Safety researchers uncovered a collection of crucial zero-day vulnerabilities in HashiCorp Vault in early August 2025, the broadly adopted secrets and techniques administration resolution.
These flaws, spanning authentication bypasses, coverage enforcement inconsistencies, and audit-log abuse, create end-to-end assault paths that culminate in distant code execution (RCE) on Vault servers.
Preliminary proof of logic-level defects emerged from handbook code critiques of Vault’s request routing and plugin interfaces, revealing stealthy logic mismatches quite than standard reminiscence corruption exploits.
As organizations more and more depend on Vault to safeguard API keys, certificates, and encryption keys in multi-cloud environments, the invention of those flaws sends shockwaves by means of the cybersecurity group.
CYATA analysts famous that some vulnerabilities continued for practically a decade, quietly embedded in core authentication flows and solely lately uncovered by meticulous handbook auditing.
Userpass Login Circulate (Supply – Cyata)
The affect extends past proof-of-concepts: attackers can chain these points to bypass lockout protections in userpass and LDAP backends, evade TOTP MFA constraints, impersonate machine identities through certificates authentication, and eventually escalate privileges from admin tokens to root.
The distant code execution approach is novel in Vault’s historical past. Reasonably than exploiting buffer overflows, adversaries leverage the archive of audit logs—written in plaintext—to inject a crafted shell payload into Vault’s plugin listing.
LDAP Login Circulate (Supply – Cyata)
By configuring an audit backend with a customized prefix containing a shebang and Bash instructions, attackers coerce Vault into writing executable scripts.
Subsequent retrieval of the precise payload through a TCP-stream audit backend permits computation of an identical SHA256 hash, satisfying Vault’s plugin registration necessities and triggering code execution.
Exploit chain (Supply – Cyata)
Organizations are urged to improve instantly to patched variations launched alongside accountable disclosure. HashiCorp has issued advisory updates addressing all 9 CVEs, reinforcing normalization routines and tightening coverage checks.
The coordinated response between CYATA and HashiCorp exemplifies efficient vulnerability administration, but underscores the necessity for deep logic validation alongside commonplace fuzzing and penetration testing.
Persistence Ways: Audit-Log-Based mostly Shell Injection
Essentially the most placing persistence tactic abuses Vault’s audit logging subsystem to implant malicious code.
Vault helps a number of concurrent audit backends, every able to writing structured JSON to arbitrary file paths with configurable file modes.
Attackers start by probing the plugin catalog endpoint (POST /v1/sys/plugins/catalog/:kind/:identify) with a non-existent plugin identify, eliciting an error that leaks absolutely the plugin_directory path. Subsequent, they permit a file-based audit backend:-
audit “file” {
log_path = “/choose/vault/plugins/evil.sh”
prefix = “#!/bin/bashn$(cat /tmp/secret_payload)n”
mode = “0755”
}
Upon sending any Vault request, the prefix is prepended to every JSON entry, inflicting Vault to create /choose/vault/plugins/evil.sh with executable permissions.
Concurrently, a TCP audit backend streams the an identical payload to an attacker-controlled socket, making certain the precise bytes will be hashed. Lastly, the adversary points:-
vault write sys/plugins/catalog/secret/evil
sha256=”” command=”evil.sh”
Vault then masses evil.sh as a plugin, executing it inside the Vault course of and granting arbitrary code execution privileges.
Whereas the next desk enumerates the important thing CVEs, their technical root causes, and attacker impacts:-
CVERoot CauseAttacker ImpactCVE-2025-6004Username lockout bypass through case and whitespaceUnlimited brute-force makes an attempt; username enumerationCVE-2025-6011Timing distinction on bcrypt skip for non-existent usersUsername validation oracle; focused credential attacksCVE-2025-6003MFA bypass when username_as_alias=true and EntityID mismatchSilently skips TOTP requirement beneath sure LDAP configurationsCVE-2025-6016Combined TOTP logic flaws (replay, charge restrict evasion)Brute-force legitimate TOTP codes; bypass one-time use and rate-limitingCVE-2025-6037CN unchecked in non-CA cert authImpersonation of arbitrary machine identities with legitimate public keyCVE-2025-5999Policy normalization mismatchAdmin can assign ” root” or uppercase “ROOT” coverage names to escalate to root privilegesCVE-2025-6000Audit-log prefix abuse for plugin creationRemote code execution with no reminiscence corruption through malicious audit-log-backed plugin registration
This wave of logic-level vulnerabilities highlights that even memory-safe architectures can harbor crucial flaws when enter normalization and coverage enforcement diverge.
Cybersecurity groups should increase black-box testing with thorough supply evaluation to uncover refined trust-model inconsistencies earlier than adversaries exploit them.
Equip your SOC with full entry to the most recent menace information from ANY.RUN TI Lookup that may Enhance incident response -> Get 14-day Free Trial
