Emmett Kelly

**Name of the Vulnerable Software and Affected Versions** Rapid7 Nexpose and InsightVM versions prior to 6.6.172 **Description** The issue is related to the failure of Rapid7 Nexpose and InsightVM to reliably validate the authenticity of update contents. This could allow an attacker to provide a malicious update, altering the functionality of Rapid7 Nexpose. The attacker would need a pre-existing mechanism to provide a malicious update, such as through social engineering, privileged access to replace downloaded updates in transit, or by performing an Attacker-in-the-Middle attack on the update service itself. **Recommendations** For versions prior to 6.6.172, update to version 6.6.172 or later to resolve the issue. As a temporary workaround, consider restricting access to the update service to minimize the risk of exploitation. Avoid using unverified update sources until the issue is resolved.