CVE-2025-6000: Vaulted Severance: Turning Audit Logs into Remote Shells

#security #cve #cybersecurity

Vaulted Severance: Turning Audit Logs into Remote Shells

Vulnerability ID: CVE-2025-6000
CVSS Score: 7.2
Published: 2025-08-01

A critical privilege escalation vulnerability in HashiCorp Vault allows privileged operators to achieve Remote Code Execution (RCE) on the host system. By abusing the File Audit Device and Plugin System, an attacker can write executable audit logs to the plugin directory and execute them.

TL;DR

If you have a root token (or 'sys/audit' write privs) in Vault, you can trick the audit logger into writing a binary payload to the plugin directory and executing it. This breaks the boundary between the Vault application and the underlying host OS, allowing a complete container escape or host compromise.

⚠️ Exploit Status: WEAPONIZED

Technical Details

Attack Vector: Network (Authenticated)
CVSS v3.1: 7.2 (High)
CWE: CWE-73 (External Control of File Name or Path)
Privileges Required: High (Audit Write)
Exploit Status: PoC Available / Weaponized
Impact: Remote Code Execution (RCE)

Affected Systems

HashiCorp Vault Community Edition < 1.20.1
HashiCorp Vault Enterprise < 1.20.1
Vault: >= 0.8.0, < 1.16.23 (Fixed in: 1.16.23)
Vault: >= 1.17.0, < 1.18.12 (Fixed in: 1.18.12)
Vault: >= 1.19.0, < 1.19.7 (Fixed in: 1.19.7)
Vault: >= 1.20.0, < 1.20.1 (Fixed in: 1.20.1)

Exploit Details

Cyata Security: OuttieFinder detection tool logic implies the exploit methodology.

Mitigation Strategies

Upgrade to Vault 1.20.1, 1.19.7, or 1.18.12 immediately.
Restrict the plugin_directory filesystem permissions so the Vault user cannot write to it.
Disable the file audit device in favor of syslog or socket audit devices where possible.
Monitor sys/audit logs for mode changes or paths pointing to sensitive directories.

Remediation Steps: