プラットフォーム
go
コンポーネント
github.com/hashicorp/vault
修正版
1.20.1
1.20.1
1.20.1
CVE-2025-6000 describes a critical code execution vulnerability discovered in HashiCorp Vault. This flaw allows attackers to execute arbitrary code through manipulation of plugin configurations. The vulnerability impacts versions of Vault prior to 1.20.1, and a patch has been released to address the issue. Prompt patching is strongly recommended.
The impact of CVE-2025-6000 is severe. Successful exploitation allows an attacker to execute arbitrary code within the Vault environment, potentially gaining complete control over the system. This could lead to data breaches, unauthorized access to secrets, and complete compromise of the infrastructure relying on Vault for secure storage and management. The ability to execute code via plugin configuration significantly expands the attack surface, as malicious plugins could be crafted or existing plugins exploited to achieve this outcome. This vulnerability shares similarities with other plugin-related vulnerabilities where improper input validation leads to code execution.
CVE-2025-6000 was publicly disclosed on 2025-08-11. The vulnerability's severity is considered high due to the potential for remote code execution. Currently, there are no publicly available proof-of-concept exploits, but the ease of exploitation through plugin configuration suggests a medium probability of exploitation. Monitor security advisories and threat intelligence feeds for any signs of active exploitation.
Organizations heavily reliant on HashiCorp Vault for secrets management and those utilizing custom or third-party plugins are particularly at risk. Environments with lax plugin configuration controls or those lacking robust input validation are also vulnerable. Shared hosting environments where multiple users can potentially influence Vault configuration pose a heightened risk.
• go / server:
ps aux | grep vault | grep plugin• go / server:
journalctl -u vault -g "plugin configuration"• generic web: Check Vault's plugin configuration files for unusual or suspicious code. Review access logs for attempts to load unknown or unauthorized plugins.
disclosure
エクスプロイト状況
EPSS
0.09% (25% パーセンタイル)
CISA SSVC
CVSS ベクトル
The primary mitigation for CVE-2025-6000 is to upgrade to HashiCorp Vault version 1.20.1 or later. If immediate upgrading is not feasible, consider implementing strict input validation on plugin configurations to prevent malicious code injection. Review all existing plugins for potential vulnerabilities and disable any plugins that are not absolutely necessary. Implement network segmentation to limit the potential blast radius of a successful attack. After upgrading, verify the fix by attempting to load a known malicious plugin configuration and confirming that it is rejected.
Vault をバージョン 1.20.1 以降にアップデートしてください。直ちにアップデートできない場合は、{{sys/audit}} への書き込みアクセスを信頼できるオペレーターに制限することを検討してください。プラグインディレクトリの設定を確認し、信頼できるソースからのプラグインのみを使用していることを確認してください。脆弱性分析と重要アラートをメールでお届けします。
CVE-2025-6000 is a critical vulnerability in HashiCorp Vault allowing attackers to execute arbitrary code through plugin configuration manipulation. It affects versions before 1.20.1.
If you are running HashiCorp Vault versions prior to 1.20.1, you are potentially affected by this vulnerability. Immediate action is required.
Upgrade to HashiCorp Vault version 1.20.1 or later. Implement strict input validation on plugin configurations as an interim measure.
While no public exploits are currently available, the ease of exploitation suggests a potential for active exploitation. Monitoring is crucial.
Refer to the official HashiCorp security advisory on their website for detailed information and updates regarding CVE-2025-6000.
依存関係ファイルをアップロードすれば、このCVEや他のCVEがあなたに影響するか即座にわかります。
go.mod ファイルをアップロードすると、影響の有無を即座にお知らせします。