
HashiCorp Vault 0-Day Flaws Enable Remote Code Execution Attacks


Researchers at Cyata have disclosed nine previously unknown zero-day vulnerabilities in HashiCorp Vault, a widely adopted open-source secrets management platform, enabling attackers to bypass authentication, escalate privileges, and achieve remote code execution (RCE).

These flaws, assigned CVEs through responsible disclosure and patched in collaboration with HashiCorp, stem from subtle logic errors in core components like authentication backends, multi-factor authentication (MFA) enforcement, policy normalization, and plugin handling.

Affecting both open-source and enterprise editions, the vulnerabilities highlight systemic weaknesses in Vault’s trust model, where misconfigurations amplify risks, potentially leading to infrastructure-wide compromise.

Expose Secrets Management Tool

The issues span multiple authentication methods, starting with the userpass backend, where CVE-2025-6004 allows lockout bypass via username case permutations, resetting failure counters and facilitating brute-force attacks.
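To show why a lockout counter must key on the same normalized identity the authentication lookup uses, here is an added toy model (not Cyata's or HashiCorp's code, and not a reproduction of Vault's internals): the weak variant keeps one counter per raw spelling, so each case permutation starts fresh, while the hardened variant folds case before counting.

```python
from dataclasses import dataclass, field

MAX_FAILURES = 3  # assumed threshold for this toy model


@dataclass
class LoginThrottle:
    """Toy failed-login tracker keyed by a string derived from the username."""
    normalize: bool
    failures: dict = field(default_factory=dict)

    def _key(self, username: str) -> str:
        # Weak: "alice", "Alice" and "ALICE" become three independent counters.
        # Hardened: case is folded, so every spelling shares one counter, the
        # same key the user lookup should use.
        return username.casefold() if self.normalize else username

    def record_failure(self, username: str) -> bool:
        """Record one failed attempt; return True if the account is now locked."""
        k = self._key(username)
        self.failures[k] = self.failures.get(k, 0) + 1
        return self.failures[k] >= MAX_FAILURES

    def is_locked(self, username: str) -> bool:
        return self.failures.get(self._key(username), 0) >= MAX_FAILURES


def lockout_after(normalize: bool, spellings: list[str]) -> int:
    """Failed attempts, cycling through spellings, needed before lockout.

    A defender can run this against their own throttle logic: with consistent
    normalization the answer must equal MAX_FAILURES regardless of spelling.
    """
    throttle = LoginThrottle(normalize)
    attempts = 0
    for _ in range(10 * MAX_FAILURES):
        for name in spellings:
            attempts += 1
            if throttle.record_failure(name):
                return attempts
    return attempts


if __name__ == "__main__":
    variants = ["alice", "Alice", "ALICE"]  # constructed sample spellings
    print("raw keys  :", lockout_after(False, variants))  # 7
    print("casefolded:", lockout_after(True, variants))   # 3
```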

(Figure: The Full Login Flow)

Similarly, CVE-2025-6011 introduces timing-based username enumeration through inconsistent bcrypt hash comparisons, leaking valid user existence.

In LDAP integrations, CVE-2025-6004 exploits input normalization mismatches between ...


Copyright of this story solely belongs to gbhackers.