CVE-2025-6264

MEDIUM EPSS 57.2%
Published Jun 20, 20251y ago · Modified Jun 17, 20261w ago
5.5 CVSS 3.1
Medium
Find Similar
Published Jun 20, 2025 1y ago
Last Modified Jun 17, 2026 1w ago

Description

Velociraptor allows collection of VQL queries packaged into Artifacts from endpoints. These artifacts can be used to do anything and usually run with elevated permissions.  To limit access to some dangerous artifact, Velociraptor allows for those to require high permissions like EXECVE to launch. The Admin.Client.UpdateClientConfig is an artifact used to update the client's configuration. This artifact did not enforce an additional required permission, allowing users with COLLECT_CLIENT permissions (normally given by the "Investigator" role) to collect it from endpoints and update the configuration. This can lead to arbitrary command execution and endpoint takeover. To successfully exploit this vulnerability the user must already have access to collect artifacts from the endpoint (i.e. have the COLLECT_CLIENT given typically by the "Investigator' role).

CVSS Details

Base Score
5.5
Exploitability
1.3
Impact
3.7
Vector string
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L
Attack Vector Network
Attack Complexity High
Privileges Required High
User Interaction None
Scope Changed
Confidentiality Low
Integrity Low
Availability Low

Threat Intelligence

EPSS Exploit Probability
57.2% percentile
Exploit & Patch Status
Public Exploit Known
No Patch Available

Weaknesses 1

CWE-276

Affected Products 1

VendorProductVersionRange
rapid7velociraptor* <0.74.3

References 3

  • blog.talosintelligence.com https://blog.talosintelligence.com/velociraptor-leveraged-in-ransomware-attacks/
    ExploitThird Party Advisory
  • docs.velociraptor.app https://docs.velociraptor.app/announcements/advisories/cve-2025-6264/
    MitigationVendor Advisory
  • news.sophos.com https://news.sophos.com/en-us/2025/08/26/velociraptor-incident-response-tool-abused-for-remote-access/
    ExploitThird Party Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.