CVSS Score: 7.2 Published: 2025-08-01 Full Report: https://cvereports.com/reports/CVE-2025-6000
A critical privilege escalation vulnerability in HashiCorp Vault allows privileged operators to achieve Remote Code Execution (RCE) on the host system. By abusing the File Audit Device and Plugin System, an attacker can write executable audit logs to the plugin directory and execute them.
If you have a root token (or 'sys/audit' write privs) in Vault, you can trick the audit logger into writing a binary payload to the plugin directory and executing it. This breaks the boundary between the Vault application and the underlying host OS, allowing a complete container escape or host compromise.
- Attack Vector: Network (Authenticated)
- CVSS v3.1: 7.2 (High)
- CWE: CWE-73 (External Control of File Name or Path)
- Privileges Required: High (Audit Write)
- Exploit Status: PoC Available / Weaponized
- Impact: Remote Code Execution (RCE)
- HashiCorp Vault Community Edition < 1.20.1
- HashiCorp Vault Enterprise < 1.20.1
- Vault: >= 0.8.0, < 1.16.23 (Fixed in:
1.16.23) - Vault: >= 1.17.0, < 1.18.12 (Fixed in:
1.18.12) - Vault: >= 1.19.0, < 1.19.7 (Fixed in:
1.19.7) - Vault: >= 1.20.0, < 1.20.1 (Fixed in:
1.20.1)
- Upgrade to Vault 1.20.1, 1.19.7, or 1.18.12 immediately.
- Restrict the
plugin_directoryfilesystem permissions so the Vault user cannot write to it. - Disable the file audit device in favor of
syslogorsocketaudit devices where possible. - Monitor
sys/auditlogs formodechanges or paths pointing to sensitive directories.
Remediation Steps:
- Assess current Vault version via
vault status. - Download the patched binary from HashiCorp releases.
- Replace the binary and restart the Vault service.
- Verify that
AllowAuditLogPrefixingis false (default in new versions).
Generated by CVEReports - Automated Vulnerability Intelligence