A privileged Vault operator within the root namespace with write permission to {{sys/audit}} may obtain code execution on the underlying host if a plugin directory is set in Vault’s configuration. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.
History

Mon, 04 Aug 2025 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Important


Mon, 04 Aug 2025 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Hashicorp
Hashicorp vault
Hashicorp vault Enterprise
Vendors & Products Hashicorp
Hashicorp vault
Hashicorp vault Enterprise

Fri, 01 Aug 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 01 Aug 2025 18:00:00 +0000

Type Values Removed Values Added
Description A privileged Vault operator within the root namespace with write permission to {{sys/audit}} may obtain code execution on the underlying host if a plugin directory is set in Vault’s configuration. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.
Title Arbitrary Remote Code Execution via Plugin Catalog Abuse
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: HashiCorp

Published: 2025-08-01T17:40:48.524Z

Updated: 2025-08-01T18:12:02.883Z

Reserved: 2025-06-11T14:38:13.583Z

Link: CVE-2025-6000

cve-icon Vulnrichment

Updated: 2025-08-01T18:11:58.841Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-08-01T18:15:56.423

Modified: 2025-08-04T15:06:15.833

Link: CVE-2025-6000

cve-icon Redhat

Severity : Important

Publid Date: 2025-08-01T17:40:48Z

Links: CVE-2025-6000 - Bugzilla