CVE-2025-14728
📋 TL;DR
CVE-2025-14728 is a directory traversal vulnerability in Rapid7 Velociraptor on Linux servers that allows rogue clients to write files outside the designated datastore directory. The vulnerability affects Velociraptor versions before 0.75.6 and requires client access to exploit. Attackers can write files to unintended locations, though the impact is limited by the requirement that directory names end with "%2E".
💻 Affected Systems
- Rapid7 Velociraptor
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker with client access could write malicious files to sensitive system locations, potentially leading to privilege escalation, data corruption, or persistence mechanisms.
Likely Case
Limited file writes to non-critical directories due to the "%2E" requirement, potentially allowing data exfiltration or creation of backdoor files in accessible locations.
If Mitigated
Minimal impact with proper network segmentation and client authentication controls, as the vulnerability requires authenticated client access.
🎯 Exploit Status
Exploitation requires client access and knowledge of the specific directory traversal technique using "%2E" encoding.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.75.6
Vendor Advisory: https://docs.velociraptor.app/announcements/advisories/cve-2025-14728/
Restart Required: Yes
Instructions:
1. Download Velociraptor version 0.75.6 or later from the official repository.
2. Stop the Velociraptor service.
3. Replace the existing binary with the patched version.
4. Restart the Velociraptor service.
5. Verify the version is 0.75.6 or higher.
🔧 Temporary Workarounds
Restrict Client Access
Limit which clients can connect to the Velociraptor server using network controls and authentication.
File System Restrictions
Use filesystem permissions to restrict write access outside the datastore directory.
chmod 750 /path/to/velociraptor/datastore
chown velociraptor:velociraptor /path/to/velociraptor/datastore
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Velociraptor servers from untrusted networks.
- Enforce strong authentication and authorization controls for all Velociraptor clients.
🔍 How to Verify
Check if Vulnerable:
Check the Velociraptor version. If it's below 0.75.6 and running on Linux, the system is vulnerable.
Check Version:
velociraptor --version
Verify Fix Applied:
Verify the Velociraptor version is 0.75.6 or higher and test file upload functionality with directory traversal attempts.
📡 Detection & Monitoring
Log Indicators:
- Unusual file write operations outside the datastore directory
- Client requests containing "%2E" in directory paths
- Failed file write attempts with directory traversal patterns
Network Indicators:
- Client connections attempting file uploads with encoded directory paths
SIEM Query:
source="velociraptor" AND event="file_write" AND (path NOT CONTAINS "/datastore/" OR path CONTAINS "%2E")
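The two log indicators above (writes landing outside the datastore, and paths carrying encoded dots) are cheap to check but behave differently: a substring match on "%2E" fires on harmless names too, while a containment check only fires once the decoded path really leaves the datastore. The following added example (not code from the advisory or from Velociraptor; the JSON log shape, the field names and the datastore location are all constructed assumptions) runs both rules over a few constructed log lines and reports which rule matched, so the reader can see the difference on each case. It also decodes percent-encoding repeatedly, so a double-encoded "%252E" is resolved before the containment check.

```python
import json
import posixpath
from urllib.parse import unquote

# Assumed datastore location; adjust to the server's actual configuration.
DATASTORE_ROOT = "/opt/velociraptor/datastore"

# Constructed sample log lines (one JSON object per line); not real Velociraptor output.
SAMPLE_LOGS = """\
{"source":"velociraptor","event":"file_write","client_id":"C.1111","path":"/opt/velociraptor/datastore/clients/C.1111/collections/F.1/upload.json"}
{"source":"velociraptor","event":"file_write","client_id":"C.2222","path":"/opt/velociraptor/datastore/clients/C.2222/.%2E/.%2E/.%2E/.%2E/tmp/dropped.txt"}
{"source":"velociraptor","event":"file_write","client_id":"C.3333","path":"/opt/velociraptor/datastore/clients/C.3333/dir%2E/notes.txt"}
{"source":"velociraptor","event":"file_write","client_id":"C.4444","path":"/tmp/outside.txt"}
{"source":"velociraptor","event":"client_enroll","client_id":"C.5555"}
"""


def decode_and_normalize(path: str) -> str:
    """Percent-decode until the string stops changing, then collapse '.' and '..'.

    Looping handles double encoding ("%252E" -> "%2E" -> "."); a single
    unquote() would leave "%2E" in place and the traversal unnoticed.
    """
    prev, cur = None, path
    while cur != prev:
        prev, cur = cur, unquote(cur)
    return posixpath.normpath(cur)


def is_inside(root: str, path: str) -> bool:
    """True only if the decoded, normalized path stays under root."""
    root = posixpath.normpath(root)
    norm = decode_and_normalize(path)
    return norm == root or norm.startswith(root + "/")


def find_suspicious(log_text: str, root: str = DATASTORE_ROOT) -> list:
    """Apply both indicators to every file_write event; return the matches."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("source") != "velociraptor" or event.get("event") != "file_write":
            continue
        path = event.get("path", "")
        reasons = []
        if "%2e" in path.lower():          # raw indicator: encoded dot anywhere in the path
            reasons.append("encoded-dot")
        if not is_inside(root, path):      # stronger indicator: decoded path escapes the root
            reasons.append("outside-datastore")
        if reasons:
            hits.append({"client_id": event.get("client_id"), "path": path, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOGS):
        print(hit["client_id"], hit["reasons"], hit["path"])
```

On the sample, C.2222 matches both rules, C.3333 matches only the encoded-dot rule (its decoded path stays inside the datastore), and C.4444 matches only the containment rule, which the substring rule alone would miss entirely. The same `is_inside` check is the shape of validation a server should apply to client-supplied paths before writing.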