CVE-2025-6000

CRITICAL LAB

HashiCorp Vault 0.8.0-1.16.22, 1.17.0-1.19.6, 1.20.0 - Authenticated RCE via Plugin Directory

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-6000. PoCs published by exploitintel.

AI-analyzed exploit summary This repository contains a functional exploit PoC for CVE-2025-6000, a critical code injection vulnerability in HashiCorp Vault. The exploit leverages missing security controls in the file audit backend to achieve arbitrary code execution by injecting a shell script payload via the audit log prefix.

Description

A privileged Vault operator within the root namespace with write permission to {{sys/audit}} may obtain code execution on the underlying host if a plugin directory is set in Vault’s configuration. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

Exploits (1)

github WORKING POC 1 stars

by exploitintel · pythonpoc

https://github.com/exploitintel/eip-pocs-and-cves/tree/main/CVE-2025-6000

View Code ZIP pw:eip

This repository contains a functional exploit PoC for CVE-2025-6000, a critical code injection vulnerability in HashiCorp Vault. The exploit leverages missing security controls in the file audit backend to achieve arbitrary code execution by injecting a shell script payload via the audit log prefix.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: HashiCorp Vault 0.8.0 - 1.20.0

Auth required

Prerequisites: root namespace operator privileges · network access to Vault instance

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Mar 04, 2026 Full analysis →

References (1)

Core 1

Core References

Vendor Advisory

https://discuss.hashicorp.com/t/hcsec-2025-14-privileged-vault-operator-may-execute-code-on-the-underlying-host/76033

Scores

CVSS v3 9.1

EPSS 0.0059

EPSS Percentile 69.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Lab Environment

EIP LAB

vulnerable docker pull ghcr.io/exploitintel/cve-2025-6000-vulnerable:latest

View in Library GitHub

Details

CWE

CWE-94

Status published

Products (4)

hashicorp/vault 1.20.0

hashicorp/vault 0.8.0 - 1.16.23

hashicorp/vault 0.8.0 - 1.20.1

hashicorp/vault 0.8.0 - 1.20.1Go

Published Aug 01, 2025

Tracked Since Feb 18, 2026