HashiCorp Vault 0-Day Flaws Enable Remote Code Execution Attacks

Researchers at Cyata have disclosed nine previously unknown zero-day vulnerabilities in HashiCorp Vault, a widely adopted open-source secrets management platform, enabling attackers to bypass authentication, escalate privileges, and achieve remote code execution (RCE).

These flaws, assigned CVEs through responsible disclosure and patched in collaboration with HashiCorp, stem from subtle logic errors in core components like authentication backends, multi-factor authentication (MFA) enforcement, policy normalization, and plugin handling.

Affecting both open-source and enterprise editions, the vulnerabilities highlight systemic weaknesses in Vault’s trust model, where misconfigurations amplify risks, potentially leading to infrastructure-wide compromise.

The issues span multiple authentication methods, starting with the userpass backend, where CVE-2025-6004 allows lockout bypass via username case permutations, resetting failure counters and facilitating brute-force attacks.

Figure: The Full Login Flow

Similarly, CVE-2025-6011 enables timing-based username enumeration through inconsistent bcrypt hash comparisons, leaking whether a given username exists.

In LDAP integrations, CVE-2025-6004 exploits input normalization mismatches between Vault and external servers, permitting billions of password guesses by varying casing and whitespace, effectively nullifying brute-force protections.

CVE-2025-6003 further enables MFA bypass in configurations with username_as_alias enabled and entity-level enforcement, failing to trigger required challenges due to entity ID resolution errors.

Remote Code Execution

Figure: enabling userpass

TOTP MFA protections are undermined by aggregated flaws under CVE-2025-6016, including used passcode enumeration via error messages, one-time-use bypass through space padding (exploiting discrepancies between validation and caching), and rate-limiting evasion via time skew or entity switching.

These allow brute-forcing MFA codes within validity windows, reducing the second factor’s efficacy.

Certificate-based authentication suffers from CVE-2025-6037, where non-CA mode verifies only public keys, permitting attackers with private key access to forge Common Names (CNs) and impersonate entities, inheriting associated policies and enabling lateral movement.

Privilege escalation is achieved via CVE-2025-5999, exploiting policy normalization mismatches: validation rejects exact “root” assignments, but variants like “ root” or “ROOT” pass checks and normalize to full root privileges at runtime, allowing admin users to gain unrestricted control.
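The ordering bug described above, as an added illustrative example in Go (not Vault's own code; the trim-and-lowercase normalization rule, the function names and the error value are assumptions): validating the raw string and normalizing afterwards leaves variants unchecked, while normalizing first and validating the canonical form closes the gap.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

var ErrRootAssignment = errors.New("assigning the root policy is not permitted")
// normalizePolicy stands in for the runtime canonicalisation step: trim and
// lowercase, so " root" and "ROOT" both resolve to "root". (Assumed rule.)
func normalizePolicy(name string) string {
	return strings.ToLower(strings.TrimSpace(name))
}

// vulnerableAssign checks the raw input, then normalizes: only the literal
// "root" is rejected, so " root" or "ROOT" pass and become "root" at runtime.
func vulnerableAssign(requested []string) ([]string, error) {
	for _, p := range requested {
		if p == "root" {
			return nil, ErrRootAssignment
		}
	}
	effective := make([]string, 0, len(requested))
	for _, p := range requested {
		effective = append(effective, normalizePolicy(p))
	}
	return effective, nil
}

// hardenedAssign normalizes first and validates the canonical form, so every
// spelling that would resolve to "root" is rejected before it takes effect.
func hardenedAssign(requested []string) ([]string, error) {
	effective := make([]string, 0, len(requested))
	for _, p := range requested {
		canon := normalizePolicy(p)
		if canon == "root" {
			return nil, ErrRootAssignment
		}
		effective = append(effective, canon)
	}
	return effective, nil
}

func main() {
	for _, in := range [][]string{{"default", "root"}, {"default", " root"}, {"default", "ROOT"}} {
		v, vErr := vulnerableAssign(in)
		h, hErr := hardenedAssign(in)
		fmt.Printf("%q\n  vulnerable: %v (%v)\n  hardened:   %v (%v)\n", in, v, vErr, h, hErr)
	}
}
```

The same check-after-canonicalisation rule applies to any identifier used as a security key, such as the usernames behind lockout counters.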

Culminating in CVE-2025-6000, the first public RCE in Vault, attackers abuse audit logging to write executable payloads into the plugin directory (whose location is revealed via error messages), set executable modes, capture the required hashes through dual backends, and load the files as plugins, executing arbitrary code.

This chain, present for nearly a decade, leverages trusted features without memory corruption.

Implications for Infrastructure Security

These vulnerabilities, some dating back eight to nine years, form exploitable chains from initial authentication bypass to root escalation and RCE, as demonstrated in paths targeting userpass, LDAP, and cert methods.

Post-exploitation risks include ransomware via encryption key deletion or stealthy persistence through control group subversion.

According to the report, Cyata’s methodology emphasized manual code review of request handling and identity logic, uncovering flaws overlooked by automated tools.

Organizations should upgrade to patched versions, audit configurations for vulnerable settings like username_as_alias or permissive policies, and monitor for anomalous authentication attempts.

This disclosure underscores that logic flaws in trust anchors like Vault can subvert entire security models, urging rigorous identity and policy enforcement in secrets management.
