Critical HashiCorp Vault Vulnerability Lets Privileged Operators Execute Arbitrary Code on Underlying Host
A critical HashiCorp security vulnerability affecting Vault Community Edition and Enterprise versions could allow privileged operators to execute arbitrary code on underlying host systems.
The vulnerability, tracked as CVE-2025-6000, affects Vault versions from 0.8.0 up to 1.20.0 and has been patched in recent releases.
Key Takeaways
1. CVE-2025-6000 allows privileged Vault operators to execute arbitrary code.
2. Affects Vault versions 0.8.0-1.20.0.
3. Organizations must immediately upgrade to fixed versions.
The security flaw was discovered by Yarden Porat of Cyata Security and reported through responsible disclosure practices on August 1, 2025.
Vault RCE Vulnerability
The vulnerability stems from a design flaw in Vault’s audit device functionality that allows malicious operators with write permissions to the sys/audit endpoint to exploit the file audit device mechanism.
Audit devices serve as comprehensive logging components that maintain detailed records of all Vault requests and responses, including configurable options for per-line prefixes and disk location specifications.
The exploitation pathway involves leveraging Vault’s file audit device to write arbitrary files to disk locations.
When combined with plugin registration and usage capabilities, this functionality creates a pathway for arbitrary code execution on the host system.
The attack requires the operator to have write permissions to sys/audit within Vault’s root namespace, making this a privilege escalation vulnerability rather than an external attack vector.
Technical exploitation also has to satisfy Vault’s SHA256 digest requirement for registering a file as an executable plugin.
While audit devices utilize per-device HMAC keys for data integrity, malicious operators can potentially reproduce exact audit file contents and compute necessary hashes using the sys/audit-hash endpoint.
External plugins, which run as separate standalone applications that Vault executes through RPC communication, become the execution vector once malicious files are properly positioned and registered.
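The two conditions the article describes are a file audit device whose destination falls inside the plugin directory and a configurable per-line prefix. The following is an added example, not code from the article or from HashiCorp: a review script that takes the mapping returned by GET /v1/sys/audit (or `vault audit list -detailed`) together with the server's configured plugin_directory, and reports any file audit device that writes into the plugin directory or has the `prefix` option set. The listing and plugin directory below are constructed; the mount names and paths are invented for illustration.

```python
"""Review a Vault audit-device listing for the two conditions CVE-2025-6000 combines.

Added example, not code from the article or from HashiCorp. Input is the
sys/audit listing (mount path -> device definition) and the configured
plugin_directory; output is one finding per risky setting.
"""
import os
from typing import Dict, List

# Constructed sample listing, shaped like Vault's sys/audit response.
SAMPLE_AUDIT_LISTING: Dict[str, dict] = {
    "file/": {
        "type": "file",
        "options": {"file_path": "/var/log/vault/audit.log"},
    },
    "plugins-audit/": {
        "type": "file",
        "options": {
            # Traversal components are normalised before the comparison.
            "file_path": "/opt/vault/plugins/../plugins/audit.log",
            "prefix": "vault-audit: ",
        },
    },
    "syslog/": {
        "type": "syslog",
        "options": {"tag": "vault"},
    },
}

# Assumed value of the server's plugin_directory setting (constructed).
SAMPLE_PLUGIN_DIRECTORY = "/opt/vault/plugins"


def path_inside(path: str, directory: str) -> bool:
    """True when `path` normalises to `directory` itself or a location below it."""
    path = os.path.normpath(os.path.abspath(path))
    directory = os.path.normpath(os.path.abspath(directory))
    return path == directory or path.startswith(directory + os.sep)


def audit_device_findings(listing: Dict[str, dict], plugin_directory: str) -> List[str]:
    """Return one finding string per risky setting found on a file audit device."""
    findings: List[str] = []
    for mount, device in listing.items():
        if device.get("type") != "file":
            continue  # syslog and socket devices do not write files on the host
        options = device.get("options") or {}
        file_path = options.get("file_path", "")
        if plugin_directory and file_path and path_inside(file_path, plugin_directory):
            findings.append(
                f"{mount}: file_path {file_path!r} is inside plugin_directory {plugin_directory!r}"
            )
        if options.get("prefix"):
            findings.append(f"{mount}: prefix option is set (disabled by default in fixed releases)")
    return findings


if __name__ == "__main__":
    for finding in audit_device_findings(SAMPLE_AUDIT_LISTING, SAMPLE_PLUGIN_DIRECTORY):
        print(finding)
```

Run against a real deployment, the listing would come from a token that can read sys/audit, and the plugin directory from the server configuration; any finding on a version below the fixed releases is a configuration worth removing, and on a fixed version the prefix finding shows that AllowAuditLogPrefixing has been explicitly enabled.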
Risk Factors | Details
Affected Products | Vault Community Edition: 0.8.0 – 1.20.0; Vault Enterprise: 0.8.0 – 1.20.0, 1.19.6, 1.18.11, 1.16.22, 1.15.15
Impact | Arbitrary code execution
Exploit Prerequisites | Privileged Vault operator access; write permissions to the sys/audit endpoint; access within the root namespace; plugin directory configured in Vault
CVSS 3.1 Score | 9.1 (Critical)
Mitigations
HashiCorp has implemented multiple security controls to address this vulnerability across affected product lines.
The prefix option for new audit devices is now disabled by default and must be explicitly re-enabled by setting AllowAuditLogPrefixing to true in Vault’s configuration.
Additionally, audit log destinations can no longer target plugin directories, eliminating the primary attack pathway. Affected versions include Vault Community Edition from 0.8.0 through 1.20.0, with fixes available in version 1.20.1.
Vault Enterprise users should upgrade to versions 1.20.1, 1.19.7, 1.18.12, or 1.16.23, depending on their current deployment.
Notably, HCP Vault Dedicated environments remain unaffected due to their implementation of administrative namespaces, which provide additional isolation controls.
Organizations should prioritize immediate patching given the critical nature of this vulnerability and the widespread deployment of affected Vault versions across enterprise infrastructure environments.
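To turn the version lists above into a repeatable check, here is an added example, not code from the article or from HashiCorp, that classifies a Vault version string against the affected range and the fixed releases the article names. It assumes the string looks like the `version` field returned by GET /v1/sys/health, with a `+ent` suffix on Enterprise builds (that suffix format is an assumption); where no fixed release exists for an affected Enterprise minor line, it recommends the newest fixed release listed, which is a choice made here, not a statement from the advisory.

```python
"""Classify a Vault version string against the CVE-2025-6000 affected range.

Added example, not code from the article or from HashiCorp. Affected range and
fixed releases are the ones the article lists; the '+ent' suffix is an assumed
marker for Enterprise builds.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

FIRST_AFFECTED: Version = (0, 8, 0)
LAST_AFFECTED: Version = (1, 20, 0)
CE_FIXED: Version = (1, 20, 1)
# Enterprise fixed releases by minor line, as given in the article.
ENTERPRISE_FIXED: Dict[Tuple[int, int], Version] = {
    (1, 20): (1, 20, 1),
    (1, 19): (1, 19, 7),
    (1, 18): (1, 18, 12),
    (1, 16): (1, 16, 23),
}


def parse_version(text: str) -> Tuple[Version, bool]:
    """Split '1.19.6+ent' into ((1, 19, 6), True); Community strings carry no suffix."""
    match = re.match(r"v?(\d+)\.(\d+)\.(\d+)(.*)$", text.strip())
    if not match:
        raise ValueError(f"unrecognised Vault version: {text!r}")
    version = (int(match.group(1)), int(match.group(2)), int(match.group(3)))
    return version, "ent" in match.group(4)


def assess(text: str) -> Dict[str, object]:
    """Report whether the build is affected and which fixed release to move to."""
    version, enterprise = parse_version(text)
    line = version[:2]
    if enterprise:
        fixed: Optional[Version] = ENTERPRISE_FIXED.get(line)
    else:
        # Community Edition has a fix only on the 1.20 line.
        fixed = CE_FIXED if line == CE_FIXED[:2] else None
    in_range = FIRST_AFFECTED <= version <= LAST_AFFECTED
    patched_on_line = fixed is not None and version >= fixed
    affected = in_range and not patched_on_line
    # Assumption: when no fix exists for this minor line, point at the newest fixed release.
    target = fixed if fixed is not None else CE_FIXED
    return {
        "version": text,
        "edition": "enterprise" if enterprise else "community",
        "affected": affected,
        "upgrade_to": ".".join(map(str, target)) if affected else None,
    }


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("1.20.0", "1.20.1", "1.19.6+ent", "1.19.7+ent", "1.15.15+ent"):
        print(assess(sample))
```

Numeric ordering alone would mark Enterprise 1.19.7 as affected because it sorts below 1.20.0; the per-line fixed table is what makes the check agree with the article's list of patched releases.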