The Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent alert on October 14, 2025, highlighting a critical vulnerability in Rapid7’s Velociraptor endpoint detection and response (EDR) tool.
This flaw, stemming from incorrect default permissions, has already been weaponized by threat actors to execute arbitrary commands and seize control of infected endpoints, amplifying risks for organizations relying on the open-source security platform.
Velociraptor, popular among security teams for its forensic capabilities and artifact collection, suffers from a misconfiguration that allows authenticated users with artifact collection privileges to escalate their access.
According to CISA’s Known Exploited Vulnerabilities (KEV) catalog, exploitation requires initial access to the endpoint but can lead to full takeover once inside.
The vulnerability is tracked as CVE-2025-6264 and concerns improper handling of permissions, making it a classic case of default settings gone awry.
Rapid7 acknowledged the issue in a recent advisory, urging users to update to version 0.7.1 or later, where stricter permission controls have been implemented.
What makes this vulnerability particularly alarming is its confirmed use in ransomware campaigns. Threat groups, including those linked to LockBit and Conti variants, have exploited it to pivot from initial footholds into devastating network-wide infections.
Security researchers at Mandiant reported instances where attackers used Velociraptor’s own artifact-gathering features against defenders, injecting malicious payloads that evaded traditional detection.
In one documented case from late September 2025, a mid-sized financial firm lost endpoint visibility entirely after ransomware operators commandeered the tool, leading to data exfiltration and encryption across 500 devices.
This incident underscores a troubling trend: adversaries increasingly target security software itself. By compromising EDR platforms like Velociraptor, attackers not only neutralize defenses but also gain reconnaissance advantages.
CISA emphasized that unpatched systems face heightened risks, especially in sectors like healthcare and critical infrastructure, where endpoint monitoring is vital.
Mitigations
CISA recommends applying Rapid7’s patches immediately, enforcing least-privilege access for artifact collection, and adhering to Binding Operational Directive (BOD) 22-01 for cloud-based services.
If mitigations prove infeasible, discontinuing use of the affected product is advised. The agency set a due date of November 4, 2025, for federal agencies to address the vulnerability, signaling its severity.
Experts warn that this exploit highlights the double-edged sword of open-source tools: powerful yet prone to configuration pitfalls.
As ransomware evolves, blending social engineering with technical exploits, defenders must prioritize rigorous permission audits.
Rapid7 has maintained its documentation with step-by-step hardening guides, but proactive monitoring remains key. With attacks surging 30% year-over-year per recent reports, this CISA warning serves as a call to fortify the very tools meant to protect us.