In a recently disclosed advisory, HashiCorp has patched a critical vulnerability, CVE-2025-6000, in Vault, its industry-standard secrets management solution. With a CVSS score of 9.1, this flaw could allow privileged Vault operators to execute arbitrary code on the underlying host system under certain misconfigurations.
“A privileged Vault operator within the root namespace with write permission to sys/audit may obtain code execution on the underlying host if a plugin directory is set in Vault’s configuration,” HashiCorp stated in its official summary.
The flaw stems from how Vault handles audit devices, the components that keep a detailed log of every API request and response within Vault. Because the file audit device writes that log to an operator-chosen path on disk, a misused audit device can be leveraged to write arbitrary files to the host filesystem.
In particular, a malicious operator with write access to the sys/audit endpoint could craft a payload that is:
- Written to the plugin directory using Vault’s file audit device.
- Registered as a Vault external plugin.
- Executed by the Vault process after calculating the required SHA256 hash (with help from the sys/audit-hash endpoint).
“While the SHA256 digest of the file is required for execution… it may be possible for a malicious operator to reproduce the exact contents of a given audit file and compute the hash,” the advisory warns.
This vulnerability affects all installations of:
- Vault Community Edition prior to 1.20.1
- Vault Enterprise prior to 1.20.1, 1.19.7, 1.18.12, and 1.16.23
However, HCP Vault Dedicated is not vulnerable. Thanks to its use of administrative namespaces, Vault Dedicated does not expose the sys/audit endpoint to users.
“This vulnerability cannot be exploited in HCP Vault Dedicated due to its use of administrative namespaces,” the advisory confirms.
HashiCorp has implemented several mitigations in the patched versions:
- The prefix option for audit logs is now disabled by default. Enabling it requires explicitly setting AllowAuditLogPrefixing to true.
- Audit logs can no longer be written to plugin directories, blocking one of the key vectors for exploitation.
HashiCorp strongly recommends that users:
- Upgrade to a patched version immediately.
- Audit permissions to sys/audit within the root namespace.
- Avoid co-locating plugin directories with audit log destinations.
For general upgrade instructions, HashiCorp provides guidance here.
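As an added example (not code from HashiCorp or the advisory), the following Python check covers the recommendations above: it compares a Vault version string against the fixed releases listed, and scans the audit device listing for a file audit device whose destination lies inside the configured plugin directory or that uses the prefix option. It assumes the listing is the parsed JSON of `vault audit list -detailed -format=json` and that the plugin directory is the plugin_directory value from the server configuration; the sample listing is constructed.

```python
import os
import re

# Fixed releases named in the advisory. CE: 1.20.1; Enterprise: 1.20.1, 1.19.7, 1.18.12, 1.16.23.
FIXED_CE = {(1, 20): (1, 20, 1)}
FIXED_ENT = {(1, 20): (1, 20, 1), (1, 19): (1, 19, 7), (1, 18): (1, 18, 12), (1, 16): (1, 16, 23)}

def parse_version(version):
    """Turn '1.19.3+ent' into ((1, 19, 3), True); the '+ent' suffix marks Enterprise."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Vault version: {version!r}")
    return tuple(int(x) for x in m.groups()), "+ent" in version

def is_patched(version):
    """True when the build is at or above the fixed release for its edition and branch.
    A branch with no listed fix (e.g. 1.17 Enterprise or 1.19 CE) counts as vulnerable;
    a branch newer than every listed fix counts as fixed."""
    ver, ent = parse_version(version)
    table = FIXED_ENT if ent else FIXED_CE
    branch = ver[:2]
    return ver >= table[branch] if branch in table else branch > max(table)

def risky_audit_devices(plugin_directory, audit_devices):
    """Flag file audit devices whose file_path lies inside plugin_directory, or that set the
    prefix option. audit_devices: parsed `vault audit list -detailed -format=json` (assumed shape)."""
    plugin_dir = os.path.realpath(plugin_directory)
    findings = {}
    for name, dev in audit_devices.items():
        if dev.get("type") != "file":
            continue  # only the file device writes to the host filesystem
        opts = dev.get("options", {})
        reasons = []
        path = opts.get("file_path", "")
        if path not in ("", "stdout", "discard"):  # special destinations never hit disk
            if os.path.commonpath([plugin_dir, os.path.realpath(path)]) == plugin_dir:
                reasons.append("audit file inside plugin_directory")
        if opts.get("prefix"):
            reasons.append("prefix option set")
        if reasons:
            findings[name] = reasons
    return findings

# Constructed sample in the shape of `vault audit list -detailed -format=json` output.
SAMPLE_AUDIT_LIST = {
    "file/": {"type": "file", "options": {"file_path": "/opt/vault/plugins/audit.log", "prefix": "vault:"}},
    "safe/": {"type": "file", "options": {"file_path": "/var/log/vault/audit.log"}},
    "syslog/": {"type": "syslog", "options": {}},
}
```

Against a real deployment, feed the output of `vault audit list -detailed -format=json` through json.load and the plugin_directory from the server config; an empty result together with a patched version is the state the mitigations above aim for.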