// For flags

CVE-2024-10526

Rapid7 Velociraptor Local Privilege Escalation In Windows Velociraptor Service

Severity Score

8.6
*CVSS v4

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track*
*SSVC
Descriptions

Rapid7 Velociraptor MSI Installer versions below 0.73.3 suffer from a vulnerability whereby it creates the installation directory with WRITE_DACL permission to the BUILTIN\\Users group. This allows local users who are not administrators to grant themselves the Full Control permission on Velociraptor's files. By modifying Velociraptor's files, local users can subvert the binary and cause the Velociraptor service to execute arbitrary code as the SYSTEM user, or to replace the Velociraptor binary completely. This issue is fixed in version 0.73.3.

Las versiones del instalador MSI de Rapid7 Velociraptor anteriores a la 0.73.3 sufren una vulnerabilidad que crea el directorio de instalación con el permiso WRITE_DACL para el grupo BUILTIN\\Users. Esto permite que los usuarios locales que no son administradores se otorguen el permiso de Control total sobre los archivos de Velociraptor. Al modificar los archivos de Velociraptor, los usuarios locales pueden subvertir el binario y hacer que el servicio Velociraptor ejecute código arbitrario como el usuario SYSTEM o que reemplace el binario de Velociraptor por completo. Este problema se solucionó en la versión 0.73.3.

*Credits: Jean-Baptiste Mesnard-Sense from Synackti
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Attack Requirements
None
Privileges Required
Low
User Interaction
Active
System
Vulnerable | Subsequent
Confidentiality
High
High
Integrity
High
High
Availability
High
High
Attack Vector
Local
Attack Complexity
Low
Attack Requirements
None
Privileges Required
Low
User Interaction
Active
System
Vulnerable | Subsequent
Confidentiality
High
High
Integrity
High
High
Availability
High
High
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Local
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:Track*
Exploitation
None
Automatable
No
Tech. Impact
Total
* Organization's Worst-case Scenario
Timeline
  • 2024-10-30 CVE Reserved
  • 2024-11-07 CVE Published
  • 2024-11-07 CVE Updated
  • 2025-04-17 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-552: Files or Directories Accessible to External Parties
  • CWE-732: Incorrect Permission Assignment for Critical Resource
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Rapid7
Search vendor "Rapid7"
 Velociraptor
Search vendor "Rapid7" for product "Velociraptor"
*-
Affected