CVE Alert: CVE-2025-6264 – Rapid7 – Velociraptor

**Risk verdict** High risk: exploitation is actively present, requiring urgent remediation.

**Why this matters** Velociraptor artifacts can run with elevated permissions, and this flaw allows users with COLLECT_CLIENT rights to harvest artifacts and update configuration without a strengthened permission check. Successful exploitation can yield arbitrary command execution and endpoint takeover, enabling ransomware deployment, persistence, or data exfiltration across managed hosts.

**Most likely attack path** An attacker who already possesses COLLECT_CLIENT (Investigator) access can trigger the problematic Admin.Client.UpdateClientConfig artifact to alter client settings. The attack is network-accessible but bounded by the need for prior privileged access; once triggered, commands may execute with elevated rights, and Scope is CHANGED, permitting broader impact beyond the initial host.

**Who is most exposed** Environments deploying Velociraptor with investigator-level artifact permissions or lax RBAC are most at risk, particularly where centralized artifact management or broad artifact visibility exists.

Detection ideas

• Unusual or elevated use of UpdateClientConfig artifact by non-admins
• Artifacts collection events from Investigator roles outside normal maintenance windows
• Unexpected or privileged commands executed on endpoints
• Configuration changes without corresponding admin actions
• Anomalous asset behaviour following artifact collection

Mitigation and prioritisation

• Apply fixed release (0.74.3+) and follow vendor advisories
• Enforce strict RBAC to limit COLLECT_CLIENT access; restrict UpdateClientConfig usage
• Enable artifact verifier and promote basic artifacts to reduce risky operations
• Implement least privilege for artifact execution and require elevated approvals for config changes
• Plan patch deployment in staging first; monitor for suspicious artifact activity during rollout