Critical HashiCorp Vulnerability Allows Attackers to Run Code on Host Machine

HashiCorp has disclosed a critical security vulnerability affecting its Vault products that could allow privileged operators to execute arbitrary code on the underlying host machine.

The flaw, designated CVE-2025-6000 and tracked as HCSEC-2025-14, impacts both Community and Enterprise editions of Vault across multiple versions spanning several years of releases.

Vulnerability Details and Impact

The flaw affects Vault Community Edition from version 0.8.0 up to and including 1.20.0, and Vault Enterprise from 0.8.0 up to and including 1.20.0, 1.19.6, 1.18.11 and 1.16.22 (the releases immediately preceding the fixed versions listed below).

Field: Details
CVE ID: CVE-2025-6000
HashiCorp Security ID: HCSEC-2025-14
Publication Date: August 1, 2025
Severity: Critical
CVSS Score: Not specified
Vulnerability Type: Code Execution via File Write

The vulnerability allows a malicious operator who holds write permission on the sys/audit endpoint in Vault's root namespace to execute code on the host, but only when Vault's server configuration sets a plugin directory.

The attack vector is Vault's file audit device: because the operator controls the device's destination path and the device writes request and response data to that path, it can be abused as an arbitrary file write on the Vault server's filesystem.

Combined with plugin registration, that file write becomes code execution: a file dropped into the configured plugin directory can be registered as a plugin and launched by Vault on the underlying infrastructure.

The chain therefore needs elevated privileges inside the root namespace, specifically write access to sys/audit, plus the ability to register plugins; it is not reachable by an unprivileged client.

Two properties of Vault make the chain harder but not impossible. Registering a plugin requires the SHA256 digest of the binary, and audit devices HMAC sensitive fields with a per-device key, so the attacker has to know the exact bytes the audit device will write before the file exists. The sys/audit-hash endpoint returns the HMAC of a supplied value for a given device, so an attacker with that access can reproduce the audit file's contents in advance and compute the digest that plugin registration expects.

Affected Systems and Exceptions

The vulnerability affects a broad range of self-managed Vault deployments. HashiCorp's managed HCP Vault Dedicated service is not affected: customers there operate inside an administrative namespace rather than the root namespace, so the root-namespace write access to sys/audit that the attack depends on is never granted to a tenant.

HashiCorp has released patches across multiple version branches to address the vulnerability.

Fixed versions are Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12 and 1.16.23. Alongside the fix, HashiCorp changed several audit-device behaviours.

The prefix option is now disabled by default for new audit devices and must be explicitly enabled with the AllowAuditLogPrefixing server configuration setting, and an audit device's destination can no longer be set to a path inside the plugin directory.

Together these changes remove the file-write primitive the attack relies on while leaving ordinary audit logging and plugin use intact.
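The following triage helper is an added example, not code from HashiCorp or from the article, covering both the affected-version ranges and the audit-device conditions described above. It assumes the input JSON is shaped like the `sys/audit` listing that `vault audit list -detailed -format=json` returns (a map from mount path to type and options), that Enterprise builds carry a `+ent` suffix in their version string, and that the plugin directory is the `plugin_directory` value from the server configuration; the sample audit listing is constructed for the demo.

```python
"""Triage helper for CVE-2025-6000 / HCSEC-2025-14 (added example, not HashiCorp code).

Two checks a practitioner wants after reading the bulletin:
  1. Is this Vault build in the affected range?
  2. Do any audit devices match the conditions the fix now refuses
     (file destination inside plugin_directory, or the prefix option set)?
"""
import json
import os
import re

# Version facts taken from the advisory as reported above.
FIRST_AFFECTED = (0, 8, 0)
COMMUNITY_FIXED = (1, 20, 1)           # 1.20.1 and later are fixed on both editions
ENTERPRISE_FIXED_BY_BRANCH = {20: 1, 19: 7, 18: 12, 16: 23}  # minor -> first fixed patch

# Constructed sample, shaped like `vault audit list -detailed -format=json` (assumption).
SAMPLE_AUDIT_LIST = json.loads("""{
  "file/": {"type": "file", "description": "", "local": false,
            "options": {"file_path": "/var/log/vault/audit.log"}},
  "file-plugins/": {"type": "file", "description": "", "local": false,
            "options": {"file_path": "/etc/vault/plugins/audit.log", "prefix": "vault: "}},
  "syslog/": {"type": "syslog", "description": "", "local": false,
            "options": {"tag": "vault"}}
}""")


def parse_version(version):
    """Parse '1.19.7+ent' or 'v1.20.0' into ((major, minor, patch), is_enterprise)."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Vault version: {version!r}")
    return tuple(int(x) for x in m.groups()), "+ent" in version


def is_affected(version):
    """True if the given Vault version is inside the HCSEC-2025-14 affected range."""
    (major, minor, patch), enterprise = parse_version(version)
    v = (major, minor, patch)
    if v < FIRST_AFFECTED:
        return False
    if v >= COMMUNITY_FIXED:
        return False
    if not enterprise:
        return True  # Community only received the fix on the 1.20 line
    fixed_patch = ENTERPRISE_FIXED_BY_BRANCH.get(minor)
    if major != 1 or fixed_patch is None:
        return True  # Enterprise branch with no listed backport (e.g. 1.17.x)
    return patch < fixed_patch


def audit_device_findings(audit_list, plugin_directory):
    """Return (mount_path, reason) pairs for audit devices matching the risky conditions.

    The code-execution chain needs plugin_directory to be configured, so the
    path check is skipped when it is not; the prefix check applies regardless.
    """
    findings = []
    plugin_dir = os.path.abspath(plugin_directory) if plugin_directory else None
    for mount, dev in audit_list.items():
        opts = dev.get("options") or {}
        file_path = opts.get("file_path", "")
        if dev.get("type") == "file" and plugin_dir and file_path not in ("", "stdout", "discard"):
            target = os.path.abspath(file_path)
            if os.path.commonpath([plugin_dir, target]) == plugin_dir:
                findings.append((mount, "file_path inside plugin_directory"))
        if "prefix" in opts:
            findings.append((mount, "prefix option set"))
    return findings


if __name__ == "__main__":
    for ver in ("1.20.0", "1.19.7", "1.19.7+ent", "1.17.5+ent", "1.16.23+ent"):
        print(f"{ver:14s} affected={is_affected(ver)}")
    for mount, reason in audit_device_findings(SAMPLE_AUDIT_LIST, "/etc/vault/plugins"):
        print(f"{mount:16s} {reason}")
```

The version logic encodes the bulletin's asymmetry: Community users on 1.19 or earlier have no patched release on their branch and must move to 1.20.1, while Enterprise users can stay on 1.19, 1.18 or 1.16 if they take the listed backport. The findings from the second check are the audit devices to reconfigure before upgrading, since the patched releases refuse those settings.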

The vulnerability was discovered and reported by Yarden Porat of Cyata Security, who followed responsible disclosure practices by coordinating with HashiCorp’s security team.

The security bulletin was published on August 1, 2025, providing organizations with immediate visibility into the risk and available remediation options.

Organizations running affected Vault versions should upgrade to the patched releases, confirm that write access to sys/audit in the root namespace is limited to the operators who genuinely need it, and review whether a plugin directory is configured and which audit devices write to the filesystem.
