Nine Zero-Days in HashiCorp Vault: The Trust Model Broken

Cyata's research team uncovered nine previously unknown zero-day vulnerabilities in HashiCorp Vault that allow attackers to bypass lockouts, evade policy checks, and impersonate other identities. One vulnerability allows root privilege escalation, and another, perhaps the most concerning, leads to the first publicly reported remote code execution (RCE) in Vault, enabling complete system takeover. These flaws are not memory corruption bugs or race conditions but subtle logic flaws buried in Vault's authentication, identity, and policy enforcement layers; some had existed for nearly a decade. The researchers found them by meticulously examining Vault's core request flow, specifically the request_handling.go file. The vulnerabilities affect both the open-source and enterprise editions of Vault, allowing attackers to bypass multi-factor authentication (MFA), impersonate entities, and achieve RCE. The research highlights the impact that subtle logic flaws can have in software that is critical to infrastructure security.