Elevated Permission Vulnerability in Velociraptor Software
CVE-2025-6264
Key Information:
- Vendor: Rapid7
- Status: Vendor
- CVE Published: 20 June 2025
What is CVE-2025-6264?
Velociraptor, a powerful endpoint monitoring tool, contains a serious flaw that permits users with limited permissions to execute potentially harmful commands. Specifically, the artifact responsible for updating client configuration, Admin.Client.UpdateClientConfig, does not enforce necessary permission checks. This oversight allows users granted COLLECT_CLIENT permissions, often assigned to those in the Investigator role, to execute arbitrary commands and potentially take control of affected endpoints. To mitigate this risk, it is essential for users and administrators to ensure that only authorized personnel can collect and manage these artifacts, thereby safeguarding sensitive operations within their environment.
CISA has reported CVE-2025-6264
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2025-6264 as being exploited in the wild; CISA also lists it as a vulnerability known to be used in ransomware campaigns.
CISA's recommendation is: apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
- Velociraptor (Windows): all versions from 0 up to, but not including, 0.74.3
Timeline
- 📰 First article discovered by Security Affairs
- 💰 Used in ransomware
- 👾 Exploit known to exist
- 🦅 CISA reported
- Vulnerability published
- Vulnerability reserved
