HashiCorp Vault CVE-2025-6000: Brief Summary of Critical Code Execution Vulnerability

This post provides a brief summary of CVE-2025-6000, a critical code execution vulnerability in HashiCorp Vault. We cover the technical mechanism, affected versions, patch details, and vendor security history based on available public sources.
ZeroPath CVE Analysis

2025-08-01
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

A privileged Vault operator can achieve host-level code execution if certain configuration conditions are met. This vulnerability affects a core component of secrets management infrastructure and has a direct impact on the security of credentials, certificates, and sensitive data managed by HashiCorp Vault.

HashiCorp is a leading provider of infrastructure automation and security products. Vault is their flagship secrets management solution, widely used in enterprise environments for managing sensitive data and cryptographic material. Vault's adoption spans thousands of organizations, making vulnerabilities in its core components highly impactful across the technology industry.

Technical Information

CVE-2025-6000 arises from a flaw in the way HashiCorp Vault handles audit device configuration, specifically when a plugin directory is set in the Vault configuration. If a privileged operator in the root namespace has write access to the sys/audit endpoint, they can manipulate audit device settings to achieve arbitrary code execution on the underlying host.

The vulnerability is rooted in improper control of code generation and execution (CWE-94). The attack leverages the audit plugin mechanism, which allows Vault to load external plugins for extended audit functionality. When the plugin directory is configured, the operator can exploit the audit device's configuration options to write or overwrite files in the plugin directory, leading to execution of attacker-controlled code.

Key technical conditions for exploitation:

  • The attacker must have privileged operator access in the root namespace
  • Write permission to sys/audit is required
  • The Vault server must have a plugin directory configured

Once these conditions are met, the attacker can use the audit device configuration to introduce malicious code into the plugin directory and trigger its execution, escalating their privileges from Vault administrator to full system access.

Patch Information

To address the vulnerability where a privileged Vault operator could execute code on the underlying host, HashiCorp implemented several key changes in Vault version 1.20.1 and subsequent releases:

  1. Disabling the prefix Option by Default: The prefix option in audit devices, which allowed specifying a per-line prefix in audit logs, is now disabled by default for any new audit device. This change prevents unauthorized manipulation of audit logs that could lead to code execution.

  2. Introducing the AllowAuditLogPrefixing Configuration: To enable the prefix option, administrators must now explicitly set the AllowAuditLogPrefixing parameter to true in Vault's configuration file. This additional step ensures that enabling this feature is a deliberate action, reducing the risk of unintended exploitation.

  3. Restricting Audit Log Destinations: Vault now enforces a restriction that prevents audit logs from being written to the plugin directory. This measure eliminates the possibility of overwriting or creating files in locations that could be used to execute arbitrary code.

These updates collectively enhance the security posture of Vault by mitigating the risk associated with the identified vulnerability. Administrators are encouraged to review their configurations and apply these updates to ensure their systems are protected.

Patch sources:

Affected Systems and Versions

  • HashiCorp Vault Community Edition prior to 1.20.1
  • HashiCorp Vault Enterprise prior to 1.20.1, 1.19.7, 1.18.12, and 1.16.23
  • Only vulnerable if a plugin directory is configured in Vault's configuration
  • Exploitable by privileged operators in the root namespace with write access to sys/audit
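The exploitation preconditions and the fixed versions listed above can be turned into a routine configuration check. The following is an added example, not code from HashiCorp or from this analysis: it takes the server's `plugin_directory` setting and the JSON that `GET /sys/audit` returns, flags file audit devices whose `file_path` lands inside the plugin directory or that set a `prefix`, and compares the running version against the fixed releases per edition. The sample audit-device data is constructed.

```python
import os

# Fixed Enterprise releases per minor line, as listed in the advisory.
FIXED_ENT = {"1.20": (1, 20, 1), "1.19": (1, 19, 7),
             "1.18": (1, 18, 12), "1.16": (1, 16, 23)}


def is_patched(version, enterprise=False):
    """Community Edition is fixed from 1.20.1; Enterprise is fixed from the
    release of its own minor line (a line with no listed fix counts as unpatched)."""
    parts = tuple(int(p) for p in version.split("+")[0].split("."))
    if not enterprise:
        return parts >= (1, 20, 1)
    fixed = FIXED_ENT.get(f"{parts[0]}.{parts[1]}")
    return fixed is not None and parts >= fixed


def audit_device_findings(plugin_directory, sys_audit):
    """Flag file audit devices whose file_path resolves under plugin_directory
    or that carry a prefix option. sys_audit is the dict GET /sys/audit returns.
    With no plugin_directory configured the advisory's precondition is absent."""
    findings = []
    if not plugin_directory:
        return findings
    plugin_root = os.path.realpath(plugin_directory)
    for mount, device in sys_audit.items():
        if device.get("type") != "file":
            continue
        options = device.get("options") or {}
        file_path = options.get("file_path", "")
        # "stdout"/"discard" are not filesystem paths; only absolute paths matter.
        if os.path.isabs(file_path):
            target = os.path.realpath(file_path)
            if os.path.commonpath([plugin_root, target]) == plugin_root:
                findings.append((mount, "file_path inside plugin_directory"))
        if options.get("prefix"):
            findings.append((mount, "prefix option set"))
    return findings


# Constructed sample: one ordinary device and one meeting both conditions.
SAMPLE_SYS_AUDIT = {
    "file/": {"type": "file",
              "options": {"file_path": "/var/log/vault/audit.log"}},
    "odd/": {"type": "file",
             "options": {"file_path": "/etc/vault.d/plugins/audit.log",
                         "prefix": "constructed-prefix"}},
}

if __name__ == "__main__":
    print("patched:", is_patched("1.20.0"))  # False
    for mount, reason in audit_device_findings("/etc/vault.d/plugins", SAMPLE_SYS_AUDIT):
        print(f"{mount}: {reason}")
```

Run it against the live `/sys/audit` output and the `plugin_directory` value from the server configuration; any finding means the audit device inventory should be reviewed and the upgrade applied.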

Vendor Security History

HashiCorp has a history of addressing security issues in Vault with rapid patch releases and transparent advisories. Notable recent vulnerabilities include:

  • CVE-2024-9180: Privilege escalation via the identity endpoint
  • CVE-2025-4656: Denial of service in recovery key cancellation
  • CVE-2025-4166: Information disclosure in audit logs

HashiCorp maintains a mature vulnerability management process, with clear communication channels and regular security updates.

References
