Velociraptor privilege escalation flaw (CVE-2025-6264)
Vulnerability
Summary
Velociraptor 0.73.4.0 is affected by CVE-2025-6264, a privilege escalation flaw that can enable arbitrary command execution and endpoint takeover. In the Storm-2603 campaign the outdated build was deployed by the attackers after they had already gained initial access, so the flaw served as a post-compromise path to deeper control rather than as an entry vector. The issue matters because an outdated copy of a legitimate DFIR tool becomes an escalation point on any endpoint where it is present, whether it was installed by defenders or by an intruder; defenders therefore need to confirm that every Velociraptor instance on their estate is expected and not running the vulnerable version.
Related Happenings
Storm-2603 Velociraptor-abuse ransomware campaign
Campaign
First: 09.10.2025 22:31
Last: 09.10.2025 22:31
Sources 1
How related:
"Velociraptor played a significant role in this campaign, ensuring the actors maintained stealthy persistent access while deploying LockBit and Babuk ransomware," the researchers wrote.
About this happening:
The **Storm-2603** campaign abuses **Velociraptor** as an intrusion enabler during **ransomware attacks**, using an outdated **Velociraptor 0.73.4.0** instance vulnerable to **CVE...
Velociraptor DFIR abuse for ransomware persistence
Malware Activity
First: 09.10.2025 22:31
Last: 09.10.2025 22:31
Sources 1
How related:
In addition to the ransomware trio, Cisco Talos found Storm-2603 actors had also deployed Velociraptor to aid their attack.
About this happening:
The **Velociraptor** DFIR tool is being abused in **ransomware attacks** tied to **Storm-2603** (aka **CL-CRI-1040**/**Gold Salem**), with **ToolShell** used for initial access to...
Timeline
- 10.10.2025 18:53 · 2 articles
Velociraptor 0.73.4.0 exposed to CVE-2025-6264 in Storm-2603 campaign
Technical Analysis Update
Cisco Talos and Rapid7 described malicious use of Velociraptor version 0.73.4.0 by Storm-2603 in a ransomware campaign, noting that the outdated build was exposed to CVE-2025-6264 and could enable arbitrary command execution and endpoint takeover. The guidance said defenders should verify whether each Velociraptor instance is legitimate, inspect endpoint logs for newly created services or scheduled tasks tied to velociraptor.exe, and flag any such binary that is unsigned or signed by an entity other than the expected vendor.
- Chinese Hackers Use Velociraptor IR Tool in Ransomware Attacks — www.darkreading.com — 10.10.2025 18:53
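The detection guidance in the timeline entry above can be turned into a small triage routine. The following is an added example, not code from the page or from the Velociraptor project: it walks constructed Windows event records (System 7045 "service installed" and Security 4698 "scheduled task created"), extracts any velociraptor.exe path they reference, and checks that path against a constructed signature inventory using the "unsigned or signed by another entity" rule. The expected signer substring, the sample events, the signature inventory and the name-mismatch heuristic are all assumptions; on a real host the inventory would come from Get-AuthenticodeSignature or an EDR's file metadata.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumption: substring expected in the signer subject of a known-good Velociraptor
# binary. Replace it with the exact subject observed on a build obtained from the vendor.
EXPECTED_SIGNER = "Rapid7"

# A Windows path (drive letter, backslashes) ending in velociraptor.exe; the class stops
# at quotes and XML angle brackets so it works inside task XML as well as in ImagePath.
VELO_PATH = re.compile(r'([A-Za-z]:\\[^"<>\r\n]*?velociraptor\.exe)', re.IGNORECASE)


@dataclass
class Event:
    log: str               # "System" or "Security"
    event_id: int          # 7045 = service installed, 4698 = scheduled task created
    fields: Dict[str, str]


@dataclass
class Finding:
    source: str            # "service" or "scheduled task"
    name: str
    path: str
    sig_status: str
    signer: Optional[str]
    verdict: str           # "review" (looks legitimate, still confirm) or "suspicious"
    reasons: List[str] = field(default_factory=list)


def extract_velociraptor_path(text: str) -> Optional[str]:
    """Return the first velociraptor.exe path referenced in text, or None."""
    m = VELO_PATH.search(text)
    return m.group(1) if m else None


def check_signature(path: str, signatures: Dict[str, Tuple[str, Optional[str]]],
                    expected_signer: str = EXPECTED_SIGNER):
    """Apply the 'unsigned or signed by another entity' rule to one binary path."""
    status, signer = signatures.get(path, ("Unknown", None))
    reasons = []
    if status == "Unknown":
        reasons.append("no signature record for this path")
    elif status != "Valid":
        reasons.append(f"signature status {status}")
    elif not signer or expected_signer.lower() not in signer.lower():
        reasons.append(f"signed by unexpected entity: {signer}")
    return status, signer, reasons


def triage(events: List[Event], signatures, expected_signer: str = EXPECTED_SIGNER) -> List[Finding]:
    """Flag newly created services/tasks whose command references velociraptor.exe."""
    findings = []
    for ev in events:
        if (ev.log, ev.event_id) == ("System", 7045):
            source, name = "service", ev.fields.get("ServiceName", "")
            blob = ev.fields.get("ImagePath", "")
        elif (ev.log, ev.event_id) == ("Security", 4698):
            source, name = "scheduled task", ev.fields.get("TaskName", "")
            blob = ev.fields.get("TaskContent", "")
        else:
            continue
        path = extract_velociraptor_path(blob)
        if path is None:
            continue
        status, signer, reasons = check_signature(path, signatures, expected_signer)
        # Assumed heuristic: a legitimate deployment names the service after the tool;
        # a generic or Microsoft-looking name wrapping velociraptor.exe is masquerading.
        if "velociraptor" not in name.lower():
            reasons.append(f"{source} name {name!r} does not identify Velociraptor")
        verdict = "suspicious" if reasons else "review"
        findings.append(Finding(source, name, path, status, signer, verdict, reasons))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    Event("System", 7045, {"ServiceName": "Velociraptor",
                           "ImagePath": r"C:\Program Files\Velociraptor\velociraptor.exe service run"}),
    Event("System", 7045, {"ServiceName": "WinUpdateSvc",
                           "ImagePath": r"C:\Windows\Temp\velociraptor.exe --config C:\Windows\Temp\client.yaml service run"}),
    Event("Security", 4698, {"TaskName": r"\Microsoft\Windows\Maintenance",
                             "TaskContent": r"<Exec><Command>C:\ProgramData\vr\velociraptor.exe</Command>"
                                            r"<Arguments>--config C:\ProgramData\vr\client.yaml</Arguments></Exec>"}),
    Event("System", 7045, {"ServiceName": "Spooler",
                           "ImagePath": r"C:\Windows\System32\spoolsv.exe"}),
]

# Constructed signature inventory: path -> (status, signer subject). Signer strings are
# illustrative placeholders, not real certificate subjects.
SAMPLE_SIGNATURES = {
    r"C:\Program Files\Velociraptor\velociraptor.exe": ("Valid", "Rapid7 (illustrative subject)"),
    r"C:\Windows\Temp\velociraptor.exe": ("NotSigned", None),
    r"C:\ProgramData\vr\velociraptor.exe": ("Valid", "Contoso Software Ltd"),
}

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, SAMPLE_SIGNATURES):
        print(f"[{f.verdict}] {f.source} {f.name!r} -> {f.path} ({f.sig_status}, {f.signer})")
        for r in f.reasons:
            print("    -", r)
```

On the sample data the script produces one "review" finding (the service named Velociraptor under Program Files with the expected signer, which still has to be confirmed against the list of sanctioned deployments) and two "suspicious" ones: an unsigned copy in C:\Windows\Temp behind a service named WinUpdateSvc, and a copy under ProgramData signed by a different entity and launched from a Microsoft-looking scheduled task. The Spooler event is ignored because it never references velociraptor.exe.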