.

I'd like to take a moment to thank both Infigo and Brandon for using processes very similar to our own Disclosure Policy, and helping us to make Nexpose a better product overall. As always, if you have noticed a security issue with Nexpose, Metasploit, or any other Rapid7 product or service, please feel free to use our PGP key and write to security@rapid7.com so we can protect our users, and by extension, their network constituencies. After all, we try to practice what we preach about open and honest reasonable vulnerability disclosure.