CyberArk and HashiCorp Flaws Enable Remote Vault Takeover Without Credentials - The Hacker News
Ravie LakshmananAug 09, 2025Vulnerability / Enterprise Security
Cybersecurity researchers have discovered over a dozen vulnerabilities in enterprise secure vaults from CyberArk and HashiCorp that, if successfully exploited, can allow remote attackers to crack open corporate identity systems and extract enterprise secrets and tokens from them.
The 14 vulnerabilities, collectively named Vault Fault, affect CyberArk Secrets Manager, Self-Hosted, and Conjur Open Source as well as HashiCorp Vault, according to a report from identity security firm Cyata. Following responsible disclosure in May 2025, the flaws have been addressed in the following versions -
CyberArk Secrets Manager and Self-Hosted 13.5.1 and 13.6.1
CyberArk Conjur Open Source 1.22.1
HashiCorp Vault Community Edition 1.20.2 or Vault Enterprise 1.20.2, 1.19.8, 1.18.13, and 1.16.24
These include authentication bypasses, impersonation, privilege escalation bugs, code execution pathways, and root token theft. The most severe of the issues allow remote code execution and, under certain conditions, let an attacker take over the vault without any valid credentials -
CVE-2025-49827 (CVSS score: 9.1) - Bypass of IAM authenticator in CyberArk Secrets Manager
CVE-2025-49831 (CVSS score: 9.1) - Bypass of IAM authenticator in CyberArk Secrets Manager via a misconfigured network device
CVE-2025-49828 (CVSS score: 8.6) - Remote code execution in CyberArk Secrets Manager
CVE-2025-6000 (CVSS score: 9.1) - Arbitrary remote code execution via plugin catalog abuse in HashiCorp Vault
CVE-2025-5999 (CVSS score: 7.2) - Privilege escalation to root via policy normalization in HashiCorp Vault
In addition, vulnerabilities have been discovered in HashiCorp Vault's lockout protection logic, which is designed to throttle brute-force attempts. They could permit an attacker to infer which usernames are valid by taking advantage of a timing-based side channel, and even to reset the lockout counter by changing the case of a known username (e.g., admin to Admin), because the counter was keyed on the literal string while the backend matched names case-insensitively.
Two other shortcomings identified by the Israeli company made it possible to weaken lockout enforcement and bypass multi-factor authentication (MFA) controls when username_as_alias=true in the LDAP auth configuration and MFA enforcement is applied at the EntityID or IdentityGroup level.
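The following Ruby is an added illustration of the lockout weakness described above; it is not HashiCorp's code and does not reproduce Vault's implementation. It places a naive lockout guard, which counts failures per raw username string and returns early for unknown users, next to a hardened one that keys the counter on the same canonical form the backend matches on and does the same amount of work whether or not the user exists. The user store, MAX_ATTEMPTS, and the class and method names are invented for the example.

```ruby
require "openssl"

MAX_ATTEMPTS = 3
# Digest compared against when the user does not exist, so the unknown-user
# path costs the same as the wrong-password path.
DUMMY_HASH = OpenSSL::Digest::SHA256.hexdigest("dummy")

# Constructed user store. The backend (LDAP-like) matches names case-insensitively.
USERS = { "admin" => OpenSSL::Digest::SHA256.hexdigest("correct horse battery staple") }

def backend_lookup(username)
  USERS[username.strip.downcase]
end

# Constant-time string comparison so the compare itself leaks nothing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

def password_matches?(stored_hash, password)
  secure_equal?(stored_hash, OpenSSL::Digest::SHA256.hexdigest(password))
end

# Naive guard: counter keyed on the literal username, early return for unknown users.
class NaiveLockout
  def initialize
    @fails = Hash.new(0)
  end

  def attempts(username)
    @fails[username]
  end

  def login(username, password)
    return :locked if @fails[username] >= MAX_ATTEMPTS
    stored = backend_lookup(username)
    return :no_such_user if stored.nil?          # distinct, faster path: a timing and oracle tell
    return :ok if password_matches?(stored, password)
    @fails[username] += 1                        # "admin", "Admin", "ADMIN" each get a fresh budget
    :bad_credentials
  end
end

# Hardened guard: counter keyed on the canonical name, uniform work and uniform answer.
class HardenedLockout
  def initialize
    @fails = Hash.new(0)
  end

  # Same canonicalization the backend applies, so every spelling shares one counter.
  def key(username)
    username.strip.downcase
  end

  def attempts(username)
    @fails[key(username)]
  end

  def login(username, password)
    k = key(username)
    return :locked if @fails[k] >= MAX_ATTEMPTS
    stored = backend_lookup(username)
    exists = !stored.nil?
    match  = password_matches?(stored || DUMMY_HASH, password)  # always hash and compare
    return :ok if match & exists                                # non-short-circuit AND
    @fails[k] += 1
    :bad_credentials                                            # one answer for both failure kinds
  end
end

# Burn the attempt budget under three spellings of the same account and compare outcomes.
def demo
  naive, hard = NaiveLockout.new, HardenedLockout.new
  %w[admin Admin ADMIN].each do |name|
    MAX_ATTEMPTS.times { naive.login(name, "wrong"); hard.login(name, "wrong") }
  end
  {
    naive_locked_as_admin:     naive.login("admin", "wrong"),
    naive_still_open_as_aDmIn: naive.login("aDmIn", "wrong"),
    hardened_locked_any_case:  hard.login("aDmIn", "wrong"),
    hardened_unknown_user:     hard.login("nobody", "x"),
    hardened_wrong_password:   HardenedLockout.new.login("admin", "x"),
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The two fixes are independent: normalizing the counter key closes the case-flip reset, while hashing against a dummy digest and returning the same generic result removes both the timing difference and the explicit "no such user" oracle.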
In the attack chain detailed by the cybersecurity company, it's possible to leverage a certificate entity impersonation issue (CVE-2025-6037) with CVE-2025-5999 and CVE-2025-6000 to break the authentication layer, escalate privileges, and achieve code execution. CVE-2025-6037 and CVE-2025-6000 are said to have existed for over eight and nine years, respectively.
Armed with this capability, a threat actor could further weaponize the access to delete the "core/hsm/_barrier-unseal-keys" file, effectively turning a security feature into a ransomware vector. What's more, the Control Group feature can be undermined to send HTTP requests and receive responses without being audited, creating a stealthy communication channel.
"This research shows how authentication, policy enforcement, and plugin execution can all be subverted through logic bugs, without touching memory, triggering crashes, or breaking cryptography," security researcher Yarden Porat said.
In a similar vein, the vulnerabilities discovered in CyberArk Secrets Manager/Conjur allow for authentication bypass, privilege escalation, information disclosure, and arbitrary code execution, effectively opening the door to a scenario where an attacker can craft an exploit chain to obtain unauthenticated access and run arbitrary commands.
The attack sequence unfolds as follows -
Bypass IAM authentication by forging valid-looking GetCallerIdentity responses
Authenticate as a policy resource
Abuse the Host Factory endpoint to create a new host that impersonates a valid policy template
Assign a malicious Embedded Ruby (ERB) payload directly to the host
Trigger the execution of the attached ERB by invoking the Policy Factory endpoint
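The snippet below is an added example of the bug class behind the last two steps, written here for illustration; it is not Conjur's code and makes no claim about how the Policy Factory is implemented. Rendering an attacker-controlled string as an ERB template executes whatever Ruby is embedded in it, whereas a renderer that only evaluates templates the application itself ships and passes stored values in as data never runs attacker input. The payload, the template, and the function names are constructed for the example.

```ruby
require "erb"

# Constructed attacker input: a value that looks like a host attribute but
# contains an ERB tag. `(6 * 7)` stands in for `system(...)` or similar.
MALICIOUS_PAYLOAD = '<%= "pwned:" + (6 * 7).to_s %>'

# Vulnerable pattern: the stored, attacker-controlled value *is* the template,
# so ERB evaluates the Ruby inside it with the caller's binding.
def render_untrusted_as_template(stored_value)
  ERB.new(stored_value).result(binding)
end

# Hardened pattern: one fixed, application-owned template. Stored values are
# substituted as plain data and are never parsed for ERB tags.
HOST_TEMPLATE = ERB.new("host: <%= name %>\nnote: <%= note %>")

def render_with_fixed_template(name, note)
  HOST_TEMPLATE.result_with_hash(name: name, note: note)
end

# Defense in depth: when a field will ever travel through a templating layer,
# reject values that carry template syntax at write time.
def contains_erb_tags?(value)
  value.include?("<%")
end

if $PROGRAM_NAME == __FILE__
  puts render_untrusted_as_template(MALICIOUS_PAYLOAD)        # code ran
  puts render_with_fixed_template("web-01", MALICIOUS_PAYLOAD) # payload stays literal
  puts contains_erb_tags?(MALICIOUS_PAYLOAD)
end
```

The distinction to carry away is who owns the template text: as long as only the application does, ERB is a formatting tool; the moment a stored field is handed to `ERB.new`, that field is an execution path.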
"This exploit chain moved from unauthenticated access to full remote code execution without ever supplying a password, token, or AWS credentials," Porat noted.