Security researchers uncovered a series of critical zero-day vulnerabilities in HashiCorp Vault in early August 2025, the widely adopted secrets management solution.<\/p>\n
These flaws, spanning authentication bypasses, policy enforcement inconsistencies, and audit-log abuse, create end-to-end attack paths that culminate in remote code execution (RCE) on Vault servers.<\/p>\n
Initial evidence of logic-level defects emerged from manual code reviews of Vault\u2019s request routing and plugin interfaces, revealing stealthy logic mismatches rather than conventional memory corruption exploits.<\/p>\n
As organizations increasingly rely on Vault to safeguard API keys, certificates, and encryption keys in multi-cloud environments, the discovery of these flaws sends shockwaves through the cybersecurity community.<\/p>\n
CYATA analysts noted<\/a> that some vulnerabilities persisted for nearly a decade, quietly embedded in core authentication flows and only recently exposed by meticulous manual auditing.<\/p>\n The impact extends beyond proof-of-concepts: attackers can chain these issues to bypass lockout protections in userpass and LDAP backends, evade TOTP MFA<\/a> constraints, impersonate machine identities via certificate authentication, and finally escalate privileges from admin tokens to root.<\/p>\n The remote code execution technique is novel in Vault\u2019s history. Rather than exploiting buffer overflows, adversaries leverage the archive of audit logs\u2014written in plaintext\u2014to inject a crafted shell payload into Vault\u2019s plugin directory.<\/p>\n By configuring an audit backend with a custom Subsequent retrieval of the exact payload via a TCP-stream audit backend allows computation of a matching SHA256 hash, satisfying Vault\u2019s plugin registration requirements and triggering code execution<\/a>.<\/p>\n Organizations are urged to upgrade immediately to patched versions released alongside responsible disclosure. HashiCorp has issued advisory updates addressing all nine CVEs, reinforcing normalization routines and tightening policy checks.<\/p>\n The coordinated response between CYATA and HashiCorp exemplifies effective vulnerability management, yet underscores the need for deep logic validation alongside standard fuzzing and penetration testing.<\/p>\n The most striking persistence tactic abuses Vault\u2019s audit logging subsystem to implant malicious code.<\/p>\n Vault supports multiple concurrent audit backends, each capable of writing structured JSON<\/a> to arbitrary file paths with configurable file modes.<\/p>\n Attackers begin by probing the plugin catalog endpoint ( Upon sending any Vault request, the prefix is prepended to each JSON entry, causing Vault to create Simultaneously, a TCP audit backend streams the identical payload to an attacker-controlled socket, ensuring the exact bytes can be hashed. Finally, the adversary issues:-<\/p>\n Vault then loads While the following table enumerates the key CVEs, their technical root causes, and attacker impacts:-<\/p>\n This wave of logic-level vulnerabilities highlights that even memory-safe architectures can harbor critical flaws when input normalization and policy enforcement diverge.<\/p>\n Cybersecurity teams must augment black-box testing with thorough source analysis to uncover subtle trust-model inconsistencies before adversaries exploit them.<\/p>\n Equip your SOC with full access to the latest threat data from\u00a0ANY.RUN TI Lookup<\/strong>\u00a0that can Improve incident response ->\u00a0Get 14-day\u00a0Free\u00a0Trial<\/a><\/strong><\/p>\n The post HashiCorp Vault 0-Day Vulnerabilities Let Attackers Execute Remote Code<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjGAN1LWGUZJi4krWUdVoQARw6sXYkUF7I0FN-hUeJfv19JJL3_ecrQlFmbitVzee6zMBKIzI4KRvln3SoLyX_CWxtgx42zk4f17HS-EjOIIc2d9YrgF8tvW3v2alDk_RFQcWD3ntCk7h3CvmYq2uDFCCNhf4QjiHGtDgGgWOjWb2f-BEcDkMwLQPAgx_s\/s16000\/Userpass%2520Login%2520Flow%2520%28Source%2520-%2520Cyata%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhOJTB5a-7rhUiTVVAf0d6K5B6K7h7Zknu5lvD0EfDwrimRgmE6ONp_PFngNxuQtSgsp5N-qBSQtJzV0C_mjMuh0BD9xlvUx9ug0lOfgoC1EOCGHG7NiK9dTcscYsn1yUKYw8hdExj0ytFROC2iHLTR8iUK3zBQacBSvfg3d423OnpNNsCDTzgnLLvKKt0\/s16000\/LDAP%2520Login%2520Flow%2520%28Source%2520-%2520Cyata%29.webp?ssl=1\")
prefix<\/code> containing a shebang and Bash commands, attackers coerce Vault into writing executable scripts.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgOoCVFuM-IycE7MeuGgI8uAWOk2EYfeVtiILxeCoYUjUHOcCqgUTZFnk4Q6dtJMabSoL-spU5tc2-lFuzXgTk3yrHhQ4FFkybBUS8l4DGffer3jznoextgNhMr9Sms-tk74xJ8GVuZytvAcu3rKwaTqq0s1H1wcoQq-AwuvdYTxKcXUJXyqUWnYYA45qU\/s16000\/Exploit%2520chain%2520%28Source%2520-%2520Cyata%29.webp?ssl=1\")
Persistence Tactics: Audit-Log-Based Shell Injection<\/strong><\/h2>\n
POST \/v1\/sys\/plugins\/catalog\/:type\/:name<\/code>) with a non-existent plugin name, eliciting an error that leaks the absolute plugin_directory<\/code> path. Next, they enable a file-based audit backend:-<\/p>\naudit \"file\" {\n log_path = \"\/opt\/vault\/plugins\/evil.sh\"\n prefix = \"#!\/bin\/bashn$(cat \/tmp\/secret_payload)n\"\n mode = \"0755\"\n}<\/code><\/pre>\n\/opt\/vault\/plugins\/evil.sh<\/code> with executable permissions.<\/p>\nvault write sys\/plugins\/catalog\/secret\/evil \n sha256=\"\" command=\"evil.sh\"<\/code><\/pre>\nevil.sh<\/code> as a plugin, executing it within the Vault process and granting arbitrary code execution privileges.<\/p>\n\n\n
\n \nCVE<\/th>\n Root Cause<\/th>\n Attacker Impact<\/th>\n<\/tr>\n<\/thead>\n \n CVE-2025-6004<\/td>\n Username lockout bypass via case and whitespace<\/td>\n Unlimited brute-force attempts; username enumeration<\/td>\n<\/tr>\n \n CVE-2025-6011<\/td>\n Timing difference on bcrypt skip for non-existent users<\/td>\n Username validation oracle; targeted credential attacks<\/td>\n<\/tr>\n \n CVE-2025-6003<\/td>\n MFA bypass when username_as_alias=true<\/code> and EntityID mismatch<\/td>\nSilently skips TOTP requirement under certain LDAP configurations<\/td>\n<\/tr>\n \n CVE-2025-6016<\/td>\n Combined TOTP logic flaws (replay, rate limit evasion)<\/td>\n Brute-force valid TOTP codes; bypass one-time use and rate-limiting<\/td>\n<\/tr>\n \n CVE-2025-6037<\/td>\n CN unchecked in non-CA cert auth<\/td>\n Impersonation of arbitrary machine identities with valid public key<\/td>\n<\/tr>\n \n CVE-2025-5999<\/td>\n Policy normalization mismatch<\/td>\n Admin can assign \" root\"<\/code> or uppercase \"ROOT\"<\/code> policy names to escalate to root<\/code> privileges<\/td>\n<\/tr>\n\n CVE-2025-6000<\/td>\n Audit-log prefix abuse for plugin creation<\/td>\n Remote code execution with no memory corruption via malicious audit-log-backed plugin registration<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n