How the CVE Works:
Velociraptor’s `Admin.Client.UpdateClientConfig` artifact, used for updating client configurations, lacks proper permission enforcement. Normally, dangerous artifacts require a high privilege such as EXECVE. This artifact, however, only checks for the `COLLECT_CLIENT` permission, which is typically granted to the “Investigator” role. An attacker holding this permission can use the artifact to modify client configurations, leading to arbitrary command execution and endpoint compromise. Exploitation requires prior access to collect artifacts from endpoints.
DailyCVE Form:
Platform: Velociraptor
Version: < 0.74.3
Vulnerability: Privilege Escalation
Severity: Moderate
Date: Jun 20, 2025
Prediction: Patch by Jul 10, 2025
What Undercode Say:
Collecting the artifact from the command line, followed by a VQL query that confirms the artifact definition is present on the server (the original line ran both together; the query is split out and given a valid `SELECT` column list and the `artifact_definitions()` plugin as its source):

```shell
velociraptor artifacts collect Admin.Client.UpdateClientConfig --target ENDPOINT_ID
```

```sql
SELECT * FROM artifact_definitions() WHERE name = 'Admin.Client.UpdateClientConfig'
```
How It Is Exploited:
1. Acquire `COLLECT_CLIENT` permission.
2. Use the artifact to modify client configs.
3. Execute arbitrary commands.
Protection from this CVE:
- Upgrade to v0.74.3.
- Restrict `COLLECT_CLIENT` permissions.
- Audit artifact access logs.
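Two of the protections above can be checked mechanically: whether a server is below the fixed version, and whether anyone outside the administrator role has collected `Admin.Client.UpdateClientConfig`. The script below is an added example, not code from this page or from the Velociraptor project. The audit-record layout it parses (`principal`, `roles`, `operation`, `client_id`, `artifacts` fields, one JSON object per line) is an assumption made for the sample; Velociraptor's real audit schema differs, and the sample lines are constructed.

```python
"""Version floor check and audit-log review for the UpdateClientConfig permission issue.

Assumed record layout (not Velociraptor's real audit schema): one JSON object per
line with "principal", "roles", "operation", "client_id" and "artifacts" keys.
"""
import json

SENSITIVE_ARTIFACT = "Admin.Client.UpdateClientConfig"
# First version the advisory lists as fixed: anything below it is affected.
PATCHED_VERSION = (0, 74, 3)
ADMIN_ROLES = frozenset({"administrator"})

# Constructed sample audit records; the malformed last line exercises error handling.
SAMPLE_AUDIT_LOG = """\
{"time":"2025-06-20T10:00:00Z","principal":"alice","roles":["administrator"],"operation":"CollectArtifact","client_id":"C.1111","artifacts":["Admin.Client.UpdateClientConfig"]}
{"time":"2025-06-20T10:05:00Z","principal":"bob","roles":["investigator"],"operation":"CollectArtifact","client_id":"C.2222","artifacts":["Generic.Client.Info"]}
{"time":"2025-06-20T10:07:00Z","principal":"bob","roles":["investigator"],"operation":"CollectArtifact","client_id":"C.3333","artifacts":["Generic.Client.Info","Admin.Client.UpdateClientConfig"]}
{"time":"2025-06-20T10:09:00Z","principal":"carol","roles":["reader"],"operation":"ListClients","client_id":"","artifacts":[]}
this line is not JSON and must be skipped, not crash the review
"""


def parse_version(text):
    """Turn 'v0.74.3' / '0.74' into a comparable tuple, padding to three parts."""
    parts = text.strip().lstrip("v").split(".")
    nums = [int(p) for p in parts[:3]]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_vulnerable_version(text):
    """True when the server version is older than the fixed release."""
    return parse_version(text) < PATCHED_VERSION


def find_suspicious_collections(log_text, admin_roles=ADMIN_ROLES):
    """Return collections of the sensitive artifact by principals with no admin role.

    Each finding records the line number so an analyst can go back to the raw log.
    Malformed lines are skipped rather than aborting the review.
    """
    findings = []
    for lineno, raw in enumerate(log_text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("operation") != "CollectArtifact":
            continue
        if SENSITIVE_ARTIFACT not in rec.get("artifacts", []):
            continue
        # Administrators are expected to run this artifact; everyone else is a finding.
        if set(rec.get("roles", [])) & set(admin_roles):
            continue
        findings.append({
            "line": lineno,
            "time": rec.get("time"),
            "principal": rec.get("principal"),
            "roles": list(rec.get("roles", [])),
            "client_id": rec.get("client_id"),
        })
    return findings


if __name__ == "__main__":
    for ver in ("0.74.2", "0.74.3"):
        print(ver, "vulnerable" if is_vulnerable_version(ver) else "fixed")
    for f in find_suspicious_collections(SAMPLE_AUDIT_LOG):
        print("review:", f)
```

Real Velociraptor audit events do not necessarily carry the principal's roles on each record; in practice the role lookup would be joined in from the server's user database before applying `find_suspicious_collections`, which is why the function takes the admin role set as a parameter.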
Impact:
- Endpoint takeover.
- Unauthorized command execution.
- Configuration manipulation.
Sources:
Reported By: github.com