A critical vulnerability in HashiCorp Vault, designated CVE-2025-6000, carries a CVSS score of 9.1 and requires urgent remediation. The flaw lets privileged operators with write permission on the sys/audit namespace execute arbitrary code on the host system. The exploit relies on misconfigured audit devices, specifically crafted audit files combined with plugin registration.
Although this vulnerability affects Vault Community Edition and several Enterprise versions, it does not affect HCP Vault Dedicated because of that product's distinct administrative namespace architecture. The flaw also requires high-level permissions, which limits who is in a position to exploit it.
The technical mechanics of the exploit show how a malicious operator can misuse the sys/audit endpoint to write arbitrary files to disk through Vault’s file audit device. By combining plugin registration with manipulation of the audit file, the attacker can achieve code execution.
Although HMAC protection and SHA-256 digest checks are in place, they can be circumvented by replicating the contents of audit files and generating matching hashes with the sys/audit-hash endpoint. Because external plugins run as separate processes started by Vault, this configuration considerably broadens the attack surface for remote code execution.
The impact of this vulnerability is severe. It allows a privileged user to take over entire servers running Vault, posing a considerable threat to the infrastructure that depends on Vault’s secret management. A compromise could lead to unauthorized data access, disruption of services, and persistent malicious control within enterprise environments. Notably, as of the latest reports, no active public exploits or proof-of-concept code have been identified.
HashiCorp has addressed the vulnerability with patches in Vault CE version 1.20.1 and the corresponding Enterprise releases; the severity of the flaw underscores the importance of upgrading promptly. Recommended mitigation steps include upgrading to the patched versions, disabling audit log prefixing, and ensuring that audit logs are written outside the plugin directory.
Operators are also advised to limit privileged permissions on the sys/audit namespace and to audit plugin configurations regularly.
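The two configuration checks recommended above (no audit log prefix, audit files kept out of the plugin directory) can be automated. The following is an added example, not code from HashiCorp or from this article; it assumes the JSON shape produced by `vault audit list -format=json` and the `plugin_directory` value from the Vault server configuration, and the sample audit list is constructed for illustration.

```python
import json
from pathlib import Path

# Constructed sample of `vault audit list -format=json` output (illustrative only).
# Device "plugin_audit/" violates both mitigations: its file lives under the
# plugin directory and it sets a prefix option.
SAMPLE_AUDIT_LIST = json.dumps({
    "file/": {
        "type": "file",
        "description": "primary audit log",
        "options": {"file_path": "/var/log/vault/audit.log"},
        "local": False,
    },
    "plugin_audit/": {
        "type": "file",
        "description": "misconfigured device",
        "options": {"file_path": "/opt/vault/plugins/audit.log", "prefix": "x"},
        "local": False,
    },
    "syslog/": {"type": "syslog", "description": "", "options": {}, "local": False},
})

SPECIAL_TARGETS = {"stdout", "discard"}  # file_path values that are not real files


def audit_findings(audit_list_json: str, plugin_directory: str) -> list[tuple[str, str]]:
    """Return (device_path, reason) for every file audit device that either
    writes inside plugin_directory or has a non-empty prefix option."""
    findings: list[tuple[str, str]] = []
    plugin_dir = Path(plugin_directory).resolve()
    for device, spec in json.loads(audit_list_json).items():
        if spec.get("type") != "file":
            continue  # only the file audit device writes to local disk
        opts = spec.get("options") or {}
        file_path = opts.get("file_path", "")
        if file_path and file_path not in SPECIAL_TARGETS:
            # resolve() normalises ".." segments and symlinks without requiring existence
            if Path(file_path).resolve().is_relative_to(plugin_dir):
                findings.append((device, "file_path inside plugin_directory"))
        if opts.get("prefix"):
            findings.append((device, "prefix option set"))
    return findings


if __name__ == "__main__":
    for device, reason in audit_findings(SAMPLE_AUDIT_LIST, "/opt/vault/plugins"):
        print(f"{device}: {reason}")
```

Feed it the real `vault audit list -format=json` output and the configured `plugin_directory`; an empty result means both mitigations hold for every file audit device.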