Security researchers at Cyata have disclosed nine critical zero-day vulnerabilities in HashiCorp Vault, the widely adopted secrets management platform that organizations worldwide rely on as the backbone of their digital infrastructure.
The flaws bypass authentication controls and enable privilege escalation, and among them is the first publicly reported remote code execution (RCE) vulnerability in Vault's history.
The vulnerabilities were found through weeks of manual code analysis targeting Vault's core authentication and policy enforcement mechanisms.
All issues have been patched following responsible disclosure to HashiCorp; the assigned CVE identifiers span CVE-2025-5999 through CVE-2025-6037.
Authentication Bypasses Undermine Core Security
The research team identified multiple logic flaws in Vault's core authentication methods, including the userpass and LDAP backends used across production environments.

CVE-2025-6004 lets an attacker bypass account lockout protections by varying the casing of a username, allowing unlimited brute-force attempts against a single account.
In LDAP configurations, CVE-2025-6003 bypasses multi-factor authentication (MFA) enforcement when specific configuration conditions are met.
The flaw stems from a mismatch between the identity Vault resolves for the user during login and the EntityID against which MFA policies are enforced.
Perhaps most concerning, CVE-2025-6016 chains several logic flaws in Vault's Time-based One-Time Password (TOTP) MFA implementation to undermine the protection completely.
An attacker can enumerate previously used passcodes, replay a consumed passcode by padding it with spaces so the one-time-use restriction no longer applies, and evade rate limiting by switching between entities.
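The lockout bypass and the padded-passcode replay described above share one shape: per-user or per-code state is keyed by the string the client sent, while the actual credential check runs on a canonicalized copy of it. The following Go program is an added illustration of that bug class, written for this article; it is not Vault's code. The specific mechanics (a case-insensitive user lookup beside a lockout counter keyed on the raw username, a whitespace-trimming TOTP check beside an untrimmed used-code set) are assumptions chosen to match the behaviour the advisory describes, not a description of Vault's internals, and the "current" TOTP code 123456 is a constructed constant.

```go
package main

import (
	"fmt"
	"strings"
)

// Backend is a toy auth backend written for this article (not Vault's code).
// With strict=false, lockout and used-code state is keyed by the raw client
// input while lookups canonicalize it; with strict=true the same canonical
// form is used for both, which is the fix.
type Backend struct {
	users    map[string]string // canonical username -> password
	failures map[string]int    // consecutive failed logins, per lockout key
	usedOTPs map[string]bool   // one-time codes already redeemed
	maxFails int
	strict   bool // canonicalize before keying state (hardened behaviour)
}

func canonUser(u string) string { return strings.ToLower(strings.TrimSpace(u)) }
func canonCode(c string) string { return strings.TrimSpace(c) }

func NewBackend(strict bool) *Backend {
	return &Backend{
		users:    map[string]string{"alice": "correct horse"}, // constructed user
		failures: map[string]int{},
		usedOTPs: map[string]bool{},
		maxFails: 3,
		strict:   strict,
	}
}

// Login returns "ok", "locked" or "bad credentials".
func (b *Backend) Login(username, password string) string {
	lockKey := username
	if b.strict {
		lockKey = canonUser(username)
	}
	if b.failures[lockKey] >= b.maxFails {
		return "locked" // guess rejected before the password is evaluated
	}
	pw, exists := b.users[canonUser(username)] // lookup is case-insensitive either way
	if !exists || pw != password {
		b.failures[lockKey]++
		return "bad credentials"
	}
	b.failures[lockKey] = 0
	return "ok"
}

// RedeemOTP accepts a code once. valid stands in for the TOTP window check,
// which (by assumption) verifies the trimmed code.
func (b *Backend) RedeemOTP(code string, valid func(string) bool) bool {
	key := code
	if b.strict {
		key = canonCode(code)
	}
	if b.usedOTPs[key] {
		return false
	}
	if !valid(canonCode(code)) {
		return false
	}
	b.usedOTPs[key] = true
	return true
}

// GuessesEvaluated counts how many wrong-password guesses reach the password
// comparison when the attacker rotates through casing variants of one username.
func GuessesEvaluated(strict bool) int {
	b := NewBackend(strict)
	variants := []string{"alice", "Alice", "ALICE", "aLiCe"}
	evaluated := 0
	for _, name := range variants {
		for i := 0; i < b.maxFails; i++ {
			if b.Login(name, "wrong") == "bad credentials" {
				evaluated++
			}
		}
	}
	return evaluated
}

// OTPReplayAccepted reports whether a space-padded copy of an already redeemed
// code is accepted a second time.
func OTPReplayAccepted(strict bool) bool {
	b := NewBackend(strict)
	isValid := func(c string) bool { return c == "123456" } // constructed current code
	if !b.RedeemOTP("123456", isValid) {
		panic("first redemption must succeed")
	}
	return b.RedeemOTP("123456 ", isValid)
}

func main() {
	fmt.Println("guesses evaluated, lax backend:   ", GuessesEvaluated(false))
	fmt.Println("guesses evaluated, strict backend:", GuessesEvaluated(true))
	fmt.Println("padded OTP replay, lax backend:   ", OTPReplayAccepted(false))
	fmt.Println("padded OTP replay, strict backend:", OTPReplayAccepted(true))
}
```

With the lax backend the attacker gets three full guesses per casing variant, so four spellings of one username yield twelve evaluated guesses instead of three, and the padded code replays successfully; the strict backend keys both counters on the canonical form and both attacks fail. The entity-switching rate-limit evasion mentioned above is the same defect one layer up: a limiter keyed by something the client can vary is not a limiter.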

Root Privilege Escalation and Certificate Impersonation
The vulnerabilities extend beyond authentication into Vault's authorization layer. CVE-2025-5999 allows an admin user to escalate to root by exploiting flaws in how policy names are normalized.
The flaw bypasses Vault's hardcoded protection against assigning the root policy.
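The article attributes the root escalation to policy name normalization. One common form of that bug, shown here as an added Go illustration rather than Vault's actual code, is a denylist check applied to the raw policy name before a later canonicalization step lowercases and trims it: a name such as " Root" passes the check and becomes "root" afterwards. Whether this is exactly the path CVE-2025-5999 took is not stated on this page; the function names, the canonicalization rule and the policy strings are the example's own assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrRootReserved stands in for the hardcoded refusal to hand out root.
var ErrRootReserved = errors.New("the root policy cannot be assigned")

// canonPolicy is the assumed normalization step: policy names are stored and
// compared after trimming whitespace and lowercasing.
func canonPolicy(p string) string { return strings.ToLower(strings.TrimSpace(p)) }

// AssignPoliciesVulnerable applies the root check to the names as received and
// only afterwards canonicalizes them, so " Root" slips past the check and is
// stored as "root".
func AssignPoliciesVulnerable(requested []string) ([]string, error) {
	for _, p := range requested {
		if p == "root" {
			return nil, ErrRootReserved
		}
	}
	out := make([]string, 0, len(requested))
	for _, p := range requested {
		out = append(out, canonPolicy(p))
	}
	return out, nil
}

// AssignPoliciesFixed canonicalizes each name first and checks the canonical
// form, so every spelling that would become "root" is refused.
func AssignPoliciesFixed(requested []string) ([]string, error) {
	out := make([]string, 0, len(requested))
	for _, p := range requested {
		c := canonPolicy(p)
		if c == "root" {
			return nil, ErrRootReserved
		}
		out = append(out, c)
	}
	return out, nil
}

// GrantsRoot reports whether an assigned policy list contains root, which is
// the outcome the attacker is after regardless of how the name was spelled.
func GrantsRoot(policies []string) bool {
	for _, p := range policies {
		if p == "root" {
			return true
		}
	}
	return false
}

func main() {
	request := []string{"default", " Root"} // constructed attacker input
	for name, assign := range map[string]func([]string) ([]string, error){
		"vulnerable": AssignPoliciesVulnerable,
		"fixed":      AssignPoliciesFixed,
	} {
		got, err := assign(request)
		fmt.Printf("%-10s policies=%v err=%v grantsRoot=%v\n", name, got, err, GrantsRoot(got))
	}
}
```

The general rule the fixed variant follows is to run every security check on the same canonical value that will be stored or compared later; any check that sees a different representation than the consumer is a check the attacker can route around.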
Additionally, CVE-2025-6037 affects certificate-based authentication in non-CA mode: an attacker who holds the private key behind a trusted certificate can issue a new certificate for the same key with a forged Common Name, and because the public key still matches, Vault accepts the forged name and treats the attacker as a different machine identity.
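The following Go program is an added example of the impersonation pattern described for non-CA mode, built with the standard library's crypto/x509; it is not Vault's cert auth backend. It models a role that stores one trusted leaf certificate and a login check that, in the vulnerable variant, compares only the public key and then takes the identity from the presented certificate's Common Name; the hardened variant accepts only the byte-identical trusted certificate. The names build-server and prod-db-admin are constructed, and the comparison logic is an assumption chosen to match the page's description rather than Vault's implementation.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSigned issues a self-signed client certificate for key with the given
// Common Name. Anyone holding key can call this with any CN they like.
func selfSigned(key *ecdsa.PrivateKey, cn string, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// authenticate models a non-CA-mode role holding one trusted leaf certificate
// (assumed shape for this example, not Vault's code). It returns the identity
// granted and whether the login succeeded.
// fixed=false: accept when the public key matches and take the identity from
// the presented certificate's CN, a field the key holder controls.
// fixed=true: accept only the byte-identical trusted certificate and take the
// identity from the trusted copy.
func authenticate(presented, trusted *x509.Certificate, fixed bool) (string, bool) {
	if fixed {
		if !bytes.Equal(presented.Raw, trusted.Raw) {
			return "", false
		}
		return trusted.Subject.CommonName, true
	}
	if !bytes.Equal(presented.RawSubjectPublicKeyInfo, trusted.RawSubjectPublicKeyInfo) {
		return "", false
	}
	return presented.Subject.CommonName, true
}

// Scenario registers a certificate for "build-server" as the trusted cert, then
// logs in with either that cert (forge=false) or a freshly self-signed cert for
// the same key whose CN claims to be "prod-db-admin" (forge=true).
func Scenario(fixed, forge bool) (string, bool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	trusted := selfSigned(key, "build-server", 1)
	presented := trusted
	if forge {
		presented = selfSigned(key, "prod-db-admin", 2)
	}
	return authenticate(presented, trusted, fixed)
}

func main() {
	for _, fixed := range []bool{false, true} {
		id, ok := Scenario(fixed, true)
		fmt.Printf("fixed=%v forged-CN login: accepted=%v identity=%q\n", fixed, ok, id)
	}
}
```

The point of the example is that in a non-CA role there is no issuer to vouch for the subject name, so the only trustworthy identity is the pinned certificate itself; any field read from the presented certificate rather than the pinned one is attacker-controlled once the key is shared.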

Widespread Impact Across Vault Deployments
The vulnerabilities affect both the Open Source and Enterprise editions of Vault across multiple deployment scenarios.
Unlike earlier research that focused on cloud-provider-specific auth backends, these flaws sit in Vault's core authentication flows, so they apply to most production deployments.
“These weren’t memory corruption or race condition issues, but subtle logic flaws buried in Vault’s authentication, identity, and policy enforcement layers,” the researchers noted.
Some of the vulnerabilities had existed for nearly a decade, undetected despite exploitation paths that are straightforward once understood.
The findings highlight critical weaknesses in a system designed to serve as the ultimate trust anchor for an organization's infrastructure, where a compromise can lead to complete infrastructure takeover.