CVSS Score: 9.1 Published: 2025-08-09 Full Report: https://cvereports.com/reports/CVE-2025-54997
OpenBao and HashiCorp Vault, the Fort Knoxes of the DevOps world, suffered a serious logic flaw in their audit subsystems. Because audit devices can be configured through the API, an attacker who already holds audit-management privileges could make the service write attacker-controlled content to arbitrary paths on the host filesystem.
A high-privilege RCE vulnerability (CVSS 9.1) lets such an operator turn the audit logging system into an arbitrary file write primitive. By pointing a 'file' audit device at a sensitive path (such as /etc/cron.d) and setting a malicious 'prefix', the attacker can execute code as the Vault/OpenBao service user. The fix disables API-based audit configuration entirely.
- CWE ID: CWE-94
- Attack Vector: Network (API)
- CVSS Score: 9.1 (Critical)
- Privileges Required: High (Audit Write)
- Impact: Remote Code Execution (RCE)
- Exploit Status: Conceptual / Weaponizable
Affected Products:
- OpenBao (versions < 2.3.2)
- HashiCorp Vault Community Edition (versions < 1.20.1)
- HashiCorp Vault Enterprise (versions < 1.20.1)
Version Ranges:
- OpenBao: < 2.3.2 (Fixed in: 2.3.2)
- Vault Community Edition: < 1.20.1 (Fixed in: 1.20.1)
- Vault Enterprise: < 1.19.7 (Fixed in: 1.19.7)
Mitigations:
- Disable API-based audit device creation
- Run OpenBao/Vault as a low-privileged user
- Use SELinux/AppArmor to restrict file writes
- Monitor audit logs for suspicious prefixes
Remediation Steps:
- Upgrade OpenBao to v2.3.2 or HashiCorp Vault to v1.20.1.
- Update server configuration (`config.hcl`) to define audit devices statically.
- Verify `unsafe_allow_api_audit_creation` is set to `false` (default).
- Verify `allow_audit_log_prefixing` is set to `false` (default).
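The two checks below support the "monitor audit logs for suspicious prefixes" mitigation and the verification step in the remediation list: one inspects the configured audit devices for file paths outside an approved log directory or a non-empty prefix, the other scans audit log lines for bytes that precede the JSON record. This is an added example written for this report, not OpenBao or Vault project code; it assumes the device listing has the shape returned by `GET /v1/sys/audit` (device name mapped to `type` and `options` with `file_path` and `prefix`), and the approved directories are a site policy, not a product default. Both sample inputs are constructed.

```python
"""Check audit-device configuration and audit log lines for the abuse pattern
described above. Added example, not Vault/OpenBao project code.

Assumptions: the device listing has the shape returned by GET /v1/sys/audit
(device name -> {"type", "options": {"file_path", "prefix", ...}}), and the
approved log directories below are site policy, not a product default.
"""
import json
import posixpath

# Site policy (assumed): the only directories an audit file may be written to.
APPROVED_LOG_DIRS = ("/var/log/vault", "/var/log/openbao")
# file_path values that do not touch the filesystem at all.
NON_FILE_TARGETS = {"stdout", "discard"}


def _under_approved_dir(file_path: str) -> bool:
    """True if the normalised absolute path lives inside an approved directory."""
    norm = posixpath.normpath(file_path)  # collapses /var/log/vault/../../etc
    if not norm.startswith("/"):
        return False
    return any(norm.startswith(d.rstrip("/") + "/") for d in APPROVED_LOG_DIRS)


def audit_device_findings(sys_audit_json: str) -> list:
    """Return one finding string per risky setting on each file audit device."""
    findings = []
    for name, dev in json.loads(sys_audit_json).items():
        if dev.get("type") != "file":
            continue
        opts = dev.get("options") or {}
        path = opts.get("file_path", "")
        if path not in NON_FILE_TARGETS and not _under_approved_dir(path):
            findings.append(f"{name}: file_path {path!r} is outside the approved log directories")
        if opts.get("prefix"):
            # Any prefix means non-JSON bytes are written before every record.
            findings.append(f"{name}: non-empty prefix {opts['prefix']!r}")
    return findings


def prefixed_audit_lines(lines) -> list:
    """Return (line_number, prefix) for every log line that does not start with a
    JSON record; a file audit device without a prefix writes one JSON object per line."""
    hits = []
    for n, line in enumerate(lines, start=1):
        line = line.rstrip("\n")
        if not line:
            continue
        brace = line.find("{")
        if brace == 0:
            continue
        hits.append((n, line if brace < 0 else line[:brace]))
    return hits


# Constructed sample sys/audit response: one sane device, one stdout device,
# one device pointed outside the log directory with a prefix set.
SAMPLE_SYS_AUDIT = json.dumps({
    "file/": {"type": "file", "description": "primary log",
              "options": {"file_path": "/var/log/vault/audit.log"}, "local": False},
    "stdout/": {"type": "file", "description": "",
                "options": {"file_path": "stdout"}, "local": False},
    "suspicious/": {"type": "file", "description": "",
                    "options": {"file_path": "/etc/cron.d/example",
                                "prefix": "CONSTRUCTED-PREFIX "}, "local": False},
})

# Constructed audit log lines: a normal record, a prefixed record, a stray line.
SAMPLE_LOG_LINES = [
    '{"type":"request","time":"2025-08-09T10:00:00Z","request":{"path":"sys/health"}}',
    'CONSTRUCTED-PREFIX {"type":"response","time":"2025-08-09T10:00:01Z","request":{"path":"sys/audit"}}',
    'not a json record at all',
]

if __name__ == "__main__":
    for f in audit_device_findings(SAMPLE_SYS_AUDIT):
        print("DEVICE:", f)
    for n, prefix in prefixed_audit_lines(SAMPLE_LOG_LINES):
        print(f"LOG line {n}: unexpected prefix {prefix!r}")
```

Run it against the real `sys/audit` output and the current audit file on a schedule; the path check normalises `..` segments before comparing, so a path that only appears to sit under the log directory is still flagged, and any device with a prefix at all is reported because a correctly configured device never needs one.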
Generated by CVEReports - Automated Vulnerability Intelligence