The Cybersecurity and Infrastructure Security Agency (CISA) has added a vulnerability in Rapid7 Velociraptor to its Known Exploited Vulnerabilities (KEV) catalogue, warning that threat actors are actively exploiting the flaw in ransomware attacks.
The vulnerability, tracked as CVE-2025-6264, was added to the catalogue on October 14, 2025, giving federal agencies until November 4 to implement necessary security measures.
Vulnerability Details and Security Impact
The security flaw affects Rapid7 Velociraptor, a digital forensics and incident response tool widely used by security teams for endpoint monitoring and threat hunting.
The vulnerability stems from incorrect default permissions on a built-in server artifact (Admin.Client.UpdateClientConfig), which could be collected by users holding only the COLLECT_CLIENT permission rather than the more privileged EXECVE permission. Because that artifact rewrites an endpoint's client configuration, a low-privileged Velociraptor user could repoint agents at a server they control and, from there, run arbitrary commands and take complete control of the affected endpoints. Rapid7 fixed the artifact's permission in Velociraptor 0.74.3.
| Field | Details |
|---|---|
| CVE ID | CVE-2025-6264 |
| Product | Rapid7 Velociraptor |
| Vulnerability Type | Incorrect Default Permissions (CWE-276) |
Exploitation requires the attacker to already hold a Velociraptor account with permission to collect artifacts from the target endpoint. That prerequisite has not prevented real-world abuse: an operator who has compromised a Velociraptor user account, or who controls a Velociraptor server already present in the environment, meets it.
The vulnerability is classified under CWE-276, which relates to incorrect default permissions that weaken system security.
Once exploited, attackers can leverage their elevated access to deploy ransomware payloads, exfiltrate sensitive data, or establish persistent backdoors within compromised networks.
Security researchers warn that the flaw’s presence in a security tool makes it particularly attractive to ransomware operators seeking to evade detection while maintaining control over victim systems.
CISA flags the entry as "known to be used in ransomware campaigns", meaning the agency has evidence that ransomware operators are exploiting the flaw, not merely that exploitation is theoretically possible.
Ransomware actors typically target vulnerabilities in security and monitoring tools because compromising these systems allows them to disable defenses, manipulate logs, and operate undetected for extended periods.
The exploitation of Velociraptor represents a concerning trend where attackers weaponize the very tools organizations rely on for protection.
Federal agencies and private sector organizations using Rapid7 Velociraptor must take immediate action to address this vulnerability.
CISA's standard KEV remediation guidance applies: apply mitigations per vendor instructions (for Velociraptor, upgrade to a fixed release), follow the applicable Binding Operational Directive 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Organizations unable to implement available mitigations should discontinue using the product until proper security measures can be deployed.
Security teams should also review their Velociraptor deployments for indicators of prior exploitation: confirm that every server runs a fixed release, check the server's audit logs for unexpected artifact collections and client configuration changes, and verify that no Velociraptor agents are reporting to servers the organisation does not operate.
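A first step in that review is confirming which servers are still on an affected build. The following script is an added example written for this article, not code from CISA or Rapid7. It parses the version strings an organisation has collected from its Velociraptor servers (for instance from the output of the `velociraptor version` command or from an asset inventory), compares them with the first fixed release, and reports hosts that need attention. The fixed release of 0.74.3 is the value given in Rapid7's advisory for CVE-2025-6264; the sample inventory and host names are constructed for the example, and the threshold should be checked against the vendor's current advisory before use.

```python
"""Flag Velociraptor servers whose version predates the fix for CVE-2025-6264."""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# First fixed release per Rapid7's advisory for CVE-2025-6264.
# Assumption for this example: verify against the vendor's current advisory.
FIXED_VERSION = "0.74.3"

# Velociraptor reports versions as "0.74.3" or the four-part "0.73.4.0";
# the regex tolerates surrounding text such as "Velociraptor version 0.73.4.0".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[.-](\d+))?")

Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Optional[Version]:
    """Extract (major, minor, patch, build) from a version string.

    A missing fourth component is treated as build 0, so "0.74.3" and
    "0.74.3.0" compare equal. Returns None when no version is present.
    """
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    major, minor, patch, build = match.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is strictly older than the fixed release."""
    parsed = parse_version(version)
    fixed_parsed = parse_version(fixed)
    if parsed is None or fixed_parsed is None:
        raise ValueError(f"unparseable version: {version!r}")
    return parsed < fixed_parsed


def audit(inventory: Iterable[Tuple[str, str]],
          fixed: str = FIXED_VERSION) -> Dict[str, List[str]]:
    """Classify (hostname, version string) pairs.

    Returns hosts on an affected build, hosts on a fixed build, and hosts
    whose version could not be parsed (these need manual inspection rather
    than being silently assumed safe).
    """
    result: Dict[str, List[str]] = {"vulnerable": [], "fixed": [], "unparsed": []}
    for host, version_text in inventory:
        if parse_version(version_text) is None:
            result["unparsed"].append(host)
        elif is_vulnerable(version_text, fixed):
            result["vulnerable"].append(host)
        else:
            result["fixed"].append(host)
    return result


# Constructed sample inventory for the example; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("velo-prod-01", "Velociraptor version 0.74.3"),
    ("velo-dr-02", "0.73.4.0"),
    ("velo-lab-03", "0.72.4"),
    ("velo-new-04", "0.74.4.1"),
    ("velo-legacy-05", "version unknown (binary not found)"),
]


if __name__ == "__main__":
    report = audit(SAMPLE_INVENTORY)
    for category, hosts in report.items():
        print(f"{category}: {', '.join(hosts) if hosts else '-'}")
```

Treat the `unparsed` bucket as a finding in its own right: a server whose version cannot be established should be inspected by hand rather than dropped from the list.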