Zero-Day Vulnerabilities in HashiCorp Vault Allow Attackers to Execute Code Remotely
In early August 2025, security researchers disclosed a set of critical vulnerabilities in HashiCorp Vault, a widely adopted secrets management solution. The flaws, which include authentication bypasses, inconsistent policy enforcement, and abuse of the audit-logging subsystem, can be chained into an end-to-end attack path that ends in remote code execution (RCE) on the Vault server. They were found through manual review of Vault's request routing and plugin interfaces, and they are logic mismatches rather than memory-corruption bugs: each component behaves reasonably on its own, but the components disagree about what a path, an identity, or a policy check means. Because organisations rely on Vault to protect API keys, certificates, and encryption keys across multi-cloud environments, a chain that reaches code execution on the Vault host exposes every secret the server holds. Analysts from CYATA noted that some of the issues had persisted for nearly a decade in core authentication flows and surfaced only through this line-by-line auditing; they were reported to HashiCorp under coordinated disclosure and patched before publication.
The implications extend beyond isolated proof-of-concept exploits. An attacker can chain the issues to bypass lockout protections in the userpass and LDAP auth methods, evade TOTP MFA enforcement, impersonate machine identities through the certificate auth method, and escalate from an administrative token to root. The RCE step itself is unlike anything previously reported against Vault. Rather than corrupting memory, the attacker abuses the plaintext audit log as a file-write primitive: enabling a file audit device whose output path lies inside Vault's configured plugin directory, with the device's prefix option set to a string that starts with a shebang and Bash commands, makes Vault itself write a file that begins with an executable script. Registering that file as a plugin requires its exact SHA-256 hash, so the attacker enables a second, socket-type audit device that streams the identical log entries over TCP, reads the precise bytes that landed on disk, and computes the matching hash. With the registration accepted, Vault runs the attacker-controlled file as a plugin and the payload executes with the Vault process's privileges. Two caveats matter for assessing exposure: the attack requires the ability to configure audit devices and the plugin catalog (the privileges the earlier links in the chain are used to obtain), and it depends on the server having a plugin directory configured at all. "Remote" here means reachable through the authenticated API, not unauthenticated from the network.

Organisations are urged to upgrade immediately to the patched versions released alongside the disclosure. HashiCorp has issued advisory updates addressing all nine CVEs, tightening path normalisation and policy checks. The coordinated response between CYATA and HashiCorp is an example of effective vulnerability management, and it underlines that logic-level review of authentication and authorisation flows is needed alongside routine fuzzing and penetration testing, because none of these bugs would have crashed a fuzzer.
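Two checks a defender can run against the mechanism described above, written here as an added example and not taken from the article, from CYATA, or from HashiCorp's code: a configuration audit of the audit devices Vault reports (the shape of the `sys/audit` listing, which `vault audit list -detailed` prints) and a sequence detection over Vault's own JSON audit log. The sample device listing, plugin directory, and log lines below are constructed for illustration; the entity IDs, device names, and paths are invented. One caveat the log check relies on: Vault HMACs request *data* values in the audit log by default, so the `prefix` and `file_path` options are not visible there, but request *paths* are, which is why the second check keys on `sys/audit/` followed by `sys/plugins/catalog/` from the same entity rather than on the option contents.

```python
import json
import os
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed example of the sys/audit listing (what `vault audit list -detailed` shows).
# "plug/" and "mirror/" model the file + socket pair described in the article; names invented.
SAMPLE_AUDIT_DEVICES: Dict[str, dict] = {
    "file/": {"type": "file", "options": {"file_path": "/var/log/vault/audit.log"}},
    "plug/": {"type": "file", "options": {"file_path": "/opt/vault/plugins/../plugins/helper",
                                          "prefix": "#!/bin/sh\necho pwned\n"}},
    "mirror/": {"type": "socket", "options": {"address": "10.0.0.5:9090", "socket_type": "tcp",
                                              "prefix": "#!/bin/sh\necho pwned\n"}},
}
SAMPLE_PLUGIN_DIRECTORY = "/opt/vault/plugins"  # assumed value of plugin_directory in vault.hcl


def _under_dir(path: str, directory: str) -> bool:
    """True if path resolves to a location inside directory (handles ../ and symlinks)."""
    p, d = os.path.realpath(path), os.path.realpath(directory)
    return os.path.commonpath([p, d]) == d


def audit_device_findings(devices: Dict[str, dict], plugin_directory: str) -> List[Tuple[str, str]]:
    """Flag audit devices whose options could turn the log into an executable plugin file."""
    findings = []
    for name, dev in devices.items():
        opts = dev.get("options") or {}
        prefix = opts.get("prefix", "")
        # A legitimate prefix is a short tag; a newline or shebang has no benign reason to be there.
        if "\n" in prefix or prefix.lstrip().startswith("#!"):
            findings.append((name, "prefix contains a newline or shebang"))
        if dev.get("type") == "file" and plugin_directory:
            fp = opts.get("file_path", "")
            if fp and _under_dir(fp, plugin_directory):
                findings.append((name, f"file_path {fp!r} resolves inside plugin_directory"))
    return findings


# Constructed JSON audit-log lines (request entries only; timestamps and entity ids invented).
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"type": "request", "time": "2025-08-05T10:00:00Z", "auth": {"entity_id": "e1"},
     "request": {"operation": "update", "path": "sys/audit/plug"}},
    {"type": "request", "time": "2025-08-05T10:00:07Z", "auth": {"entity_id": "e1"},
     "request": {"operation": "update", "path": "sys/audit/mirror"}},
    {"type": "request", "time": "2025-08-05T10:01:30Z", "auth": {"entity_id": "e1"},
     "request": {"operation": "update", "path": "sys/plugins/catalog/secret/helper"}},
    {"type": "request", "time": "2025-08-05T11:00:00Z", "auth": {"entity_id": "e2"},
     "request": {"operation": "read", "path": "secret/data/app"}},
])


def audit_then_plugin_sequences(log_text: str, window_seconds: int = 600) -> List[Tuple[str, str, str]]:
    """Return (entity, audit_path, catalog_path) for each entity that enabled an audit device
    and then registered a plugin within window_seconds. Paths are never HMAC'd, so this works
    on a default audit configuration."""
    last_audit: Dict[str, Tuple[datetime, str]] = {}
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        if entry.get("type") != "request":
            continue
        req = entry.get("request") or {}
        if req.get("operation") != "update":
            continue
        entity = (entry.get("auth") or {}).get("entity_id", "unknown")
        ts = datetime.fromisoformat(entry["time"].replace("Z", "+00:00"))
        path = req.get("path", "")
        if path.startswith("sys/audit/"):
            last_audit[entity] = (ts, path)
        elif path.startswith("sys/plugins/catalog/") and entity in last_audit:
            t0, audit_path = last_audit[entity]
            if (ts - t0).total_seconds() <= window_seconds:
                hits.append((entity, audit_path, path))
    return hits


if __name__ == "__main__":
    for name, why in audit_device_findings(SAMPLE_AUDIT_DEVICES, SAMPLE_PLUGIN_DIRECTORY):
        print(f"[config] {name}: {why}")
    for entity, a, p in audit_then_plugin_sequences(SAMPLE_AUDIT_LOG):
        print(f"[log] entity {entity} enabled {a} then registered {p}")
```

To run the configuration check against a live cluster, feed `audit_device_findings` the JSON from `vault read -format=json sys/audit` and the `plugin_directory` value from the server configuration; if no plugin directory is configured, the file-path check is skipped, which matches the fact that the described attack needs one. The log check is intentionally crude (one pending audit-device event per entity, a fixed window) and is meant as a starting point for a SIEM rule, not a finished detector; a shorter window and a whitelist of expected automation identities will cut noise in environments that manage audit devices through infrastructure-as-code.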