CVE-2025-5999
📋 TL;DR
A privileged Vault operator with write permission to the identity endpoint in the root namespace can escalate a token's privileges to Vault's root policy, granting full administrative control. Only HashiCorp Vault deployments where operators hold that write permission are affected. The vulnerability is a privilege escalation within Vault's access control system.
💻 Affected Systems
- HashiCorp Vault Community Edition
- HashiCorp Vault Enterprise
📦 What is this software?
Vault by Hashicorp
⚠️ Risk & Real-World Impact
Worst Case
An attacker with initial operator access gains full root privileges over the entire Vault deployment, potentially accessing all secrets, modifying configurations, and compromising the entire secrets management infrastructure.
Likely Case
A malicious or compromised operator escalates their own privileges to root level, gaining unauthorized access to sensitive secrets and administrative functions.
If Mitigated
With proper access controls and monitoring, the impact is limited to detection and containment of unauthorized privilege escalation attempts.
🎯 Exploit Status
Exploitation requires authenticated access with specific write permissions. The vulnerability is in the identity endpoint logic.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Vault Community Edition 1.20.0, Vault Enterprise 1.20.0, 1.19.6, 1.18.11, 1.16.22
Vendor Advisory: https://discuss.hashicorp.com/t/hcsec-2025-13-vault-root-namespace-operator-may-elevate-token-privileges/76032
Restart Required: Yes
Instructions:
1. Backup Vault configuration and data.
2. Download the patched version from HashiCorp releases.
3. Stop the Vault service.
4. Replace the binary with the patched version.
5. Restart the Vault service.
6. Verify the version and functionality.
🔧 Temporary Workarounds
Restrict Identity Endpoint Permissions
Remove write permissions to the root namespace's identity endpoint from operators who don't absolutely need them.
vault policy write restricted-operator <policy-file.hcl>
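The policy file referenced in the command above is not shown on this page. The following added Python script (not HashiCorp's code, and not from the advisory) places a constructed weak operator policy beside a restricted one and checks policy text for identity-path stanzas that grant write capabilities, so existing operator policies can be audited before they are rewritten. The HCL stanza matcher is a simplified assumption about policy syntax, not Vault's parser; the policy contents are constructed samples.

```python
import re

# Constructed sample policies, not from the advisory. The weak one grants
# create/update on identity paths in the root namespace, exactly the
# permission an operator should not hold; the restricted one keeps read/list.
WEAK_OPERATOR_POLICY = '''
path "identity/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "secret/data/app/*" {
  capabilities = ["read"]
}
'''

RESTRICTED_OPERATOR_POLICY = '''
path "identity/*" {
  capabilities = ["read", "list"]
}
path "secret/data/app/*" {
  capabilities = ["read"]
}
'''

# Capabilities that change identity objects (entities, groups, aliases)
# rather than only inspect them; "sudo" is included as a superset.
WRITE_CAPS = {"create", "update", "patch", "delete", "sudo"}

# Simplified matcher for Vault's HCL policy stanzas (an assumption, not
# Vault's real parser): one `path "..." { capabilities = [...] }` per match.
_STANZA = re.compile(r'path\s+"(?P<path>[^"]+)"\s*\{(?P<body>.*?)\}', re.DOTALL)
_CAPS = re.compile(r'capabilities\s*=\s*\[(?P<caps>[^\]]*)\]')


def parse_policy(hcl: str) -> dict:
    """Return {path: set(capabilities)} for every stanza in the policy text."""
    rules = {}
    for m in _STANZA.finditer(hcl):
        caps_m = _CAPS.search(m.group("body"))
        caps = set()
        if caps_m:
            caps = {c.strip().strip('"') for c in caps_m.group("caps").split(",") if c.strip()}
        rules[m.group("path")] = caps
    return rules


def covers_identity(path: str) -> bool:
    """True if a policy path could match an identity/ endpoint.

    Handles exact prefixes, trailing-* globs (including the bare "*" that
    matches everything) and a leading "+" segment wildcard; anything more
    exotic is treated conservatively as not matching.
    """
    if path.split("/")[0] == "+":
        return True
    if path.endswith("*"):
        prefix = path[:-1]
        return "identity/".startswith(prefix) or prefix.startswith("identity")
    return path.startswith("identity")


def identity_write_grants(hcl: str) -> list:
    """List (path, [write caps]) for every stanza granting writes on identity/."""
    findings = []
    for path, caps in parse_policy(hcl).items():
        granted = sorted(caps & WRITE_CAPS)
        if granted and covers_identity(path):
            findings.append((path, granted))
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_OPERATOR_POLICY), ("restricted", RESTRICTED_OPERATOR_POLICY)):
        print(name, identity_write_grants(policy) or "no identity write grants")
```

Run it over each policy exported with `vault policy read <name>`; any non-empty result is a stanza to tighten before the policy is re-uploaded with `vault policy write`. A bare `"*"` path is reported too, since a catch-all glob covers the identity endpoint just as surely as an explicit `identity/*`.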
🧯 If You Can't Patch
- Implement strict access controls to limit who has write permissions to root namespace identity endpoints
- Enhance monitoring and alerting for privilege escalation attempts and unusual identity endpoint activity
🔍 How to Verify
Check if Vulnerable:
Check the Vault version against the patched versions listed above and review which operators hold write permissions to identity endpoints in the root namespace.
Check Version:
vault version
Verify Fix Applied:
Confirm Vault version is patched and test that privilege escalation attempts are blocked
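Because Community Edition has a single fixed release while Enterprise carries backports on several branches, a plain "is the version new enough" comparison gets the answer wrong (Community Edition 1.19.6 is not fixed, Enterprise 1.19.6 is). The following added Python check (not HashiCorp's tooling) encodes the fixed versions from the advisory above and decides per edition and branch; the assumption that Enterprise builds carry a "+ent" suffix in `vault version` output is mine, and the advisory text on this page gives no lower bound for affected versions, so none is assumed.

```python
import re

# Fixed versions taken from the advisory. Community Edition is fixed only in
# 1.20.0; Enterprise additionally carries backports on older branches.
CE_FIXED = ["1.20.0"]
ENT_FIXED = ["1.20.0", "1.19.6", "1.18.11", "1.16.22"]

# Matches the version token in `vault version` output, e.g. "Vault v1.19.5
# (sha)" or "Vault v1.19.5+ent (sha)". The "+ent" suffix marking Enterprise
# builds is an assumption about the output format, not taken from the page.
_VERSION = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?P<ent>\+ent)?")


def parse_version(output: str):
    """Return ((major, minor, patch), is_enterprise) from `vault version` output."""
    m = _VERSION.search(output)
    if not m:
        raise ValueError("no version found in: %r" % output)
    return tuple(int(x) for x in m.group(1, 2, 3)), bool(m.group("ent"))


def is_vulnerable(output: str) -> bool:
    """Decide whether the reported build predates the fix for its branch.

    If the advisory lists a backport on the same major.minor branch, the
    build is fixed once it reaches that backport. Otherwise the only fix is
    the newest release (1.20.0), so anything below it is treated as affected.
    """
    ver, ent = parse_version(output)
    fixed = [tuple(int(x) for x in f.split(".")) for f in (ENT_FIXED if ent else CE_FIXED)]
    same_branch = [f for f in fixed if f[:2] == ver[:2]]
    threshold = min(same_branch) if same_branch else max(fixed)
    return ver < threshold


if __name__ == "__main__":
    import subprocess
    out = subprocess.run(["vault", "version"], capture_output=True, text=True).stdout
    print("VULNERABLE" if is_vulnerable(out) else "patched:", out.strip())
```

The version check only confirms the binary; it says nothing about whether the restrictive policies from the workaround are still in place, so keep both checks in the verification step.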
📡 Detection & Monitoring
Log Indicators:
- Unusual identity endpoint write operations
- Privilege escalation attempts
- Token policy modifications to root
Network Indicators:
- Increased API calls to identity endpoints from operator accounts
SIEM Query:
source="vault" AND ("identity/" AND "write") AND user_role="operator"
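The SIEM query above is written against generic field names. The following added Python detector (not HashiCorp's code and not from the advisory) applies the same log indicators to Vault's JSON audit-device entries: it flags write operations on identity/ paths in the root namespace by tokens that do not already hold the root policy, skips the "response" twin of each request to avoid double counting, tolerates malformed lines, and counts writes per actor to surface the volume indicator. The entry layout (top-level "type", "auth", "request", with request.namespace.id == "root") is my assumption about the audit format, and the log lines are constructed samples.

```python
import json
from collections import Counter

# Operations that modify an identity object; "read" and "list" are ignored.
WRITE_OPS = {"create", "update", "patch", "delete"}


def _entry(kind, display_name, policies, operation, path, ns="root", entity_id="e-1"):
    """Build one constructed audit entry in the assumed Vault audit-device layout."""
    return json.dumps({
        "type": kind,
        "auth": {"display_name": display_name, "policies": policies, "entity_id": entity_id},
        "request": {"operation": operation, "path": path,
                    "namespace": {"id": ns}, "remote_address": "10.0.0.5"},
    })


# Constructed audit lines, not real logs: reads, a request/response pair,
# a root-token write, a child-namespace write, a non-identity write, junk.
SAMPLE_AUDIT_LOG = [
    _entry("request", "userpass-alice", ["default", "operator"], "read", "identity/entity/name/alice"),
    _entry("request", "userpass-alice", ["default", "operator"], "update", "identity/group/name/admins"),
    _entry("response", "userpass-alice", ["default", "operator"], "update", "identity/group/name/admins"),
    _entry("request", "token-root", ["root"], "update", "identity/entity-alias"),
    _entry("request", "userpass-bob", ["default", "operator"], "update", "identity/entity", ns="ns1"),
    _entry("request", "userpass-alice", ["default", "operator"], "update", "identity/entity/id/e-1"),
    _entry("request", "userpass-bob", ["default", "operator"], "update", "sys/policies/acl/operator"),
    "this line is not JSON",
]


def parse_entry(line):
    """Parse one audit line; return None for malformed input instead of raising."""
    try:
        entry = json.loads(line)
    except json.JSONDecodeError:
        return None
    return entry if isinstance(entry, dict) else None


def is_root_identity_write(entry):
    """Request entry that writes to identity/ in the root namespace."""
    if entry.get("type") != "request":   # skip "response" twins to avoid double counting
        return False
    req = entry.get("request") or {}
    ns = (req.get("namespace") or {}).get("id", "root")
    return (req.get("operation") in WRITE_OPS
            and str(req.get("path", "")).startswith("identity/")
            and ns == "root")


def detect_identity_writes(lines):
    """Return findings for non-root tokens writing to root-namespace identity paths."""
    findings = []
    for line in lines:
        entry = parse_entry(line)
        if not entry or not is_root_identity_write(entry):
            continue
        auth = entry.get("auth") or {}
        policies = set(auth.get("policies") or []) | set(auth.get("token_policies") or [])
        if "root" in policies:
            continue   # already root: nothing to escalate, though still worth auditing
        req = entry["request"]
        findings.append({"actor": auth.get("display_name", "unknown"),
                         "entity_id": auth.get("entity_id"),
                         "operation": req["operation"], "path": req["path"],
                         "remote_address": req.get("remote_address")})
    return findings


def actors_over_threshold(findings, threshold):
    """Actors with at least `threshold` identity writes, for the volume indicator."""
    counts = Counter(f["actor"] for f in findings)
    return {actor: n for actor, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = detect_identity_writes(SAMPLE_AUDIT_LOG)
    for h in hits:
        print("identity write:", h)
    print("actors over threshold:", actors_over_threshold(hits, 2))
```

Feed it the file audit device's output line by line (for example with `tail -F` piped into the script); the per-actor threshold is the tunable that turns "unusual identity endpoint activity" into a concrete alert, and the child-namespace write is deliberately left out because the advisory scopes the issue to the root namespace.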