
CVE-2025-6000
HashiCorp Vault vulnerability analysis and mitigation

Overview

A critical security vulnerability (CVE-2025-6000) was discovered in HashiCorp Vault that affects Community and Enterprise editions from version 0.8.0 up to 1.20.0. The vulnerability allows a privileged Vault operator within the root namespace with write permission to sys/audit to obtain code execution on the underlying host if a plugin directory is set in Vault's configuration. This vulnerability was disclosed on August 1, 2025, and has been assigned a CVSS v3.1 score of 9.1 (Critical) (HashiCorp Discussion, NVD).

Technical details

The vulnerability stems from the ability of a malicious operator with write permissions to the sys/audit endpoint to write arbitrary files to disk using Vault's file audit device. When combined with plugin registration and usage, this functionality can be exploited to execute arbitrary code on the underlying host. While the SHA256 digest of the file is required for execution and audit devices have a per-device HMAC key, attackers can potentially reproduce audit file contents and compute the hash using sys/audit-hash. The vulnerability is classified as CWE-94 (Improper Control of Generation of Code) (HashiCorp Discussion).

Impact

The vulnerability enables privileged attackers to achieve code execution on the underlying host system, potentially compromising the entire Vault infrastructure. This could lead to unauthorized access to sensitive data, system manipulation, and potential lateral movement within the infrastructure. The high CVSS score of 9.1 reflects the critical nature of this vulnerability (NVD).

Mitigation and workarounds

HashiCorp has released patches in Vault Community Edition 1.20.1 and Vault Enterprise versions 1.20.1, 1.19.7, 1.18.12, and 1.16.23. The fixes include disabling the prefix option by default for new audit devices and requiring AllowAuditLogPrefixing to be set to true in Vault's configuration. Additionally, the audit log destination can no longer be set to the plugin directory (HashiCorp Discussion).
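The following is an added defender-side check, not code from Wiz or HashiCorp: it reports whether a Vault build is at or beyond the fixed releases listed above, and flags file audit devices whose log destination sits inside plugin_directory or that have the prefix option set. It assumes the audit device listing has the shape returned by `vault audit list -detailed -format=json` (a path-keyed map with "type" and "options"); the sample data is constructed.

```python
import os
from typing import Dict, List, Tuple

# Fixed releases from the advisory: CE 1.20.1; Enterprise 1.20.1, 1.19.7, 1.18.12, 1.16.23.
FIXED_ENTERPRISE = {(1, 20): (1, 20, 1), (1, 19): (1, 19, 7),
                    (1, 18): (1, 18, 12), (1, 16): (1, 16, 23)}

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.19.7+ent' or '1.20.0' into a comparable tuple (1, 19, 7)."""
    core = version.split("+")[0].split("-")[0]
    return tuple(int(part) for part in core.split("."))

def is_patched(version: str, enterprise: bool) -> bool:
    """True if this build is at or beyond the fixed release for its branch."""
    v = parse_version(version)
    if enterprise and v[:2] in FIXED_ENTERPRISE:
        return v >= FIXED_ENTERPRISE[v[:2]]
    # CE has a single fixed release; Enterprise branches without a listed
    # backport (e.g. 1.17.x) are treated as unpatched unless they are newer than 1.20.1.
    return v >= (1, 20, 1)

def audit_findings(audit_devices: Dict[str, dict], plugin_directory: str) -> List[str]:
    """Flag file audit devices that write into plugin_directory or use a prefix."""
    findings: List[str] = []
    plugin_dir = os.path.realpath(plugin_directory)
    for path, device in audit_devices.items():
        if device.get("type") != "file":
            continue  # only the file device writes operator-controlled content to disk
        options = device.get("options", {})
        file_path = options.get("file_path", "")
        if file_path and os.path.realpath(file_path).startswith(plugin_dir + os.sep):
            findings.append(f"{path}: file_path {file_path} is inside plugin_directory")
        if options.get("prefix"):
            findings.append(f"{path}: prefix option is set ({options['prefix']!r})")
    return findings

# Constructed sample resembling `vault audit list -detailed -format=json` output.
SAMPLE_AUDIT = {
    "file/": {"type": "file", "options": {"file_path": "/var/log/vault_audit.log"}},
    "file2/": {"type": "file", "options": {"file_path": "/etc/vault/plugins/audit.log",
                                           "prefix": "vault: "}},
    "syslog/": {"type": "syslog", "options": {}},
}

if __name__ == "__main__":
    print("patched:", is_patched("1.20.0", enterprise=False))
    for line in audit_findings(SAMPLE_AUDIT, "/etc/vault/plugins"):
        print("FINDING", line)
```

Pair the configuration check with a policy review: only operators who genuinely need to manage audit devices should hold write on sys/audit in the root namespace.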

This report was generated using AI.
