Oct 28 Update: Following discussions between Rapid7 Labs and CISA, and after reviewing the available evidence and context around the attacks, CISA has removed CVE-2025-6264 (Velociraptor) from the Known Exploited Vulnerabilities (KEV) catalog. This decision reflects the clarification that the vulnerability itself was not exploited in the observed incidents. We appreciate CISA’s collaboration and willingness to revisit the listing in light of additional context from Rapid7 Labs’ analysis.
Oct 16 Update: Additions have been made in the "What happened" and "Hosted customers" sections of this blog to further clarify CVE-2025-6264.
Oct 15 Update: CISA recently added CVE-2025-6264, affecting Velociraptor, to the KEV list. To clarify: in the activity referenced, attackers did not exploit this vulnerability. They had already gained access and later deployed an older Velociraptor version to maintain persistence within the environment. In other words, the tool was misused after compromise, not exploited to gain it. We believe it’s important to keep this distinction clear when discussing real-world abuse versus vulnerability exploitation.
Overview
Open-source technologies and communities are a big part of the Rapid7 ethos, and that’s not by chance – it’s by design. We believe that our Metasploit, AttackerKB, and Velociraptor initiatives help create a strong threat intelligence foundation as well as a secure digital future for all.
Unfortunately, the same open-source tools that help security teams prioritize risk and improve security outcomes can be misused by threat actors. For example, the digital forensics and incident response (DFIR) tool Velociraptor has been observed being used by threat actors in a ransomware campaign. Rapid7 has implemented detections for this and other Velociraptor-related misuse; Rapid7's own environment is not impacted by this incident.
What happened
Velociraptor is an open-source technology and community that enables incident response teams to deliver forensic detail following a security incident. Because it is maintained as an open-source project for DFIR professionals, any identified vulnerabilities are quickly prioritized, addressed, and reported.
The observed ransomware campaign makes use of Velociraptor to maintain persistence in the victims' networks. The Velociraptor version the threat actors deployed, version 0.73.4.0, was affected by a privilege escalation vulnerability (CVE-2025-6264) in the artifact that performs remote upgrade. As the updates above note, the attackers did not exploit this vulnerability: they had already gained access and deployed the older build afterwards. Exploiting the vulnerability in a self-hosted (open-source) deployment first requires the attacker to hold authenticated Investigator role privileges, which makes it a low-severity issue because that precondition is unlikely to be met. Rapid7 patched this vulnerability on June 18, 2025.
In another recently observed incident, a threat actor downloaded the Velociraptor binary and specified their own command-and-control (C2) server in its configuration file. After Velociraptor was executed on the compromised asset, it established communication with the attacker's C2 server. Once that channel was established, the threat actor used Velociraptor to perform further actions, such as downloading additional files or executing commands on the compromised asset. This is not a vulnerability in the tool itself; it is legitimate functionality being used for malicious purposes.
This behavior reflects a misuse pattern rather than a software flaw: adversaries simply repurpose legitimate collection and orchestration capabilities. In practice, they configure their own Velociraptor servers, push client binaries into compromised environments, and use artifacts such as Generic.System.Pslist or Windows.EventLogs.Evtx to conduct reconnaissance and data exfiltration — the same way DFIR teams gather evidence.
What you should do now
Rapid7 recommends verifying the legitimacy of any Velociraptor deployments in your environment. Ensure that servers and agents are under your administrative control, monitor for unsigned binaries, and alert on unexpected network connections to Velociraptor service ports. Review endpoint logging for newly created services or scheduled tasks referencing “velociraptor.exe”.
Restrict execution of unknown Velociraptor binaries.
Review endpoint telemetry for new outbound connections to the ports Velociraptor uses by default (8000 for the frontend, 8001 for the API, or 8889 for the GUI), especially to hosts that are not your own Velociraptor servers.
Rotate API and authentication keys if any server compromise is suspected.
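The checklist above can be turned into triage logic. The following is an added example, not code from Rapid7 or the Velociraptor project, and not the Sigma rule Rapid7 Labs published. It runs three of the checks over constructed Sysmon-style events: a Velociraptor binary (possibly renamed, recognised by its command-line shape) executing from outside an assumed approved install directory or pointed at a config file outside it, a new service or scheduled task referencing velociraptor.exe, and outbound connections on the default Velociraptor ports to hosts that are not on an assumed allowlist of your own servers. The approved directory, the approved server name, the event field names and all sample events are assumptions made for the example. The port check alone is noisy (other software listens on 8000), so the last function only rates a host high-confidence when endpoint evidence and network evidence coincide.

```python
"""Triage constructed endpoint telemetry for signs of Velociraptor misuse.

Checks (from the guidance above):
  1. Velociraptor client executing from a non-standard directory, or using a
     config file outside the approved install directory
  2. new service / scheduled task whose command references velociraptor.exe
  3. outbound connections to Velociraptor's default ports (8000 frontend,
     8001 API, 8889 GUI) to hosts that are not our own servers
"""
import re
from dataclasses import dataclass

# Assumed allowlists for the organisation running the check (hypothetical).
APPROVED_INSTALL_DIRS = ("c:\\program files\\velociraptor\\",)
APPROVED_SERVERS = {"velociraptor.corp.example"}
VELOCIRAPTOR_PORTS = {8000, 8001, 8889}
NETWORK_RULE = "velociraptor_unexpected_server"


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


def _is_velociraptor_binary(image: str, cmdline: str) -> bool:
    """Match on file name, or on the CLI shape a renamed binary still has."""
    name = image.rsplit("\\", 1)[-1].lower()
    if name == "velociraptor.exe" or name.startswith("velociraptor-"):
        return True
    # "<exe> --config <file> client|frontend|gui" or "<exe> service install"
    shape = r"(?i)(--config\s+\S+.*\b(client|frontend|gui)\b|\bservice\s+install\b)"
    return re.search(shape, cmdline) is not None


def check_process(event: dict) -> list:
    """Process-creation event: non-standard binary path or foreign config."""
    image, cmd = event["Image"], event.get("CommandLine", "")
    if not _is_velociraptor_binary(image, cmd):
        return []
    findings = []
    if not image.lower().startswith(APPROVED_INSTALL_DIRS):
        findings.append(Finding("velociraptor_nonstandard_path", event["Host"], image))
    m = re.search(r'(?i)--config\s+(?:"([^"]+)"|(\S+))', cmd)
    cfg = (m.group(1) or m.group(2)) if m else None
    if cfg and not cfg.lower().startswith(APPROVED_INSTALL_DIRS):
        findings.append(Finding("velociraptor_foreign_config", event["Host"], cfg))
    return findings


def check_persistence(event: dict) -> list:
    """Service-install or scheduled-task event referencing velociraptor.exe."""
    cmd = event.get("ServiceFileName") or event.get("TaskContent") or ""
    if "velociraptor.exe" in cmd.lower():
        return [Finding("velociraptor_persistence", event["Host"], cmd)]
    return []


def check_network(event: dict) -> list:
    """Outbound connection on a Velociraptor port to a non-approved host."""
    port, dest = int(event["DestinationPort"]), event["DestinationHostname"].lower()
    if port in VELOCIRAPTOR_PORTS and dest not in APPROVED_SERVERS:
        return [Finding(NETWORK_RULE, event["Host"], f"{dest}:{port}")]
    return []


HANDLERS = {"process": check_process, "service": check_persistence,
            "task": check_persistence, "network": check_network}


def triage(events) -> list:
    """Run every event through the handler for its type; return all findings."""
    findings = []
    for ev in events:
        findings.extend(HANDLERS[ev["Type"]](ev))
    return findings


def hosts_by_confidence(findings) -> dict:
    """high = endpoint and network evidence; medium = endpoint only; low = port only."""
    rules_by_host = {}
    for f in findings:
        rules_by_host.setdefault(f.host, set()).add(f.rule)
    rating = {}
    for host, rules in rules_by_host.items():
        endpoint = any(r != NETWORK_RULE for r in rules)
        network = NETWORK_RULE in rules
        rating[host] = "high" if endpoint and network else ("medium" if endpoint else "low")
    return rating


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # ws01: the IR team's own client, approved path, approved server -> clean
    {"Type": "process", "Host": "ws01", "Image": "C:\\Program Files\\Velociraptor\\velociraptor.exe",
     "CommandLine": '"C:\\Program Files\\Velociraptor\\velociraptor.exe" --config '
                    '"C:\\Program Files\\Velociraptor\\client.config.yaml" client -v'},
    {"Type": "network", "Host": "ws01", "DestinationHostname": "velociraptor.corp.example", "DestinationPort": 8000},
    # ws02: renamed binary in a user-writable dir, attacker config, service persistence, foreign server
    {"Type": "process", "Host": "ws02", "Image": "C:\\Users\\Public\\vr.exe",
     "CommandLine": "C:\\Users\\Public\\vr.exe --config C:\\Users\\Public\\client.config.yaml client -v"},
    {"Type": "service", "Host": "ws02",
     "ServiceFileName": "C:\\Users\\Public\\velociraptor.exe --config C:\\Users\\Public\\client.config.yaml client"},
    {"Type": "network", "Host": "ws02", "DestinationHostname": "203.0.113.45", "DestinationPort": 8000},
    # ws03: port 8000 to an internal dev box, no endpoint evidence -> low confidence only
    {"Type": "network", "Host": "ws03", "DestinationHostname": "devbox.corp.example", "DestinationPort": 8000},
]

if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS)
    for f in results:
        print(f"{f.host:5} {f.rule:32} {f.detail}")
    print(hosts_by_confidence(results))
```

The shape-based match in `_is_velociraptor_binary` is what catches the renamed `vr.exe` on ws02; a rule keyed only on the file name would miss it, while the service install still references `velociraptor.exe` and is caught by the persistence check. Replace the allowlists with your own install path and server names before using this on real telemetry.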
How Rapid7 is supporting customers
Rapid7 has detections in place, with triage by our teams, to monitor for potential abuse of Velociraptor in customer environments.
The Rapid7 Labs team has released a Sigma rule to identify the execution of Velociraptor binaries from non-standard directories and to monitor for unusual command-line arguments. The Sigma rule and a YARA rule can be found in the article referenced below.
Hosted customers
As mentioned above, CVE-2025-6264 is a patched, low-severity vulnerability in the artifact that performs remote upgrade. That artifact does not operate in the hosted Velociraptor version, because the endpoint is fully managed. In other words, because there is no remote upgrade via this mechanism, hosted Velociraptor customers are not impacted.
Learn more
To learn more about detecting Velociraptor misuse in your environment, visit https://docs.velociraptor.app/knowledge_base/tips/velocirator_misuse/.

