## https://sploitus.com/exploit?id=2449623A-3886-567A-A191-35D8AA495E8F
## CVE-2025-6264
**DISCLAIMER:** This is an educational research project. I did not discover this vulnerability. This repository demonstrates CVE-2025-6264 for learning purposes
- Affected versions before 0.74.3
- Affects Windows, MacOS and Linux
The `Admin.Client.UpdateClientConfig` artifact is missing permission checks. Users with the Investigator role (who have `COLLECT_CLIENT` permission) can use it to update client configs when they shouldn't be able to. This lets you redirect clients to your own malicious Velociraptor server and take over endpoints.
Full writeup on my blog: https://blog.mauzy.net/technology/rapid7-velociraptor-exploit-poc/
## Proof of Concept helper script
This script is meant to aid in the exploitation of this CVE. It does so by doing the following:
- Install a defined version of velociraptor
- Configure the local velociraptor server
- Add an Administrator account with the credentials 'admin':'admin'
- Output a client configuration with the CA cert, nonce and appropriate IP address
The output client configuration is in YAML format and is meant to be inserted into the vulnerable `Admin.Client.UpdateClientConfig` artifact using a lesser privileged user.
After running the script, the attacker's malicious server is listening for the clients to connect. Once the `UpdateClientConfig` is run, the clients will rekey and connect to the your server instead of the legitimate one.
**How to use:**
```bash
chmod +x 2025-6264_setup.sh
sudo ./2025-6264_setup.sh
```