CVE-2025-0914: Velociraptor Shell Plugin Prevent_execve Bypass

3.8 CVSS

Description

An improper access control issue in the VQL shell feature in Velociraptor Versions < 0.73.4 allowed authenticated users to execute the execve() plugin in deployments where this was explicitly forbidden by configuring the prevent_execve flag in the configuration file. This setting is not usually recommended and is uncommonly used, so this issue will only affect users who do set it. This issue is fixed in release 0.73.4.

Classification

CVE ID: CVE-2025-0914

CVSS Base Severity: LOW

CVSS Base Score: 3.8

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

Problem Types

CWE-281 Improper Preservation of Permissions

Affected Products

Vendor: Rapid7

Product: Velociraptor

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 5.47% (scored less or equal to compared to others)

EPSS Date: 2025-03-28 (when was this score calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: partial

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2025-0914
https://docs.velociraptor.app/announcements/advisories/cve-2025-0914/

Timeline

2025-02-27 17:40:10 UTC
CVE

Velociraptor Shell Plugin Prevent_execve Bypass