
A significant vulnerability in HashiCorp Vault has been identified that allows privileged operators to run arbitrary code on the underlying host system.

A critical security vulnerability, tracked as CVE-2025-6000, has been identified in HashiCorp Vault, affecting both Community Edition and Enterprise versions from 0.8.0 to 1.20.0. It allows privileged Vault operators to execute arbitrary code on the underlying host, posing a significant risk to organisations running these versions. Discovered by Yarden Porat of Cyata Security and reported through responsible disclosure practices on August 1, 2025, the flaw arises from a design issue in Vault’s audit device functionality. Specifically, an operator who already holds write permission on the sys/audit endpoint can abuse the file audit device mechanism; the issue is therefore a privilege-escalation path for an already-privileged insider rather than an externally reachable attack vector.

The exploitation pathway leverages Vault’s file audit device to write operator-controlled files to arbitrary disk locations, which, combined with Vault’s plugin registration capability, yields arbitrary code execution. To mitigate the risk, HashiCorp has implemented several security controls, including disabling the prefix option for new audit devices by default and preventing audit log destinations from targeting plugin directories. Organisations are urged to upgrade to the fixed versions immediately to protect against this critical vulnerability, which carries a CVSS 3.1 score of 9.1. The affected versions are Vault Community Edition and Enterprise from 0.8.0 through 1.20.0, with specific affected versions also listed for Enterprise.
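As an added example, not taken from the advisory or from HashiCorp’s own code, the following Python check reads the JSON form of `vault audit list -format=json` and flags file audit devices whose destination resolves inside the server’s configured plugin directory or which carry a prefix option, the two settings the fix addresses. The sample audit list and the `PLUGIN_DIRECTORY` value are constructed for illustration.

```python
import json
import os

# Constructed sample of `vault audit list -format=json` output (not from the page).
# Keys are mount paths; "options" holds the device's configured options.
SAMPLE_AUDIT_LIST = json.dumps({
    "file/": {"type": "file", "description": "",
              "options": {"file_path": "/var/log/vault/audit.log"}, "local": False},
    "drop/": {"type": "file", "description": "",
              "options": {"file_path": "/opt/vault/plugins/../plugins/helper",
                          "prefix": "#!/bin/sh\n"}, "local": False},
    "syslog/": {"type": "syslog", "description": "", "options": {}, "local": False},
})

# Assumed value of plugin_directory from the Vault server configuration.
PLUGIN_DIRECTORY = "/opt/vault/plugins"


def _is_under(path, directory):
    """True if `path` resolves inside `directory` once '..' segments and
    symlinks are normalised (so lexical tricks in the path do not hide it)."""
    real_path = os.path.realpath(path)
    real_dir = os.path.realpath(directory)
    return os.path.commonpath([real_path, real_dir]) == real_dir


def find_risky_audit_devices(audit_list_json, plugin_directory):
    """Return {mount_path: [reasons]} for file audit devices whose file_path
    lands in the plugin directory or which set a non-empty prefix option."""
    findings = {}
    for mount, device in json.loads(audit_list_json).items():
        if device.get("type") != "file":
            continue  # only the file audit device writes to local disk
        options = device.get("options") or {}
        target = options.get("file_path", "")
        if target in ("stdout", "discard"):
            target = ""  # special destinations that write no file
        reasons = []
        if target and _is_under(target, plugin_directory):
            reasons.append("file_path resolves inside plugin_directory")
        if options.get("prefix"):
            reasons.append("prefix option set")
        if reasons:
            findings[mount] = reasons
    return findings


if __name__ == "__main__":
    for mount, why in find_risky_audit_devices(SAMPLE_AUDIT_LIST, PLUGIN_DIRECTORY).items():
        print(f"{mount}: {'; '.join(why)}")
```

On a live cluster, feed the check the real output of `vault audit list -format=json` and the `plugin_directory` from the server configuration; any hit is worth reviewing before the upgrade lands.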
