Search

Find a vulnerability

Search criteria

    40 vulnerabilities found for velociraptor by rapid7

    CVE-2026-8795 (GCVE-0-2026-8795)

    Vulnerability from nvd – Published: 2026-06-09 01:04 – Updated: 2026-06-10 03:58
    VLAI
    Summary
    A YAML injection vulnerability exists in the Windows.Collectors.Remapping artifact of Rapid7 Velociraptor before version 0.76.6. The hostname field in client_info.json inside a collection ZIP is inserted into a YAML template via Go's text/template without escaping. An attacker providing a crafted collection ZIP can leverage literal double quotes and newlines in the hostname to break out of the YAML quoted string and inject a new mount remapping entry. When an analyst applies the generated remapping file with --remap, arbitrary VQL executes on their machine with NullACLManager (all permissions granted, unsandboxed).
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    • CWE-116 - Improper Encoding or Escaping of Output
    Assigner
    References
    Impacted products
    Vendor Product Version
    Rapid7 Velociraptor Affected: 0 , < 0.76.6 (semver)
    Create a notification for this product.
    Credits
    Artificial Intelligence
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8795",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-09T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-10T03:58:30.695Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Linux",
                "Windows",
                "macOS"
              ],
              "product": "Velociraptor",
              "vendor": "Rapid7",
              "versions": [
                {
                  "lessThan": "0.76.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Artificial Intelligence"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eA YAML injection vulnerability exists in the Windows.Collectors.Remapping artifact of Rapid7 Velociraptor before version 0.76.6. The hostname field in client_info.json inside a collection ZIP is inserted into a YAML template via Go\u0027s text/template without escaping. An attacker providing a crafted collection ZIP can leverage literal double quotes and newlines in the hostname to break out of the YAML quoted string and inject a new mount remapping entry. When an analyst applies the generated remapping file with --remap, arbitrary VQL executes on their machine with NullACLManager (all permissions granted, unsandboxed).\u003c/p\u003e"
                }
              ],
              "value": "A YAML injection vulnerability exists in the Windows.Collectors.Remapping artifact of Rapid7 Velociraptor before version 0.76.6. The hostname field in client_info.json inside a collection ZIP is inserted into a YAML template via Go\u0027s text/template without escaping. An attacker providing a crafted collection ZIP can leverage literal double quotes and newlines in the hostname to break out of the YAML quoted string and inject a new mount remapping entry. When an analyst applies the generated remapping file with --remap, arbitrary VQL executes on their machine with NullACLManager (all permissions granted, unsandboxed)."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-549",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-549: Local Execution of Code"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-116",
                  "description": "CWE-116: Improper Encoding or Escaping of Output",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-09T01:04:21.775Z",
            "orgId": "9974b330-7714-4307-a722-5648477acda7",
            "shortName": "rapid7"
          },
          "references": [
            {
              "name": "Velociraptor Security Advisory CVE-2026-8795",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://docs.velociraptor.app/announcements/advisories/cve-2026-8795/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
        "assignerShortName": "rapid7",
        "cveId": "CVE-2026-8795",
        "datePublished": "2026-06-09T01:04:21.775Z",
        "dateReserved": "2026-05-17T23:31:05.101Z",
        "dateUpdated": "2026-06-10T03:58:30.695Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6863 (GCVE-0-2026-6863)

    Vulnerability from nvd – Published: 2026-05-06 14:50 – Updated: 2026-05-06 15:27
    VLAI
    Title
    HTTP Filestore Endpoints Misapply Permissions Across Organizations
    Summary
    Velociraptor versions prior to 0.76.4 contain a cross organization authorization bypass in the HTTP API. A user with only the reader role in the root organization (the lowest authenticated role, holding only READ_RESULTS permission ) can issue a single authenticated HTTP GET that can read any files from other orgs - even if they have no explicit permissions in the target org. However, the problem does not occur in reverse - a user with read access to a sub org is unable to read from other org or the root org.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Rapid7 Velociraptor Affected: 0 , < 0.76.4, 0.75.9 (semver)
    Create a notification for this product.
    Credits
    We thank Faisal Alhumaid (Faisal.alhumaid@hotmail.com) for reporting this issue responsibly.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6863",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-06T15:26:49.596766Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-06T15:27:40.088Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Linux"
              ],
              "product": "Velociraptor",
              "repo": "https://github.com/Velocidex/velociraptor",
              "vendor": "Rapid7",
              "versions": [
                {
                  "lessThan": "0.76.4, 0.75.9",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "We thank Faisal Alhumaid (Faisal.alhumaid@hotmail.com) for reporting this issue responsibly."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eVelociraptor versions prior to 0.76.4 contain a cross organization authorization bypass in the HTTP API. A user with only the reader role in the root organization (the lowest authenticated role, holding only READ_RESULTS permission ) can issue a single authenticated HTTP GET that can read any files from other orgs - even if they have no explicit permissions in the target org.\u003c/p\u003e\u003cp\u003eHowever, the problem does not occur in reverse - a user with read access to a sub org is unable to read from other org or the root org.\u003c/p\u003e"
                }
              ],
              "value": "Velociraptor versions prior to 0.76.4 contain a cross organization authorization bypass in the HTTP API. A user with only the reader role in the root organization (the lowest authenticated role, holding only READ_RESULTS permission ) can issue a single authenticated HTTP GET that can read any files from other orgs - even if they have no explicit permissions in the target org.\n\n\n\nHowever, the problem does not occur in reverse - a user with read access to a sub org is unable to read from other org or the root org."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-114",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-114 Authentication Abuse"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863 Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-06T14:54:19.814Z",
            "orgId": "9974b330-7714-4307-a722-5648477acda7",
            "shortName": "rapid7"
          },
          "references": [
            {
              "url": "https://docs.velociraptor.app/announcements/advisories/cve-2026-6863/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eTo remediate, you will need to\u0026nbsp;\u003ca href=\"https://docs.velociraptor.app/docs/deployment/server/upgrades/#upgrading-a-server-in-place-upgrade\"\u003eupgrade your server\u003c/a\u003e\u0026nbsp;to the latest version of your release:\u003c/p\u003e\u003cul\u003e\u003cli\u003eFor 0.76 releases, upgrade immediately to\u0026nbsp;\u003ca href=\"https://github.com/Velocidex/velociraptor/releases/download/v0.76/velociraptor-v0.76.4-linux-amd64\" target=\"_blank\"\u003ev0.76.4\u003c/a\u003e\u003c/li\u003e\u003cli\u003eFor 0.75 releases, upgrade immediately to\u0026nbsp;\u003ca href=\"https://github.com/Velocidex/velociraptor/releases/download/v0.75/velociraptor-v0.75.9-linux-amd64\" target=\"_blank\"\u003ev0.75.9\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e"
                }
              ],
              "value": "To remediate, you will need to\u00a0 upgrade your server https://docs.velociraptor.app/docs/deployment/server/upgrades/#upgrading-a-server-in-place-upgrade \u00a0to the latest version of your release:\n\n  *  For 0.76 releases, upgrade immediately to\u00a0 v0.76.4 https://github.com/Velocidex/velociraptor/releases/download/v0.76/velociraptor-v0.76.4-linux-amd64 \n  *  For 0.75 releases, upgrade immediately to\u00a0 v0.75.9 https://github.com/Velocidex/velociraptor/releases/download/v0.75/velociraptor-v0.75.9-linux-amd64"
            }
          ],
          "source": {
            "advisory": "docs.velociraptor.app/announcements/advisories/cve-2026-6863/",
            "discovery": "UNKNOWN"
          },
          "title": "HTTP Filestore Endpoints Misapply Permissions Across Organizations",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
        "assignerShortName": "rapid7",
        "cveId": "CVE-2026-6863",
        "datePublished": "2026-05-06T14:50:55.631Z",
        "dateReserved": "2026-04-22T14:25:24.122Z",
        "dateUpdated": "2026-05-06T15:27:40.088Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7573 (GCVE-0-2026-7573)

    Vulnerability from nvd – Published: 2026-05-06 02:15 – Updated: 2026-05-06 16:17
    VLAI
    Title
    GetUserRoles API endpoint allows any authenticated user to enumerate ACL policies across all organizations
    Summary
    An authorization bypass (CWE-639) in the GetUserRoles gRPC API endpoint in Velocidex Velociraptor below version 0.76.5 allows any authenticated low-privilege user to retrieve the complete ACL policy (roles and permissions) for any user across all organizations by supplying targeted Name and Org parameters via a network request.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    References
    Impacted products
    Vendor Product Version
    Velocidex velociraptor Affected: 0 , < 0.76.5 (semver)
    Create a notification for this product.
    Credits
    michaelddickenson
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7573",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-06T16:16:13.288762Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-06T16:17:18.756Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "github.com/Velocidex/velociraptor",
              "product": "velociraptor",
              "vendor": "Velocidex",
              "versions": [
                {
                  "lessThan": "0.76.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "michaelddickenson"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn authorization bypass (CWE-639) in the GetUserRoles gRPC API endpoint in Velocidex Velociraptor below version 0.76.5 allows any authenticated low-privilege user to retrieve the complete ACL policy (roles and permissions) for any user across all organizations by supplying targeted Name and Org parameters via a network request.\u003c/p\u003e"
                }
              ],
              "value": "An authorization bypass (CWE-639) in the GetUserRoles gRPC API endpoint in Velocidex Velociraptor below version 0.76.5 allows any authenticated low-privilege user to retrieve the complete ACL policy (roles and permissions) for any user across all organizations by supplying targeted Name and Org parameters via a network request."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-37",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-37 Retrieve Embedded Sensitive Data"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-06T02:15:34.491Z",
            "orgId": "9974b330-7714-4307-a722-5648477acda7",
            "shortName": "rapid7"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://docs.velociraptor.app/announcements/advisories/cve-2026-7573/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "GetUserRoles API endpoint allows any authenticated user to enumerate ACL policies across all organizations",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
        "assignerShortName": "rapid7",
        "cveId": "CVE-2026-7573",
        "datePublished": "2026-05-06T02:15:34.491Z",
        "dateReserved": "2026-05-01T00:05:56.823Z",
        "dateUpdated": "2026-05-06T16:17:18.756Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7572 (GCVE-0-2026-7572)

    Vulnerability from nvd – Published: 2026-05-06 02:38 – Updated: 2026-05-06 16:42
    VLAI
    Title
    Velociraptor EVTX Parser — Process Crash via Crafted .evtx File
    Summary
    An off-by-one error (CWE-193) in the ConsumeUnit16Array and ConsumeUnit64Array functions in Velocidex Velociraptor before version 0.76.5 on Windows and Linux allows a local attacker to cause a Denial of Service (DoS) via a process crash by providing a specially crafted .evtx file to the parse_evtx VQL plugin.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Velocidex velociraptor Affected: 0 , < 0.76.5 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7572",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-06T16:24:23.747912Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-06T16:42:17.097Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "github.com/Velocidex/velociraptor",
              "platforms": [
                "Windows",
                "Linux"
              ],
              "product": "velociraptor",
              "vendor": "Velocidex",
              "versions": [
                {
                  "lessThan": "0.76.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An off-by-one error (CWE-193) in the ConsumeUnit16Array and ConsumeUnit64Array functions in Velocidex Velociraptor before version 0.76.5 on Windows and Linux allows a local attacker to cause a Denial of Service (DoS) via a process crash by providing a specially crafted .evtx file to the parse_evtx VQL plugin."
                }
              ],
              "value": "An off-by-one error (CWE-193) in the ConsumeUnit16Array and ConsumeUnit64Array functions in Velocidex Velociraptor before version 0.76.5 on Windows and Linux allows a local attacker to cause a Denial of Service (DoS) via a process crash by providing a specially crafted .evtx file to the parse_evtx VQL plugin."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-617",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-617 Cellular Rogue Base Station"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "LOW",
                "baseScore": 4.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-193",
                  "description": "CWE-193: Off-by-one Error",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-06T02:38:59.573Z",
            "orgId": "9974b330-7714-4307-a722-5648477acda7",
            "shortName": "rapid7"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://docs.velociraptor.app/announcements/advisories/cve-2026-7572/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Velociraptor EVTX Parser \u2014 Process Crash via Crafted .evtx File",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
        "assignerShortName": "rapid7",
        "cveId": "CVE-2026-7572",
        "datePublished": "2026-05-06T02:38:59.573Z",
        "dateReserved": "2026-05-01T00:05:50.505Z",
        "dateUpdated": "2026-05-06T16:42:17.097Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6948 (GCVE-0-2026-6948)

    Vulnerability from nvd – Published: 2026-05-03 23:55 – Updated: 2026-06-19 12:45
    VLAI
    Title
    Unbounded Memory Allocation in VQLResponse Result-Set Writer
    Summary
    Velociraptor versions prior to 0.76.4 contain a resource exhaustion vulnerability in the server's agent control channel. This allows a compromised or rogue Velociraptor client to crash the server via out-of-memory (OOM) by sending crafted messages through the normal client communication channel.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of resources without limits or throttling
    Assigner
    Impacted products
    Vendor Product Version
    Rapid7 Velociraptor Affected: 0 , < 0.76.4 (custom)
    Affected: 0 , < 0.75.9 (custom)
    Create a notification for this product.
    Date Public
    2026-04-27 14:00
    Credits
    We thank Faisal Alhumaid (Faisal.alhumaid@hotmail.com) for reporting this issue responsibly. We also thank Mika Jarvinen (mika.jarvinen@kapsi.fi) for reporting this issue responsibly at the same time. We also thank HE WEI(ギカク)(https://www.linkedin.com/in/gikaku/) for identifying and reporting an additional vulnerable code path related to this issue.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6948",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-04T13:08:05.344047Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-04T13:08:18.314Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Linux"
              ],
              "product": "Velociraptor",
              "repo": "https://github.com/Velocidex/velociraptor",
              "vendor": "Rapid7",
              "versions": [
                {
                  "lessThan": "0.76.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "0.75.9",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "We thank Faisal Alhumaid (Faisal.alhumaid@hotmail.com) for reporting this issue responsibly."
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "We also thank Mika Jarvinen (mika.jarvinen@kapsi.fi) for reporting this issue responsibly at the same time."
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "We also thank HE WEI\uff08\u30ae\u30ab\u30af\uff09(https://www.linkedin.com/in/gikaku/) for identifying and reporting an additional vulnerable code path related to this issue."
            }
          ],
          "datePublic": "2026-04-27T14:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eVelociraptor versions prior to 0.76.4 contain a resource exhaustion vulnerability in the server\u0027s agent control channel.\u003c/p\u003e\u003cp\u003eThis allows a compromised or rogue Velociraptor client to crash the server via out-of-memory (OOM) by sending crafted messages through the normal client communication channel.\u003c/p\u003e"
                }
              ],
              "value": "Velociraptor versions prior to 0.76.4 contain a resource exhaustion vulnerability in the server\u0027s agent control channel.\n\n\n\nThis allows a compromised or rogue Velociraptor client to crash the server via out-of-memory (OOM) by sending crafted messages through the normal client communication channel."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-130",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-130 Excessive Allocation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 4.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770 Allocation of resources without limits or throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-19T12:45:13.562Z",
            "orgId": "9974b330-7714-4307-a722-5648477acda7",
            "shortName": "rapid7"
          },
          "references": [
            {
              "url": "https://docs.velociraptor.app/announcements/advisories/cve-2026-6948/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eTo remediate, you will need to\u0026nbsp;\u003ca href=\"https://www.velociraptor-docs.org/docs/deployment/server/upgrades/#upgrading-a-server-in-place-upgrade\"\u003eupgrade your server\u003c/a\u003e\u0026nbsp;to the latest version of your release:\u003c/p\u003e\u003cul\u003e\u003cli\u003eFor 0.76 releases, upgrade immediately to\u0026nbsp;\u003ca href=\"https://github.com/Velocidex/velociraptor/releases/download/v0.76/velociraptor-v0.76.4-linux-amd64\" target=\"_blank\"\u003ev0.76.4\u003c/a\u003e\u003c/li\u003e\u003cli\u003eFor 0.75 releases, upgrade immediately to\u0026nbsp;\u003ca href=\"https://github.com/Velocidex/velociraptor/releases/download/v0.75/velociraptor-v0.75.9-linux-amd64\" target=\"_blank\"\u003ev0.75.9\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e"
                }
              ],
              "value": "To remediate, you will need to\u00a0 upgrade your server https://www.velociraptor-docs.org/docs/deployment/server/upgrades/#upgrading-a-server-in-place-upgrade \u00a0to the latest version of your release:\n\n  *  For 0.76 releases, upgrade immediately to\u00a0 v0.76.4 https://github.com/Velocidex/velociraptor/releases/download/v0.76/velociraptor-v0.76.4-linux-amd64 \n  *  For 0.75 releases, upgrade immediately to\u00a0 v0.75.9 https://github.com/Velocidex/velociraptor/releases/download/v0.75/velociraptor-v0.75.9-linux-amd64"
            }
          ],
          "source": {
            "advisory": "https://www.velociraptor-docs.org/announcements/advisories/cve-2",
            "discovery": "UNKNOWN"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-19T14:00:00.000Z",
              "value": "Initial report by Faisal Alhumaid"
            },
            {
              "lang": "en",
              "time": "2026-04-19T14:00:00.000Z",
              "value": "Initial report by Mika Jarvinen"
            },
            {
              "lang": "en",
              "time": "2026-04-27T23:50:00.000Z",
              "value": "Advisory published and patch distributed"
            }
          ],
          "title": "Unbounded Memory Allocation in VQLResponse Result-Set Writer",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
        "assignerShortName": "rapid7",
        "cveId": "CVE-2026-6948",
        "datePublished": "2026-05-03T23:55:40.555Z",
        "dateReserved": "2026-04-24T03:35:48.568Z",
        "dateUpdated": "2026-06-19T12:45:13.562Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6290 (GCVE-0-2026-6290)

    Vulnerability from nvd – Published: 2026-04-15 17:29 – Updated: 2026-04-16 03:55
    VLAI
    Title
    Velociraptor Query() Plugin Misapplies Permissions To Orgs
    Summary
    Velociraptor versions prior to 0.76.3 contain a vulnerability in the query() plugin which allows access to all orgs with the user's current ACL token. This allows an authenticated GUI user with access in one org, to use the query() plugin, in a notebook cell, to run VQL queries on other orgs which they may not have access to. The user's permissions in the other org are the same as the permissions they have in the org containing the notebook.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Rapid7 Velociraptor Affected: 0 , < 0.76.3, 0.75.8 (semver)
    Create a notification for this product.
    Credits
    Faisal Alhumaid
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6290",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-15T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-16T03:55:38.112Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Velociraptor",
              "vendor": "Rapid7",
              "versions": [
                {
                  "lessThan": "0.76.3, 0.75.8",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Faisal Alhumaid"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Velociraptor versions prior to 0.76.3 contain a vulnerability in the query() plugin which allows access to all orgs with the user\u0027s current ACL token. This allows an authenticated GUI user with access in one org, to use the query() plugin, in a notebook cell, to run VQL queries on other orgs which they may not have access to. The user\u0027s permissions in the other org are\u003cbr\u003ethe same as the permissions they have in the org containing the notebook."
                }
              ],
              "value": "Velociraptor versions prior to 0.76.3 contain a vulnerability in the query() plugin which allows access to all orgs with the user\u0027s current ACL token. This allows an authenticated GUI user with access in one org, to use the query() plugin, in a notebook cell, to run VQL queries on other orgs which they may not have access to. The user\u0027s permissions in the other org are\nthe same as the permissions they have in the org containing the notebook."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-114",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-114 Authentication Abuse"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-15T17:29:04.306Z",
            "orgId": "9974b330-7714-4307-a722-5648477acda7",
            "shortName": "rapid7"
          },
          "references": [
            {
              "url": "https://docs.velociraptor.app/announcements/advisories/cve-2026-6290/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Velociraptor Query() Plugin Misapplies Permissions To Orgs",
          "x_generator": {
            "engine": "Vulnogram 1.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
        "assignerShortName": "rapid7",
        "cveId": "CVE-2026-6290",
        "datePublished": "2026-04-15T17:29:04.306Z",
        "dateReserved": "2026-04-14T17:31:37.803Z",
        "dateUpdated": "2026-04-16T03:55:38.112Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5329 (GCVE-0-2026-5329)

    Vulnerability from nvd – Published: 2026-04-09 17:52 – Updated: 2026-04-16 17:55
    VLAI
    Title
    Rapid7 Velociraptor Improper Input Validation in Client Message Handler
    Summary
    Rapid7 Velociraptor versions prior to 0.76.2 contain an improper input validation vulnerability in the client monitoring message handler on the Velociraptor server (primarily Linux) that allows an authenticated remote attacker to write to arbitrary internal server queues via a crafted monitoring message with a malicious queue name. The server handler that receives client monitoring messages does not sufficiently validate the queue name supplied by the client, allowing a rogue client to write arbitrary messages to privileged internal queues. This may lead to remote code execution on the Velociraptor server. Rapid7 Hosted Velociraptor instances are not affected by this vulnerability.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper input validation
    Assigner
    Impacted products
    Vendor Product Version
    Rapid7 Velociraptor Affected: 0 , ≤ 0.76.3 (semver)
    Affected: 0 , ≤ 0.75.6 (semver)
    Affected: 0 , ≤ 0.74.6 (semver)
    Create a notification for this product.
    Credits
    We thank Chris Au (@netero_1010) from NyxLab for identifying and reporting this issue.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5329",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-09T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-10T03:56:08.816Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Linux"
              ],
              "product": "Velociraptor",
              "repo": "https://github.com/Velocidex/velociraptor",
              "vendor": "Rapid7",
              "versions": [
                {
                  "lessThanOrEqual": "0.76.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "0.75.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "0.74.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "We thank Chris Au (@netero_1010) from NyxLab for identifying and reporting this issue."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Rapid7 Velociraptor versions prior to 0.76.2\u0026nbsp;contain an improper input validation vulnerability in the client monitoring message handler on the Velociraptor server (primarily Linux) that allows an authenticated remote attacker  to write to arbitrary internal server queues via a crafted monitoring message with a malicious queue name. The server handler that receives client monitoring messages\u0026nbsp;does not sufficiently validate the queue name supplied by the client, allowing a rogue client to write arbitrary messages to privileged internal queues. This may lead to remote code execution on the Velociraptor server. Rapid7 Hosted Velociraptor instances are not affected by this vulnerability."
                }
              ],
              "value": "Rapid7 Velociraptor versions prior to 0.76.2\u00a0contain an improper input validation vulnerability in the client monitoring message handler on the Velociraptor server (primarily Linux) that allows an authenticated remote attacker  to write to arbitrary internal server queues via a crafted monitoring message with a malicious queue name. The server handler that receives client monitoring messages\u00a0does not sufficiently validate the queue name supplied by the client, allowing a rogue client to write arbitrary messages to privileged internal queues. This may lead to remote code execution on the Velociraptor server. Rapid7 Hosted Velociraptor instances are not affected by this vulnerability."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-240",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-240 Resource Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper input validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-16T17:55:09.212Z",
            "orgId": "9974b330-7714-4307-a722-5648477acda7",
            "shortName": "rapid7"
          },
          "references": [
            {
              "url": "https://docs.velociraptor.app/announcements/advisories/cve-2026-5329/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Rapid7 Velociraptor Improper Input Validation in Client Message Handler",
          "x_generator": {
            "engine": "Vulnogram 1.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
        "assignerShortName": "rapid7",
        "cveId": "CVE-2026-5329",
        "datePublished": "2026-04-09T17:52:05.885Z",
        "dateReserved": "2026-04-01T13:33:23.515Z",
        "dateUpdated": "2026-04-16T17:55:09.212Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-14728 (GCVE-0-2025-14728)

    Vulnerability from nvd – Published: 2025-12-29 19:04 – Updated: 2025-12-30 22:26
    VLAI
    Title
    Rapid7 Velociraptor Directory Traversal Vulnerability
    Summary
    Rapid7 Velociraptor versions before 0.75.6 contain a directory traversal issue on Linux servers that allows a rogue client to upload a file which is written outside the datastore directory. Velociraptor is normally only allowed to write in the datastore directory. The issue occurs due to insufficient sanitization of directory names which end with a ".", only encoding the final "." AS "%2E". Although files can be written to incorrect locations, the containing directory must end with "%2E". This limits the impact of this vulnerability, and prevents it from overwriting critical files.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    Rapid7 Velociraptor Affected: 0 , < 0.75.6 (semver)
    Create a notification for this product.
    Credits
    We thank @_chebuya for identifying and reporting this issue.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-14728",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-30T21:54:55.659289Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-30T22:26:47.316Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Linux"
              ],
              "product": "Velociraptor",
              "repo": "https://github.com/Velocidex/velociraptor",
              "vendor": "Rapid7",
              "versions": [
                {
                  "lessThan": "0.75.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThis vulnerability only occurs on Velociraptor server running on Linux (which is the common and recommended configuration). Velociraptor servers running on Windows are not affected.\u003c/p\u003e\n\n\n\n\n\u003cbr\u003e"
                }
              ],
              "value": "This vulnerability only occurs on Velociraptor server running on Linux (which is the common and recommended configuration). Velociraptor servers running on Windows are not affected."
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "We thank @_chebuya for identifying and reporting this issue."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eRapid7 Velociraptor versions before 0.75.6 contain a directory traversal issue on Linux servers that allows a rogue client to upload a file which is written outside the datastore directory. Velociraptor is normally only allowed to write in the datastore directory. The issue occurs due to insufficient sanitization of directory names which end with a \".\", only encoding the final \".\" AS \"%2E\".\u003c/p\u003e\n\u003cp\u003eAlthough files can be written to incorrect locations, the containing directory must end with \"%2E\". This limits the impact of this vulnerability, and prevents it from overwriting critical files.\u003c/p\u003e"
                }
              ],
              "value": "Rapid7 Velociraptor versions before 0.75.6 contain a directory traversal issue on Linux servers that allows a rogue client to upload a file which is written outside the datastore directory. Velociraptor is normally only allowed to write in the datastore directory. The issue occurs due to insufficient sanitization of directory names which end with a \".\", only encoding the final \".\" AS \"%2E\".\n\n\nAlthough files can be written to incorrect locations, the containing directory must end with \"%2E\". This limits the impact of this vulnerability, and prevents it from overwriting critical files."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-23",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-23 File Content Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-29T19:04:27.820Z",
            "orgId": "9974b330-7714-4307-a722-5648477acda7",
            "shortName": "rapid7"
          },
          "references": [
            {
              "url": "https://docs.velociraptor.app/announcements/advisories/cve-2025-14728/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Rapid7 Velociraptor Directory Traversal Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
        "assignerShortName": "rapid7",
        "cveId": "CVE-2025-14728",
        "datePublished": "2025-12-29T19:04:27.820Z",
        "dateReserved": "2025-12-15T16:45:47.021Z",
        "dateUpdated": "2025-12-30T22:26:47.316Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-6264 (GCVE-0-2025-6264)

    Vulnerability from nvd – Published: 2025-06-20 02:01 – Updated: 2025-11-28 19:10
    VLAI KEVIntel
    Title
    Velociraptor priviledge escalation via UpdateConfig artifact
    Summary
    Velociraptor allows collection of VQL queries packaged into Artifacts from endpoints. These artifacts can be used to do anything and usually run with elevated permissions.  To limit access to some dangerous artifact, Velociraptor allows for those to require high permissions like EXECVE to launch. The Admin.Client.UpdateClientConfig is an artifact used to update the client's configuration. This artifact did not enforce an additional required permission, allowing users with COLLECT_CLIENT permissions (normally given by the "Investigator" role) to collect it from endpoints and update the configuration. This can lead to arbitrary command execution and endpoint takeover. To successfully exploit this vulnerability the user must already have access to collect artifacts from the endpoint (i.e. have the COLLECT_CLIENT given typically by the "Investigator' role).
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-276 - Incorrect Default Permissions
    Assigner
    Impacted products
    Vendor Product Version
    Rapid7 Velociraptor Affected: 0 , < 0.74.3 (semver)
    Create a notification for this product.
    Date Public
    2025-06-19 00:44
    Credits
    We thank Christian Fünfhaus from Deutsche Bahn CSIRT for identifying and reporting this issue
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-6264",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-28T19:10:10.273114Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-28T19:10:18.293Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "url": "https://blog.talosintelligence.com/velociraptor-leveraged-in-ransomware-attacks/"
              },
              {
                "url": "https://news.sophos.com/en-us/2025/08/26/velociraptor-incident-response-tool-abused-for-remote-access/"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Windows",
                "MacOS",
                "Linux"
              ],
              "product": "Velociraptor",
              "repo": "https://github.com/Velocidex/velociraptor",
              "vendor": "Rapid7",
              "versions": [
                {
                  "lessThan": "0.74.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Users who rely on artifacts to prevent dangerous actions from already privileged users."
                }
              ],
              "value": "Users who rely on artifacts to prevent dangerous actions from already privileged users."
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "We thank Christian F\u00fcnfhaus  from Deutsche Bahn CSIRT for identifying and reporting this issue"
            }
          ],
          "datePublic": "2025-06-19T00:44:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Velociraptor allows collection of VQL queries packaged into Artifacts from endpoints. These artifacts can be used to do anything and usually run with elevated permissions.\u0026nbsp; To limit access to some dangerous artifact, Velociraptor allows for those to require high permissions like EXECVE to launch.\u003cbr\u003e\u003cbr\u003eThe Admin.Client.UpdateClientConfig is an artifact used to update the client\u0027s configuration. This artifact did not enforce an additional required permission, allowing users with COLLECT_CLIENT permissions (normally given by the \"Investigator\" role) to collect it from endpoints and update the configuration. \u003cbr\u003e\u003cbr\u003eThis can lead to arbitrary command execution and endpoint takeover.\u003cbr\u003e\u003cbr\u003eTo successfully exploit this vulnerability the user must already have access to collect artifacts from the endpoint (i.e. have the COLLECT_CLIENT given typically by the \"Investigator\u0027 role).\u0026nbsp;"
                }
              ],
              "value": "Velociraptor allows collection of VQL queries packaged into Artifacts from endpoints. These artifacts can be used to do anything and usually run with elevated permissions.\u00a0 To limit access to some dangerous artifact, Velociraptor allows for those to require high permissions like EXECVE to launch.\n\nThe Admin.Client.UpdateClientConfig is an artifact used to update the client\u0027s configuration. This artifact did not enforce an additional required permission, allowing users with COLLECT_CLIENT permissions (normally given by the \"Investigator\" role) to collect it from endpoints and update the configuration. \n\nThis can lead to arbitrary command execution and endpoint takeover.\n\nTo successfully exploit this vulnerability the user must already have access to collect artifacts from the endpoint (i.e. have the COLLECT_CLIENT given typically by the \"Investigator\u0027 role)."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-23",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-23 File Content Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-276",
                  "description": "CWE-276 Incorrect Default Permissions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-22T23:23:30.800Z",
            "orgId": "9974b330-7714-4307-a722-5648477acda7",
            "shortName": "rapid7"
          },
          "references": [
            {
              "url": "https://docs.velociraptor.app/announcements/advisories/cve-2025-6264/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Velociraptor priviledge escalation via UpdateConfig artifact",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "To better restrict the types of artifacts users can run, the `basic artifacts` mechanism should be used as described\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.velociraptor.app/docs/artifacts/security/#basic-artifacts\"\u003ehttps://docs.velociraptor.app/docs/artifacts/security/#basic-artifacts\u003c/a\u003e\u003cbr\u003e\u003cbr\u003eTo detect unintended privilege escalations in custom artifacts, users should run the artifact verifier as described here\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.velociraptor.app/docs/artifacts/security/#restricting-dangerous-client-artifacts\"\u003ehttps://docs.velociraptor.app/docs/artifacts/security/#restricting-dangerous-client-artifacts\u003c/a\u003e"
                }
              ],
              "value": "To better restrict the types of artifacts users can run, the `basic artifacts` mechanism should be used as described\u00a0 https://docs.velociraptor.app/docs/artifacts/security/#basic-artifacts \n\nTo detect unintended privilege escalations in custom artifacts, users should run the artifact verifier as described here\u00a0 https://docs.velociraptor.app/docs/artifacts/security/#restricting-dangerous-client-artifacts"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
        "assignerShortName": "rapid7",
        "cveId": "CVE-2025-6264",
        "datePublished": "2025-06-20T02:01:33.993Z",
        "dateReserved": "2025-06-19T00:22:46.272Z",
        "dateUpdated": "2025-11-28T19:10:18.293Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-0914 (GCVE-0-2025-0914)

    Vulnerability from nvd – Published: 2025-02-27 16:07 – Updated: 2025-02-27 16:19
    VLAI
    Title
    Velociraptor Shell Plugin Prevent_execve Bypass
    Summary
    An improper access control issue in the VQL shell feature in Velociraptor Versions < 0.73.4 allowed authenticated users to execute the execve() plugin in deployments where this was explicitly forbidden by configuring the prevent_execve flag in the configuration file. This setting is not usually recommended and is uncommonly used, so this issue will only affect users who do set it. This issue is fixed in release 0.73.4.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-281 - Improper Preservation of Permissions
    Assigner
    Impacted products
    Vendor Product Version
    Rapid7 Velociraptor Affected: 0 , < 0.73.4 (semver)
    Create a notification for this product.
    Credits
    Darragh O'Reilly, SUSE
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-0914",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-27T16:19:47.398915Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-27T16:19:54.044Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Velociraptor",
              "vendor": "Rapid7",
              "versions": [
                {
                  "lessThan": "0.73.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Darragh O\u0027Reilly, SUSE"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An improper access control issue in the VQL shell feature in Velociraptor Versions \u0026lt; 0.73.4 allowed authenticated users to execute the execve() plugin in deployments where this was explicitly forbidden by configuring the prevent_execve flag in the configuration file. This setting is not usually recommended and is uncommonly used, so this issue will only affect users who do set it. This issue is fixed in release 0.73.4.\u003cbr\u003e"
                }
              ],
              "value": "An improper access control issue in the VQL shell feature in Velociraptor Versions \u003c 0.73.4 allowed authenticated users to execute the execve() plugin in deployments where this was explicitly forbidden by configuring the prevent_execve flag in the configuration file. This setting is not usually recommended and is uncommonly used, so this issue will only affect users who do set it. This issue is fixed in release 0.73.4."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-176",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-176 Configuration/Environment Manipulation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.8,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-281",
                  "description": "CWE-281 Improper Preservation of Permissions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-02-27T16:07:49.577Z",
            "orgId": "9974b330-7714-4307-a722-5648477acda7",
            "shortName": "rapid7"
          },
          "references": [
            {
              "url": "https://docs.velociraptor.app/announcements/advisories/cve-2025-0914/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Velociraptor Shell Plugin Prevent_execve Bypass",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
        "assignerShortName": "rapid7",
        "cveId": "CVE-2025-0914",
        "datePublished": "2025-02-27T16:07:49.577Z",
        "dateReserved": "2025-01-30T22:39:47.257Z",
        "dateUpdated": "2025-02-27T16:19:54.044Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-10526 (GCVE-0-2024-10526)

    Vulnerability from nvd – Published: 2024-11-07 10:18 – Updated: 2024-11-07 18:31
    VLAI
    Title
    Rapid7 Velociraptor Local Privilege Escalation In Windows Velociraptor Service
    Summary
    Rapid7 Velociraptor MSI Installer versions below 0.73.3 suffer from a vulnerability whereby it creates the installation directory with WRITE_DACL permission to the BUILTIN\\Users group. This allows local users who are not administrators to grant themselves the Full Control permission on Velociraptor's files. By modifying Velociraptor's files, local users can subvert the binary and cause the Velociraptor service to execute arbitrary code as the SYSTEM user, or to replace the Velociraptor binary completely.  This issue is fixed in version 0.73.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-552 - Files or Directories Accessible to External Parties
    • CWE-732 - Incorrect Permission Assignment for Critical Resource
    Assigner
    Impacted products
    Vendor Product Version
    Rapid7 Velociraptor Affected: <0.73.2 (custom)
    Create a notification for this product.
    rapid7 velociraptor Affected: 0 , < 0.73.2 (custom)
        cpe:2.3:a:rapid7:velociraptor:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-11-05 12:00
    Credits
    Jean-Baptiste Mesnard-Sense from Synackti
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:rapid7:velociraptor:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "velociraptor",
                "vendor": "rapid7",
                "versions": [
                  {
                    "lessThan": "0.73.2",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-10526",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-07T18:29:55.331358Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-07T18:31:26.561Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Velociraptor",
              "vendor": "Rapid7",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c0.73.2",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jean-Baptiste Mesnard-Sense from Synackti"
            }
          ],
          "datePublic": "2024-11-05T12:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Rapid7 Velociraptor MSI Installer versions below 0.73.3 suffer from a vulnerability whereby it creates the installation directory with WRITE_DACL permission to the BUILTIN\\\\Users group. This allows local users who are not administrators to grant themselves the Full Control permission on Velociraptor\u0027s files. By modifying Velociraptor\u0027s files, local users can subvert the binary and cause the Velociraptor service to execute arbitrary code as the SYSTEM user, or to replace the Velociraptor binary completely.\u0026nbsp; This issue is fixed in version 0.73.3."
                }
              ],
              "value": "Rapid7 Velociraptor MSI Installer versions below 0.73.3 suffer from a vulnerability whereby it creates the installation directory with WRITE_DACL permission to the BUILTIN\\\\Users group. This allows local users who are not administrators to grant themselves the Full Control permission on Velociraptor\u0027s files. By modifying Velociraptor\u0027s files, local users can subvert the binary and cause the Velociraptor service to execute arbitrary code as the SYSTEM user, or to replace the Velociraptor binary completely.\u00a0 This issue is fixed in version 0.73.3."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "YES",
                "Recovery": "USER",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "providerUrgency": "RED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "ACTIVE",
                "valueDensity": "DIFFUSE",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/R:U/V:D/RE:L/U:Red",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "LOW"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-552",
                  "description": "CWE-552 Files or Directories Accessible to External Parties",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-732",
                  "description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-07T10:29:26.459Z",
            "orgId": "9974b330-7714-4307-a722-5648477acda7",
            "shortName": "rapid7"
          },
          "references": [
            {
              "url": "https://docs.velociraptor.app/announcements/2024-cves/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Rapid7 Velociraptor Local Privilege Escalation In Windows Velociraptor Service",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
        "assignerShortName": "rapid7",
        "cveId": "CVE-2024-10526",
        "datePublished": "2024-11-07T10:18:05.530Z",
        "dateReserved": "2024-10-30T10:22:28.725Z",
        "dateUpdated": "2024-11-07T18:31:26.561Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-5950 (GCVE-0-2023-5950)

    Vulnerability from nvd – Published: 2023-11-06 14:30 – Updated: 2024-09-05 13:42
    VLAI
    Title
    Rapid7 Velociraptor Reflected XSS
    Summary
    Rapid7 Velociraptor versions prior to 0.7.0-4 suffer from a reflected cross site scripting vulnerability. This vulnerability allows attackers to inject JS into the error path, potentially leading to unauthorized execution of scripts within a user's web browser. This vulnerability is fixed in version 0.7.0-04 and a patch is available to download. Patches are also available for version 0.6.9 (0.6.9-1).
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    Rapid7 Velociraptor Affected: 0 , < 0.7.0-4 (custom)
    Create a notification for this product.
    Credits
    Mathias Kujala
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T08:14:25.134Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/Velocidex/velociraptor/releases/tag/v0.7.0"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-5950",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-05T13:41:29.922872Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-05T13:42:38.581Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Velociraptor",
              "vendor": "Rapid7",
              "versions": [
                {
                  "lessThan": "0.7.0-4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Mathias Kujala"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Rapid7 Velociraptor versions prior to 0.7.0-4 suffer from a reflected cross site scripting vulnerability. This vulnerability allows attackers to inject JS into the error path, potentially leading to unauthorized execution of scripts within a user\u0027s web browser.\u0026nbsp;This vulnerability is fixed in\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;version 0.7.0-04 and a\u003c/span\u003e\u0026nbsp;patch is available to download. Patches are also available for version 0.6.9 (0.6.9-1).\u003cbr\u003e\u003cbr\u003e"
                }
              ],
              "value": "Rapid7 Velociraptor versions prior to 0.7.0-4 suffer from a reflected cross site scripting vulnerability. This vulnerability allows attackers to inject JS into the error path, potentially leading to unauthorized execution of scripts within a user\u0027s web browser.\u00a0This vulnerability is fixed in\u00a0version 0.7.0-04 and a\u00a0patch is available to download. Patches are also available for version 0.6.9 (0.6.9-1).\n\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-11-06T14:30:28.972Z",
            "orgId": "9974b330-7714-4307-a722-5648477acda7",
            "shortName": "rapid7"
          },
          "references": [
            {
              "url": "https://github.com/Velocidex/velociraptor/releases/tag/v0.7.0"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Rapid7 Velociraptor Reflected XSS ",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
        "assignerShortName": "rapid7",
        "cveId": "CVE-2023-5950",
        "datePublished": "2023-11-06T14:30:28.972Z",
        "dateReserved": "2023-11-03T10:13:59.198Z",
        "dateUpdated": "2024-09-05T13:42:38.581Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-2226 (GCVE-0-2023-2226)

    Vulnerability from nvd – Published: 2023-04-21 11:48 – Updated: 2025-02-04 20:33
    VLAI
    Title
    Velociraptor crashes while parsing some malformed PE or OLE files.
    Summary
    Due to insufficient validation in the PE and OLE parsers in Rapid7's Velociraptor versions earlier than 0.6.8 allows attacker to crash Velociraptor during parsing of maliciously malformed files.  For this attack to succeed, the attacker needs to be able to introduce malicious files to the system at the same time that Velociraptor attempts to collect any artifacts that attempt to parse PE files, Authenticode signatures, or OLE files. After crashing, the Velociraptor service will restart and it will still be possible to collect other artifacts.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Rapid7 Velociraptor Affected: 0 , < 0.6.8 (semver)
    Create a notification for this product.
    Date Public
    2023-04-21 11:45
    Credits
    Thanks to b1tg https://github.com/b1tg for reporting these issues and providing samples that trigger the crashes
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T06:12:20.691Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/Velocidex/velociraptor"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-2226",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-04T20:33:39.813217Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-04T20:33:45.232Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/Velocidex/velociraptor/releases",
              "defaultStatus": "unaffected",
              "modules": [
                "PE Parser",
                "OLE parser",
                "Authenticode parser"
              ],
              "packageName": "Velociraptor",
              "platforms": [
                "Windows"
              ],
              "product": "Velociraptor",
              "repo": "https://github.com/Velocidex/velociraptor/",
              "vendor": "Rapid7",
              "versions": [
                {
                  "lessThan": "0.6.8",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Thanks to b1tg https://github.com/b1tg for reporting these issues and providing samples that trigger the crashes"
            }
          ],
          "datePublic": "2023-04-21T11:45:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Due to insufficient validation in the PE and OLE parsers in Rapid7\u0027s Velociraptor versions earlier than 0.6.8 allows attacker to crash Velociraptor during parsing of maliciously malformed files.\u0026nbsp;\u003cbr\u003e\u003cbr\u003eFor this attack to succeed, the attacker needs to be able to introduce malicious files to the system at the same time that Velociraptor attempts to collect any artifacts that attempt to parse PE files, Authenticode signatures, or OLE files. After crashing, the Velociraptor service will restart and it will still be possible to collect other artifacts.\u003cbr\u003e\u003cbr\u003e"
                }
              ],
              "value": "Due to insufficient validation in the PE and OLE parsers in Rapid7\u0027s Velociraptor versions earlier than 0.6.8 allows attacker to crash Velociraptor during parsing of maliciously malformed files.\u00a0\n\nFor this attack to succeed, the attacker needs to be able to introduce malicious files to the system at the same time that Velociraptor attempts to collect any artifacts that attempt to parse PE files, Authenticode signatures, or OLE files. After crashing, the Velociraptor service will restart and it will still be possible to collect other artifacts.\n\n"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-540",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-540 Overread Buffers"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "LOW",
                "baseScore": 3.3,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-125",
                  "description": "CWE-125 Out-of-bounds Read",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-04-21T11:48:46.279Z",
            "orgId": "9974b330-7714-4307-a722-5648477acda7",
            "shortName": "rapid7"
          },
          "references": [
            {
              "url": "https://github.com/Velocidex/velociraptor"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Upgrade the clients to version 0.6.8-2"
                }
              ],
              "value": "Upgrade the clients to version 0.6.8-2"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Velociraptor crashes while parsing some malformed PE or OLE files.",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
        "assignerShortName": "rapid7",
        "cveId": "CVE-2023-2226",
        "datePublished": "2023-04-21T11:48:46.279Z",
        "dateReserved": "2023-04-21T11:40:07.131Z",
        "dateUpdated": "2025-02-04T20:33:45.232Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-0290 (GCVE-0-2023-0290)

    Vulnerability from nvd – Published: 2023-01-18 21:10 – Updated: 2025-04-03 19:52
    VLAI
    Title
    Rapid7 Velociraptor directory traversal in client ID parameter
    Summary
    Rapid7 Velociraptor did not properly sanitize the client ID parameter to the CreateCollection API, allowing a directory traversal in where the collection task could be written. It was possible to provide a client id of "../clients/server" to schedule the collection for the server (as a server artifact), but only require privileges to schedule collections on the client. Normally, to schedule an artifact on the server, the COLLECT_SERVER permission is required. This permission is normally only granted to "administrator" role. Due to this issue, it is sufficient to have the COLLECT_CLIENT privilege, which is normally granted to the "investigator" role. To exploit this vulnerability, the attacker must already have a Velociraptor user account at least "investigator" level, and be able to authenticate to the GUI and issue an API call to the backend. Typically, most users deploy Velociraptor with limited access to a trusted group, and most users will already be administrators within the GUI. This issue affects Velociraptor versions before 0.6.7-5. Version 0.6.7-5, released January 16, 2023, fixes the issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Rapid7 Velociraptor Affected: 0 , < 0.6.7-5 (semver)
    Create a notification for this product.
    Date Public
    2023-01-17 14:00
    Credits
    Paul Alkemade from Telstra
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T05:02:44.149Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/Velocidex/velociraptor"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 4.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-0290",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-02T15:57:02.778328Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-22",
                    "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-03T19:52:44.579Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/Velocidex/velociraptor/releases",
              "defaultStatus": "unaffected",
              "modules": [
                "CreateCollection API"
              ],
              "packageName": "Velociraptor",
              "platforms": [
                "Windows",
                "Linux",
                "MacOS",
                "64 bit",
                "32 bit"
              ],
              "product": "Velociraptor",
              "programFiles": [
                "https://github.com/Velocidex/velociraptor/blob/master/services/launcher/launcher.go"
              ],
              "programRoutines": [
                {
                  "name": "ScheduleArtifactCollection()"
                }
              ],
              "repo": "https://github.com/Velocidex/velociraptor/",
              "vendor": "Rapid7",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "5",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "0.6.7-5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Velociraptor deployment with multiple users at roles of lesser privileges than administrators, but at least the level of \"investigator.\"\u003cbr\u003e"
                }
              ],
              "value": "Velociraptor deployment with multiple users at roles of lesser privileges than administrators, but at least the level of \"investigator.\"\n"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Paul Alkemade from Telstra"
            }
          ],
          "datePublic": "2023-01-17T14:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Rapid7 Velociraptor did not properly sanitize the client ID parameter to the CreateCollection API, allowing a directory traversal in where the collection task could be written. It was possible to provide a client id of \"../clients/server\" to schedule the collection for the server (as a server artifact), but only require privileges to schedule collections on the client.\u003cbr\u003e\u003cbr\u003eNormally, to schedule an artifact on the server, the COLLECT_SERVER permission is required. This permission is normally only granted to \"administrator\" role. Due to this issue, it is sufficient to have the COLLECT_CLIENT privilege, which is normally granted to the \"investigator\" role.\u003cbr\u003e\u003cp\u003eTo exploit this vulnerability, the attacker must already have a Velociraptor user account at least \"investigator\" level, and\u0026nbsp;be able to authenticate to the GUI and issue an API call to the backend. Typically, most users deploy Velociraptor with limited access to a trusted group, and most users will already be administrators within the GUI.\u003c/p\u003e\u003cp\u003eThis issue affects Velociraptor versions before 0.6.7-5. Version 0.6.7-5, released January 16, 2023, fixes the issue.\u003c/p\u003e"
                }
              ],
              "value": "Rapid7 Velociraptor did not properly sanitize the client ID parameter to the CreateCollection API, allowing a directory traversal in where the collection task could be written. It was possible to provide a client id of \"../clients/server\" to schedule the collection for the server (as a server artifact), but only require privileges to schedule collections on the client.\n\nNormally, to schedule an artifact on the server, the COLLECT_SERVER permission is required. This permission is normally only granted to \"administrator\" role. Due to this issue, it is sufficient to have the COLLECT_CLIENT privilege, which is normally granted to the \"investigator\" role.\nTo exploit this vulnerability, the attacker must already have a Velociraptor user account at least \"investigator\" level, and\u00a0be able to authenticate to the GUI and issue an API call to the backend. Typically, most users deploy Velociraptor with limited access to a trusted group, and most users will already be administrators within the GUI.\n\nThis issue affects Velociraptor versions before 0.6.7-5. Version 0.6.7-5, released January 16, 2023, fixes the issue.\n\n"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-233",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-233 Privilege Escalation"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-01-18T21:10:42.929Z",
            "orgId": "9974b330-7714-4307-a722-5648477acda7",
            "shortName": "rapid7"
          },
          "references": [
            {
              "url": "https://github.com/Velocidex/velociraptor"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Upgrade to 0.6.7-5\u003cbr\u003e"
                }
              ],
              "value": "Upgrade to 0.6.7-5\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2023-01-13T05:23:00.000Z",
              "value": "Notification of the issue"
            },
            {
              "lang": "en",
              "time": "2023-01-17T02:00:00.000Z",
              "value": "Release 0.6.7-5 made available on Github"
            }
          ],
          "title": "Rapid7 Velociraptor directory traversal in client ID parameter ",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
        "assignerShortName": "rapid7",
        "cveId": "CVE-2023-0290",
        "datePublished": "2023-01-18T21:10:42.929Z",
        "dateReserved": "2023-01-13T15:10:30.966Z",
        "dateUpdated": "2025-04-03T19:52:44.579Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-0242 (GCVE-0-2023-0242)

    Vulnerability from nvd – Published: 2023-01-18 20:57 – Updated: 2025-04-03 19:51
    VLAI
    Title
    Insufficient permission check in the VQL copy() function
    Summary
    Rapid7 Velociraptor allows users to be created with different privileges on the server. Administrators are generally allowed to run any command on the server including writing arbitrary files. However, lower privilege users are generally forbidden from writing or modifying files on the server. The VQL copy() function applies permission checks for reading files but does not check for permission to write files. This allows a low privilege user (usually, users with the Velociraptor "investigator" role) to overwrite files on the server, including Velociraptor configuration files. To exploit this vulnerability, the attacker must already have a Velociraptor user account at a low privilege level (at least "analyst") and be able to log into the GUI and create a notebook where they can run the VQL query invoking the copy() VQL function. Typically, most users deploy Velociraptor with limited access to a trusted group (most users will be administrators within the GUI). This vulnerability is associated with program files https://github.Com/Velocidex/velociraptor/blob/master/vql/filesystem/copy.go https://github.Com/Velocidex/velociraptor/blob/master/vql/filesystem/copy.go and program routines copy(). This issue affects Velociraptor versions before 0.6.7-5. Version 0.6.7-5, released January 16, 2023, fixes the issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-269 - Improper Privilege Management
    Assigner
    References
    Impacted products
    Vendor Product Version
    Rapid7 Velociraptor Affected: 0 , < 0.6.7-5 (semver)
    Create a notification for this product.
    Date Public
    2023-01-18 02:00
    Credits
    Paul Alkemade from Telstra
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T05:02:44.109Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "release-notes",
                  "x_transferred"
                ],
                "url": "https://docs.velociraptor.app/announcements/2023-cves/#:~:text=to%20upgrade%20clients.-,CVE%2D2023%2D0242,-Insufficient%20Permission%20Check"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-0242",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-02T15:58:54.468796Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-03T19:51:46.758Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/Velocidex/velociraptor/releases",
              "defaultStatus": "unaffected",
              "modules": [
                "VQL copy() function"
              ],
              "packageName": "Velociraptor",
              "platforms": [
                "Linux",
                "Windows",
                "MacOS",
                "64 bit",
                "32 bit"
              ],
              "product": "Velociraptor",
              "programFiles": [
                "https://github.com/Velocidex/velociraptor/blob/master/vql/filesystem/copy.go"
              ],
              "programRoutines": [
                {
                  "name": "copy()"
                }
              ],
              "repo": "https://github.com/Velocidex/velociraptor/",
              "vendor": "Rapid7",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "5",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "0.6.7-5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Velociraptor deployment with multiple users at lower roles than administrators, such as \"investigator\" and above."
                }
              ],
              "value": "Velociraptor deployment with multiple users at lower roles than administrators, such as \"investigator\" and above."
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "analyst",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Paul Alkemade from Telstra"
            }
          ],
          "datePublic": "2023-01-18T02:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Rapid7 Velociraptor allows users to be created with different privileges on the server. Administrators are generally allowed to run any command on the server including writing arbitrary files. However, lower privilege users are generally forbidden from writing or modifying files on the server.\u003cbr\u003e\u003cbr\u003eThe VQL copy() function applies permission checks for reading files but does not check for permission to write files. This allows a low privilege user (usually, users with the Velociraptor \"investigator\" role) to overwrite files on the server, including Velociraptor configuration files.\u003cbr\u003e\u003cbr\u003eTo exploit this vulnerability, the attacker must already have a Velociraptor user account at a low privilege level (at least \"analyst\") and be able to log into the GUI and create a notebook where they can run the VQL query invoking the copy() VQL function. Typically, most users deploy Velociraptor with limited access to a trusted group (most users will be administrators within the GUI).\u003cbr\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.Com/Velocidex/velociraptor/blob/master/vql/filesystem/copy.go\"\u003ehttps://github.Com/Velocidex/velociraptor/blob/master/vql/filesystem/copy.go\u003c/a\u003e\u003c/tt\u003e and program routines \u003ctt\u003ecopy()\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects Velociraptor versions before 0.6.7-5. Version 0.6.7-5, released January 16, 2023, fixes the issue.\u003c/p\u003e"
                }
              ],
              "value": "Rapid7 Velociraptor allows users to be created with different privileges on the server. Administrators are generally allowed to run any command on the server including writing arbitrary files. However, lower privilege users are generally forbidden from writing or modifying files on the server.\n\nThe VQL copy() function applies permission checks for reading files but does not check for permission to write files. This allows a low privilege user (usually, users with the Velociraptor \"investigator\" role) to overwrite files on the server, including Velociraptor configuration files.\n\nTo exploit this vulnerability, the attacker must already have a Velociraptor user account at a low privilege level (at least \"analyst\") and be able to log into the GUI and create a notebook where they can run the VQL query invoking the copy() VQL function. Typically, most users deploy Velociraptor with limited access to a trusted group (most users will be administrators within the GUI).\nThis vulnerability is associated with program files  https://github.Com/Velocidex/velociraptor/blob/master/vql/filesystem/copy.go https://github.Com/Velocidex/velociraptor/blob/master/vql/filesystem/copy.go  and program routines copy().\n\nThis issue affects Velociraptor versions before 0.6.7-5. Version 0.6.7-5, released January 16, 2023, fixes the issue.\n\n"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-75",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-75 Manipulating Writeable Configuration Files"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269 Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-01-18T20:57:30.570Z",
            "orgId": "9974b330-7714-4307-a722-5648477acda7",
            "shortName": "rapid7"
          },
          "references": [
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.velociraptor.app/announcements/2023-cves/#:~:text=to%20upgrade%20clients.-,CVE%2D2023%2D0242,-Insufficient%20Permission%20Check"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Upgrade to 0.6.7-5"
                }
              ],
              "value": "Upgrade to 0.6.7-5"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2023-01-12T07:00:00.000Z",
              "value": "Notification of the issue"
            },
            {
              "lang": "en",
              "time": "2023-01-17T02:00:00.000Z",
              "value": "Release 0.6.7-5 made available on Github"
            }
          ],
          "title": "Insufficient permission check in the VQL copy() function",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A valid workaround is to prevent the copy function in the Velociraptor allow list:\u003cbr\u003e\u003cbr\u003e1. In the configuration wizard answer yes to the question \"Do you want to restrict VQL functionality on the server?\"\u003cbr\u003e2. This will add a default allow list to the configuration file.\u003cbr\u003e3. Copy this allow list to your existing server.config.yaml\u003cbr\u003e4. Ensure the \"copy\" function is removed from the default allow list."
                }
              ],
              "value": "A valid workaround is to prevent the copy function in the Velociraptor allow list:\n\n1. In the configuration wizard answer yes to the question \"Do you want to restrict VQL functionality on the server?\"\n2. This will add a default allow list to the configuration file.\n3. Copy this allow list to your existing server.config.yaml\n4. Ensure the \"copy\" function is removed from the default allow list."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
        "assignerShortName": "rapid7",
        "cveId": "CVE-2023-0242",
        "datePublished": "2023-01-18T20:57:30.570Z",
        "dateReserved": "2023-01-12T13:35:35.391Z",
        "dateUpdated": "2025-04-03T19:51:46.758Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-8795 (GCVE-0-2026-8795)

    Vulnerability from cvelistv5 – Published: 2026-06-09 01:04 – Updated: 2026-06-10 03:58
    VLAI
    Summary
    A YAML injection vulnerability exists in the Windows.Collectors.Remapping artifact of Rapid7 Velociraptor before version 0.76.6. The hostname field in client_info.json inside a collection ZIP is inserted into a YAML template via Go's text/template without escaping. An attacker providing a crafted collection ZIP can leverage literal double quotes and newlines in the hostname to break out of the YAML quoted string and inject a new mount remapping entry. When an analyst applies the generated remapping file with --remap, arbitrary VQL executes on their machine with NullACLManager (all permissions granted, unsandboxed).
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    • CWE-116 - Improper Encoding or Escaping of Output
    Assigner
    References
    Impacted products
    Vendor Product Version
    Rapid7 Velociraptor Affected: 0 , < 0.76.6 (semver)
    Create a notification for this product.
    Credits
    Artificial Intelligence
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8795",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-09T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-10T03:58:30.695Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Linux",
                "Windows",
                "macOS"
              ],
              "product": "Velociraptor",
              "vendor": "Rapid7",
              "versions": [
                {
                  "lessThan": "0.76.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Artificial Intelligence"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eA YAML injection vulnerability exists in the Windows.Collectors.Remapping artifact of Rapid7 Velociraptor before version 0.76.6. The hostname field in client_info.json inside a collection ZIP is inserted into a YAML template via Go\u0027s text/template without escaping. An attacker providing a crafted collection ZIP can leverage literal double quotes and newlines in the hostname to break out of the YAML quoted string and inject a new mount remapping entry. When an analyst applies the generated remapping file with --remap, arbitrary VQL executes on their machine with NullACLManager (all permissions granted, unsandboxed).\u003c/p\u003e"
                }
              ],
              "value": "A YAML injection vulnerability exists in the Windows.Collectors.Remapping artifact of Rapid7 Velociraptor before version 0.76.6. The hostname field in client_info.json inside a collection ZIP is inserted into a YAML template via Go\u0027s text/template without escaping. An attacker providing a crafted collection ZIP can leverage literal double quotes and newlines in the hostname to break out of the YAML quoted string and inject a new mount remapping entry. When an analyst applies the generated remapping file with --remap, arbitrary VQL executes on their machine with NullACLManager (all permissions granted, unsandboxed)."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-549",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-549: Local Execution of Code"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-116",
                  "description": "CWE-116: Improper Encoding or Escaping of Output",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-09T01:04:21.775Z",
            "orgId": "9974b330-7714-4307-a722-5648477acda7",
            "shortName": "rapid7"
          },
          "references": [
            {
              "name": "Velociraptor Security Advisory CVE-2026-8795",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://docs.velociraptor.app/announcements/advisories/cve-2026-8795/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
        "assignerShortName": "rapid7",
        "cveId": "CVE-2026-8795",
        "datePublished": "2026-06-09T01:04:21.775Z",
        "dateReserved": "2026-05-17T23:31:05.101Z",
        "dateUpdated": "2026-06-10T03:58:30.695Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6863 (GCVE-0-2026-6863)

    Vulnerability from cvelistv5 – Published: 2026-05-06 14:50 – Updated: 2026-05-06 15:27
    VLAI
    Title
    HTTP Filestore Endpoints Misapply Permissions Across Organizations
    Summary
    Velociraptor versions prior to 0.76.4 contain a cross organization authorization bypass in the HTTP API. A user with only the reader role in the root organization (the lowest authenticated role, holding only READ_RESULTS permission ) can issue a single authenticated HTTP GET that can read any files from other orgs - even if they have no explicit permissions in the target org. However, the problem does not occur in reverse - a user with read access to a sub org is unable to read from other org or the root org.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Rapid7 Velociraptor Affected: 0 , < 0.76.4, 0.75.9 (semver)
    Create a notification for this product.
    Credits
    We thank Faisal Alhumaid (Faisal.alhumaid@hotmail.com) for reporting this issue responsibly.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6863",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-06T15:26:49.596766Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-06T15:27:40.088Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Linux"
              ],
              "product": "Velociraptor",
              "repo": "https://github.com/Velocidex/velociraptor",
              "vendor": "Rapid7",
              "versions": [
                {
                  "lessThan": "0.76.4, 0.75.9",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "We thank Faisal Alhumaid (Faisal.alhumaid@hotmail.com) for reporting this issue responsibly."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eVelociraptor versions prior to 0.76.4 contain a cross organization authorization bypass in the HTTP API. A user with only the reader role in the root organization (the lowest authenticated role, holding only READ_RESULTS permission ) can issue a single authenticated HTTP GET that can read any files from other orgs - even if they have no explicit permissions in the target org.\u003c/p\u003e\u003cp\u003eHowever, the problem does not occur in reverse - a user with read access to a sub org is unable to read from other org or the root org.\u003c/p\u003e"
                }
              ],
              "value": "Velociraptor versions prior to 0.76.4 contain a cross organization authorization bypass in the HTTP API. A user with only the reader role in the root organization (the lowest authenticated role, holding only READ_RESULTS permission ) can issue a single authenticated HTTP GET that can read any files from other orgs - even if they have no explicit permissions in the target org.\n\n\n\nHowever, the problem does not occur in reverse - a user with read access to a sub org is unable to read from other org or the root org."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-114",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-114 Authentication Abuse"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863 Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-06T14:54:19.814Z",
            "orgId": "9974b330-7714-4307-a722-5648477acda7",
            "shortName": "rapid7"
          },
          "references": [
            {
              "url": "https://docs.velociraptor.app/announcements/advisories/cve-2026-6863/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eTo remediate, you will need to\u0026nbsp;\u003ca href=\"https://docs.velociraptor.app/docs/deployment/server/upgrades/#upgrading-a-server-in-place-upgrade\"\u003eupgrade your server\u003c/a\u003e\u0026nbsp;to the latest version of your release:\u003c/p\u003e\u003cul\u003e\u003cli\u003eFor 0.76 releases, upgrade immediately to\u0026nbsp;\u003ca href=\"https://github.com/Velocidex/velociraptor/releases/download/v0.76/velociraptor-v0.76.4-linux-amd64\" target=\"_blank\"\u003ev0.76.4\u003c/a\u003e\u003c/li\u003e\u003cli\u003eFor 0.75 releases, upgrade immediately to\u0026nbsp;\u003ca href=\"https://github.com/Velocidex/velociraptor/releases/download/v0.75/velociraptor-v0.75.9-linux-amd64\" target=\"_blank\"\u003ev0.75.9\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e"
                }
              ],
              "value": "To remediate, you will need to\u00a0 upgrade your server https://docs.velociraptor.app/docs/deployment/server/upgrades/#upgrading-a-server-in-place-upgrade \u00a0to the latest version of your release:\n\n  *  For 0.76 releases, upgrade immediately to\u00a0 v0.76.4 https://github.com/Velocidex/velociraptor/releases/download/v0.76/velociraptor-v0.76.4-linux-amd64 \n  *  For 0.75 releases, upgrade immediately to\u00a0 v0.75.9 https://github.com/Velocidex/velociraptor/releases/download/v0.75/velociraptor-v0.75.9-linux-amd64"
            }
          ],
          "source": {
            "advisory": "docs.velociraptor.app/announcements/advisories/cve-2026-6863/",
            "discovery": "UNKNOWN"
          },
          "title": "HTTP Filestore Endpoints Misapply Permissions Across Organizations",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
        "assignerShortName": "rapid7",
        "cveId": "CVE-2026-6863",
        "datePublished": "2026-05-06T14:50:55.631Z",
        "dateReserved": "2026-04-22T14:25:24.122Z",
        "dateUpdated": "2026-05-06T15:27:40.088Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7572 (GCVE-0-2026-7572)

    Vulnerability from cvelistv5 – Published: 2026-05-06 02:38 – Updated: 2026-05-06 16:42
    VLAI
    Title
    Velociraptor EVTX Parser — Process Crash via Crafted .evtx File
    Summary
    An off-by-one error (CWE-193) in the ConsumeUnit16Array and ConsumeUnit64Array functions in Velocidex Velociraptor before version 0.76.5 on Windows and Linux allows a local attacker to cause a Denial of Service (DoS) via a process crash by providing a specially crafted .evtx file to the parse_evtx VQL plugin.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Velocidex velociraptor Affected: 0 , < 0.76.5 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7572",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-06T16:24:23.747912Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-06T16:42:17.097Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "github.com/Velocidex/velociraptor",
              "platforms": [
                "Windows",
                "Linux"
              ],
              "product": "velociraptor",
              "vendor": "Velocidex",
              "versions": [
                {
                  "lessThan": "0.76.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An off-by-one error (CWE-193) in the ConsumeUnit16Array and ConsumeUnit64Array functions in Velocidex Velociraptor before version 0.76.5 on Windows and Linux allows a local attacker to cause a Denial of Service (DoS) via a process crash by providing a specially crafted .evtx file to the parse_evtx VQL plugin."
                }
              ],
              "value": "An off-by-one error (CWE-193) in the ConsumeUnit16Array and ConsumeUnit64Array functions in Velocidex Velociraptor before version 0.76.5 on Windows and Linux allows a local attacker to cause a Denial of Service (DoS) via a process crash by providing a specially crafted .evtx file to the parse_evtx VQL plugin."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-617",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-617 Cellular Rogue Base Station"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "LOW",
                "baseScore": 4.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-193",
                  "description": "CWE-193: Off-by-one Error",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-06T02:38:59.573Z",
            "orgId": "9974b330-7714-4307-a722-5648477acda7",
            "shortName": "rapid7"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://docs.velociraptor.app/announcements/advisories/cve-2026-7572/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Velociraptor EVTX Parser \u2014 Process Crash via Crafted .evtx File",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
        "assignerShortName": "rapid7",
        "cveId": "CVE-2026-7572",
        "datePublished": "2026-05-06T02:38:59.573Z",
        "dateReserved": "2026-05-01T00:05:50.505Z",
        "dateUpdated": "2026-05-06T16:42:17.097Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7573 (GCVE-0-2026-7573)

    Vulnerability from cvelistv5 – Published: 2026-05-06 02:15 – Updated: 2026-05-06 16:17
    VLAI
    Title
    GetUserRoles API endpoint allows any authenticated user to enumerate ACL policies across all organizations
    Summary
    An authorization bypass (CWE-639) in the GetUserRoles gRPC API endpoint in Velocidex Velociraptor below version 0.76.5 allows any authenticated low-privilege user to retrieve the complete ACL policy (roles and permissions) for any user across all organizations by supplying targeted Name and Org parameters via a network request.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    References
    Impacted products
    Vendor Product Version
    Velocidex velociraptor Affected: 0 , < 0.76.5 (semver)
    Create a notification for this product.
    Credits
    michaelddickenson
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7573",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-06T16:16:13.288762Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-06T16:17:18.756Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "github.com/Velocidex/velociraptor",
              "product": "velociraptor",
              "vendor": "Velocidex",
              "versions": [
                {
                  "lessThan": "0.76.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "michaelddickenson"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn authorization bypass (CWE-639) in the GetUserRoles gRPC API endpoint in Velocidex Velociraptor below version 0.76.5 allows any authenticated low-privilege user to retrieve the complete ACL policy (roles and permissions) for any user across all organizations by supplying targeted Name and Org parameters via a network request.\u003c/p\u003e"
                }
              ],
              "value": "An authorization bypass (CWE-639) in the GetUserRoles gRPC API endpoint in Velocidex Velociraptor below version 0.76.5 allows any authenticated low-privilege user to retrieve the complete ACL policy (roles and permissions) for any user across all organizations by supplying targeted Name and Org parameters via a network request."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-37",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-37 Retrieve Embedded Sensitive Data"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-06T02:15:34.491Z",
            "orgId": "9974b330-7714-4307-a722-5648477acda7",
            "shortName": "rapid7"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://docs.velociraptor.app/announcements/advisories/cve-2026-7573/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "GetUserRoles API endpoint allows any authenticated user to enumerate ACL policies across all organizations",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
        "assignerShortName": "rapid7",
        "cveId": "CVE-2026-7573",
        "datePublished": "2026-05-06T02:15:34.491Z",
        "dateReserved": "2026-05-01T00:05:56.823Z",
        "dateUpdated": "2026-05-06T16:17:18.756Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6948 (GCVE-0-2026-6948)

    Vulnerability from cvelistv5 – Published: 2026-05-03 23:55 – Updated: 2026-06-19 12:45
    VLAI
    Title
    Unbounded Memory Allocation in VQLResponse Result-Set Writer
    Summary
    Velociraptor versions prior to 0.76.4 contain a resource exhaustion vulnerability in the server's agent control channel. This allows a compromised or rogue Velociraptor client to crash the server via out-of-memory (OOM) by sending crafted messages through the normal client communication channel.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of resources without limits or throttling
    Assigner
    Impacted products
    Vendor Product Version
    Rapid7 Velociraptor Affected: 0 , < 0.76.4 (custom)
    Affected: 0 , < 0.75.9 (custom)
    Create a notification for this product.
    Date Public
    2026-04-27 14:00
    Credits
    We thank Faisal Alhumaid (Faisal.alhumaid@hotmail.com) for reporting this issue responsibly. We also thank Mika Jarvinen (mika.jarvinen@kapsi.fi) for reporting this issue responsibly at the same time. We also thank HE WEI(ギカク)(https://www.linkedin.com/in/gikaku/) for identifying and reporting an additional vulnerable code path related to this issue.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6948",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-04T13:08:05.344047Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-04T13:08:18.314Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Linux"
              ],
              "product": "Velociraptor",
              "repo": "https://github.com/Velocidex/velociraptor",
              "vendor": "Rapid7",
              "versions": [
                {
                  "lessThan": "0.76.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "0.75.9",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "We thank Faisal Alhumaid (Faisal.alhumaid@hotmail.com) for reporting this issue responsibly."
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "We also thank Mika Jarvinen (mika.jarvinen@kapsi.fi) for reporting this issue responsibly at the same time."
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "We also thank HE WEI\uff08\u30ae\u30ab\u30af\uff09(https://www.linkedin.com/in/gikaku/) for identifying and reporting an additional vulnerable code path related to this issue."
            }
          ],
          "datePublic": "2026-04-27T14:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eVelociraptor versions prior to 0.76.4 contain a resource exhaustion vulnerability in the server\u0027s agent control channel.\u003c/p\u003e\u003cp\u003eThis allows a compromised or rogue Velociraptor client to crash the server via out-of-memory (OOM) by sending crafted messages through the normal client communication channel.\u003c/p\u003e"
                }
              ],
              "value": "Velociraptor versions prior to 0.76.4 contain a resource exhaustion vulnerability in the server\u0027s agent control channel.\n\n\n\nThis allows a compromised or rogue Velociraptor client to crash the server via out-of-memory (OOM) by sending crafted messages through the normal client communication channel."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-130",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-130 Excessive Allocation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 4.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770 Allocation of resources without limits or throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-19T12:45:13.562Z",
            "orgId": "9974b330-7714-4307-a722-5648477acda7",
            "shortName": "rapid7"
          },
          "references": [
            {
              "url": "https://docs.velociraptor.app/announcements/advisories/cve-2026-6948/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eTo remediate, you will need to\u0026nbsp;\u003ca href=\"https://www.velociraptor-docs.org/docs/deployment/server/upgrades/#upgrading-a-server-in-place-upgrade\"\u003eupgrade your server\u003c/a\u003e\u0026nbsp;to the latest version of your release:\u003c/p\u003e\u003cul\u003e\u003cli\u003eFor 0.76 releases, upgrade immediately to\u0026nbsp;\u003ca href=\"https://github.com/Velocidex/velociraptor/releases/download/v0.76/velociraptor-v0.76.4-linux-amd64\" target=\"_blank\"\u003ev0.76.4\u003c/a\u003e\u003c/li\u003e\u003cli\u003eFor 0.75 releases, upgrade immediately to\u0026nbsp;\u003ca href=\"https://github.com/Velocidex/velociraptor/releases/download/v0.75/velociraptor-v0.75.9-linux-amd64\" target=\"_blank\"\u003ev0.75.9\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e"
                }
              ],
              "value": "To remediate, you will need to\u00a0 upgrade your server https://www.velociraptor-docs.org/docs/deployment/server/upgrades/#upgrading-a-server-in-place-upgrade \u00a0to the latest version of your release:\n\n  *  For 0.76 releases, upgrade immediately to\u00a0 v0.76.4 https://github.com/Velocidex/velociraptor/releases/download/v0.76/velociraptor-v0.76.4-linux-amd64 \n  *  For 0.75 releases, upgrade immediately to\u00a0 v0.75.9 https://github.com/Velocidex/velociraptor/releases/download/v0.75/velociraptor-v0.75.9-linux-amd64"
            }
          ],
          "source": {
            "advisory": "https://www.velociraptor-docs.org/announcements/advisories/cve-2",
            "discovery": "UNKNOWN"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-19T14:00:00.000Z",
              "value": "Initial report by Faisal Alhumaid"
            },
            {
              "lang": "en",
              "time": "2026-04-19T14:00:00.000Z",
              "value": "Initial report by Mika Jarvinen"
            },
            {
              "lang": "en",
              "time": "2026-04-27T23:50:00.000Z",
              "value": "Advisory published and patch distributed"
            }
          ],
          "title": "Unbounded Memory Allocation in VQLResponse Result-Set Writer",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
        "assignerShortName": "rapid7",
        "cveId": "CVE-2026-6948",
        "datePublished": "2026-05-03T23:55:40.555Z",
        "dateReserved": "2026-04-24T03:35:48.568Z",
        "dateUpdated": "2026-06-19T12:45:13.562Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6290 (GCVE-0-2026-6290)

    Vulnerability from cvelistv5 – Published: 2026-04-15 17:29 – Updated: 2026-04-16 03:55
    VLAI
    Title
    Velociraptor Query() Plugin Misapplies Permissions To Orgs
    Summary
    Velociraptor versions prior to 0.76.3 contain a vulnerability in the query() plugin which allows access to all orgs with the user's current ACL token. This allows an authenticated GUI user with access in one org, to use the query() plugin, in a notebook cell, to run VQL queries on other orgs which they may not have access to. The user's permissions in the other org are the same as the permissions they have in the org containing the notebook.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Rapid7 Velociraptor Affected: 0 , < 0.76.3, 0.75.8 (semver)
    Create a notification for this product.
    Credits
    Faisal Alhumaid
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6290",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-15T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-16T03:55:38.112Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Velociraptor",
              "vendor": "Rapid7",
              "versions": [
                {
                  "lessThan": "0.76.3, 0.75.8",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Faisal Alhumaid"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Velociraptor versions prior to 0.76.3 contain a vulnerability in the query() plugin which allows access to all orgs with the user\u0027s current ACL token. This allows an authenticated GUI user with access in one org, to use the query() plugin, in a notebook cell, to run VQL queries on other orgs which they may not have access to. The user\u0027s permissions in the other org are\u003cbr\u003ethe same as the permissions they have in the org containing the notebook."
                }
              ],
              "value": "Velociraptor versions prior to 0.76.3 contain a vulnerability in the query() plugin which allows access to all orgs with the user\u0027s current ACL token. This allows an authenticated GUI user with access in one org, to use the query() plugin, in a notebook cell, to run VQL queries on other orgs which they may not have access to. The user\u0027s permissions in the other org are\nthe same as the permissions they have in the org containing the notebook."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-114",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-114 Authentication Abuse"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-15T17:29:04.306Z",
            "orgId": "9974b330-7714-4307-a722-5648477acda7",
            "shortName": "rapid7"
          },
          "references": [
            {
              "url": "https://docs.velociraptor.app/announcements/advisories/cve-2026-6290/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Velociraptor Query() Plugin Misapplies Permissions To Orgs",
          "x_generator": {
            "engine": "Vulnogram 1.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
        "assignerShortName": "rapid7",
        "cveId": "CVE-2026-6290",
        "datePublished": "2026-04-15T17:29:04.306Z",
        "dateReserved": "2026-04-14T17:31:37.803Z",
        "dateUpdated": "2026-04-16T03:55:38.112Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5329 (GCVE-0-2026-5329)

    Vulnerability from cvelistv5 – Published: 2026-04-09 17:52 – Updated: 2026-04-16 17:55
    VLAI
    Title
    Rapid7 Velociraptor Improper Input Validation in Client Message Handler
    Summary
    Rapid7 Velociraptor versions prior to 0.76.2 contain an improper input validation vulnerability in the client monitoring message handler on the Velociraptor server (primarily Linux) that allows an authenticated remote attacker to write to arbitrary internal server queues via a crafted monitoring message with a malicious queue name. The server handler that receives client monitoring messages does not sufficiently validate the queue name supplied by the client, allowing a rogue client to write arbitrary messages to privileged internal queues. This may lead to remote code execution on the Velociraptor server. Rapid7 Hosted Velociraptor instances are not affected by this vulnerability.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper input validation
    Assigner
    Impacted products
    Vendor Product Version
    Rapid7 Velociraptor Affected: 0 , ≤ 0.76.3 (semver)
    Affected: 0 , ≤ 0.75.6 (semver)
    Affected: 0 , ≤ 0.74.6 (semver)
    Create a notification for this product.
    Credits
    We thank Chris Au (@netero_1010) from NyxLab for identifying and reporting this issue.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5329",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-09T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-10T03:56:08.816Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Linux"
              ],
              "product": "Velociraptor",
              "repo": "https://github.com/Velocidex/velociraptor",
              "vendor": "Rapid7",
              "versions": [
                {
                  "lessThanOrEqual": "0.76.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "0.75.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "0.74.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "We thank Chris Au (@netero_1010) from NyxLab for identifying and reporting this issue."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Rapid7 Velociraptor versions prior to 0.76.2\u0026nbsp;contain an improper input validation vulnerability in the client monitoring message handler on the Velociraptor server (primarily Linux) that allows an authenticated remote attacker  to write to arbitrary internal server queues via a crafted monitoring message with a malicious queue name. The server handler that receives client monitoring messages\u0026nbsp;does not sufficiently validate the queue name supplied by the client, allowing a rogue client to write arbitrary messages to privileged internal queues. This may lead to remote code execution on the Velociraptor server. Rapid7 Hosted Velociraptor instances are not affected by this vulnerability."
                }
              ],
              "value": "Rapid7 Velociraptor versions prior to 0.76.2\u00a0contain an improper input validation vulnerability in the client monitoring message handler on the Velociraptor server (primarily Linux) that allows an authenticated remote attacker  to write to arbitrary internal server queues via a crafted monitoring message with a malicious queue name. The server handler that receives client monitoring messages\u00a0does not sufficiently validate the queue name supplied by the client, allowing a rogue client to write arbitrary messages to privileged internal queues. This may lead to remote code execution on the Velociraptor server. Rapid7 Hosted Velociraptor instances are not affected by this vulnerability."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-240",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-240 Resource Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper input validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-16T17:55:09.212Z",
            "orgId": "9974b330-7714-4307-a722-5648477acda7",
            "shortName": "rapid7"
          },
          "references": [
            {
              "url": "https://docs.velociraptor.app/announcements/advisories/cve-2026-5329/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Rapid7 Velociraptor Improper Input Validation in Client Message Handler",
          "x_generator": {
            "engine": "Vulnogram 1.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
        "assignerShortName": "rapid7",
        "cveId": "CVE-2026-5329",
        "datePublished": "2026-04-09T17:52:05.885Z",
        "dateReserved": "2026-04-01T13:33:23.515Z",
        "dateUpdated": "2026-04-16T17:55:09.212Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-14728 (GCVE-0-2025-14728)

    Vulnerability from cvelistv5 – Published: 2025-12-29 19:04 – Updated: 2025-12-30 22:26
    VLAI
    Title
    Rapid7 Velociraptor Directory Traversal Vulnerability
    Summary
    Rapid7 Velociraptor versions before 0.75.6 contain a directory traversal issue on Linux servers that allows a rogue client to upload a file which is written outside the datastore directory. Velociraptor is normally only allowed to write in the datastore directory. The issue occurs due to insufficient sanitization of directory names which end with a ".", only encoding the final "." AS "%2E". Although files can be written to incorrect locations, the containing directory must end with "%2E". This limits the impact of this vulnerability, and prevents it from overwriting critical files.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    Rapid7 Velociraptor Affected: 0 , < 0.75.6 (semver)
    Create a notification for this product.
    Credits
    We thank @_chebuya for identifying and reporting this issue.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-14728",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-30T21:54:55.659289Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-30T22:26:47.316Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Linux"
              ],
              "product": "Velociraptor",
              "repo": "https://github.com/Velocidex/velociraptor",
              "vendor": "Rapid7",
              "versions": [
                {
                  "lessThan": "0.75.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThis vulnerability only occurs on Velociraptor server running on Linux (which is the common and recommended configuration). Velociraptor servers running on Windows are not affected.\u003c/p\u003e\n\n\n\n\n\u003cbr\u003e"
                }
              ],
              "value": "This vulnerability only occurs on Velociraptor server running on Linux (which is the common and recommended configuration). Velociraptor servers running on Windows are not affected."
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "We thank @_chebuya for identifying and reporting this issue."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eRapid7 Velociraptor versions before 0.75.6 contain a directory traversal issue on Linux servers that allows a rogue client to upload a file which is written outside the datastore directory. Velociraptor is normally only allowed to write in the datastore directory. The issue occurs due to insufficient sanitization of directory names which end with a \".\", only encoding the final \".\" AS \"%2E\".\u003c/p\u003e\n\u003cp\u003eAlthough files can be written to incorrect locations, the containing directory must end with \"%2E\". This limits the impact of this vulnerability, and prevents it from overwriting critical files.\u003c/p\u003e"
                }
              ],
              "value": "Rapid7 Velociraptor versions before 0.75.6 contain a directory traversal issue on Linux servers that allows a rogue client to upload a file which is written outside the datastore directory. Velociraptor is normally only allowed to write in the datastore directory. The issue occurs due to insufficient sanitization of directory names which end with a \".\", only encoding the final \".\" AS \"%2E\".\n\n\nAlthough files can be written to incorrect locations, the containing directory must end with \"%2E\". This limits the impact of this vulnerability, and prevents it from overwriting critical files."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-23",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-23 File Content Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-29T19:04:27.820Z",
            "orgId": "9974b330-7714-4307-a722-5648477acda7",
            "shortName": "rapid7"
          },
          "references": [
            {
              "url": "https://docs.velociraptor.app/announcements/advisories/cve-2025-14728/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Rapid7 Velociraptor Directory Traversal Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
        "assignerShortName": "rapid7",
        "cveId": "CVE-2025-14728",
        "datePublished": "2025-12-29T19:04:27.820Z",
        "dateReserved": "2025-12-15T16:45:47.021Z",
        "dateUpdated": "2025-12-30T22:26:47.316Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-6264 (GCVE-0-2025-6264)

    Vulnerability from cvelistv5 – Published: 2025-06-20 02:01 – Updated: 2025-11-28 19:10
    VLAI KEVIntel
    Title
    Velociraptor priviledge escalation via UpdateConfig artifact
    Summary
    Velociraptor allows collection of VQL queries packaged into Artifacts from endpoints. These artifacts can be used to do anything and usually run with elevated permissions.  To limit access to some dangerous artifact, Velociraptor allows for those to require high permissions like EXECVE to launch. The Admin.Client.UpdateClientConfig is an artifact used to update the client's configuration. This artifact did not enforce an additional required permission, allowing users with COLLECT_CLIENT permissions (normally given by the "Investigator" role) to collect it from endpoints and update the configuration. This can lead to arbitrary command execution and endpoint takeover. To successfully exploit this vulnerability the user must already have access to collect artifacts from the endpoint (i.e. have the COLLECT_CLIENT given typically by the "Investigator' role).
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-276 - Incorrect Default Permissions
    Assigner
    Impacted products
    Vendor Product Version
    Rapid7 Velociraptor Affected: 0 , < 0.74.3 (semver)
    Create a notification for this product.
    Date Public
    2025-06-19 00:44
    Credits
    We thank Christian Fünfhaus from Deutsche Bahn CSIRT for identifying and reporting this issue
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-6264",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-28T19:10:10.273114Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-28T19:10:18.293Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "url": "https://blog.talosintelligence.com/velociraptor-leveraged-in-ransomware-attacks/"
              },
              {
                "url": "https://news.sophos.com/en-us/2025/08/26/velociraptor-incident-response-tool-abused-for-remote-access/"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Windows",
                "MacOS",
                "Linux"
              ],
              "product": "Velociraptor",
              "repo": "https://github.com/Velocidex/velociraptor",
              "vendor": "Rapid7",
              "versions": [
                {
                  "lessThan": "0.74.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Users who rely on artifacts to prevent dangerous actions from already privileged users."
                }
              ],
              "value": "Users who rely on artifacts to prevent dangerous actions from already privileged users."
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "We thank Christian F\u00fcnfhaus  from Deutsche Bahn CSIRT for identifying and reporting this issue"
            }
          ],
          "datePublic": "2025-06-19T00:44:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Velociraptor allows collection of VQL queries packaged into Artifacts from endpoints. These artifacts can be used to do anything and usually run with elevated permissions.\u0026nbsp; To limit access to some dangerous artifact, Velociraptor allows for those to require high permissions like EXECVE to launch.\u003cbr\u003e\u003cbr\u003eThe Admin.Client.UpdateClientConfig is an artifact used to update the client\u0027s configuration. This artifact did not enforce an additional required permission, allowing users with COLLECT_CLIENT permissions (normally given by the \"Investigator\" role) to collect it from endpoints and update the configuration. \u003cbr\u003e\u003cbr\u003eThis can lead to arbitrary command execution and endpoint takeover.\u003cbr\u003e\u003cbr\u003eTo successfully exploit this vulnerability the user must already have access to collect artifacts from the endpoint (i.e. have the COLLECT_CLIENT given typically by the \"Investigator\u0027 role).\u0026nbsp;"
                }
              ],
              "value": "Velociraptor allows collection of VQL queries packaged into Artifacts from endpoints. These artifacts can be used to do anything and usually run with elevated permissions.\u00a0 To limit access to some dangerous artifact, Velociraptor allows for those to require high permissions like EXECVE to launch.\n\nThe Admin.Client.UpdateClientConfig is an artifact used to update the client\u0027s configuration. This artifact did not enforce an additional required permission, allowing users with COLLECT_CLIENT permissions (normally given by the \"Investigator\" role) to collect it from endpoints and update the configuration. \n\nThis can lead to arbitrary command execution and endpoint takeover.\n\nTo successfully exploit this vulnerability the user must already have access to collect artifacts from the endpoint (i.e. have the COLLECT_CLIENT given typically by the \"Investigator\u0027 role)."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-23",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-23 File Content Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-276",
                  "description": "CWE-276 Incorrect Default Permissions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-22T23:23:30.800Z",
            "orgId": "9974b330-7714-4307-a722-5648477acda7",
            "shortName": "rapid7"
          },
          "references": [
            {
              "url": "https://docs.velociraptor.app/announcements/advisories/cve-2025-6264/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Velociraptor priviledge escalation via UpdateConfig artifact",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "To better restrict the types of artifacts users can run, the `basic artifacts` mechanism should be used as described\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.velociraptor.app/docs/artifacts/security/#basic-artifacts\"\u003ehttps://docs.velociraptor.app/docs/artifacts/security/#basic-artifacts\u003c/a\u003e\u003cbr\u003e\u003cbr\u003eTo detect unintended privilege escalations in custom artifacts, users should run the artifact verifier as described here\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.velociraptor.app/docs/artifacts/security/#restricting-dangerous-client-artifacts\"\u003ehttps://docs.velociraptor.app/docs/artifacts/security/#restricting-dangerous-client-artifacts\u003c/a\u003e"
                }
              ],
              "value": "To better restrict the types of artifacts users can run, the `basic artifacts` mechanism should be used as described\u00a0 https://docs.velociraptor.app/docs/artifacts/security/#basic-artifacts \n\nTo detect unintended privilege escalations in custom artifacts, users should run the artifact verifier as described here\u00a0 https://docs.velociraptor.app/docs/artifacts/security/#restricting-dangerous-client-artifacts"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
        "assignerShortName": "rapid7",
        "cveId": "CVE-2025-6264",
        "datePublished": "2025-06-20T02:01:33.993Z",
        "dateReserved": "2025-06-19T00:22:46.272Z",
        "dateUpdated": "2025-11-28T19:10:18.293Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-0914 (GCVE-0-2025-0914)

    Vulnerability from cvelistv5 – Published: 2025-02-27 16:07 – Updated: 2025-02-27 16:19
    VLAI
    Title
    Velociraptor Shell Plugin Prevent_execve Bypass
    Summary
    An improper access control issue in the VQL shell feature in Velociraptor Versions < 0.73.4 allowed authenticated users to execute the execve() plugin in deployments where this was explicitly forbidden by configuring the prevent_execve flag in the configuration file. This setting is not usually recommended and is uncommonly used, so this issue will only affect users who do set it. This issue is fixed in release 0.73.4.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-281 - Improper Preservation of Permissions
    Assigner
    Impacted products
    Vendor Product Version
    Rapid7 Velociraptor Affected: 0 , < 0.73.4 (semver)
    Create a notification for this product.
    Credits
    Darragh O'Reilly, SUSE
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-0914",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-27T16:19:47.398915Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-27T16:19:54.044Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Velociraptor",
              "vendor": "Rapid7",
              "versions": [
                {
                  "lessThan": "0.73.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Darragh O\u0027Reilly, SUSE"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An improper access control issue in the VQL shell feature in Velociraptor Versions \u0026lt; 0.73.4 allowed authenticated users to execute the execve() plugin in deployments where this was explicitly forbidden by configuring the prevent_execve flag in the configuration file. This setting is not usually recommended and is uncommonly used, so this issue will only affect users who do set it. This issue is fixed in release 0.73.4.\u003cbr\u003e"
                }
              ],
              "value": "An improper access control issue in the VQL shell feature in Velociraptor Versions \u003c 0.73.4 allowed authenticated users to execute the execve() plugin in deployments where this was explicitly forbidden by configuring the prevent_execve flag in the configuration file. This setting is not usually recommended and is uncommonly used, so this issue will only affect users who do set it. This issue is fixed in release 0.73.4."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-176",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-176 Configuration/Environment Manipulation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.8,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-281",
                  "description": "CWE-281 Improper Preservation of Permissions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-02-27T16:07:49.577Z",
            "orgId": "9974b330-7714-4307-a722-5648477acda7",
            "shortName": "rapid7"
          },
          "references": [
            {
              "url": "https://docs.velociraptor.app/announcements/advisories/cve-2025-0914/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Velociraptor Shell Plugin Prevent_execve Bypass",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
        "assignerShortName": "rapid7",
        "cveId": "CVE-2025-0914",
        "datePublished": "2025-02-27T16:07:49.577Z",
        "dateReserved": "2025-01-30T22:39:47.257Z",
        "dateUpdated": "2025-02-27T16:19:54.044Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-10526 (GCVE-0-2024-10526)

    Vulnerability from cvelistv5 – Published: 2024-11-07 10:18 – Updated: 2024-11-07 18:31
    VLAI
    Title
    Rapid7 Velociraptor Local Privilege Escalation In Windows Velociraptor Service
    Summary
    Rapid7 Velociraptor MSI Installer versions below 0.73.3 suffer from a vulnerability whereby it creates the installation directory with WRITE_DACL permission to the BUILTIN\\Users group. This allows local users who are not administrators to grant themselves the Full Control permission on Velociraptor's files. By modifying Velociraptor's files, local users can subvert the binary and cause the Velociraptor service to execute arbitrary code as the SYSTEM user, or to replace the Velociraptor binary completely.  This issue is fixed in version 0.73.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-552 - Files or Directories Accessible to External Parties
    • CWE-732 - Incorrect Permission Assignment for Critical Resource
    Assigner
    Impacted products
    Vendor Product Version
    Rapid7 Velociraptor Affected: <0.73.2 (custom)
    Create a notification for this product.
    rapid7 velociraptor Affected: 0 , < 0.73.2 (custom)
        cpe:2.3:a:rapid7:velociraptor:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-11-05 12:00
    Credits
    Jean-Baptiste Mesnard-Sense from Synackti
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:rapid7:velociraptor:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "velociraptor",
                "vendor": "rapid7",
                "versions": [
                  {
                    "lessThan": "0.73.2",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-10526",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-07T18:29:55.331358Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-07T18:31:26.561Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Velociraptor",
              "vendor": "Rapid7",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c0.73.2",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jean-Baptiste Mesnard-Sense from Synackti"
            }
          ],
          "datePublic": "2024-11-05T12:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Rapid7 Velociraptor MSI Installer versions below 0.73.3 suffer from a vulnerability whereby it creates the installation directory with WRITE_DACL permission to the BUILTIN\\\\Users group. This allows local users who are not administrators to grant themselves the Full Control permission on Velociraptor\u0027s files. By modifying Velociraptor\u0027s files, local users can subvert the binary and cause the Velociraptor service to execute arbitrary code as the SYSTEM user, or to replace the Velociraptor binary completely.\u0026nbsp; This issue is fixed in version 0.73.3."
                }
              ],
              "value": "Rapid7 Velociraptor MSI Installer versions below 0.73.3 suffer from a vulnerability whereby it creates the installation directory with WRITE_DACL permission to the BUILTIN\\\\Users group. This allows local users who are not administrators to grant themselves the Full Control permission on Velociraptor\u0027s files. By modifying Velociraptor\u0027s files, local users can subvert the binary and cause the Velociraptor service to execute arbitrary code as the SYSTEM user, or to replace the Velociraptor binary completely.\u00a0 This issue is fixed in version 0.73.3."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "YES",
                "Recovery": "USER",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "providerUrgency": "RED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "ACTIVE",
                "valueDensity": "DIFFUSE",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/R:U/V:D/RE:L/U:Red",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "LOW"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-552",
                  "description": "CWE-552 Files or Directories Accessible to External Parties",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-732",
                  "description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-07T10:29:26.459Z",
            "orgId": "9974b330-7714-4307-a722-5648477acda7",
            "shortName": "rapid7"
          },
          "references": [
            {
              "url": "https://docs.velociraptor.app/announcements/2024-cves/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Rapid7 Velociraptor Local Privilege Escalation In Windows Velociraptor Service",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
        "assignerShortName": "rapid7",
        "cveId": "CVE-2024-10526",
        "datePublished": "2024-11-07T10:18:05.530Z",
        "dateReserved": "2024-10-30T10:22:28.725Z",
        "dateUpdated": "2024-11-07T18:31:26.561Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-5950 (GCVE-0-2023-5950)

    Vulnerability from cvelistv5 – Published: 2023-11-06 14:30 – Updated: 2024-09-05 13:42
    VLAI
    Title
    Rapid7 Velociraptor Reflected XSS
    Summary
    Rapid7 Velociraptor versions prior to 0.7.0-4 suffer from a reflected cross site scripting vulnerability. This vulnerability allows attackers to inject JS into the error path, potentially leading to unauthorized execution of scripts within a user's web browser. This vulnerability is fixed in version 0.7.0-04 and a patch is available to download. Patches are also available for version 0.6.9 (0.6.9-1).
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    Rapid7 Velociraptor Affected: 0 , < 0.7.0-4 (custom)
    Create a notification for this product.
    Credits
    Mathias Kujala
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T08:14:25.134Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/Velocidex/velociraptor/releases/tag/v0.7.0"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-5950",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-05T13:41:29.922872Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-05T13:42:38.581Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Velociraptor",
              "vendor": "Rapid7",
              "versions": [
                {
                  "lessThan": "0.7.0-4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Mathias Kujala"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Rapid7 Velociraptor versions prior to 0.7.0-4 suffer from a reflected cross site scripting vulnerability. This vulnerability allows attackers to inject JS into the error path, potentially leading to unauthorized execution of scripts within a user\u0027s web browser.\u0026nbsp;This vulnerability is fixed in\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;version 0.7.0-04 and a\u003c/span\u003e\u0026nbsp;patch is available to download. Patches are also available for version 0.6.9 (0.6.9-1).\u003cbr\u003e\u003cbr\u003e"
                }
              ],
              "value": "Rapid7 Velociraptor versions prior to 0.7.0-4 suffer from a reflected cross site scripting vulnerability. This vulnerability allows attackers to inject JS into the error path, potentially leading to unauthorized execution of scripts within a user\u0027s web browser.\u00a0This vulnerability is fixed in\u00a0version 0.7.0-04 and a\u00a0patch is available to download. Patches are also available for version 0.6.9 (0.6.9-1).\n\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-11-06T14:30:28.972Z",
            "orgId": "9974b330-7714-4307-a722-5648477acda7",
            "shortName": "rapid7"
          },
          "references": [
            {
              "url": "https://github.com/Velocidex/velociraptor/releases/tag/v0.7.0"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Rapid7 Velociraptor Reflected XSS ",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
        "assignerShortName": "rapid7",
        "cveId": "CVE-2023-5950",
        "datePublished": "2023-11-06T14:30:28.972Z",
        "dateReserved": "2023-11-03T10:13:59.198Z",
        "dateUpdated": "2024-09-05T13:42:38.581Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-2226 (GCVE-0-2023-2226)

    Vulnerability from cvelistv5 – Published: 2023-04-21 11:48 – Updated: 2025-02-04 20:33
    VLAI
    Title
    Velociraptor crashes while parsing some malformed PE or OLE files.
    Summary
    Due to insufficient validation in the PE and OLE parsers in Rapid7's Velociraptor versions earlier than 0.6.8 allows attacker to crash Velociraptor during parsing of maliciously malformed files.  For this attack to succeed, the attacker needs to be able to introduce malicious files to the system at the same time that Velociraptor attempts to collect any artifacts that attempt to parse PE files, Authenticode signatures, or OLE files. After crashing, the Velociraptor service will restart and it will still be possible to collect other artifacts.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Rapid7 Velociraptor Affected: 0 , < 0.6.8 (semver)
    Create a notification for this product.
    Date Public
    2023-04-21 11:45
    Credits
    Thanks to b1tg https://github.com/b1tg for reporting these issues and providing samples that trigger the crashes
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T06:12:20.691Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/Velocidex/velociraptor"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-2226",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-04T20:33:39.813217Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-04T20:33:45.232Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/Velocidex/velociraptor/releases",
              "defaultStatus": "unaffected",
              "modules": [
                "PE Parser",
                "OLE parser",
                "Authenticode parser"
              ],
              "packageName": "Velociraptor",
              "platforms": [
                "Windows"
              ],
              "product": "Velociraptor",
              "repo": "https://github.com/Velocidex/velociraptor/",
              "vendor": "Rapid7",
              "versions": [
                {
                  "lessThan": "0.6.8",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Thanks to b1tg https://github.com/b1tg for reporting these issues and providing samples that trigger the crashes"
            }
          ],
          "datePublic": "2023-04-21T11:45:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Due to insufficient validation in the PE and OLE parsers in Rapid7\u0027s Velociraptor versions earlier than 0.6.8 allows attacker to crash Velociraptor during parsing of maliciously malformed files.\u0026nbsp;\u003cbr\u003e\u003cbr\u003eFor this attack to succeed, the attacker needs to be able to introduce malicious files to the system at the same time that Velociraptor attempts to collect any artifacts that attempt to parse PE files, Authenticode signatures, or OLE files. After crashing, the Velociraptor service will restart and it will still be possible to collect other artifacts.\u003cbr\u003e\u003cbr\u003e"
                }
              ],
              "value": "Due to insufficient validation in the PE and OLE parsers in Rapid7\u0027s Velociraptor versions earlier than 0.6.8 allows attacker to crash Velociraptor during parsing of maliciously malformed files.\u00a0\n\nFor this attack to succeed, the attacker needs to be able to introduce malicious files to the system at the same time that Velociraptor attempts to collect any artifacts that attempt to parse PE files, Authenticode signatures, or OLE files. After crashing, the Velociraptor service will restart and it will still be possible to collect other artifacts.\n\n"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-540",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-540 Overread Buffers"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "LOW",
                "baseScore": 3.3,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-125",
                  "description": "CWE-125 Out-of-bounds Read",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-04-21T11:48:46.279Z",
            "orgId": "9974b330-7714-4307-a722-5648477acda7",
            "shortName": "rapid7"
          },
          "references": [
            {
              "url": "https://github.com/Velocidex/velociraptor"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Upgrade the clients to version 0.6.8-2"
                }
              ],
              "value": "Upgrade the clients to version 0.6.8-2"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Velociraptor crashes while parsing some malformed PE or OLE files.",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
        "assignerShortName": "rapid7",
        "cveId": "CVE-2023-2226",
        "datePublished": "2023-04-21T11:48:46.279Z",
        "dateReserved": "2023-04-21T11:40:07.131Z",
        "dateUpdated": "2025-02-04T20:33:45.232Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-0290 (GCVE-0-2023-0290)

    Vulnerability from cvelistv5 – Published: 2023-01-18 21:10 – Updated: 2025-04-03 19:52
    VLAI
    Title
    Rapid7 Velociraptor directory traversal in client ID parameter
    Summary
    Rapid7 Velociraptor did not properly sanitize the client ID parameter to the CreateCollection API, allowing a directory traversal in where the collection task could be written. It was possible to provide a client id of "../clients/server" to schedule the collection for the server (as a server artifact), but only require privileges to schedule collections on the client. Normally, to schedule an artifact on the server, the COLLECT_SERVER permission is required. This permission is normally only granted to "administrator" role. Due to this issue, it is sufficient to have the COLLECT_CLIENT privilege, which is normally granted to the "investigator" role. To exploit this vulnerability, the attacker must already have a Velociraptor user account at least "investigator" level, and be able to authenticate to the GUI and issue an API call to the backend. Typically, most users deploy Velociraptor with limited access to a trusted group, and most users will already be administrators within the GUI. This issue affects Velociraptor versions before 0.6.7-5. Version 0.6.7-5, released January 16, 2023, fixes the issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Rapid7 Velociraptor Affected: 0 , < 0.6.7-5 (semver)
    Create a notification for this product.
    Date Public
    2023-01-17 14:00
    Credits
    Paul Alkemade from Telstra
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T05:02:44.149Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/Velocidex/velociraptor"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 4.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-0290",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-02T15:57:02.778328Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-22",
                    "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-03T19:52:44.579Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/Velocidex/velociraptor/releases",
              "defaultStatus": "unaffected",
              "modules": [
                "CreateCollection API"
              ],
              "packageName": "Velociraptor",
              "platforms": [
                "Windows",
                "Linux",
                "MacOS",
                "64 bit",
                "32 bit"
              ],
              "product": "Velociraptor",
              "programFiles": [
                "https://github.com/Velocidex/velociraptor/blob/master/services/launcher/launcher.go"
              ],
              "programRoutines": [
                {
                  "name": "ScheduleArtifactCollection()"
                }
              ],
              "repo": "https://github.com/Velocidex/velociraptor/",
              "vendor": "Rapid7",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "5",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "0.6.7-5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Velociraptor deployment with multiple users at roles of lesser privileges than administrators, but at least the level of \"investigator.\"\u003cbr\u003e"
                }
              ],
              "value": "Velociraptor deployment with multiple users at roles of lesser privileges than administrators, but at least the level of \"investigator.\"\n"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Paul Alkemade from Telstra"
            }
          ],
          "datePublic": "2023-01-17T14:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Rapid7 Velociraptor did not properly sanitize the client ID parameter to the CreateCollection API, allowing a directory traversal in where the collection task could be written. It was possible to provide a client id of \"../clients/server\" to schedule the collection for the server (as a server artifact), but only require privileges to schedule collections on the client.\u003cbr\u003e\u003cbr\u003eNormally, to schedule an artifact on the server, the COLLECT_SERVER permission is required. This permission is normally only granted to \"administrator\" role. Due to this issue, it is sufficient to have the COLLECT_CLIENT privilege, which is normally granted to the \"investigator\" role.\u003cbr\u003e\u003cp\u003eTo exploit this vulnerability, the attacker must already have a Velociraptor user account at least \"investigator\" level, and\u0026nbsp;be able to authenticate to the GUI and issue an API call to the backend. Typically, most users deploy Velociraptor with limited access to a trusted group, and most users will already be administrators within the GUI.\u003c/p\u003e\u003cp\u003eThis issue affects Velociraptor versions before 0.6.7-5. Version 0.6.7-5, released January 16, 2023, fixes the issue.\u003c/p\u003e"
                }
              ],
              "value": "Rapid7 Velociraptor did not properly sanitize the client ID parameter to the CreateCollection API, allowing a directory traversal in where the collection task could be written. It was possible to provide a client id of \"../clients/server\" to schedule the collection for the server (as a server artifact), but only require privileges to schedule collections on the client.\n\nNormally, to schedule an artifact on the server, the COLLECT_SERVER permission is required. This permission is normally only granted to \"administrator\" role. Due to this issue, it is sufficient to have the COLLECT_CLIENT privilege, which is normally granted to the \"investigator\" role.\nTo exploit this vulnerability, the attacker must already have a Velociraptor user account at least \"investigator\" level, and\u00a0be able to authenticate to the GUI and issue an API call to the backend. Typically, most users deploy Velociraptor with limited access to a trusted group, and most users will already be administrators within the GUI.\n\nThis issue affects Velociraptor versions before 0.6.7-5. Version 0.6.7-5, released January 16, 2023, fixes the issue.\n\n"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-233",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-233 Privilege Escalation"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-01-18T21:10:42.929Z",
            "orgId": "9974b330-7714-4307-a722-5648477acda7",
            "shortName": "rapid7"
          },
          "references": [
            {
              "url": "https://github.com/Velocidex/velociraptor"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Upgrade to 0.6.7-5\u003cbr\u003e"
                }
              ],
              "value": "Upgrade to 0.6.7-5\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2023-01-13T05:23:00.000Z",
              "value": "Notification of the issue"
            },
            {
              "lang": "en",
              "time": "2023-01-17T02:00:00.000Z",
              "value": "Release 0.6.7-5 made available on Github"
            }
          ],
          "title": "Rapid7 Velociraptor directory traversal in client ID parameter ",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
        "assignerShortName": "rapid7",
        "cveId": "CVE-2023-0290",
        "datePublished": "2023-01-18T21:10:42.929Z",
        "dateReserved": "2023-01-13T15:10:30.966Z",
        "dateUpdated": "2025-04-03T19:52:44.579Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-0242 (GCVE-0-2023-0242)

    Vulnerability from cvelistv5 – Published: 2023-01-18 20:57 – Updated: 2025-04-03 19:51
    VLAI
    Title
    Insufficient permission check in the VQL copy() function
    Summary
    Rapid7 Velociraptor allows users to be created with different privileges on the server. Administrators are generally allowed to run any command on the server including writing arbitrary files. However, lower privilege users are generally forbidden from writing or modifying files on the server. The VQL copy() function applies permission checks for reading files but does not check for permission to write files. This allows a low privilege user (usually, users with the Velociraptor "investigator" role) to overwrite files on the server, including Velociraptor configuration files. To exploit this vulnerability, the attacker must already have a Velociraptor user account at a low privilege level (at least "analyst") and be able to log into the GUI and create a notebook where they can run the VQL query invoking the copy() VQL function. Typically, most users deploy Velociraptor with limited access to a trusted group (most users will be administrators within the GUI). This vulnerability is associated with program files https://github.Com/Velocidex/velociraptor/blob/master/vql/filesystem/copy.go https://github.Com/Velocidex/velociraptor/blob/master/vql/filesystem/copy.go and program routines copy(). This issue affects Velociraptor versions before 0.6.7-5. Version 0.6.7-5, released January 16, 2023, fixes the issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-269 - Improper Privilege Management
    Assigner
    References
    Impacted products
    Vendor Product Version
    Rapid7 Velociraptor Affected: 0 , < 0.6.7-5 (semver)
    Create a notification for this product.
    Date Public
    2023-01-18 02:00
    Credits
    Paul Alkemade from Telstra
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T05:02:44.109Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "release-notes",
                  "x_transferred"
                ],
                "url": "https://docs.velociraptor.app/announcements/2023-cves/#:~:text=to%20upgrade%20clients.-,CVE%2D2023%2D0242,-Insufficient%20Permission%20Check"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-0242",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-02T15:58:54.468796Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-03T19:51:46.758Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/Velocidex/velociraptor/releases",
              "defaultStatus": "unaffected",
              "modules": [
                "VQL copy() function"
              ],
              "packageName": "Velociraptor",
              "platforms": [
                "Linux",
                "Windows",
                "MacOS",
                "64 bit",
                "32 bit"
              ],
              "product": "Velociraptor",
              "programFiles": [
                "https://github.com/Velocidex/velociraptor/blob/master/vql/filesystem/copy.go"
              ],
              "programRoutines": [
                {
                  "name": "copy()"
                }
              ],
              "repo": "https://github.com/Velocidex/velociraptor/",
              "vendor": "Rapid7",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "5",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "0.6.7-5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Velociraptor deployment with multiple users at lower roles than administrators, such as \"investigator\" and above."
                }
              ],
              "value": "Velociraptor deployment with multiple users at lower roles than administrators, such as \"investigator\" and above."
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "analyst",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Paul Alkemade from Telstra"
            }
          ],
          "datePublic": "2023-01-18T02:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Rapid7 Velociraptor allows users to be created with different privileges on the server. Administrators are generally allowed to run any command on the server including writing arbitrary files. However, lower privilege users are generally forbidden from writing or modifying files on the server.\u003cbr\u003e\u003cbr\u003eThe VQL copy() function applies permission checks for reading files but does not check for permission to write files. This allows a low privilege user (usually, users with the Velociraptor \"investigator\" role) to overwrite files on the server, including Velociraptor configuration files.\u003cbr\u003e\u003cbr\u003eTo exploit this vulnerability, the attacker must already have a Velociraptor user account at a low privilege level (at least \"analyst\") and be able to log into the GUI and create a notebook where they can run the VQL query invoking the copy() VQL function. Typically, most users deploy Velociraptor with limited access to a trusted group (most users will be administrators within the GUI).\u003cbr\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.Com/Velocidex/velociraptor/blob/master/vql/filesystem/copy.go\"\u003ehttps://github.Com/Velocidex/velociraptor/blob/master/vql/filesystem/copy.go\u003c/a\u003e\u003c/tt\u003e and program routines \u003ctt\u003ecopy()\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects Velociraptor versions before 0.6.7-5. Version 0.6.7-5, released January 16, 2023, fixes the issue.\u003c/p\u003e"
                }
              ],
              "value": "Rapid7 Velociraptor allows users to be created with different privileges on the server. Administrators are generally allowed to run any command on the server including writing arbitrary files. However, lower privilege users are generally forbidden from writing or modifying files on the server.\n\nThe VQL copy() function applies permission checks for reading files but does not check for permission to write files. This allows a low privilege user (usually, users with the Velociraptor \"investigator\" role) to overwrite files on the server, including Velociraptor configuration files.\n\nTo exploit this vulnerability, the attacker must already have a Velociraptor user account at a low privilege level (at least \"analyst\") and be able to log into the GUI and create a notebook where they can run the VQL query invoking the copy() VQL function. Typically, most users deploy Velociraptor with limited access to a trusted group (most users will be administrators within the GUI).\nThis vulnerability is associated with program files  https://github.Com/Velocidex/velociraptor/blob/master/vql/filesystem/copy.go https://github.Com/Velocidex/velociraptor/blob/master/vql/filesystem/copy.go  and program routines copy().\n\nThis issue affects Velociraptor versions before 0.6.7-5. Version 0.6.7-5, released January 16, 2023, fixes the issue.\n\n"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-75",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-75 Manipulating Writeable Configuration Files"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269 Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-01-18T20:57:30.570Z",
            "orgId": "9974b330-7714-4307-a722-5648477acda7",
            "shortName": "rapid7"
          },
          "references": [
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.velociraptor.app/announcements/2023-cves/#:~:text=to%20upgrade%20clients.-,CVE%2D2023%2D0242,-Insufficient%20Permission%20Check"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Upgrade to 0.6.7-5"
                }
              ],
              "value": "Upgrade to 0.6.7-5"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2023-01-12T07:00:00.000Z",
              "value": "Notification of the issue"
            },
            {
              "lang": "en",
              "time": "2023-01-17T02:00:00.000Z",
              "value": "Release 0.6.7-5 made available on Github"
            }
          ],
          "title": "Insufficient permission check in the VQL copy() function",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A valid workaround is to prevent the copy function in the Velociraptor allow list:\u003cbr\u003e\u003cbr\u003e1. In the configuration wizard answer yes to the question \"Do you want to restrict VQL functionality on the server?\"\u003cbr\u003e2. This will add a default allow list to the configuration file.\u003cbr\u003e3. Copy this allow list to your existing server.config.yaml\u003cbr\u003e4. Ensure the \"copy\" function is removed from the default allow list."
                }
              ],
              "value": "A valid workaround is to prevent the copy function in the Velociraptor allow list:\n\n1. In the configuration wizard answer yes to the question \"Do you want to restrict VQL functionality on the server?\"\n2. This will add a default allow list to the configuration file.\n3. Copy this allow list to your existing server.config.yaml\n4. Ensure the \"copy\" function is removed from the default allow list."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
        "assignerShortName": "rapid7",
        "cveId": "CVE-2023-0242",
        "datePublished": "2023-01-18T20:57:30.570Z",
        "dateReserved": "2023-01-12T13:35:35.391Z",
        "dateUpdated": "2025-04-03T19:51:46.758Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }