Rapid7 Velociraptor versions earlier than 0.76.2 on Linux servers contain an improper validation error in the client monitoring message handler. A client that is authenticated to the Velociraptor server can send a monitoring message with a malicious queue name. The server does not enforce a proper whitelist or length check, allowing the rogue client to inject a crafted request that writes arbitrary messages to privileged internal queues. The attacker can then potentially execute arbitrary code on the Velociraptor server. The vulnerability falls under CWE‑20, reflecting an insecure input validation weakness.

The affected products are Rapid7 Velociraptor installations running on Linux. All instances using a version prior to 0.76.2 are vulnerable. Rapid7 Hosted Velociraptor services are not impacted. The vulnerability only applies to server configurations that allow authenticated client monitoring connections.

The CVSS score of 8.5 indicates high severity. The EPSS score of 0.00088, corresponding to an exploitation probability of 0.088%, indicates a very low but non‑zero likelihood of exploitation, and the vulnerability is not yet listed in CISA’s KEV catalog. The attack requires authenticated access to the client monitoring interface, meaning that only users or automated processes with legitimate credentials can exploit the flaw. Once the attacker can write to privileged queues, they may achieve remote code execution, compromising confidentiality, integrity, and availability of the Velociraptor server. As the flaw is exploitable via network traffic, the range of impact can extend to all services that rely on the compromised server.