Critical HashiCorp Vault Vulnerability Enables Arbitrary Code Execution on Host Systems

A critical vulnerability, tracked as CVE-2025-6000, has been disclosed in HashiCorp Vault, a widely used tool for secrets management and data protection. The flaw lets a privileged Vault operator escalate from their Vault permissions to arbitrary code execution on the host running Vault, a serious risk for any organization that treats Vault as a trust boundary between operators and the systems it runs on.

Vulnerability Overview

The vulnerability affects Vault Community Edition and Vault Enterprise from version 0.8.0 up to and including 1.20.0. It was reported by Yarden Porat of Cyata Security and disclosed on August 1, 2025. HashiCorp has released fixed versions, listed under Recommended Actions below.

Technical Details

The root cause of CVE-2025-6000 is a design flaw in Vault's audit device functionality. Audit devices record every request and response Vault handles. The `file` audit device writes those records to a `file_path` chosen by whoever enables the device, and an operator with write permission on `sys/audit` can choose any path the Vault process is able to write to. In effect, that operator can create a file at an arbitrary location on disk whose contents are partly under their control.

A malicious operator can use this to drop a file into the directory Vault is configured to load plugins from. Vault plugins are external binaries that Vault starts as separate processes and communicates with over Remote Procedure Call (RPC). Vault only launches plugins that reside in the configured plugin directory and have been registered in the plugin catalog; once the dropped file is registered and the plugin is enabled (for example, mounted as a secrets engine), Vault executes it with the privileges of the Vault process, giving the operator arbitrary code execution on the host.

Exploitation Pathway

To exploit this vulnerability, an attacker must have:

– A valid Vault token carrying privileged operator policies.

– Write permission on the `sys/audit` endpoint (to enable a `file` audit device) and on the plugin catalog (to register the dropped file).

– Access within the root namespace, where audit devices are managed.

– A `plugin_directory` set in the Vault server configuration; without it, Vault does not load plugins from disk.

The remaining obstacle is the integrity check on plugin binaries: registering a plugin in the catalog requires the SHA256 digest of the file, and Vault verifies that digest before running it, so the attacker must know the exact bytes the audit device will write. Audit devices protect sensitive request and response fields with an HMAC under a per-device key, which would normally make the logged contents unpredictable. The `sys/audit-hash` endpoint, however, returns that HMAC for any input the caller supplies, and the `prefix` option lets the operator prepend an arbitrary string to every log line without hashing. Together these allow the operator to reproduce the file's contents byte for byte, compute the matching SHA256, and register it, so the integrity check is satisfied rather than defeated.

Risk Assessment

The vulnerability has been assigned a CVSS 3.1 score of 9.1, categorizing it as critical. The primary risk is the potential for arbitrary code execution, which can lead to:

– Unauthorized access to sensitive data.

– System compromise and potential data breaches.

– Disruption of services and operations.

Note that exploitation requires an already-authenticated, highly privileged Vault identity: this is a privilege escalation from Vault operator to the underlying host, not a remotely exploitable flaw in Vault's external interfaces.

Mitigation Measures

HashiCorp has implemented several security controls to address this vulnerability:

– Disabling Prefix Option by Default: The `prefix` option is now disabled for new audit devices. To re-enable it, administrators must explicitly set `AllowAuditLogPrefixing` to `true` in the Vault server configuration; leaving it disabled removes the operator's direct control over the log file's contents.

– Restricting Audit Log Destinations: A file audit device can no longer target a path inside the configured plugin directory, which closes the primary attack pathway.
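The two conditions the fix enforces (an audit `file_path` inside `plugin_directory`, and a `prefix` in use) are also the conditions worth checking on a deployment that has not been upgraded yet. The script below is an added example, not HashiCorp code; it combines that check with the fixed-version list from the advisory so one run covers both the mitigations above and the upgrade step. It assumes its inputs are the text of `vault version`, the `plugin_directory` value from the server configuration, and the map printed by `vault audit list -detailed -format=json`; the sample values embedded in it are constructed.

```python
"""Exposure check for CVE-2025-6000.

Added example, not HashiCorp code. Inputs are assumed to be the output of
`vault version`, the `plugin_directory` setting, and the device map from
`vault audit list -detailed -format=json`; the samples below are constructed.
"""
import os
import re
from typing import Dict, List, Tuple

# Lowest fixed patch release per release line, as listed in the advisory.
# Community Edition only has a fix on the 1.20 line.
FIXED_ENTERPRISE = {(1, 20): 1, (1, 19): 7, (1, 18): 12, (1, 16): 23}
FIXED_COMMUNITY = {(1, 20): 1}

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from strings such as 'Vault v1.19.6+ent'."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return major, minor, patch


def is_patched(version_text: str) -> bool:
    """True when the running version is at or above the fix for its line."""
    major, minor, patch = parse_version(version_text)
    table = FIXED_ENTERPRISE if "+ent" in version_text else FIXED_COMMUNITY
    if (major, minor) > max(table):
        return True  # a release line newer than any listed in the advisory
    fixed_patch = table.get((major, minor))
    # Lines without a listed fix (1.17.x, anything below 1.16) remain affected
    # until they are moved to a fixed line.
    return fixed_patch is not None and patch >= fixed_patch


def path_is_inside(child: str, parent: str) -> bool:
    """True when `child` lies under `parent` after normalisation.

    commonpath() is used instead of str.startswith so that
    /opt/vault/plugins-old is not mistaken for a child of /opt/vault/plugins.
    On a live host, pass both through os.path.realpath first so a symlink
    cannot hide the real destination.
    """
    child, parent = os.path.abspath(child), os.path.abspath(parent)
    return os.path.commonpath([child, parent]) == parent


def risky_audit_devices(devices: Dict[str, dict], plugin_directory: str) -> List[str]:
    """Findings for file audit devices that match the exploit preconditions."""
    findings = []
    for name, device in devices.items():
        if device.get("type") != "file":
            continue
        options = device.get("options") or {}
        file_path = options.get("file_path", "")
        if plugin_directory and file_path and path_is_inside(file_path, plugin_directory):
            findings.append(f"{name}: file_path {file_path} is inside plugin_directory {plugin_directory}")
        if options.get("prefix"):
            findings.append(f"{name}: prefix option is set; the prefix is written to the log verbatim")
    return findings


def exposure_report(version_text: str, plugin_directory: str, devices: Dict[str, dict]) -> List[str]:
    """Everything an operator should act on, as one list of findings."""
    report = []
    if not is_patched(version_text):
        report.append(f"unpatched: {version_text.strip()} is below the fixed release for its line")
    report.extend(risky_audit_devices(devices, plugin_directory))
    return report


# Constructed sample: one benign device, one pointed at the plugin directory
# with a prefix, and a syslog device that the check ignores.
SAMPLE_VERSION = "Vault v1.19.6+ent"
SAMPLE_PLUGIN_DIR = "/opt/vault/plugins"
SAMPLE_DEVICES = {
    "file/": {"type": "file", "description": "", "local": False,
              "options": {"file_path": "/var/log/vault/audit.log"}},
    "file2/": {"type": "file", "description": "", "local": False,
               "options": {"file_path": "/opt/vault/plugins/helper", "prefix": "vault: "}},
    "syslog/": {"type": "syslog", "description": "", "local": False,
                "options": {"tag": "vault"}},
}

if __name__ == "__main__":
    for finding in exposure_report(SAMPLE_VERSION, SAMPLE_PLUGIN_DIR, SAMPLE_DEVICES):
        print(finding)
```

On the sample input the report lists three findings: the unpatched 1.19.6 Enterprise build, the `file2/` device writing under the plugin directory, and its `prefix`. A device whose path merely shares a string prefix with the plugin directory (such as `/opt/vault/plugins-old/`) is correctly not reported, which is why the check uses `commonpath` rather than a string comparison.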

Recommended Actions

Organizations using affected versions of Vault should take the following steps:

1. Upgrade Vault: Immediately upgrade to the patched versions:

– Vault Community Edition: Upgrade to version 1.20.1 or later.

– Vault Enterprise: Upgrade to version 1.20.1, 1.19.7, 1.18.12, or 1.16.23 (or a later release on the same line), depending on the currently deployed line.

2. Review Access Controls: Restrict write permission on `sys/audit`, `sys/audit-hash`, and the plugin catalog to a small set of trusted operators, and audit existing policies for broad `sys/*` grants that confer these rights implicitly.

3. Monitor Audit Logs: Review audit logs for audit devices being enabled with unusual file paths, calls to `sys/audit-hash`, and plugin catalog registrations or new plugin mounts, especially when the same identity performs them in close succession.

4. Implement Additional Security Measures: Run Vault as a dedicated, low-privilege OS user, keep the plugin directory writable only by the deployment process rather than by the Vault process itself, and add network segmentation and host-level monitoring to detect unauthorized access.
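The monitoring step above is concrete enough to automate. The script below is an added example, not HashiCorp tooling: it reads JSON audit entries, one per line as the `file` audit device writes them, and raises an alert for any identity that enables an audit device, queries `sys/audit-hash`, and registers a plugin in the catalog within one time window. It matches only `request.path`, `request.operation`, and the `auth` block, because values under `request.data` are HMACed in the log and a literal file path or prefix cannot be searched for there. The audit lines embedded in it are constructed.

```python
"""Detection of the CVE-2025-6000 operator sequence in Vault audit logs.

Added example, not HashiCorp tooling. Matches request paths only, because
request.data values are HMACed in the log. The log lines are constructed.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Path prefixes of the three steps, in the order the attack performs them.
STAGES = (
    ("sys/audit/", "enabled an audit device"),
    ("sys/audit-hash/", "queried the device HMAC"),
    ("sys/plugins/catalog/", "registered a plugin"),
)
WRITE_OPERATIONS = {"update", "create"}


def parse_time(value: str) -> datetime:
    """Parse Vault's RFC 3339 timestamps (nanosecond fraction, trailing Z)."""
    value = value.replace("Z", "+00:00")
    # datetime.fromisoformat accepts at most six fractional digits.
    value = re.sub(r"\.(\d{1,6})\d*", lambda m: "." + m.group(1).ljust(6, "0"), value)
    return datetime.fromisoformat(value)


def actor_of(entry: dict) -> str:
    """Identify the caller: display_name is readable, entity_id is the fallback."""
    auth = entry.get("auth") or {}
    return auth.get("display_name") or auth.get("entity_id") or "unknown"


def stage_hits(lines: Iterable[str]) -> Dict[str, Dict[str, datetime]]:
    """Map each actor to the first time it wrote to each stage path prefix."""
    hits: Dict[str, Dict[str, datetime]] = defaultdict(dict)
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        entry = json.loads(raw)
        if entry.get("type") != "request":
            continue  # the response entry repeats the path; count each call once
        request = entry.get("request") or {}
        if request.get("operation") not in WRITE_OPERATIONS:
            continue
        path = request.get("path", "")
        for prefix, _ in STAGES:
            if path.startswith(prefix):
                hits[actor_of(entry)].setdefault(prefix, parse_time(entry["time"]))
                break
    return hits


def detect(lines: Iterable[str], window: timedelta = timedelta(hours=1)) -> List[str]:
    """One alert per actor that completed all three stages inside `window`."""
    alerts = []
    for actor, seen in stage_hits(lines).items():
        if not all(prefix in seen for prefix, _ in STAGES):
            continue
        times = [seen[prefix] for prefix, _ in STAGES]
        span = max(times) - min(times)
        if span <= window:
            steps = ", ".join(label for _, label in STAGES)
            alerts.append(f"{actor}: {steps} within {span}")
    return alerts


# Constructed audit entries: token-ops runs the full sequence and then mounts
# the plugin; token-backup only enables a syslog device, which is routine.
SAMPLE_LOG = """\
{"time":"2025-08-01T10:00:01.123456789Z","type":"request","auth":{"display_name":"token-ops","policies":["ops-admin"]},"request":{"id":"r1","operation":"update","path":"sys/audit/file2"}}
{"time":"2025-08-01T10:00:01.223456789Z","type":"response","auth":{"display_name":"token-ops","policies":["ops-admin"]},"request":{"id":"r1","operation":"update","path":"sys/audit/file2"},"response":{}}
{"time":"2025-08-01T10:03:40Z","type":"request","auth":{"display_name":"token-ops","policies":["ops-admin"]},"request":{"id":"r2","operation":"update","path":"sys/audit-hash/file2"}}
{"time":"2025-08-01T10:09:12Z","type":"request","auth":{"display_name":"token-ops","policies":["ops-admin"]},"request":{"id":"r3","operation":"update","path":"sys/plugins/catalog/secret/helper"}}
{"time":"2025-08-01T10:10:00Z","type":"request","auth":{"display_name":"token-ops","policies":["ops-admin"]},"request":{"id":"r4","operation":"update","path":"sys/mounts/helper"}}
{"time":"2025-08-01T11:30:00Z","type":"request","auth":{"display_name":"token-backup","policies":["audit-admin"]},"request":{"id":"r5","operation":"update","path":"sys/audit/syslog"}}
{"time":"2025-08-01T11:31:00Z","type":"request","auth":{"display_name":"token-backup","policies":["audit-admin"]},"request":{"id":"r6","operation":"read","path":"sys/audit"}}
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample log this raises exactly one alert, for `token-ops`, whose three stages fall within about nine minutes; `token-backup` only enabled a device and is not reported. The window is deliberately a parameter: a patient operator could spread the steps over days, so a tighter window suppresses noise at the cost of recall, and a plugin catalog write on its own is rare enough in most deployments to deserve a lower-severity alert regardless of sequence.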

Conclusion

CVE-2025-6000 is a reminder that an operator who can point a trusted service at arbitrary file paths is one step from executing code on its host, and that fine-grained review of `sys/*` permissions matters as much as prompt patch management. Organizations should upgrade their Vault deployments to the fixed versions, confirm that no audit device writes under the plugin directory, and tighten who can manage audit devices and plugins, so that Vault remains a boundary rather than a bridge to the systems it protects.