DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2025-54997: The Janitor's Key: Turning OpenBao Audit Logs into RCE

Vulnerability ID: CVE-2025-54997
CVSS Score: 9.1
Published: 2025-08-09

OpenBao and HashiCorp Vault, the literal Fort Knoxes of the DevOps world, suffered a catastrophic logic flaw in their audit subsystems. By abusing the ability to configure audit devices via API, privileged attackers could trick the system into writing malicious code directly to the host filesystem.

TL;DR

A high-privilege RCE vulnerability (CVSS 9.1) allows operators to turn the audit logging system into an arbitrary file write primitive. By pointing a 'file' audit device at a sensitive path (like /etc/cron.d) and injecting a malicious 'prefix', attackers can execute code as the Vault/OpenBao service user. The fix involves disabling API-based audit configuration entirely.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-94
  • Attack Vector: Network (API)
  • CVSS Score: 9.1 (Critical)
  • Privileges Required: High (Audit Write)
  • Impact: Remote Code Execution (RCE)
  • Exploit Status: Conceptual / Weaponizable

Affected Systems

  • OpenBao: < 2.3.2 (Fixed in: 2.3.2)
  • HashiCorp Vault Community Edition: < 1.20.1 (Fixed in: 1.20.1)
  • HashiCorp Vault Enterprise: < 1.20.1 (Fixed in: 1.20.1); 1.19.x branch: < 1.19.7 (Fixed in: 1.19.7)

Code Analysis

Commit: 3d1c232

Restrict audit device creation via API and disable prefixing

func (b *SystemBackend) handleAuditEnable(...) {
+ conf := b.Core.rawConfig.Load().(*server.Config)
+ if !conf.UnsafeAllowAPIAuditCreation {
+     return handleError(fmt.Errorf("cannot enable audit device via API"))
+ }
}
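Review bot: the type assertion `b.Core.rawConfig.Load().(*server.Config)` on the first added line is unchecked and will panic if rawConfig has not been stored yet or holds a different type; use the two-value form (`conf, ok := b.Core.rawConfig.Load().(*server.Config)`) and return an error when `!ok`. The commit title also says prefixing is disabled, but this excerpt only shows the API-creation gate, so the corresponding `allow_audit_log_prefixing` check named in the remediation steps should be shown (or linked) alongside it, and the error string could name the `unsafe_allow_api_audit_creation` setting so operators know which knob governs the refusal.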

Exploit Details

  • Internal Research: Exploit logic derived from patch analysis (reverse engineering configuration flags)

Mitigation Strategies

  • Disable API-based audit device creation
  • Run OpenBao/Vault as a low-privileged user
  • Use SELinux/AppArmor to restrict file writes
  • Monitor audit logs for suspicious prefixes

Remediation Steps:

  1. Upgrade OpenBao to v2.3.2 or HashiCorp Vault to v1.20.1.
  2. Update server configuration (config.hcl) to define audit devices statically.
  3. Verify unsafe_allow_api_audit_creation is set to false (default).
  4. Verify allow_audit_log_prefixing is set to false (default).
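As an added defensive check (not part of the original report or of the OpenBao/Vault code), the following Python inspects a GET sys/audit response and a config.hcl for the conditions above: file audit devices writing outside an allowed log directory, any configured prefix, and the two flags named in the remediation steps set to true. The allowed directories and the sample data are constructed assumptions.

```python
"""Audit-device hygiene check for OpenBao / Vault (CVE-2025-54997)."""
import json
import os
import re

# Assumed directories where a 'file' audit device may legitimately write.
ALLOWED_LOG_DIRS = ("/var/log/openbao", "/var/log/vault")

# Config keys named in the report; both must stay false (their default).
UNSAFE_KEYS = ("unsafe_allow_api_audit_creation", "allow_audit_log_prefixing")


def audit_device_findings(sys_audit_json, allowed_dirs=ALLOWED_LOG_DIRS):
    """Inspect a GET sys/audit response for risky 'file' devices.

    Flags devices whose file_path lies outside allowed_dirs and any device
    carrying a non-empty prefix (the injection vector in CVE-2025-54997).
    Returns a list of (device_path, reason) tuples.
    """
    findings = []
    for dev_path, dev in json.loads(sys_audit_json).items():
        opts = dev.get("options") or {}
        if dev.get("type") == "file":
            target = os.path.normpath(opts.get("file_path", ""))
            if not any(target.startswith(d + os.sep) for d in allowed_dirs):
                findings.append((dev_path, f"file_path outside allowed dirs: {target}"))
        if opts.get("prefix"):
            findings.append((dev_path, f"prefix set: {opts['prefix']!r}"))
    return findings


def unsafe_config_flags(config_hcl):
    """Return the report's two flags that config.hcl sets to true."""
    return [k for k in UNSAFE_KEYS
            if re.search(rf"^\s*{k}\s*=\s*true\b", config_hcl, re.M)]


# Constructed sample data (not a real capture).
SAMPLE_SYS_AUDIT = json.dumps({
    "file/": {"type": "file", "description": "",
              "options": {"file_path": "/var/log/openbao/audit.log"}},
    "cron/": {"type": "file", "description": "",
              "options": {"file_path": "/etc/cron.d/openbao",
                          "prefix": "<attacker-controlled text>"}},
})
SAMPLE_CONFIG = "ui = true\nunsafe_allow_api_audit_creation = true\n"

if __name__ == "__main__":
    for dev, why in audit_device_findings(SAMPLE_SYS_AUDIT):
        print(f"[!] {dev}: {why}")
    for flag in unsafe_config_flags(SAMPLE_CONFIG):
        print(f"[!] config.hcl sets {flag} = true; remove it (default is false)")
```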

Read the full report for CVE-2025-54997 on our website for more details including interactive diagrams and full exploit analysis.
