Security researchers uncovered a series of critical zero-day vulnerabilities in HashiCorp Vault in early August 2025, the widely adopted secrets management solution.
These flaws, spanning authentication bypasses, policy enforcement inconsistencies, and audit-log abuse, create end-to-end attack paths that culminate in remote code execution (RCE) on Vault servers.
Initial evidence of logic-level defects emerged from manual code reviews of Vault’s request routing and plugin interfaces, revealing stealthy logic mismatches rather than conventional memory corruption exploits.
As organizations increasingly rely on Vault to safeguard API keys, certificates, and encryption keys in multi-cloud environments, the discovery of these flaws sends shockwaves through the cybersecurity community.
CYATA analysts noted that some vulnerabilities persisted for nearly a decade, quietly embedded in core authentication flows and only recently exposed by meticulous manual auditing.
.webp "HashiCorp Vault 0-Day Vulnerabilities Let Attackers Execute Remote Code 3")
The impact extends beyond proof-of-concepts: attackers can chain these issues to bypass lockout protections in userpass and LDAP backends, evade TOTP MFA constraints, impersonate machine identities via certificate authentication, and finally escalate privileges from admin tokens to root.
The remote code execution technique is novel in Vault’s history. Rather than exploiting buffer overflows, adversaries leverage the archive of audit logs—written in plaintext—to inject a crafted shell payload into Vault’s plugin directory.
.webp "HashiCorp Vault 0-Day Vulnerabilities Let Attackers Execute Remote Code 4")
By configuring an audit backend with a custom prefix containing a shebang and Bash commands, attackers coerce Vault into writing executable scripts.
Subsequent retrieval of the exact payload via a TCP-stream audit backend allows computation of a matching SHA256 hash, satisfying Vault’s plugin registration requirements and triggering code execution.
.webp "HashiCorp Vault 0-Day Vulnerabilities Let Attackers Execute Remote Code 5")
Organizations are urged to upgrade immediately to patched versions released alongside responsible disclosure. HashiCorp has issued advisory updates addressing all nine CVEs, reinforcing normalization routines and tightening policy checks.
The coordinated response between CYATA and HashiCorp exemplifies effective vulnerability management, yet underscores the need for deep logic validation alongside standard fuzzing and penetration testing.
Persistence Tactics: Audit-Log-Based Shell Injection
The most striking persistence tactic abuses Vault’s audit logging subsystem to implant malicious code.
Vault supports multiple concurrent audit backends, each capable of writing structured JSON to arbitrary file paths with configurable file modes.
Attackers begin by probing the plugin catalog endpoint (POST /v1/sys/plugins/catalog/:type/:name) with a non-existent plugin name, eliciting an error that leaks the absolute plugin_directory path. Next, they enable a file-based audit backend:-
audit "file" {
log_path = "/opt/vault/plugins/evil.sh"
prefix = "#!/bin/bashn$(cat /tmp/secret_payload)n"
mode = "0755"
}Upon sending any Vault request, the prefix is prepended to each JSON entry, causing Vault to create /opt/vault/plugins/evil.sh with executable permissions.
Simultaneously, a TCP audit backend streams the identical payload to an attacker-controlled socket, ensuring the exact bytes can be hashed. Finally, the adversary issues:-
vault write sys/plugins/catalog/secret/evil
sha256="" command="evil.sh"Vault then loads evil.sh as a plugin, executing it within the Vault process and granting arbitrary code execution privileges.
While the following table enumerates the key CVEs, their technical root causes, and attacker impacts:-
| CVE | Root Cause | Attacker Impact |
|---|---|---|
| CVE-2025-6004 | Username lockout bypass via case and whitespace | Unlimited brute-force attempts; username enumeration |
| CVE-2025-6011 | Timing difference on bcrypt skip for non-existent users | Username validation oracle; targeted credential attacks |
| CVE-2025-6003 | MFA bypass when username_as_alias=true and EntityID mismatch |
Silently skips TOTP requirement under certain LDAP configurations |
| CVE-2025-6016 | Combined TOTP logic flaws (replay, rate limit evasion) | Brute-force valid TOTP codes; bypass one-time use and rate-limiting |
| CVE-2025-6037 | CN unchecked in non-CA cert auth | Impersonation of arbitrary machine identities with valid public key |
| CVE-2025-5999 | Policy normalization mismatch | Admin can assign " root" or uppercase "ROOT" policy names to escalate to root privileges |
| CVE-2025-6000 | Audit-log prefix abuse for plugin creation | Remote code execution with no memory corruption via malicious audit-log-backed plugin registration |
This wave of logic-level vulnerabilities highlights that even memory-safe architectures can harbor critical flaws when input normalization and policy enforcement diverge.
Cybersecurity teams must augment black-box testing with thorough source analysis to uncover subtle trust-model inconsistencies before adversaries exploit them.
Equip your SOC with full access to the latest threat data from ANY.RUN TI Lookup that can Improve incident response -> Get 14-day Free Trial
Source link
