CVE-2025-6000
📋 TL;DR
A Vault operator whose token can write to the sys/audit endpoint (the endpoint used to enable and disable audit devices) can execute arbitrary code on the host running Vault, provided the server is configured with a plugin_directory. Both conditions must hold: the attacker is an already-privileged operator (or holds a stolen operator token), and the node has a plugin directory set. This affects HashiCorp Vault Community Edition and Enterprise installations where such privileged operators exist and plugin directories are configured.
💻 Affected Systems
- HashiCorp Vault Community Edition
- HashiCorp Vault Enterprise
📦 What is this software?
Vault by HashiCorp is a secrets-management and identity-based access platform. It stores and brokers credentials, certificates and encryption keys, exposes them through an HTTP API guarded by token policies, records every request in audit devices configured under sys/audit, and can load external plugins (custom auth methods and secrets engines) as separate processes from the plugin_directory set in its server configuration.
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the Vault host: code runs with the privileges of the Vault process, which holds the unsealed storage keys in memory, so the attacker can read every secret Vault manages, exfiltrate data, and use the harvested credentials for lateral movement across the infrastructure.
Likely Case
An already-privileged operator, or an attacker holding a stolen or phished operator token, abuses legitimate sys/audit access to run code on the host, stealing secrets, disabling audit devices, or disrupting the service.
If Mitigated
Limited impact where least-privilege policies keep sys/audit write access to a small, reviewed administrative role, separation of duties prevents a single operator from both managing audit devices and configuring plugins, and audit logs are shipped off-host so any sys/audit write is seen promptly.
🎯 Exploit Status
Exploitation requires an authenticated token with write access to sys/audit and a server configured with plugin_directory; there is no unauthenticated or remote path. The vendor advisory describes it as a privileged-operator issue, and this page carries no public exploit details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Vault Community Edition 1.20.1; Vault Enterprise 1.20.1, 1.19.7, 1.18.12, 1.16.23 (or any later release in the same branch). Community Edition has no backport: a Community node on an older branch must move to 1.20.1 or later.
Vendor Advisory: https://discuss.hashicorp.com/t/hcsec-2025-14-privileged-vault-operator-may-execute-code-on-the-underlying-host/76033
Restart Required: Yes
Instructions:
1. Back up Vault data and configuration (for Raft storage, take a snapshot with `vault operator raft snapshot save <file>`).
2. Stop the Vault service.
3. Replace the binary with a patched version. In an HA cluster, upgrade the standby nodes first, then step down and upgrade the active node.
4. Restart the Vault service and unseal it (or confirm auto-unseal completed).
5. Verify with `vault status` and `vault version`, and confirm that existing audit devices and registered plugins are still present.
🔧 Temporary Workarounds
Restrict sys/audit Write Permissions
Remove write capabilities (create, update, delete) on sys/audit and sys/audit/* from every policy except the administrative role that genuinely manages audit devices; read and list on sys/audit can stay so operators can still see which devices are enabled. Note that a broad grant such as sys/* also covers sys/audit/<name>, so either narrow the grant or add a more specific deny rule, which wins in Vault's policy evaluation. Write the tightened policy (assumed here to be saved as restricted-audit.hcl) and attach it in place of the broader one:
vault policy write restricted-audit-policy restricted-audit.hcl
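Before rolling out the tightened policy it helps to know which existing policies actually grant audit-device writes, including through wildcards. The following is an added example (not HashiCorp's code, and not the contents of restricted-audit.hcl above): it parses a minimal subset of Vault policy HCL (path blocks with a capabilities list), applies Vault's most-specific-match precedence, and reports every policy whose winning rule for sys/audit/<name> grants a mutating capability. The sample policies are constructed for the demonstration.

```python
# Added example, not HashiCorp's code: lint Vault policies (HCL) for rules that
# let a token holder add or remove audit devices, i.e. the sys/audit write access
# this advisory turns into host code execution. Assumes a minimal HCL subset
# (path "..." { capabilities = [...] }); the sample policies are constructed.
import re

PATH_BLOCK_RE = re.compile(r'path\s+"([^"]+)"\s*\{([^}]*)\}', re.DOTALL)
CAPS_RE = re.compile(r'capabilities\s*=\s*\[([^\]]*)\]')

# Capabilities that change an audit device under sys/audit/<name>.
MUTATING = {"create", "update", "delete", "patch"}
# Any device name works for the probe; Vault matches the policy pattern, not the name.
PROBE_PATH = "sys/audit/example"


def parse_policy(hcl):
    """Return [(path_pattern, set_of_capabilities)] from a policy document."""
    rules = []
    for m in PATH_BLOCK_RE.finditer(hcl):
        caps = set()
        cm = CAPS_RE.search(m.group(2))
        if cm:
            caps = {c.strip().strip('"') for c in cm.group(1).split(",") if c.strip()}
        rules.append((m.group(1), caps))
    return rules


def pattern_matches(pattern, path):
    """Vault path patterns: '+' matches exactly one segment, a trailing '*' any suffix."""
    glob = pattern.endswith("*")
    if glob:
        pattern = pattern[:-1]
    parts = ["[^/]+" if seg == "+" else re.escape(seg) for seg in pattern.split("/")]
    regex = "/".join(parts) + (".*" if glob else "")
    return re.fullmatch(regex, path) is not None


def effective_caps(rules, path):
    """Pick the winning rule the way Vault does: an exact path beats a wildcard
    rule, and among wildcard rules the longer (more specific) pattern wins.
    No matching rule means no access."""
    matches = [(pat, caps) for pat, caps in rules if pattern_matches(pat, path)]
    if not matches:
        return set()
    exact = [caps for pat, caps in matches if "*" not in pat and "+" not in pat]
    if exact:
        return exact[0]
    return max(matches, key=lambda pc: len(pc[0]))[1]


def audit_device_writers(policies):
    """Return {policy_name: sorted caps} for every policy whose winning rule for
    sys/audit/<name> grants a mutating capability and is not a deny."""
    findings = {}
    for name, hcl in policies.items():
        caps = effective_caps(parse_policy(hcl), PROBE_PATH)
        if "deny" in caps:
            continue                      # explicit deny wins over any grant
        if caps & MUTATING:
            findings[name] = sorted(caps)
    return findings


# Constructed sample policies for the demonstration.
SAMPLE_POLICIES = {
    # Broad operator policy: sys/* covers sys/audit/<name>, so it must be flagged.
    "ops-admin": '''
path "sys/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
''',
    # Same broad grant, but the more specific deny on sys/audit/* wins for the probe.
    "restricted-audit": '''
path "sys/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "sys/audit" {
  capabilities = ["read", "list"]
}
path "sys/audit/*" {
  capabilities = ["deny"]
}
''',
    # Can list audit devices but not change them: sys/audit does not match sys/audit/<name>.
    "audit-viewer": '''
path "sys/audit" {
  capabilities = ["read", "list"]
}
''',
}

if __name__ == "__main__":
    for policy, caps in audit_device_writers(SAMPLE_POLICIES).items():
        print(f"{policy}: can modify audit devices with {caps}")
```

To run it against a real cluster, feed it the output of `vault policy read <name>` for each name returned by `vault policy list`. The linter looks at one policy at a time; a token that holds several policies gets the union of their grants, so any single flagged policy on a token is enough to matter. The root policy is built in and is not expressed in HCL, so root tokens must be reviewed separately.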
Remove Plugin Directory Configuration
If external plugins are not required, remove the plugin_directory setting from the server configuration and restart Vault; without a plugin directory the code-execution path described in the advisory is not available. Check first which plugins are registered (`vault plugin list`): any externally built plugin registered from that directory will stop loading once the setting is removed.
🧯 If You Can't Patch
- Apply least-privilege policies: deny or omit create/update/delete on sys/audit/* for every token that does not administer audit devices, check broad sys/* grants, and review who holds root tokens
- Ship audit logs off the Vault host (for example with a syslog or socket audit device) and alert on update and delete operations on sys/audit/* and on registrations under sys/plugins/catalog/*, so the record survives even if the host itself is compromised
🔍 How to Verify
Check if Vulnerable:
Check the running Vault version and the server configuration (every HCL or JSON file passed via -config, or `vault read sys/config/state/sanitized`) for a non-empty plugin_directory setting. A node is vulnerable if its version is below the patched release for its edition and branch AND plugin_directory is configured.
Check Version:
vault version
Verify Fix Applied:
Confirm with `vault version` that the node runs 1.20.1 or later (Community Edition), or 1.20.1, 1.19.7, 1.18.12, 1.16.23 or a later release of the same branch (Enterprise). Enterprise builds are marked with a +ent suffix in the version string; a Community node on a 1.19.x or older branch has no fixed release in that branch and remains vulnerable until it reaches 1.20.1.
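Checking many nodes by hand is error-prone, particularly because the fixed version differs per branch and per edition. The following script is an added example (not HashiCorp's code): it parses the text of `vault version` and the server configuration and applies the rule stated above, returning vulnerable only when the build is unpatched and plugin_directory is set. The version string and configuration it runs on are constructed samples; point it at real output from your own nodes.

```python
# Added example, not HashiCorp's code: decide whether a Vault node meets both
# conditions on this page (unpatched build AND plugin_directory set) from the
# text of `vault version` and the server configuration. Inputs below are
# constructed; run it against real output/config on your own nodes.
import re

# Fixed releases from HCSEC-2025-14, keyed by release branch. Community
# Edition is fixed only in 1.20.1; Enterprise also received backports.
FIXED_ENTERPRISE = {
    (1, 20): (1, 20, 1),
    (1, 19): (1, 19, 7),
    (1, 18): (1, 18, 12),
    (1, 16): (1, 16, 23),
}
FIXED_COMMUNITY = {(1, 20): (1, 20, 1)}

VERSION_RE = re.compile(r"Vault v(\d+)\.(\d+)\.(\d+)(\+ent)?")
# Matches HCL (plugin_directory = "...") and JSON ("plugin_directory": "...").
PLUGIN_DIR_RE = re.compile(r'\bplugin_directory"?\s*[=:]\s*"([^"]*)"')


def parse_version(output):
    """Parse `vault version` output such as 'Vault v1.19.5+ent (abc)'.
    Returns ((major, minor, patch), is_enterprise)."""
    m = VERSION_RE.search(output)
    if not m:
        raise ValueError(f"unrecognised vault version output: {output!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4) is not None


def is_patched(version, enterprise):
    """True if this build contains the fix for CVE-2025-6000."""
    fixed = FIXED_ENTERPRISE if enterprise else FIXED_COMMUNITY
    branch = version[:2]
    if branch in fixed:
        return version >= fixed[branch]
    # Branch with no fix release (e.g. 1.17.x, or 1.19.x Community): only a
    # build newer than every fixed release is assumed to carry the fix forward.
    return version >= max(fixed.values())


def plugin_directory(config_text):
    """Return the configured plugin_directory, or None if absent or empty.
    Commented-out lines (# or //) are ignored."""
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#") or stripped.startswith("//"):
            continue
        m = PLUGIN_DIR_RE.search(line)
        if m and m.group(1):
            return m.group(1)
    return None


def assess(version_output, config_text):
    """Combine both conditions; 'vulnerable' is True only when both hold."""
    version, enterprise = parse_version(version_output)
    patched = is_patched(version, enterprise)
    pdir = plugin_directory(config_text)
    return {
        "version": ".".join(map(str, version)) + ("+ent" if enterprise else ""),
        "patched": patched,
        "plugin_directory": pdir,
        "vulnerable": (not patched) and pdir is not None,
    }


if __name__ == "__main__":
    # Constructed sample inputs, not from a real host.
    sample_version = "Vault v1.19.5 (0000000), built 2025-01-01T00:00:00Z"
    sample_config = '''
storage "raft" {
  path = "/opt/vault/data"
}
listener "tcp" {
  address = "0.0.0.0:8200"
}
# plugin_directory = "/tmp/old-plugins"   # commented out, must be ignored
plugin_directory = "/opt/vault/plugins"
'''
    print(assess(sample_version, sample_config))
```

A node that is unpatched but has no plugin_directory is reported as not vulnerable to this issue, which matches the advisory's conditions; it should still be upgraded, since nothing stops an operator from adding the setting later.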
📡 Detection & Monitoring
Log Indicators:
- update or delete operations on sys/audit/<name> in the Vault audit log (enabling an audit device is a PUT, which Vault records as operation "update"; audit-log paths carry no /v1/ prefix), especially from an actor outside the expected administrative group or outside a change window
- Plugin registrations under sys/plugins/catalog/* and mounts of plugin-backed engines shortly after a sys/audit write, and on the host, new child processes of the vault binary launched from the plugin directory
Network Indicators:
- Outbound connections from the Vault host, or from child processes of the vault binary, to destinations other than its storage backend, configured auth/secrets backends and clients, following a sys/audit write
SIEM Query:
source="vault_audit" AND type="request" AND request.path="sys/audit/*" AND (request.operation="update" OR request.operation="delete")
Filtering on type="request" avoids counting the matching response entry twice. Do not combine the path and operation clauses with OR, as that would match every write in the log.