Rapid7 Velociraptor versions before 0.75.6 contain a directory traversal issue on Linux servers that allows a rogue client to upload a file which is written outside the datastore directory. Velociraptor is normally only allowed to write in the datastore directory. The issue occurs due to insufficient sanitization of directory names which end with a ".", only encoding the final "." as "%2E". Although files can be written to incorrect locations, the containing directory must end with "%2E". This limits the impact of this vulnerability and prevents it from overwriting critical files.
Conclusion & alert: CVE-2025-14728 is rated Exploit Available (57.3/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.21%). Core evidence: 1 public exploit reference is indexed (Exploit-DB). Mandatory action: public exploits are available, so assess exposure, apply mitigations, and prioritize patching.
| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| — | nvd_ref | exploit_tag |  | Exploit-DB ↗ |
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-05-27 | 0.45% | 0.21% | -0.24% |
| 2 | 2026-04-22 | 0.61% | 0.45% | -0.16% |
| 3 | 2026-03-21 | — | 0.61% | — |
Full EPSS history (7 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 6.8 | 3.1 | MEDIUM |  | 2.2 | 4.0 | [email protected] |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| rapid7 | velociraptor | < 0.75.6 | cpe:2.3:a:rapid7:velociraptor:*:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://docs.velociraptor.app/announcements/advisories/cve-2025-14728/ | Exploit Patch Vendor Advisory |