Severe HashiCorp Flaw Lets Attackers Run Code on Underlying Hosts

HashiCorp has disclosed a critical security vulnerability in its Vault secret management platform that could allow privileged operators to execute arbitrary code on underlying host systems.

The vulnerability, tracked as CVE-2025-6000 and bulletin identifier HCSEC-2025-14, affects multiple versions of both Vault Community Edition and Enterprise installations and was publicly disclosed on August 1, 2025.

The security flaw impacts Vault Community Edition versions from 0.8.0 through 1.20.0, with fixes available in version 1.20.1.

For Vault Enterprise, the affected versions are 0.8.0 through 1.20.0, plus 1.19.6, 1.18.11, 1.16.22 and 1.15.15; patches were released in versions 1.20.1, 1.19.7, 1.18.12 and 1.16.23.

Vulnerability Details and Technical Impact

The exploitation mechanism centers on Vault’s audit device functionality, and specifically on operators who hold write permissions to the sys/audit endpoint within the root namespace.

A malicious operator can leverage Vault’s file audit device to write arbitrary files to disk, subsequently combining this capability with plugin registration to achieve code execution on the host system.

The attack vector involves manipulating audit devices, which keep detailed logs of every Vault request and response and apply HMAC with per-device keys.

Because an attacker can reproduce the exact contents of the audit file, they can compute the SHA256 digest that plugin registration requires via the sys/audit-hash endpoint, which lets them bypass that control whenever a plugin directory is configured in Vault’s setup.

External plugins in Vault operate as standalone applications communicating via RPC, with Vault spawning separate processes or containers for plugin execution.

This architecture becomes vulnerable when combined with the audit device manipulation, as attackers can potentially place malicious code in plugin directories and trigger execution through the normal plugin loading mechanism.

Remediation and Security Measures

HashiCorp has implemented several security enhancements to address this vulnerability.

The prefix option for audit devices is now disabled by default; enabling it requires explicitly setting AllowAuditLogPrefixing to true in Vault’s configuration file.

Additionally, audit log destinations can no longer target plugin directories, eliminating a key component of the attack chain.
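As an added defender-side check, not code from HashiCorp or the advisory, the following script inspects the audit devices returned by Vault's sys/audit endpoint and flags the two preconditions described above: a file audit device whose destination lies under the server's plugin_directory, and a device with a prefix configured. The device listing, paths and plugin directory are constructed sample data for this example.

```python
import os
from typing import Dict, List, Tuple

# Constructed sample in the shape of a GET sys/audit response (path -> device).
# The paths and options below are made up for this example.
SAMPLE_AUDIT_DEVICES = {
    "file/": {
        "type": "file",
        "description": "main audit log",
        "options": {"file_path": "/var/log/vault/audit.log"},
    },
    "file2/": {
        "type": "file",
        "description": "device added by a privileged operator",
        "options": {
            "file_path": "/opt/vault/plugins/../plugins/helper",
            "prefix": "vault: ",
        },
    },
    "syslog/": {"type": "syslog", "description": "", "options": {}},
}
# Constructed value of plugin_directory from the Vault server configuration.
SAMPLE_PLUGIN_DIRECTORY = "/opt/vault/plugins"


def _inside(path: str, directory: str) -> bool:
    """True when path normalises to a location at or under directory."""
    path, directory = os.path.abspath(path), os.path.abspath(directory)
    return os.path.commonpath([path, directory]) == directory


def find_risky_audit_devices(devices: Dict[str, dict], plugin_directory: str) -> List[Tuple[str, str]]:
    """Return (device_path, finding) pairs for file audit devices that match the
    HCSEC-2025-14 preconditions: a log written into plugin_directory, or a
    prefix option (which the fixed releases disable by default)."""
    findings: List[Tuple[str, str]] = []
    for name, dev in devices.items():
        if dev.get("type") != "file":
            continue  # syslog/socket devices do not write files on the host
        opts = dev.get("options") or {}
        file_path = opts.get("file_path", "")
        # "stdout" and "discard" are special destinations, not host paths
        if file_path not in ("", "stdout", "discard") and plugin_directory and _inside(file_path, plugin_directory):
            findings.append((name, "file_path is inside plugin_directory"))
        if opts.get("prefix"):
            findings.append((name, "prefix option set (disabled by default since the fix)"))
    return findings


if __name__ == "__main__":
    for dev, why in find_risky_audit_devices(SAMPLE_AUDIT_DEVICES, SAMPLE_PLUGIN_DIRECTORY):
        print(f"{dev}: {why}")
```

On a live cluster, feed the script the output of `vault audit list -detailed` (or GET sys/audit) together with the plugin_directory value from the server configuration.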

The vulnerability cannot be exploited in HCP Vault Dedicated environments due to their implementation of administrative namespaces, which restrict access to privileged backend system endpoints.

Organizations using on-premises Vault deployments should prioritize upgrading to the patched versions based on their risk assessment.

The security issue was responsibly disclosed by Yarden Porat of Cyata Security, highlighting the importance of coordinated vulnerability disclosure in maintaining enterprise security infrastructure.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
