New Security Vulnerabilities Discovered in CyberVault Systems
Cybersecurity experts have recently uncovered a significant set of vulnerabilities in enterprise secure vault technologies developed by CyberArk and HashiCorp, raising alarms across the industry. Identified as "Vault Fault," these vulnerabilities pose a serious risk that, if exploited, could enable remote attackers to infiltrate corporate identity systems and extract sensitive enterprise data, including secrets and tokens.
Overview of Vulnerabilities
A total of 14 vulnerabilities have been pinpointed in key products like CyberArk Secrets Manager, Self-Hosted Vault, Conjur Open Source, and HashiCorp Vault. According to a report from the identity security firm Cyata, these issues have been addressed in updates released after a responsible disclosure in May 2025.
Severity and Types of Flaws
The vulnerabilities range from authentication bypass and privilege escalation errors to severe remote code execution threats. Notably, the most critical issues allow attackers to obtain unauthorized access to vaults under specific conditions, even without valid credentials. Key vulnerabilities include:
- CVE-2025-49827 (CVSS score: 9.1): Bypassing the IAM authenticator in CyberArk Secrets Manager.
- CVE-2025-49828 (CVSS score: 8.6): Enabling remote code execution in CyberArk Secrets Manager.
- CVE-2025-6000 (CVSS score: 9.1): Arbitrary remote code execution through plugin catalog manipulation in HashiCorp Vault.
- CVE-2025-5999 (CVSS score: 7.2): Privilege escalation vulnerability that could elevate user rights in HashiCorp Vault.
Additionally, flaws related to lockout protection logic in HashiCorp Vault could allow attackers to bypass brute-force protection mechanisms, thereby revealing valid usernames and resetting lockout counters through simple case changes.
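The lockout weakness described above comes down to which string the failure counter is keyed on. The following is an added example, not HashiCorp's code or code from the Cyata report: it compares a counter keyed on the raw username with one keyed on a canonical form, and flags accounts whose failed logins arrived under several spellings. The names canonical, LockoutTracker and case_variant_accounts, the threshold of 5, and the assumption that the identity backend compares usernames case-insensitively are all illustrative.

```python
import unicodedata
from collections import defaultdict

MAX_FAILURES = 5  # assumed threshold for this example, not a value from the report


def canonical(username):
    """Fold a username the way the identity backend is ASSUMED to compare names."""
    return unicodedata.normalize("NFKC", username).strip().casefold()


class LockoutTracker:
    """Counts failed logins; `key` decides which spellings share one counter."""

    def __init__(self, key=canonical, limit=MAX_FAILURES):
        self.key, self.limit = key, limit
        self.failures = defaultdict(int)

    def record_failure(self, username):
        self.failures[self.key(username)] += 1

    def is_locked(self, username):
        return self.failures.get(self.key(username), 0) >= self.limit


def case_variant_accounts(attempts):
    """Detection: accounts whose failed logins arrived under several spellings."""
    spellings = defaultdict(set)
    for name in attempts:
        spellings[canonical(name)].add(name)
    return {acct: sorted(s) for acct, s in spellings.items() if len(s) > 1}


# Constructed sample: usernames from failed-login events, in arrival order.
SAMPLE_FAILURES = ["alice", "Alice", "ALICE", "aLice", "alicE", "bob", "alice"]


def replay(tracker, attempts=SAMPLE_FAILURES):
    """Feed every failed attempt to the tracker and return it."""
    for name in attempts:
        tracker.record_failure(name)
    return tracker


if __name__ == "__main__":
    raw = replay(LockoutTracker(key=lambda u: u))  # raw-string key: the flawed pattern
    fixed = replay(LockoutTracker())               # canonical key: one counter per account
    print("raw key locks alice:      ", raw.is_locked("alice"))
    print("canonical key locks alice:", fixed.is_locked("alice"))
    print("case-variant accounts:    ", case_variant_accounts(SAMPLE_FAILURES))
```

The same canonical form has to be used by the authentication lookup and by the lockout counter; the detection helper can be run over exported failed-login usernames to spot accounts probed under several spellings.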
Exploit Chain Analysis
The attack vectors can involve manipulating legitimate components to bypass security protocols. For instance, a combination of the attack vectors identified in CVE-2025-6037, CVE-2025-5999, and CVE-2025-6000 can lead to breaking the authentication layer, escalating privileges, and ultimately executing unauthorized code. These vulnerabilities have reportedly existed in the system for over eight years, significantly heightening the risk to organizations reliant on these technologies.
Potential for Ransomware Attacks
Once an attacker gains access through these vulnerabilities, they could potentially delete critical files, transforming security measures into vectors for ransomware attacks. Furthermore, features such as the Control Group could be exploited to send and receive HTTP requests undetected, effectively creating covert communication channels.
Security researcher Yarden Porat remarked on the implications of these vulnerabilities, noting how they could compromise authentication and policy enforcement without tripping traditional security mechanisms like memory corruption or cryptographic failures.
Additional Vulnerabilities in CyberArk Systems
CyberArk’s Secrets Manager and Conjur are also susceptible to various attack methods that enable attackers to gain unauthenticated access and execute arbitrary commands. This exploit chain involves:
- Forging responses to IAM authentication requests.
- Authenticating as a policy resource.
- Abusing endpoints to create impersonated hosts with malicious payloads.
- Triggering the execution of these payloads through policy commands.
Porat emphasized that this method allows attackers to escalate from no credentials to full remote code execution without ever needing a token or password.
Recent Vulnerabilities in Dell ControlVault
In a related development, Cisco Talos highlighted security concerns in Dell’s ControlVault3 Firmware, where vulnerabilities could potentially let attackers bypass Windows login processes and extract cryptographic keys. More importantly, they could maintain access even after an OS reinstall, allowing undetectable malware to persist on the hardware.
The identified vulnerabilities in Dell’s systems include:
- CVE-2025-25050 (CVSS score: 8.8): Out-of-bounds write vulnerability.
- CVE-2025-25215 (CVSS score: 8.8): Arbitrary free vulnerability leading to code execution.
These flaws create opportunities for attackers to implement persistent access methods, even compromising physical systems if a local attacker gains physical access to the device.
Mitigation Strategies
To address these vulnerabilities, organizations are advised to apply any relevant security patches promptly and implement strategies such as disabling unused ControlVault services. For those employing fingerprint login systems, turning off this feature in high-risk scenarios is also crucial to minimize potential exposure to such threats.
As cyber threats continue to evolve, understanding and addressing identified vulnerabilities remains vital to safeguarding enterprise environments.


