Cyber Posture

CVE-2025-6000

Critical · RCE

Published: 01 August 2025
Modified: 13 August 2025
KEV Added: not listed
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0024 (46.4th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-6000 is a critical-severity Code Injection (CWE-94) vulnerability in HashiCorp Vault. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks the CVE at the 46.4th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-7 (Least Functionality).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique (T1059). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly mitigates the code injection vulnerability by requiring timely installation of the patches released in Vault 1.20.1 and the equivalent Enterprise versions.

Prevent (AC-6, Least Privilege): Prevents exploitation by enforcing least privilege, denying Vault operators any unnecessary write access to the sensitive sys/audit path.

Prevent (CM-7, Least Functionality): Blocks the vulnerability's precondition by restricting Vault to least functionality, for example by not configuring a plugin directory unless it is needed.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Code injection in Vault enables remote exploitation of a network-accessible application (T1190), which in turn leads to arbitrary command execution on the host (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A privileged Vault operator within the root namespace with write permission to sys/audit may obtain code execution on the underlying host if a plugin directory is set in Vault's configuration. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

Deeper analysis

CVE-2025-6000 is a code injection vulnerability (CWE-94) affecting HashiCorp Vault, a secrets management tool. It allows a privileged Vault operator within the root namespace who has write permission to the sys/audit path to achieve arbitrary code execution on the underlying host, provided a plugin directory is configured in Vault's settings. The issue has a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) and was published on 2025-08-01.

An attacker must already hold high privileges: a Vault operator identity in the root namespace with write access to sys/audit. Exploitation additionally requires a plugin directory to be set in the Vault configuration; with both conditions met, the operator can inject and execute code directly on the host operating system, potentially leading to full compromise of the Vault host.

HashiCorp's security advisory (HCSEC-2025-14) details the fix, available in Vault Community Edition 1.20.1 and Vault Enterprise versions 1.20.1, 1.19.7, 1.18.12, and 1.16.23. Security practitioners should upgrade to these patched releases, review configurations to ensure a plugin directory is only set where it is actually needed, and audit which policies grant write access to sys/audit.

Details

CWE(s): CWE-94 (Code Injection)

Affected Products

HashiCorp Vault: 1.20.0; 0.8.0 to 1.16.23; 0.8.0 to 1.20.1; 1.17.0 to 1.18.12

CVEs Like This One

CVE-2026-5052 (same product: HashiCorp Vault)
CVE-2026-4525 (same product: HashiCorp Vault)
CVE-2026-5807 (same product: HashiCorp Vault)
CVE-2026-3605 (same product: HashiCorp Vault)
CVE-2025-11621 (same product: HashiCorp Vault)
CVE-2025-22906 (shared CWE-94)
CVE-2025-71281 (shared CWE-94)
CVE-2024-9132 (shared CWE-94)
CVE-2024-50658 (shared CWE-94)
CVE-2026-32525 (shared CWE-94)
