CVE-2025-14728

MEDIUM

6.8

Descripcion

Rapid7 Velociraptor versions before 0.75.6 contain a directory traversal issue on Linux servers that allows a rogue client to upload a file which is written outside the datastore directory. Velociraptor is normally only allowed to write in the datastore directory. The issue occurs due to insufficient sanitization of directory names which end with a ".", only encoding the final "." AS "%2E". Although files can be written to incorrect locations, the containing directory must end with "%2E". This limits the impact of this vulnerability, and prevents it from overwriting critical files.

Detalles CVE

Puntuacion CVSS v3.16.8

SeveridadMEDIUM

Vector CVSSCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

Vector de ataqueNETWORK

ComplejidadHIGH

Privilegios requeridosNONE

Interaccion usuarioNONE

Publicado12/29/2025

Ultima modificacion2/20/2026

Fuentenvd

Avistamientos honeypot0

Productos afectados

linux:linux_kernelrapid7:velociraptor

Debilidades (CWE)

CWE-22

Referencias

https://docs.velociraptor.app/announcements/advisories/cve-2025-14728/(cve@rapid7.com)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.