Rapid7 Velociraptor < 0.74.3 Privilege Escalation

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable Network Security, Inc.
##

include('compat.inc');

if (description)
{
  script_id(279071);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/02/23");

  script_cve_id("CVE-2025-6264");

  script_name(english:"Rapid7 Velociraptor < 0.74.3 Privilege Escalation");

  script_set_attribute(attribute:"synopsis", value:
"An application installed on the remote host is affected by privilege escalation vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of Rapid7 Velociraptor installed on the remote host is prior to 0.74.3. It is, therefore, affected by
privilege escalation vulnerability:

  - Velociraptor allows collection of VQL queries packaged into Artifacts from endpoints. These artifacts can 
    be used to do anything and usually run with elevated permissions.  To limit access to some dangerous 
    artifact, Velociraptor allows for those to require high permissions like EXECVE to launch. The 
    Admin.Client.UpdateClientConfig is an artifact used to update the client's configuration. This artifact 
    did not enforce an additional required permission, allowing users with COLLECT_CLIENT permissions 
    (normally given by the 'Investigator' role) to collect it from endpoints and update the configuration. 
    This can lead to arbitrary command execution and endpoint takeover. To successfully exploit this 
    vulnerability the user must already have access to collect artifacts from the endpoint (i.e. have the 
    COLLECT_CLIENT given typically by the 'Investigator' role). (CVE-2025-6264)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://docs.velociraptor.app/announcements/advisories/cve-2025-6264/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4186c143");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Rapid7 Velociraptor version 0.74.3 or later.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:M/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-6264");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/06/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/06/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/12/18");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:rapid7:velociraptor");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2025-2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("rapid7_velociraptor_win_installed.nbin", "rapid7_velociraptor_nix_installed.nbin", "rapid7_velociraptor_macos_installed.nbin");
  script_require_keys("installed_sw/Rapid7 Velociraptor");

  exit(0);
}


include('vdf.inc');

# @tvdl-content
var vuln_data = {
  'metadata': {'spec_version': '1.0'},
  'checks': [
    {
      'product': {'name': 'Rapid7 Velociraptor', 'type': 'app'},
      'check_algorithm': 'default',
      'constraints' : [
        {'fixed_version': '0.74.3'}
      ]
    }
  ]
};

var vdf_result = vdf::check_and_report(vuln_data:vuln_data, severity:SECURITY_WARNING);
vdf::handle_check_and_report_errors(vdf_result:vdf_result);