Black Hat USA: Startup breaks secrets management tools | Computer Weekly

By Computer Weekly
August 7, 2025

A total of 14 common vulnerabilities and exposures (CVEs) spanning CyberArk’s Conjur and HashiCorp’s Vault enterprise secrets management platforms have been addressed and disclosed this week, after being discovered by researchers at Cyata, an emergent, Israel-based startup working in the field of agentic identity.

Taken as a whole, the critical issues demonstrated “complete compromise” of the secrets management systems that protect virtually every Fortune 500 organisation, said Cyata. The vulnerability set, comprising five issues in Conjur and nine in Vault, has likely been exploitable for several years and includes issues that enable remote code execution (RCE).

Cyata CEO and Check Point alumnus Shahar Tal said the disclosures represented a worst-case scenario for enterprise security.

“When attackers can compromise the vault without any authentication, they literally gain the keys to the kingdom – access to every database, every API [application programming interface], every cloud resource across an entire organisation,” he said.

“In some cases, we achieved full vault compromise with just a single unauthenticated API request – no credentials, no friction.”

Notable among the Conjur vulnerabilities is a complete, unauthenticated RCE chain that arises from the service’s default Amazon Web Services (AWS) integration setup.

Exploiting it would enable an attacker to gain full system control without any valid credentials, tokens, or even a real AWS account.

The attack chain in question begins with an identity and access management (IAM) authentication bypass that redirects AWS security token service (STS) validation to a server controlled by an attacker.

With that in place, the attacker can impersonate any AWS identity they like without supplying a single credential, then escalate to create and control their own hosts and achieve remote code execution, in a “seamless, start-to-finish” exploit chain in which every step uses default behaviour that doesn’t look out of place until it’s too late.

The exploit chain was reported to CyberArk on 23 May 2025 per the organisation’s disclosure policies, and the five CVEs in scope began to be issued on 19 June.

When trust can’t be trusted

The set of nine HashiCorp CVEs, which are classed as zero-days, includes the first RCE vulnerability ever reported in Vault’s 10-year history, stemming from a flaw that appears to have been exploitable for almost as long.

Collectively, the vulnerabilities affected some of Vault’s most popular authentication methods, such as traditional usernames and passwords, Lightweight Directory Access Protocol (LDAP) and multifactor authentication (MFA).

Cyata’s researchers said the issues stemmed entirely from logic flaws and failures that, taken individually and together, create dangerous attack paths in real-world deployments where misconfigurations and excessive permissions can be widespread.

The RCE flaw, tracked as CVE-2025-6000, arises at the end of a chain, through which an attacker can create a malicious custom plugin.

An attacker who completes this chain can gain persistent, low-visibility access to the victim’s environment. More concerningly, they can turn Vault’s encryption mechanism upside down, changing it from a protective measure into a component of a ransomware extortion attack.

This is possible because Vault stores critical policies, secrets and tokens encrypted on disk, with a specific file needed for decryption. Should someone delete this file, however, Vault will permanently lose access to its encryption key, and even an administrator won’t be able to get it back, said Cyata.

As with CyberArk, the vulnerabilities were disclosed to HashiCorp in May, and the CVEs were issued on 12 June across open source and enterprise versions of Vault.

Tips for CISOs

Tal and Cyata lead researcher Yarden Porat demonstrated the findings at Black Hat USA this week, in conjunction with the coordinated disclosure announcement. The firm has also set up a dedicated landing page where security practitioners can find more in-depth technical details, indicators of compromise (IoCs) and other useful tools.

In addition to approving and applying the patches from CyberArk and HashiCorp immediately, security teams should also take steps to review their vault access logs for any suspicious activity, work to identify potential compromises using the newly published detection tooling, and prepare incident response plans for the outlined scenarios, should they unfold.

It would also be wise to consider implementing more monitoring and access controls around vault systems, said Cyata.
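The advice above to review vault access logs is easier to act on with a concrete starting point. The script below is an added example written for this article, not Cyata’s detection tooling and not code from CyberArk or HashiCorp. It assumes Vault’s file audit device JSON-lines output and uses two of Vault’s documented API paths (plugin registration under `sys/plugins/catalog/` and logins under `auth/userpass/login/` and `auth/ldap/login/`). The sample log lines are constructed, and the two rules are generic heuristics (unexpected plugin registration, bursts of failed logins against the auth methods the article names), not signatures for the specific CVEs.

```python
"""Scan Vault audit-device JSON lines for events worth a closer look."""
import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample lines in the shape of Vault's file audit device output
# (one JSON object per line). Addresses and names are placeholders.
SAMPLE_LOG = """
{"time":"2025-08-07T10:00:00Z","type":"request","auth":{"display_name":"userpass-bob","policies":["default"]},"request":{"operation":"update","path":"sys/plugins/catalog/secret/custom-plugin","remote_address":"10.0.0.5"}}
{"time":"2025-08-07T10:00:30Z","type":"request","auth":{"display_name":"root","policies":["root"]},"request":{"operation":"update","path":"sys/plugins/catalog/secret/approved-plugin","remote_address":"10.0.0.2"}}
{"time":"2025-08-07T10:01:00Z","type":"response","request":{"operation":"update","path":"auth/userpass/login/alice","remote_address":"10.0.0.9"},"error":"invalid username or password"}
{"time":"2025-08-07T10:01:20Z","type":"response","request":{"operation":"update","path":"auth/userpass/login/alice","remote_address":"10.0.0.9"},"error":"invalid username or password"}
{"time":"2025-08-07T10:01:40Z","type":"response","request":{"operation":"update","path":"auth/userpass/login/alice","remote_address":"10.0.0.9"},"error":"invalid username or password"}
{"time":"2025-08-07T10:02:00Z","type":"response","request":{"operation":"update","path":"auth/ldap/login/carol","remote_address":"10.0.0.11"},"error":"ldap operation failed"}
{"time":"2025-08-07T10:02:10Z","type":"response","auth":{"display_name":"userpass-alice"},"request":{"operation":"read","path":"secret/data/app/db","remote_address":"10.0.0.9"}}
not json at all
"""

# Vault's documented plugin catalog and reload endpoints. A write here by an
# identity outside a small admin allow-list deserves review, because the
# article's Vault RCE chain ends with registering a malicious custom plugin.
PLUGIN_PATH_PREFIXES = ("sys/plugins/catalog/", "sys/plugins/reload/")
# Login paths for the auth methods the article names (userpass, LDAP).
LOGIN_PATH_PREFIXES = ("auth/userpass/login/", "auth/ldap/login/")


@dataclass
class Finding:
    rule: str
    time: str
    detail: str


def parse_audit_lines(lines):
    """Parse raw audit lines, skipping blanks and anything that is not JSON."""
    entries = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return entries


def _ts(entry):
    # Vault writes RFC 3339 timestamps with a trailing Z.
    return datetime.fromisoformat(entry["time"].replace("Z", "+00:00"))


def detect(entries, allowed_plugin_admins=(), fail_threshold=3,
           window=timedelta(minutes=5)):
    """Return findings for plugin writes and login-failure bursts."""
    findings = []
    failures = defaultdict(list)  # (remote_address, path) -> recent failure times
    for e in entries:
        req = e.get("request", {})
        path = req.get("path", "")
        op = req.get("operation", "")
        who = (e.get("auth") or {}).get("display_name", "unknown")
        # Rule 1: plugin catalog/reload write by a non-allow-listed identity.
        if (e.get("type") == "request" and path.startswith(PLUGIN_PATH_PREFIXES)
                and op in ("update", "create") and who not in allowed_plugin_admins):
            findings.append(Finding("plugin-write", e["time"],
                                    f"{who} {op} {path} from {req.get('remote_address')}"))
        # Rule 2: repeated failed logins from one address on one login path.
        # Fires once, when the count first reaches the threshold in the window.
        if e.get("type") == "response" and e.get("error") and path.startswith(LOGIN_PATH_PREFIXES):
            key = (req.get("remote_address"), path)
            now = _ts(e)
            recent = [t for t in failures[key] if now - t <= window]
            recent.append(now)
            failures[key] = recent
            if len(recent) == fail_threshold:
                findings.append(Finding("login-failure-burst", e["time"],
                                        f"{len(recent)} failures on {path} from {key[0]} within {window}"))
    return findings


def sample_findings():
    """Run both rules over the constructed sample, treating 'root' as a plugin admin."""
    return detect(parse_audit_lines(SAMPLE_LOG.splitlines()), allowed_plugin_admins=("root",))


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.time} [{f.rule}] {f.detail}")
```

Point the script at a real audit file (`detect(parse_audit_lines(open(path)))`) and tune `allowed_plugin_admins` to the identities that legitimately manage plugins; in most deployments that list is very short, so any other plugin-catalog write is a strong signal regardless of which vulnerability, if any, produced it.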
