CVE-2025-6264
June 20, 2025
Velociraptor allows collection of VQL queries packaged into Artifacts from endpoints. These artifacts can be used to do anything and usually run with elevated permissions. To limit access to some dangerous artifact, Velociraptor allows for those to require high permissions like EXECVE to launch.
The Admin.Client.UpdateClientConfig is an artifact used to update the client's configuration. This artifact did not enforce an additional required permission, allowing users with COLLECT_CLIENT permissions (normally given by the "Investigator" role) to collect it from endpoints and update the configuration.
This can lead to arbitrary command execution and endpoint takeover.
To successfully exploit this vulnerability the user must already have access to collect artifacts from the endpoint (i.e. have the COLLECT_CLIENT given typically by the "Investigator' role).
Affected Packages
https://github.com/Velocidex/velociraptor.git (GITHUB):
Affected version(s) >=v0.1 <v0.74.3Fix Suggestion:
Update to version v0.74.3Additional Notes
The description of this vulnerability differs from MITRE.
Related Resources (11)
Do you need more information?
Contact UsCVSS v4
Base Score:
2.1
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
HIGH
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
LOW
Subsequent System Confidentiality
LOW
Subsequent System Integrity
LOW
Subsequent System Availability
LOW
Exploit Maturity
ATTACKED
CVSS v3
Base Score:
5.5
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality
LOW
Integrity
LOW
Availability
LOW
Exploit Maturity
HIGH
Weakness Type (CWE)
Incorrect Default Permissions
EPSS
Base Score:
0.09
