CVE-2025-6000

CRITICAL LAB

Vault <1.20.1 - Code Injection

Title source: llm

Description

A privileged Vault operator within the root namespace with write permission to {{sys/audit}} may obtain code execution on the underlying host if a plugin directory is set in Vault’s configuration. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

Exploits (1)

github WORKING POC 1 stars

by exploitintel · pythonpoc

https://github.com/exploitintel/eip-pocs-and-cves/tree/main/CVE-2025-6000

View Code ZIP pw:eip

References (1)

[Vendor Advisory] https://discuss.hashicorp.com/t/hcsec-2025-14-privileged-vault-operator-may-execute-code-on-the-underlying-host/76033

Scores

CVSS v3 9.1

EPSS 0.0020

EPSS Percentile 42.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Lab Environment

EIP LAB

vulnerable docker pull ghcr.io/exploitintel/cve-2025-6000-vulnerable:latest

View in Library GitHub

Details

CWE

CWE-94

Status published

Products (4)

hashicorp/vault 1.20.0

hashicorp/vault 0.8.0 - 1.16.23

hashicorp/vault 0.8.0 - 1.20.1

hashicorp/vault 0.8.0 - 1.20.1Go

Published Aug 01, 2025

Tracked Since Feb 18, 2026