CVE-2025-6000: 
HashiCorp Vault vulnerability analysis and mitigation

A critical security vulnerability (CVE-2025-6000) was discovered in HashiCorp Vault that allows privileged Vault operators within the root namespace with write permission to {{sys/audit}} to potentially execute code on the underlying host when a plugin directory is set in Vault's configuration. The vulnerability affects Vault Community Edition versions from 0.8.0 up to 1.20.0 and Vault Enterprise versions from 0.8.0 up to 1.20.0, 1.19.6, 1.18.11, 1.16.22, and 1.15.15 (HashiCorp Discussion).

The vulnerability stems from the interaction between Vault's file audit device and plugin functionality. A malicious operator can exploit this by using the file audit device to write arbitrary files to disk, which when combined with plugin registration and usage, enables arbitrary code execution on the host system. While the exploitation requires a SHA256 digest of the file and audit devices have per-device HMAC keys, attackers can potentially reproduce audit file contents and compute the hash using the sys/audit-hash endpoint. The vulnerability has received a CVSS v3.1 base score of 9.1 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H (NVD).

The vulnerability enables privileged Vault operators to execute arbitrary code on the underlying host system, potentially compromising the entire Vault infrastructure. This could lead to complete system compromise, data breaches, and unauthorized access to sensitive information stored within Vault (HashiCorp Discussion).

The vulnerability has been patched in Vault Community Edition 1.20.1 and Vault Enterprise versions 1.20.1, 1.19.7, 1.18.12, and 1.16.23. The fix includes disabling the prefix option by default for new Audit devices and requiring AllowAuditLogPrefixing to be explicitly set to true in Vault's configuration. Additionally, audit logs destination can no longer be set to the plugin directory (HashiCorp Discussion).