- Description
- Velociraptor allows collection of VQL queries packaged into Artifacts from endpoints. These artifacts can be used to do anything and usually run with elevated permissions. To limit access to some dangerous artifacts, Velociraptor allows them to require high permissions like EXECVE to launch. The Admin.Client.UpdateClientConfig is an artifact used to update the client's configuration. This artifact did not enforce an additional required permission, allowing users with COLLECT_CLIENT permissions (normally given by the "Investigator" role) to collect it from endpoints and update the configuration. This can lead to arbitrary command execution and endpoint takeover. To successfully exploit this vulnerability the user must already have access to collect artifacts from the endpoint (i.e. have the COLLECT_CLIENT given typically by the "Investigator" role).
- Source
- cve@rapid7.com
- NVD status
- Modified
- Products
- velociraptor
CVSS 3.1
- Type
- Secondary
- Base score
- 5.5
- Impact score
- 3.7
- Exploitability score
- 1.3
- Vector string
- CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L
- Severity
- MEDIUM
- cve@rapid7.com
- CWE-276
- Hype score
- Not currently trending
CISA Warns of Active Ransomware Exploiting Velociraptor Flaw CISA added CVE-2025-6264, a critical vulnerability in Rapid7 Velociraptor, to its Known Exploited Vulnerabilities list, warning of active exploitation in ransomware attacks. Federal agencies have until Nov 4 to patch.
@Secwiserapp
15 Oct 2025
CISA Warns: #Ransomware Actors Exploiting Rapid7 Velociraptor Vulnerability (#CVE-2025-6264) https://t.co/6ZL25TdceL
@UndercodeNews
15 Oct 2025
Patch Rapid7 Velociraptor NOW to Block Privilege Escalation (CVE-2025-6264) Read the full report on - https://t.co/VAalRle6zw https://t.co/JlxK0MU45e
@Iambivash007
15 Oct 2025
Storm-2603 (Gold Salem) turned the legal DFIR tool Velociraptor on a remedy by using expression SharePoint Toolshell for entry and an outdated version Velociraptor with vulnerability CVE-2025-6264. The offenders created blanket administrative accounts, moving through
@Hack_Your_Mom
11 Oct 2025
New vulnerability analysis published! Hackers hijack Velociraptor using CVE-2025-6264 to deploy ransomware. Learn how to secure your org against DFIR tool misuse. Check t
@PurpleOps_io
10 Oct 2025
Tools built for defense are now being weaponized. Hackers are abusing the Velociraptor DFIR tool in ransomware attacks (LockBit & Babuk), exploiting CVE-2025-6264 to escalate privileges and disable protections. https://t.co/QZUUJcQvLo #Ransomware #CyberCrime #CyberAt
@blackfogprivacy
10 Oct 2025
"Alert: Ransomware operators exploiting Velociraptor tool with CVE-2025-6264 vuln. Linked to China's Storm-2603. Deployed Warlock, LockBit, Babuk ransomware on VMware ESXi & Windows servers. Mit
@Tudorel92659164
10 Oct 2025
CVE-2025-6264 Velociraptor allows collection of VQL queries packaged into Artifacts from endpoints. These artifacts can be used to do anything and usually run with elevated permissio… https://t.co/ymLgeQK5Hq
@CVEnew
21 Jun 2025
Actively exploited CVE : CVE-2025-6264
@transilienceai
21 Jun 2025
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:rapid7:velociraptor:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "9A8E9B27-890E-4DB0-8E79-8E900135B4AB",
            "versionEndExcluding": "0.74.3"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]