14 matches found

GithubExploit
added 2025/12/28 5:34 p.m., 152 views

Exploit for CVE-2025-14847

Eric Capuano^1 posted an excellent blog regarding Mongo...

8.7 CVSS, 7.2 AI score, 0.62808 EPSS
Exploits 38

Tenable Nessus
added 2025/12/18 12:0 a.m., 2 views

Rapid7 Velociraptor < 0.74.3 Privilege Escalation

The version of Rapid7 Velociraptor installed on the remote host is prior to 0.74.3. It is, therefore, affected by privilege escalation vulnerability: - Velociraptor allows collection of VQL queries packaged into Artifacts from endpoints. These artifacts can be used to do anything and usually run...

5.5 CVSS, 9.3 AI score, 0.00277 EPSS
Exploits 2, References 2

Packet Storm News
added 2025/11/17 12:0 a.m., 4 views

macos-collector - Automated Collection of macOS Forensic Artifacts for DFIR

macos-collector.sh is a Shell script utilized to collect macOS Forensic Artifacts from a compromised macOS endpoint using primarily Aftermath by Jamf Threat Labs...

6.8 AI score
Exploits 0

VulnCheck KEV
added 2025/10/22 12:0 a.m., 5 views

VulnCheck KEV: CVE-2025-6264

Velociraptor allows collection of VQL queries packaged into Artifacts from endpoints. These artifacts can be used to do anything and usually run with elevated permissions. To limit access to some dangerous artifact, Velociraptor allows for those to require high permissions like EXECVE to launch...

9.8 CVSS, 7.4 AI score, 0.68756 EPSS
In wild, Exploits 26, References 9

CISA KEV Catalog
added 2025/10/14 12:0 a.m., 11 views

Rapid7 Velociraptor Incorrect Default Permissions Vulnerability

Rapid7 Velociraptor contains an incorrect default permissions vulnerability that can lead to arbitrary command execution and endpoint takeover. To successfully exploit this vulnerability the user must already have access to collect artifacts from the endpoint...

5.5 CVSS, 7.3 AI score
Exploits 0

Snyk
added 2025/06/20 3:30 a.m., 2 views

Incorrect Default Permissions

Overview Affected versions of this package are vulnerable to Incorrect Default Permissions via the Admin.Client.UpdateClientConfig artifact. An attacker can gain elevated privileges and execute arbitrary commands by exploiting insufficient permission checks when collecting artifacts from endpoint...

5.5 CVSS, 7.7 AI score, 0.00277 EPSS
Exploits 2, References 2

Positive Technologies
added 2025/06/20 12:0 a.m., 5 views

PT-2025-26266

Name of the Vulnerable Software and Affected Versions Velociraptor affected versions not specified Description The issue concerns the Velociraptor's artifact collection feature, which allows users to collect and execute VQL queries packaged into artifacts from endpoints. These artifacts typically...

5.5 CVSS, 6.8 AI score, 0.00277 EPSS
Exploits 2, References 29

OSV
added 2023/04/21 12:15 p.m., 3 views

CVE-2023-2226

Due to insufficient validation in the PE and OLE parsers in Rapid7's Velociraptor versions earlier than 0.6.8 allows attacker to crash Velociraptor during parsing of maliciously malformed files. For this attack to succeed, the attacker needs to be able to introduce malicious files to the system a...

5.3 CVSS, 6 AI score, 0.00169 EPSS
Exploits 0, References 1

Kitploit
added 2022/10/27 11:30 a.m., 44 views

Whids - Open Source EDR For Windows

What EDR with artifact collection driven by detection. The detection engine is built on top of a previous project Gene specially designed to match Windows events against user defined rules. What do you mean by "artifact collection driven by detection" ? It means that an alert can directly trigger...

7.6 AI score
Exploits 0, References 15

Veracode
added 2022/08/01 3:39 a.m., 19 views

Cross-site Scripting (XSS)

github.com/velocidex/velociraptor is vulnerable to cross-site scripting. The vulnerability exists in multiple functions in artifacts/syntax.js because the variables are not properly escaped in artifact collection report which allows an attacker to inject and execute malicious javascript...

6.1 CVSS, 6.2 AI score, 0.00542 EPSS
Exploits 0, References 4, Affected Software 1

Cvelist
added 2022/07/29 5:0 p.m., 12 views

CVE-2022-35630 Unsafe HTML Injection in Artifact Collection Report

A cross-site scripting XSS issue in generating a collection report made it possible for malicious clients to inject JavaScript code into the static HTML file. This issue was resolved in Velociraptor 0.6.5-2...

6 AI score, 0.00542 EPSS
Exploits 0, References 1

Kitploit
added 2022/03/28 8:30 p.m., 32 views

Fennec - Artifact Collection Tool For *Nix Systems

fennec is an artifact collection tool written in Rust to be used during incident response on nix based systems. fennec allows you to write a configuration file that contains how to collect artifacts. Features A single statically compiled binary Execute any osquery SQL query Execute system command...

7.7 AI score
Exploits 0, References 2

ICS
added 2020/09/24 12:0 p.m., 18 views

Technical Approaches to Uncovering and Remediating Malicious Activity

Summary This joint advisory is the result of a collaborative research effort by the cybersecurity authorities of five nations: Australia,1 Canada,2 New Zealand,34 the United Kingdom,5 and the United States.6 It highlights technical approaches to uncovering malicious activity and includes mitigati...

9.7 AI score
Exploits 0, References 42

ThreatPost
added 2014/12/01 2:20 p.m., 10 views

Researcher Releases Database of Known-Good ICS and SCADA Files

A prominent security researcher has put together a new database of hundreds of thousands of known-good files from ICS and SCADA software vendors in an effort to help users and other researchers identify legitimate files and home in on potentially malicious ones. The database, known as WhiteScope,...

7.6 AI score
Exploits 0, References 3