Velociraptor, Privilege Escalation, CVE-2025-XXXXX (Moderate)


How the CVE Works:

Velociraptor’s `Admin.Client.UpdateClientConfig` artifact, which pushes a new configuration to a client, does not enforce a sufficiently high permission. Artifacts that can run code on an endpoint normally require a high privilege such as EXECVE, but this artifact only checks for `COLLECT_CLIENT`, a permission that the “Investigator” role holds by default. A user with that permission can collect the artifact to rewrite a client’s configuration, which leads to arbitrary command execution and compromise of the endpoint. Exploitation requires an existing account that is already allowed to collect artifacts from endpoints.

DailyCVE Form:

Platform: Velociraptor
Version: < 0.74.3
Vulnerability: Privilege Escalation
Severity: Moderate
Date: Jun 20, 2025

Prediction: Patch by Jul 10, 2025

What Undercode Says:

velociraptor artifacts collect Admin.Client.UpdateClientConfig --target ENDPOINT_ID
velociraptor query "SELECT * FROM artifact_definitions() WHERE name = 'Admin.Client.UpdateClientConfig'"

How to Exploit:

1. Acquire `COLLECT_CLIENT` permission.

2. Use the artifact to modify client configs.

3. Execute arbitrary commands.

Protection from this CVE:

  • Upgrade to v0.74.3.
  • Restrict `COLLECT_CLIENT` permissions.
  • Audit artifact access logs.
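To act on the last bullet, the script below (an added example, not code from the advisory or from the Velociraptor project) scans a server audit log for collections of the affected artifact scheduled by users who hold COLLECT_CLIENT but no administrator role. The JSON-lines field names, the sample log entries and the user-to-role map are all constructed assumptions; map them onto your own server’s audit export.

```python
"""Flag collections of Admin.Client.UpdateClientConfig scheduled by principals
without an administrator role (the pre-0.74.3 permission gap).
Audit log schema, sample entries and role map below are constructed."""
import json

ARTIFACT = "Admin.Client.UpdateClientConfig"
PRIVILEGED_ROLES = {"administrator"}  # roles that legitimately carry EXECVE

# Constructed sample: user -> roles, as exported from the server ACL store.
USER_ROLES = {
    "alice": ["administrator"],
    "bob": ["investigator"],  # COLLECT_CLIENT only: exactly the gap described
    "carol": ["reader"],
}

# Constructed JSON-lines audit entries (field names assumed, not the real schema).
SAMPLE_AUDIT_LOG = """\
{"time":"2025-06-20T10:01:00Z","operation":"ScheduleFlow","principal":"alice","details":{"client_id":"C.1111","artifacts":["Admin.Client.UpdateClientConfig"]}}
{"time":"2025-06-20T10:02:00Z","operation":"ScheduleFlow","principal":"bob","details":{"client_id":"C.2222","artifacts":["Generic.Client.Info"]}}
{"time":"2025-06-20T10:03:00Z","operation":"ScheduleFlow","principal":"bob","details":{"client_id":"C.3333","artifacts":["Admin.Client.UpdateClientConfig"]}}
not json at all
{"time":"2025-06-20T10:04:00Z","operation":"UserLogin","principal":"carol"}
"""


def find_suspicious_collections(log_text, user_roles, artifact=ARTIFACT):
    """Return (time, principal, client_id) for every scheduled collection of
    `artifact` whose principal holds none of PRIVILEGED_ROLES."""
    hits = []
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed or non-JSON lines
        if ev.get("operation") != "ScheduleFlow":
            continue
        details = ev.get("details") or {}
        if artifact not in details.get("artifacts", []):
            continue
        roles = set(user_roles.get(ev.get("principal"), []))
        if roles & PRIVILEGED_ROLES:
            continue  # admins may legitimately push client configs
        hits.append((ev.get("time"), ev.get("principal"), details.get("client_id")))
    return hits


if __name__ == "__main__":
    for t, who, client in find_suspicious_collections(SAMPLE_AUDIT_LOG, USER_ROLES):
        print(f"{t}: {who} scheduled {ARTIFACT} on {client} without an admin role")
```

An unknown principal (no entry in the role map) is treated as unprivileged and is flagged too.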

Impact:

  • Endpoint takeover.
  • Unauthorized command execution.
  • Configuration manipulation.

Sources:

Reported By: github.com
Extra Source Hub:
Undercode
