CVE-2026-5329 · Rapid7 Velociraptor versions prior to 0.76.2 contain an improper input validation vulnerability in the client monitoring message handler on

01 · The Real Story

This is a master key hidden behind an employee badge, not a crowbar through the front door

CVE-2026-5329 is a server-side input-validation bug in Rapid7 Velociraptor's client monitoring message handler. On vulnerable self-hosted Linux servers, a *rogue client* can send a crafted monitoring message with a malicious queue name and write into privileged internal server queues, which the vendor says may lead to remote code execution. The vendor advisory originally described versions prior to 0.76.2, but both the vendor advisory note and NVD change history show the practical fixed lines are 0.75.7 and 0.76.3, because 0.76.2 had a patch shortcoming for master/minion deployments.

Vendor *impact* is fair, but vendor *urgency* is a little overstated for enterprise patch triage. This is not an unauthenticated internet wormhole; it requires the attacker to already control or impersonate a Velociraptor client, which is a major real-world friction point. That said, once that prerequisite is met, the blast radius is ugly because this is the management plane for endpoint telemetry and response, so I keep it in HIGH rather than dropping it to MEDIUM.

"High-impact server compromise, but only after the attacker already owns or impersonates a Velociraptor client."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Get rogue-client position with a modified Velociraptor client

The attacker first needs a position that can speak to the Velociraptor frontend as a client, not just browse the GUI. In practice that means a compromised enrolled endpoint, a stolen client configuration, or another way to produce valid client traffic against the server's monitoring handler.

Conditions required:

Self-hosted Velociraptor server on Linux
Affected version line installed
Attacker can operate as a Velociraptor client or equivalent rogue client
Network reachability to the frontend/client port

Where this breaks in practice:

This is *post-initial-access* in most enterprises; the attacker usually already needs an endpoint foothold or stolen client material
Hosted Rapid7 Velociraptor instances are explicitly unaffected
Some deployments require client certificates or tightly scope frontend access

Detection/coverage: Commodity external scanners won't prove exploitability here. Detection is mostly architectural: inventory self-hosted Linux Velociraptor servers and review which networks can reach the frontend.

STEP 02

Send crafted monitoring traffic to the frontend handler

Using a modified Velociraptor client, custom protocol replayer, or purpose-built exploit code, the attacker sends a crafted monitoring message containing a malicious queue name to the server's client monitoring message handler. The weakness is insufficient validation of that queue name before the server routes the message internally.

Conditions required:

Attacker can establish client-to-server communications over the frontend path
Attacker understands enough of the protocol/message format to craft a valid monitoring message

Where this breaks in practice:

No public, widely circulated exploit repo surfaced in the reviewed sources
The vendor rated attack complexity as high, which matches the need for protocol-aware message crafting

Detection/coverage: Look for unusual client monitoring traffic or anomalous queue names in Velociraptor server logs if verbose auditing is enabled. Network IDS coverage is likely weak because this is application-protocol specific over TLS.

STEP 03

Write into privileged internal server queues

The crafted queue name lets the rogue client write arbitrary messages into internal queues that should not be client-controlled. That breaks a core trust boundary inside the server: untrusted client-originated data starts influencing privileged server-side workflows.

Conditions required:

Vulnerable server-side queue validation logic is present
Chosen queue is reachable through the flawed handler path

Where this breaks in practice:

Not every internal queue is equally useful for weaponization
The vendor's wording is '*may* lead to remote code execution,' which implies exploit reliability is not guaranteed from queue write alone

Detection/coverage: There is no standard network signature for 'arbitrary internal queue write.' Server-side application logs and process telemetry are the best bet.

STEP 04

Trigger privileged processing and pivot to server compromise

Once privileged internal queue messages are accepted, downstream server components may process attacker-controlled content and open the door to server-side code execution or equivalent high-trust actions. If the Velociraptor server is compromised, the attacker can tamper with a security management plane that sees many endpoints.

Conditions required:

A useful privileged queue is targeted
Downstream processing path turns queue control into code execution or comparable privileged impact

Where this breaks in practice:

The RCE outcome is not described as automatic or universal
EDR on the Linux server can still catch suspicious child processes or interpreter launches

Detection/coverage: EDR/process telemetry on the Velociraptor server is the strongest control here: alert on unexpected shells, interpreters, or child processes spawned by the Velociraptor service.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No authoritative exploitation evidence surfaced in the reviewed sources. I found no KEV listing and no vendor statement claiming active exploitation.
KEV status	Not listed in CISA KEV at review time, which matters because KEV is the strongest public signal that exploitation is happening at scale.
Public PoC availability	I found no mainstream public PoC/exploit repo in reviewed search results. That is a real friction point because this bug is protocol-specific and authenticated.
EPSS	User-supplied EPSS is 0.00101, which is very low. EPSS is not gospel, but it aligns with the lack of public exploitation evidence and the attacker-position requirement.
CVSS split	Rapid7/CNA scored it 8.5 HIGH (`AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H`), while NVD later added a lower 6.5 MEDIUM vector (`AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N`). That disagreement is a clue that impact depends heavily on assumptions about the post-queue-write chain.
Affected versions	NVD change history lists affected CPEs as `<=0.75.6` and `0.76.0` through `<0.76.3`. The vendor advisory describes versions before `0.76.2`, then adds a patch-shortcoming note for master/minion systems.
Fixed versions	Treat `0.75.7` and `0.76.3` as the operationally safe baselines. Do not anchor on `0.76.2` alone if you run master/minion.
Exposure reality	This is self-hosted Linux server exposure, not Rapid7-hosted. The vulnerable path is the client/frontend channel, typically on port `8000`, not just the admin GUI on `8889`.
Deployment defaults	Velociraptor docs show the frontend/client port is commonly reachable by endpoints, while the GUI is often bound more tightly or accessed through SSH tunneling. Optional mTLS can raise friction, but many environments rely on standard client config trust instead.
Disclosure and credit	Publicly disclosed on 2026-04-09. Credit goes to Chris Au from NyxLab; the advisory also credits @s4vvi for reporting the patch deficiency affecting master/minion.

04 · The Call

noisgate verdict.

Final Verdict

= UNCHANGED to HIGH (7.4/10)

The decisive factor is that exploitation requires rogue-client position, which usually means the attacker already has endpoint foothold or stolen client material. I kept this in HIGH because that single foothold can pivot into compromise of a high-trust security management server with outsized blast radius.

HIGH Affected-version and fixed-version assessment

MEDIUM Practical exploitability and likelihood of reliable RCE from queue control

Why this verdict

Downgrade for attacker position: vendor's PR:L hides the real meaning here — the attacker typically needs a compromised enrolled endpoint or stolen client config, so this is usually *post-initial-access* rather than true edge exploitation.
Downgrade for exposed population: only self-hosted Linux Velociraptor servers are in scope, and Rapid7 Hosted Velociraptor is explicitly unaffected. That sharply narrows the reachable enterprise population.
Not lower because blast radius is ugly: if a rogue client can turn queue injection into server compromise, the target is a security management plane with visibility and control over many endpoints.

Why not higher?

This is not unauthenticated remote exploitation against a broadly exposed web edge. The chain depends on prior attacker position as a client, protocol-aware crafting, and a downstream path from queue write to meaningful server compromise; those are all strong downward pressures. No KEV listing, low EPSS, and no reviewed public PoC also keep it out of CRITICAL.

Why not lower?

A compromise of the Velociraptor server is not a routine local-only nuisance; it is a control-plane event with potentially fleet-wide consequences. In large enterprises, assuming the attacker may already own *some* managed endpoint is realistic, so the rogue-client prerequisite is meaningful friction but not a fantasy blocker.

05 · Compensating Control

What to do — in priority order.

Constrain frontend reachability — Restrict the client/frontend listener to known endpoint ranges, VPN egress, or managed network paths instead of broad internet exposure. For a HIGH verdict, deploy this compensating control within 30 days if patching is not already complete.
Require client certificates — Enable Velociraptor Frontend.require_client_certificates to force mTLS on the frontend and raise the bar for arbitrary internet-originating traffic. This does not stop a truly compromised enrolled client, but it does cut off opportunistic external probing and should be rolled out within 30 days.
Harden and monitor the Linux server — Put EDR/audit coverage on the Velociraptor server itself and alert on unexpected child processes, shells, interpreters, or changes under the service account. Treat this as a 30-day control because the server is the high-value blast-radius point.
Review client trust material handling — Audit how client configs, certificates, and repackaged installers are stored and distributed so attackers cannot easily reuse them from a compromised endpoint or admin share. Tighten this within 30 days because stolen client material is the most realistic bridge into this flaw.

What doesn't work

A WAF on the GUI does not meaningfully help; the vulnerable path is the client monitoring handler on the frontend/client channel, not a normal browser workflow.
Rotating GUI admin passwords alone does not address the bug because the attack path is through rogue client traffic, not admin login abuse.
Internet hiding by non-default ports is not a control. Endpoint management ports are still reachable to your fleet and discoverable to an attacker who already has internal foothold.

06 · Verification

Crowdsourced verification payload.

Run this on the target Velociraptor Linux server or through SSH with a read-only shell account that can execute the velociraptor binary or query the local package manager. Save as check-cve-2026-5329.sh and run bash check-cve-2026-5329.sh or bash check-cve-2026-5329.sh /usr/local/bin/velociraptor; no root is required unless your package metadata is restricted.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# Check CVE-2026-5329 exposure on a Linux Velociraptor server.
# Outputs exactly one of: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

TARGET_BIN="${1:-}"

fail_unknown() {
  echo "UNKNOWN"
  exit 2
}

is_linux() {
  [ "$(uname -s 2>/dev/null)" = "Linux" ]
}

version_ge() {
  # returns 0 if $1 >= $2
  [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n1)" = "$2" ]
}

version_gt() {
  # returns 0 if $1 > $2
  [ "$1" != "$2" ] && version_ge "$1" "$2"
}

version_lt() {
  # returns 0 if $1 < $2
  ! version_ge "$1" "$2"
}

extract_semver() {
  echo "$1" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+' | head -n1
}

get_version_from_binary() {
  local bin="$1"
  [ -x "$bin" ] || return 1
  local out
  out="$($bin version 2>/dev/null || $bin --version 2>/dev/null || true)"
  extract_semver "$out"
}

get_version_from_pkg() {
  local out=""
  if command -v dpkg-query >/dev/null 2>&1; then
    out="$(dpkg-query -W -f='${Version}\n' velociraptor 2>/dev/null || true)"
    extract_semver "$out" && return 0
  fi
  if command -v rpm >/dev/null 2>&1; then
    out="$(rpm -q velociraptor 2>/dev/null || true)"
    extract_semver "$out" && return 0
  fi
  return 1
}

classify_version() {
  local ver="$1"

  # Branch-aware handling based on vendor/NVD guidance:
  # - 0.74.x fixed at 0.74.7 (release note)
  # - 0.75.x fixed at 0.75.7
  # - 0.76.x fixed effectively at 0.76.3 because 0.76.2 had a patch shortcoming on master/minion

  case "$ver" in
    0.76.2)
      echo "UNKNOWN"
      exit 2
      ;;
    0.76.*)
      if version_lt "$ver" "0.76.3"; then
        echo "VULNERABLE"
        exit 1
      else
        echo "PATCHED"
        exit 0
      fi
      ;;
    0.75.*)
      if version_lt "$ver" "0.75.7"; then
        echo "VULNERABLE"
        exit 1
      else
        echo "PATCHED"
        exit 0
      fi
      ;;
    0.74.*)
      if version_lt "$ver" "0.74.7"; then
        echo "VULNERABLE"
        exit 1
      else
        echo "PATCHED"
        exit 0
      fi
      ;;
    *)
      # Older/other branches are not clearly documented in reviewed sources.
      echo "UNKNOWN"
      exit 2
      ;;
  esac
}

main() {
  is_linux || fail_unknown

  local ver=""
  if [ -n "$TARGET_BIN" ]; then
    ver="$(get_version_from_binary "$TARGET_BIN")"
  fi

  if [ -z "$ver" ] && command -v velociraptor >/dev/null 2>&1; then
    ver="$(get_version_from_binary "$(command -v velociraptor)")"
  fi

  if [ -z "$ver" ]; then
    ver="$(get_version_from_pkg || true)"
  fi

  [ -n "$ver" ] || fail_unknown
  classify_version "$ver"
}

main "$@"

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning: identify every self-hosted Linux Velociraptor server, confirm whether the frontend/client channel is reachable beyond tightly controlled endpoint networks, and treat any 0.75.x < 0.75.7 or 0.76.x < 0.76.3 deployment as exposed. Per the noisgate mitigation SLA, apply compensating controls like frontend restriction and mTLS within 30 days if you cannot patch immediately; per the noisgate remediation SLA, move all affected systems to 0.75.7 or 0.76.3+ within 180 days, and skip 0.76.2 as your stopping point if you run master/minion.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.