The vulnerability lies in a missing permission check on the Admin.Client.UpdateClientConfig artifact in Velociraptor. This artifact rewrites an endpoint's client configuration, a capability that can be leveraged into arbitrary code execution on that endpoint. Before the fix, any user holding the COLLECT_CLIENT permission, which the built-in 'Investigator' role typically carries, could launch this artifact without holding the higher-privilege permissions, such as EXECVE, that an action of this kind should demand.
The patch remediates this by adding a required_permissions entry listing EXECVE and FILESYSTEM_WRITE to the artifact's definition file (Admin/Client/UpdateClientConfig.yaml). The server enforces every permission listed there before accepting a collection, so only highly privileged users can execute this sensitive action.
Analysis of the commit shows that many other artifact files were updated at the same time to declare implied_permissions as part of a broader security hardening, but the core of this specific vulnerability was the absence of any permission enforcement on Admin.Client.UpdateClientConfig. Exploitation therefore leaves a recognisable trace: a collection of this artifact launched by a principal that holds COLLECT_CLIENT but not EXECVE, which the server accepted on versions before the fix.
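To make the permission change concrete and to show how a responder would hunt for pre-patch abuse, here is an added Python example that is not part of the original page or of the Velociraptor project. It embeds two illustrative artifact headers (a pre-patch stub with no required_permissions and a post-patch stub listing EXECVE and FILESYSTEM_WRITE; the real file's description, parameters and VQL are omitted), evaluates which roles may launch each one, and then flags constructed audit records that the patched definition would have refused. The role-to-permission table, the audit record field names and the rule that any client collection needs COLLECT_CLIENT are assumptions made for this example, not Velociraptor's actual ACL configuration or audit schema.

```python
import re

# Constructed role -> permission map. Velociraptor's built-in roles carry
# more permissions than shown; only the ones relevant to this advisory are
# listed, and the table is an assumption, not the server's real ACL config.
ROLE_PERMISSIONS = {
    "reader": {"READ_RESULTS"},
    "investigator": {"READ_RESULTS", "COLLECT_CLIENT", "LABEL_CLIENT"},
    "administrator": {"READ_RESULTS", "COLLECT_CLIENT", "LABEL_CLIENT",
                      "EXECVE", "FILESYSTEM_WRITE", "SERVER_ADMIN"},
}

# Illustrative artifact headers (stubs, not the project's real YAML file).
PRE_PATCH = """\
name: Admin.Client.UpdateClientConfig
description: Update the client's configuration (illustrative stub).
"""

POST_PATCH = """\
name: Admin.Client.UpdateClientConfig
description: Update the client's configuration (illustrative stub).
required_permissions:
  - EXECVE
  - FILESYSTEM_WRITE
"""


def artifact_name(yaml_text):
    """Return the artifact's name field, or None if absent."""
    m = re.search(r"^name:\s*(\S+)", yaml_text, re.M)
    return m.group(1) if m else None


def required_permissions(yaml_text):
    """Extract the required_permissions list without a YAML library.
    Only the simple block-list form used by the patch is understood."""
    perms = set()
    in_block = False
    for line in yaml_text.splitlines():
        if re.match(r"^required_permissions:\s*$", line):
            in_block = True
            continue
        if in_block:
            m = re.match(r"^\s+-\s*(\S+)", line)
            if m:
                perms.add(m.group(1))
            else:
                in_block = False  # end of the list
    return perms


def can_collect(role, yaml_text):
    """Assumed rule: launching any client collection needs COLLECT_CLIENT,
    and every permission the artifact declares must also be held."""
    needed = {"COLLECT_CLIENT"} | required_permissions(yaml_text)
    return needed <= ROLE_PERMISSIONS.get(role, set())


# Constructed audit records: who launched which artifact on which client.
# Field names are an assumption for this example, not the real audit schema.
AUDIT = [
    {"principal": "alice", "role": "administrator",
     "artifact": "Admin.Client.UpdateClientConfig", "client_id": "C.1"},
    {"principal": "bob", "role": "investigator",
     "artifact": "Generic.Client.Info", "client_id": "C.2"},
    {"principal": "bob", "role": "investigator",
     "artifact": "Admin.Client.UpdateClientConfig", "client_id": "C.2"},
]


def flag_pre_patch_abuse(records, patched_yaml):
    """Return collections of the artifact that the patched definition would
    refuse: the events worth reviewing on a server that ran an unfixed build."""
    target = artifact_name(patched_yaml)
    return [r for r in records
            if r["artifact"] == target and not can_collect(r["role"], patched_yaml)]


if __name__ == "__main__":
    for role in ROLE_PERMISSIONS:
        print(role, "pre-patch:", can_collect(role, PRE_PATCH),
              "post-patch:", can_collect(role, POST_PATCH))
    for hit in flag_pre_patch_abuse(AUDIT, POST_PATCH):
        print("review:", hit["principal"], "collected", hit["artifact"],
              "on", hit["client_id"])
```

Run against a real export, the hunt reduces to the same join: collections of the artifact by principals whose role lacks EXECVE or FILESYSTEM_WRITE. Those are the events to examine for modified client configurations on the affected endpoints.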
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| www.velocidex.com/golang/velociraptor | go | < 0.74.3 | 0.74.3 |