CyberArk and HashiCorp Vulnerabilities Allow Remote Vault Takeover Without Credentials
Cybersecurity researchers have identified 14 vulnerabilities in enterprise secure vaults from CyberArk and HashiCorp, collectively termed Vault Fault. If exploited, they could enable remote attackers to breach corporate identity systems and extract sensitive enterprise secrets and tokens. The vulnerabilities affect CyberArk Secrets Manager, Self-Hosted, and Conjur Open Source, as well as HashiCorp Vault. Following responsible disclosure in May 2025, the flaws were fixed in CyberArk Secrets Manager, Self-Hosted 13.5.1 and 13.6.1, CyberArk Conjur Open Source 1.22.1, HashiCorp Vault Community Edition 1.20.2, and HashiCorp Vault Enterprise 1.20.2, 1.19.8, 1.18.13, and 1.16.24. The vulnerabilities encompass authentication bypasses, impersonation, privilege escalation bugs, code execution pathways, and root token theft.
Among the most critical issues is a remote code execution vulnerability that allows attackers to take over the vault without valid credentials. Specific vulnerabilities include CVE-2025-49827 and CVE-2025-49831, both with a CVSS score of 9.1, which bypass the IAM authenticator in CyberArk Secrets Manager. Other notable vulnerabilities include CVE-2025-6000, which allows arbitrary remote code execution via plugin catalog abuse in HashiCorp Vault, and CVE-2025-5999, which enables privilege escalation to root. Additionally, flaws in HashiCorp Vault's lockout protection logic could allow attackers to infer valid usernames and reset lockout counters. The research highlights a potential attack chain leading from these flaws to privilege escalation and code execution, ultimately turning security features into ransomware vectors.
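Because the Vault Enterprise fixes landed on four separate maintenance branches, a naive "is my version at least 1.20.2?" check misclassifies a patched 1.19.8 or 1.16.24 build as vulnerable and an unpatched 1.19.7 build as fine. The following triage helper is an added example, not code from CyberArk, HashiCorp or the researchers; it uses only the fixed release numbers quoted above, the product keys and the sample inventory are constructed for illustration, and the rule that a major.minor line newer than every listed fix is already patched is an assumption to confirm against the vendor's release notes.

```python
# Added example (not from CyberArk, HashiCorp or the Vault Fault researchers):
# a branch-aware "is this build patched?" triage helper built only from the fixed
# release numbers quoted in the summary above.
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Fixed releases as stated on the page. Vault Enterprise shipped the fix on several
# maintenance branches, so a running build must be compared against the fixed
# release on its own major.minor line, not against the single highest number.
# The product keys are constructed labels for this example.
FIXED_VERSIONS: Dict[str, List[str]] = {
    "cyberark-secrets-manager-self-hosted": ["13.5.1", "13.6.1"],
    "cyberark-conjur-oss": ["1.22.1"],
    "hashicorp-vault-ce": ["1.20.2"],
    "hashicorp-vault-enterprise": ["1.20.2", "1.19.8", "1.18.13", "1.16.24"],
}


def parse_version(text: str) -> Version:
    """Turn '1.20.2', 'v1.20.2' or '1.20.2+ent' into (major, minor, patch).

    Build metadata such as '+ent' or a '-rc1' pre-release tag is dropped; only
    the numeric core is compared.
    """
    core = text.strip().lstrip("vV").split("+", 1)[0].split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_patched(product: str, running: str) -> bool:
    """Return True when `running` is at or above the fixed release for its branch.

    Rules:
      * same major.minor as a listed fix -> patched iff patch level >= the fix;
      * a major.minor newer than every listed fix -> assumed patched (later lines
        normally carry earlier fixes; confirm against the vendor's release notes);
      * an older major.minor with no listed fix (e.g. an Enterprise 1.17.x build)
        -> treated as unpatched, because the page lists no fixed release for it.
    """
    if product not in FIXED_VERSIONS:
        raise KeyError(f"no fixed-version data for product {product!r}")
    current = parse_version(running)
    fixes = [parse_version(v) for v in FIXED_VERSIONS[product]]

    same_branch = [f for f in fixes if f[:2] == current[:2]]
    if same_branch:
        return current >= max(same_branch)

    newest_branch = max(f[:2] for f in fixes)
    return current[:2] > newest_branch


def triage(inventory: Dict[str, Tuple[str, str]]) -> List[str]:
    """Given {host: (product, version)}, return the hosts still needing an upgrade."""
    return sorted(
        host
        for host, (product, version) in inventory.items()
        if not is_patched(product, version)
    )


if __name__ == "__main__":
    # Constructed sample inventory; the hostnames and versions are not real systems.
    sample = {
        "vault-prod-1": ("hashicorp-vault-enterprise", "v1.19.7+ent"),
        "vault-prod-2": ("hashicorp-vault-enterprise", "v1.18.13+ent"),
        "vault-dev": ("hashicorp-vault-ce", "1.20.1"),
        "conjur-1": ("cyberark-conjur-oss", "1.22.1"),
        "csm-1": ("cyberark-secrets-manager-self-hosted", "13.6.0"),
    }
    for host in triage(sample):
        print(f"{host}: upgrade required")
```

Feed it the output of `vault version` (which prints a `v1.x.y` string, with `+ent` on Enterprise builds) and the equivalent version strings from the CyberArk products; the `-ent`/pre-release suffix handling is deliberately lenient so that a build string is never silently skipped, and an unknown product key raises rather than returning a misleading "patched".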
Categories: Vulnerabilities, Remote Code Execution, Identity Security
Tags: Vulnerabilities, CyberArk, HashiCorp, Vault, Authentication, Remote Code Execution, Privilege Escalation, Multi-Factor Authentication, Identity Systems, Security Features