Jan 1, 2026

If you have a root token (or 'sys/audit' write privs) in Vault, you can trick the audit logger into writing a binary payload to the plugin directory and executing it. This breaks the boundary between the Vault application and the underlying host OS, allowing a complete container escape or host compromise.
A critical privilege escalation vulnerability in HashiCorp Vault allows privileged operators to achieve Remote Code Execution (RCE) on the host system. By abusing the File Audit Device and Plugin System, an attacker can write executable audit logs to the plugin directory and execute them.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

| Product | Affected Versions | Fixed Version |
|---|---|---|
| HashiCorp Vault | >= 0.8.0, < 1.16.23 | 1.16.23 |
| HashiCorp Vault | >= 1.17.0, < 1.18.12 | 1.18.12 |
| HashiCorp Vault | >= 1.19.0, < 1.19.7 | 1.19.7 |
| HashiCorp Vault | >= 1.20.0, < 1.20.1 | 1.20.1 |

| Attribute | Detail |
|---|---|
| Attack Vector | Network (Authenticated) |
| CVSS v3.1 | 7.2 (High) |
| CWE | CWE-73 (External Control of File Name or Path) |
| Privileges Required | High (Audit Write) |
| Exploit Status | PoC Available / Weaponized |
| Impact | Remote Code Execution (RCE) |

The software allows user input to control or influence paths used in filesystem operations, allowing attackers to access or modify unintended files.
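
For triage, the following added example (not code from the advisory or from HashiCorp) checks a Vault version against the affected ranges in the table above and flags file audit devices whose target path falls inside the plugin directory or whose `mode` sets execute bits. The listing shape, the sample devices and the plugin directory path `/etc/vault/plugins` are constructed assumptions; `file_path` and `mode` are options of the file audit device.

```python
import posixpath

# Affected ranges copied from the advisory table: (first affected, first fixed).
AFFECTED = [((0, 8, 0), (1, 16, 23)), ((1, 17, 0), (1, 18, 12)),
            ((1, 19, 0), (1, 19, 7)), ((1, 20, 0), (1, 20, 1))]


def parse_version(text):
    """'v1.18.3+ent' -> (1, 18, 3); build and pre-release suffixes are dropped."""
    core = text.strip().lstrip("v").split("+")[0].split("-")[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version):
    v = parse_version(version)
    return any(low <= v < fixed for low, fixed in AFFECTED)


def inside(path, directory):
    """True if path, after collapsing '..' and '.', lies within directory (symlinks not resolved)."""
    p = posixpath.normpath(path)
    d = posixpath.normpath(directory)
    return p == d or p.startswith(d.rstrip("/") + "/")


def risky_file_devices(audit_devices, plugin_dir):
    """Return (mount, reason) for file audit devices that could yield an executable in plugin_dir."""
    findings = []
    for mount, dev in sorted(audit_devices.items()):
        if dev.get("type") != "file":
            continue
        opts = dev.get("options") or {}
        path = opts.get("file_path", "")
        if path and inside(path, plugin_dir):
            findings.append((mount, "file_path is inside plugin directory"))
        mode = opts.get("mode")
        if mode and int(mode, 8) & 0o111:
            findings.append((mount, "mode sets execute bits"))
    return findings


# Constructed sample, shaped like a sys/audit listing (mount -> type/options); an assumption.
SAMPLE = {
    "file/": {"type": "file", "options": {"file_path": "/var/log/vault/audit.log"}},
    "dbg/": {"type": "file", "options": {"file_path": "/var/log/../../etc/vault/plugins/a.log", "mode": "0755"}},
    "sys/": {"type": "syslog", "options": {}},
}
```

A finding on a version inside an affected range is the combination the advisory describes; on fixed versions the same check still serves as a configuration hygiene review.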