CVE-2025-0914: 
Velociraptor vulnerability analysis and mitigation

CVE-2025-0914 affects the VQL shell feature in Velociraptor versions prior to 0.73.4. The vulnerability was discovered in February 2025 and relates to an improper access control issue that allows authenticated users to bypass the prevent_execve configuration flag, enabling execution of the execve() plugin in deployments where it was explicitly forbidden (Velociraptor Docs).

The vulnerability is classified with a CVSS v3.1 score of 3.8 (Low severity), with the following characteristics: Network attack vector, Low attack complexity, High privileges required, No user interaction needed, Unchanged scope, and Low impact on confidentiality and integrity with no impact on availability. The issue is categorized as CWE-281 (Improper Preservation of Permissions) and involves CAPEC-176 (Configuration/Environment Manipulation) (Velociraptor Docs).

The vulnerability allows authenticated users to execute the execve() plugin through the query() plugin on systems where the prevent_execve configuration parameter is set. This bypass only affects deployments that explicitly enable the prevent_execve flag, which is described as an uncommonly used configuration (Velociraptor Docs).

The vulnerability has been fixed in Velociraptor version 0.73.4. Users running affected versions should upgrade their endpoint agents to this release to mitigate the issue (Velociraptor Docs).