Identification safety and entry administration agency CyberArk has patched a number of critical vulnerabilities that would result in unauthenticated distant code execution, doubtlessly enabling risk actors to realize entry to helpful enterprise secrets and techniques.
The vulnerabilities had been discovered by researchers at agentic id safety agency Cyata in CyberArk Conjur, an open supply secrets and techniques administration resolution that’s utilized by many organizations for managing machine and AI identities and for brokering safe entry between numerous enterprise environments.
Conjur is designed for securely storing, managing and controlling entry to credentials, certificates, API keys and different enterprise secrets and techniques utilized in cloud and DevOps environments, which could possibly be extremely helpful to risk actors.
Cyata found a collection of vulnerabilities, together with ones permitting IAM authentication bypass, privilege escalation, info disclosure, and arbitrary code execution.
Chaining the failings permits a distant, unauthenticated attacker to execute arbitrary code on the focused system without having any password, token or AWS credentials.
[ Read: Palo Alto Networks to Acquire CyberArk for $25 Billion ]
The vulnerabilities are tracked as CVE-2025-49827, CVE-2025-49831 (each IAM authenticator bypasses), CVE-2025-49828 (distant code execution), CVE-2025-49830 (path traversal and file disclosure), and CVE-2025-49829 (lacking validations).
CyberArk was notified in regards to the findings in late Might and the corporate introduced the provision of patches in a weblog submit revealed on July 15. Prospects had beforehand been notified in regards to the flaws and patches.Commercial. Scroll to proceed studying.
CyberArk’s Secrets and techniques Supervisor, Self-Hosted (previously Conjur Enterprise) and Conjur open supply are affected.
“So far as we all know, these vulnerabilities haven’t been exploited within the wild, however we strongly encourage all customers of the affected software program to deploy the newly launched patches as quickly as potential,” CyberArk stated.
Along with the CyberArk product vulnerabilities, Cyata researchers found flaws in one other broadly used secrets and techniques administration platform, HashiCorp Vault. A complete of 9 vulnerabilities had been discovered, a few of them permitting distant code execution and a full system takeover.
Cyata introduced its findings on Wednesday on the Black Hat convention and disclosed technical particulars in a weblog submit.
Associated: Flaws Expose 100 Dell Laptop computer Fashions to Implants, Home windows Login Bypass
Associated: Reclaiming Management: How Enterprises Can Repair Damaged Safety Operations
Associated: Flaw in Vibe Coding Platform Base44 Uncovered Personal Enterprise Purposes
