
A Coordinated Disclosure by Cyata
Vaults are the backbone of enterprise trust. They secure the identities of all your users: humans, NHI, and now AI agents. But what happens when the vault itself becomes the vulnerability?
Why Vaults Matter – The Assumption
Enterprise vaults are a core element of identity and access. They store and protect credentials, tokens, certificates, and API keys – the secrets that secure your infrastructure and safeguard your most critical business assets. They shield the identifiers of all identities: human users, NHI and now AI agents.
They’re trusted by default, assumed to be secure by design.

At Cyata, we challenge these assumptions. We think differently.
We challenge the models and trust boundaries that most systems take for granted. Vault Fault is a result of that thinking. Our research shows:
– and how dangerous it is
Cyata researchers investigated real-world deployments of leading enterprise vaults including on-premises, cloud-hosted, and SaaS-based vaults, and found 14 high-severity zero-day weaknesses with catastrophic implications.
Among the findings were remote code execution (RCE) vulnerabilities in CyberArk Conjur and HashiCorp Vault that allow a full-blown takeover of the vault, in some cases without any valid credentials.
Additional discoveries include authentication bypasses, impersonation, privilege escalation bugs, code execution pathways, and root token theft.
Cyata disclosed these findings responsibly, coordinating with the vendors to issue CVEs and ensure patches were issued before public release. Our research was selected for presentation at Black Hat USA 2025.
Come visit us at our booth at Black Hat – Booth 6316 in the Startup City

List of published CVEs
HashiCorp Vault
- CVE-2025-6000 (CVSS 9.1): Arbitrary Remote Code Execution via Plugin Catalog Abuse
- CVE-2025-5999 (CVSS 7.2): Privilege Escalation to Root via Case Manipulation
- CVE-2025-6004 (CVSS 5.3): Userpass Lockout Bypass via Username Normalization and LDAP Lockout Bypass via Username Normalization
- CVE-2025-6010 — Redacted (Pending Fix): This CVE has been temporarily withheld from publication at the request of the vendor. No technical details will be shared at this time.
- CVE-2025-6011 (CVSS 3.7): Timing Side Channel in Userpass Authentication
- CVE-2025-6011 (CVSS 3.7): LDAP MFA Enforcement Bypass
- CVE-2025-6014 (CVSS 6.5): TOTP Secret Engine – Reuse of “One-Time” Codes
- CVE-2025-6016 (CVSS 5.7): TOTP MFA Code Enumeration and Bypass of Rate Limiting
- CVE-2025-6037 (CVSS 6.8): Certificate Authentication – Missing CommonName Validation
CyberArk Conjur
- CVE-2025-49827 (CVSS 9.1): Bypass of IAM Authenticator in Secrets Manager
- CVE-2025-49831 (CVSS 9.1): IAM Authenticator Bypass via Mis-configured Network Device in Secrets Manager
- CVE-2025-49828 (CVSS 8.6): Remote Code Execution in Secrets Manager
- CVE-2025-49830 (CVSS 7.1): Path Traversal and File Disclosure in Secrets Manager
- CVE-2025-49829 (CVSS 6.0): Missing Validations in Secrets Manager, Self-Hosted
A compromised vault doesn’t stop at secrets – it breaks your identity foundations.
Total vault takeover
Attackers gain root access to every stored secret – no MFA, no audit trail.
Locking you out
They rotate credentials and disable human, NHI and agentic accounts – you lose control instantly.
Owning identity flows
Authentication, authorization, and logging are hijacked. Your trust model collapses.
Lateral movement
They pivot across environments, escalate privileges, and compromise critical infrastructure.
Your vault might already be compromised. We’ll help you check.
We built a free, offline detection tool that scans for indicators of compromise in your HashiCorp Vault or Conjur deployment.
No agents. No telemetry. Just answers.
What you can do to secure your vault
Immediate
Update to the latest version of Vault and Conjur as soon as possible. This is the definitive fix.
Restrict network access
Use firewalls, private networking, or proxy layers to limit exposure – especially if you can’t update right away.
Check vendor advisories
Review the latest mitigation guidance from HashiCorp and CyberArk for version-specific recommendations.
Ongoing Hardening
Simulate vault breach scenarios during red team exercises
Limit vault exposure using secure proxies and IP restrictions
Patch vaults proactively and track vendor advisories
Use short-lived, scoped credentials and enforce MFA
Monitor for anomalous vault behavior across CI/CD and cloud layers
Limit root credential use and apply least-privilege policies
Enable and monitor audit logs
Stream logs to tamper-resistant SIEMs
Beyond the Vault: A Smarter Layer of Protection
“Security and risk management leaders should discover, secure and manage these secrets and whenever possible, switch to alternative ‘secretless’ mechanisms.”
Gartner
It’s time to evolve.
The goal is no longer just protecting secrets – it’s minimizing where they live, how long they persist, and how they’re used.
Security isn’t about where secrets live – it’s about who gets to use them, when, and under what context. By shifting from static secrets to dynamic, context-aware access, organizations can reduce risk, simplify controls, and build resilience across hybrid and multi-cloud environments – especially as AI agents and automation reshape the enterprise.
Have questions, thoughts, or just curious?
We’d love to hear from you.
Talk to the Cyata team – whether you’re exploring a partnership, digging into our tech, or just want to chat about agentic identity.
Meet us live at the Cyata Booth at Black Hat USA
August 6-7, 2025 in Las Vegas – Booth 6316 in the Startup City