- Last update: 11/08/2025
- Affected software:
→ HashiCorp Vault and Vault Enterprise < 1.20.2, 1.19.8, 1.18.13, and 1.16.24
- Type:
→ CWE-94 - Improper Control of Generation of Code ('Code Injection')
→ CWE-266 - Incorrect Privilege Assignment
→ CWE-295 - Improper Certificate Validation
→ CWE-307 - Improper Restriction of Excessive Authentication Attempts
→ CWE-863 - Incorrect Authorization
→ CWE-203 - Observable Discrepancy
- CVE/CVSS:
→ CVE-2025-6000: CVSS 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
→ CVE-2025-5999: CVSS 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
→ CVE-2025-6037: CVSS 6.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H)
→ CVE-2025-6004: CVSS 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
→ CVE-2025-6003: CVSS 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
→ CVE-2025-6011: CVSS 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
HashiCorp Vault is a secrets management and data protection platform used to securely store and access sensitive credentials, tokens, and encryption keys across distributed systems. Security researchers uncovered a chain of zero-day vulnerabilities in HashiCorp Vault, culminating in a critical RCE flaw tracked as CVE-2025-6000.
Exploiting these vulnerabilities could allow attackers to execute arbitrary code on Vault servers, bypass authentication mechanisms, escalate privileges and impersonate users via forged certificates. This could result in full compromise of the secrets infrastructure, enabling attackers to extract sensitive credentials, deploy ransomware, and move laterally across systems.
Such exploitation threatens the Confidentiality of stored secrets, the Integrity of access controls and authentication mechanisms, and the Availability of Vault services in production environments.
CVE-2025-6000 is a critical remote code execution vulnerability that allows a privileged Vault operator to exploit the audit logging endpoint and execute arbitrary code on the host system when a plugin directory is configured. This could result in full system compromise, data theft, denial of service, or malware installation.
CVE-2025-5999 is a high-severity privilege escalation vulnerability that allows a privileged Vault operator to manipulate identity endpoint permissions and escalate token privileges to the root policy. This could result in full administrative control, unauthorized access to secrets, and compromise of Vault’s confidentiality, integrity, and availability.
CVE-2025-6037 is a medium-severity authentication bypass vulnerability that allows an unauthenticated attacker to craft malicious TLS certificates and impersonate users when Vault is configured with a non-CA trusted certificate. This could lead to unauthorized access, privilege escalation, and compromise of Vault’s confidentiality, integrity, and availability.
CVE-2025-6004 is a medium-severity authentication bypass vulnerability that allows an unauthenticated attacker to circumvent Vault’s user lockout protections for the Userpass and LDAP auth methods. This could enable brute-force attacks, unauthorized access, and full compromise of sensitive secrets and configurations.
CVE-2025-6011 is a low-severity information disclosure vulnerability that allows an unauthenticated attacker to exploit a timing side channel in Vault’s Userpass authentication method to enumerate valid usernames. This could facilitate targeted brute-force attacks and unauthorized access to sensitive secrets.
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
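To turn the affected-version list above into a fleet check, here is an added example (not CCB or HashiCorp code) that classifies a Vault version string, such as the output of `vault version` or the `version` field returned by `sys/health`, against the four fixed releases named in this advisory. It assumes that a branch with no fixed release listed (1.17.x, or anything older than 1.16) is still affected and that branches newer than 1.20 already carry the fix; the fleet inventory is constructed sample data.

```python
import re

# Fixed release per minor branch, as named in this advisory.
FIXED_RELEASES = {(1, 20): (1, 20, 2), (1, 19): (1, 19, 8),
                  (1, 18): (1, 18, 13), (1, 16): (1, 16, 24)}
NEWEST_FIXED_BRANCH = max(FIXED_RELEASES)

def parse_version(text):
    """Pull (major, minor, patch) out of '1.20.1', 'Vault v1.19.7+ent (sha)'
    or the 'version' field of sys/health; +ent and pre-release tags are ignored."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no semantic version in {text!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(text):
    """True when the version is older than the fix for its branch.
    Assumptions (not stated in the advisory): a branch newer than 1.20 already
    carries the fix; a branch with no fixed release listed (1.17.x, or anything
    older than 1.16) has no patched build and is therefore treated as affected."""
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch > NEWEST_FIXED_BRANCH:
        return False
    fixed = FIXED_RELEASES.get(branch)
    if fixed is None:
        return True
    return (major, minor, patch) < fixed

def triage(fleet):
    """Map node name -> True if that node still needs the patch."""
    return {node: is_affected(v) for node, v in fleet.items()}

# Constructed sample of what a fleet inventory might report.
SAMPLE_FLEET = {
    "vault-prod-a": "Vault v1.20.1 (sha-placeholder)",
    "vault-prod-b": "1.20.2",
    "vault-ent-legacy": "1.16.23+ent",
    "vault-dev": "1.17.5",
}

if __name__ == "__main__":
    for node, affected in triage(SAMPLE_FLEET).items():
        print(f"{node}: {'PATCH REQUIRED' if affected else 'fixed'}")
```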
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.
While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.