CVE-2025-54997
The Janitor's Key: Turning OpenBao Audit Logs into RCE
Alon Barad
Software EngineerJan 1, 2026·6 min read·103 visits
Executive Summary (TL;DR)
A high-privilege RCE vulnerability (CVSS 9.1) allows operators to turn the audit logging system into an arbitrary file write primitive. By pointing a 'file' audit device at a sensitive path (like `/etc/cron.d`) and injecting a malicious 'prefix', attackers can execute code as the Vault/OpenBao service user. The fix involves disabling API-based audit configuration entirely.
OpenBao and HashiCorp Vault, the literal Fort Knoxes of the DevOps world, suffered a catastrophic logic flaw in their audit subsystems. By abusing the ability to configure audit devices via API, privileged attackers could trick the system into writing malicious code directly to the host filesystem.
Official Patches
Fix Analysis (1)
Technical Appendix
CVSS Score
9.1/ 10
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:HEPSS Probability
0.12%
Top 35% most exploited
Affected Systems
OpenBao (versions < 2.3.2)HashiCorp Vault Community Edition (versions < 1.20.1)HashiCorp Vault Enterprise (versions < 1.20.1)
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
OpenBao OpenBao | < 2.3.2 | 2.3.2 |
Vault Community Edition HashiCorp | < 1.20.1 | 1.20.1 |
Vault Enterprise HashiCorp | < 1.19.7 | 1.19.7 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-94 |
| Attack Vector | Network (API) |
| CVSS Score | 9.1 (Critical) |
| Privileges Required | High (Audit Write) |
| Impact | Remote Code Execution (RCE) |
| Exploit Status | Conceptual / Weaponizable |
MITRE ATT&CK Mapping
CWE-94
Code Injection
Improper Control of Generation of Code ('Code Injection')
Known Exploits & Detection
Vulnerability Timeline
Patch released in OpenBao v2.3.2
2025-01-15
Patch released in HashiCorp Vault v1.20.1
2025-01-15
