Velociraptor Artifact Perm Bypass Allows Arbitrary Cmd Exec
CVE-2025-6264 Published on June 20, 2025

Velociraptor priviledge escalation via UpdateConfig artifact
Velociraptor allows collection of VQL queries packaged into Artifacts from endpoints. These artifacts can be used to do anything and usually run with elevated permissions.  To limit access to some dangerous artifact, Velociraptor allows for those to require high permissions like EXECVE to launch. The Admin.Client.UpdateClientConfig is an artifact used to update the client's configuration. This artifact did not enforce an additional required permission, allowing users with COLLECT_CLIENT permissions (normally given by the "Investigator" role) to collect it from endpoints and update the configuration. This can lead to arbitrary command execution and endpoint takeover. To successfully exploit this vulnerability the user must already have access to collect artifacts from the endpoint (i.e. have the COLLECT_CLIENT given typically by the "Investigator' role).

NVD

Known Exploited Vulnerability

This Rapid7 Velociraptor Incorrect Default Permissions Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Rapid7 Velociraptor contains an incorrect default permissions vulnerability that can lead to arbitrary command execution and endpoint takeover. To successfully exploit this vulnerability the user must already have access to collect artifacts from the endpoint.

The following remediation steps are recommended / required by November 4, 2025: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Vulnerability Analysis

CVE-2025-6264 is exploitable with network access, and requires user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be low. considered to have a small impact on confidentiality and integrity and availability.

Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
HIGH
User Interaction:
NONE
Scope:
CHANGED
Confidentiality Impact:
LOW
Integrity Impact:
LOW
Availability Impact:
LOW

Weakness Type

Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.


Products Associated with CVE-2025-6264

Want to know whenever a new CVE is published for Rapid7 Velociraptor? stack.watch will email you.

Rapid7 Velociraptor
 

Affected Versions

Rapid7 Velociraptor:

Exploit Probability

EPSS
0.10%
Percentile
26.93%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.