BIT-vault-2025-6000
Code Execution Vulnerability vulnerability in vault (Go)
What is BIT-vault-2025-6000 About?
This vulnerability in Hashicorp Vault allows for remote code execution through the plugin configuration. It can lead to complete system compromise, making it a critical threat. The exploit complexity would likely depend on the specific configuration and plugin used.
Affected Software
Technical Details
The Hashicorp Vault product is susceptible to a Code Execution Vulnerability when mishandling plugin configurations. An attacker could craft a malicious plugin configuration that, when processed or loaded by Vault, would result in the arbitrary execution of code on the underlying system where Vault is running. This exploit path leverages the trust Vault places in its plugins and their configuration parameters, allowing an attacker to inject and execute unauthorized commands or scripts.
What is the Impact of BIT-vault-2025-6000?
Successful exploitation may allow attackers to execute arbitrary code with the privileges of the Vault process, leading to full system compromise, data exfiltration, system integrity loss, and denial of service.
What is the Exploitability of BIT-vault-2025-6000?
Exploitation of this vulnerability would likely require specific knowledge of Hashicorp Vault's plugin configuration mechanisms and potentially authenticated access or the ability to manipulate configuration files. The complexity could range from moderate to high depending on the specific attack vector, such as configuration file injection or a compromised plugin registry. Remote access is possible if the configuration can be manipulated remotely, otherwise, local access or prior compromise may be needed. No special conditions are explicitly mentioned, but the presence of vulnerable plugin configurations increases the likelihood. Privilege requirements would depend on whether administrative access is needed to modify plugin configurations.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for BIT-vault-2025-6000?
Available Upgrade Options
- github.com/hashicorp/vault
- >0.8.0, <1.20.1 → Upgrade to 1.20.1
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://osv.dev/vulnerability/GHSA-mr4h-qf9j-f665
- https://discuss.hashicorp.com/t/hcsec-2025-14-privileged-vault-operator-may-execute-code-on-the-underlying-host/76033
- https://github.com/hashicorp/vault
- https://nvd.nist.gov/vuln/detail/CVE-2025-6000
- https://github.com/advisories/GHSA-mr4h-qf9j-f665
- https://osv.dev/vulnerability/GO-2025-3838
- https://discuss.hashicorp.com/t/hcsec-2025-14-privileged-vault-operator-may-execute-code-on-the-underlying-host/76033
What are Similar Vulnerabilities to BIT-vault-2025-6000?
Similar Vulnerabilities: CVE-2021-41277 , CVE-2022-26134 , CVE-2023-28432 , CVE-2020-11022 , CVE-2020-11979
