HashiCorp Vault and CyberArk vulnerabilities threaten corporate secrets

07.08.2025 2 minutes Author: Newsman

At the Black Hat USA 2025 conference, researchers revealed 14 critical 0-day vulnerabilities in two of the most popular secret storage systems, HashiCorp Vault and CyberArk Conjur. The vulnerabilities allowed attackers to gain root access, bypass authentication, and execute arbitrary code without authorization.

A team of experts from Cyata discovered nine previously unknown vulnerabilities in HashiCorp Vault and five in CyberArk Conjur. Both platforms are widely used to manage the most valuable corporate data: tokens, passwords, certificates, encryption keys, and API keys. The vulnerabilities opened the way to a complete compromise of “all the keys to the kingdom.”

The chain of attacks on Conjur turned out to be especially dangerous: the researchers spoofed AWS authentication, where a special character in the request (?) allowed the verification check to be redirected to a malicious server. They also changed their role from “machine” to “policy,” which allowed them to escalate privileges. Another vulnerability was arbitrary code execution via Embedded Ruby (ERB) templates.
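The article describes the Conjur chain only at a high level: a verification request that should have gone to AWS was redirected to a server the attacker controlled because of a special character in the request. A common root cause for that class of bug is a secrets manager that validates a client-supplied endpoint as a raw string instead of parsing it and checking the hostname. The following added example (not Conjur's or Vault's code, and not a reconstruction of the actual flaw) shows a weak string-based check beside a hardened one that parses the URL and matches only the hostname against an allowlist of STS endpoints; the allowlist and sample URLs are constructed for the illustration.

```python
"""Hardening the endpoint check a secrets manager performs before forwarding
an AWS identity-verification (GetCallerIdentity) request.

Added illustration of a host-validation pitfall; not CyberArk Conjur or
HashiCorp Vault code, and not the actual vulnerability from the article.
"""
from urllib.parse import urlsplit

# Constructed allowlist: the global STS endpoint plus regional ones of the
# form sts.<region>.amazonaws.com.
ALLOWED_STS_HOSTS = {"sts.amazonaws.com"}
ALLOWED_STS_SUFFIX = ".amazonaws.com"


def naive_is_sts_endpoint(url: str) -> bool:
    """Weak check: looks at the raw string, so a query string, userinfo or a
    longer hostname containing the expected name all pass."""
    return url.startswith("https://") and "sts.amazonaws.com" in url


def strict_is_sts_endpoint(url: str) -> bool:
    """Hardened check: parse the URL and compare only the hostname.

    Anything after '?' becomes the query, anything before '@' becomes
    userinfo, and neither can influence the host that is compared.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname is None:
        return False
    # Reject userinfo and non-standard ports; the verifier should never
    # need them to reach AWS STS.
    if parts.username or parts.password or parts.port not in (None, 443):
        return False
    host = parts.hostname.lower()
    if host in ALLOWED_STS_HOSTS:
        return True
    # Regional endpoint: exactly four labels, first is "sts".
    labels = host.split(".")
    return (
        len(labels) == 4
        and labels[0] == "sts"
        and host.endswith(ALLOWED_STS_SUFFIX)
    )


def compare_checks(urls):
    """Return {url: (naive_verdict, strict_verdict)} for a batch of URLs."""
    return {u: (naive_is_sts_endpoint(u), strict_is_sts_endpoint(u)) for u in urls}


if __name__ == "__main__":
    # Constructed sample endpoints a client might submit for verification.
    samples = [
        "https://sts.amazonaws.com/?Action=GetCallerIdentity",
        "https://sts.us-east-1.amazonaws.com/?Action=GetCallerIdentity",
        "https://attacker.example/?host=sts.amazonaws.com",   # '?' trick
        "https://sts.amazonaws.com@attacker.example/",        # userinfo trick
        "https://sts.amazonaws.com.attacker.example/",        # prefix trick
        "http://sts.amazonaws.com/",                          # plaintext
    ]
    for url, (naive, strict) in compare_checks(samples).items():
        print(f"{url:60s} naive={naive!s:5s} strict={strict}")
```

The point of the comparison is that the weak check accepts three attacker-controlled hosts while rejecting a legitimate regional endpoint; the parsed-hostname check gets all six cases right. The same pattern applies to any verifier that forwards a signed request to a cloud identity service: decide the destination from a parsed hostname and a fixed allowlist, never from a substring match on the raw request.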

In the case of Vault, the vulnerabilities allowed MFA bypass, brute-force attacks that did not trigger a lockout, escalation to root access, and code execution on the server. The most serious of them received a CVSS score of 9.1. Both companies have already released patches, and users are advised to update immediately.

Secret managers like Vault and Conjur are the backbone of corporate security. But as the example from Black Hat shows, even the most secure systems remain vulnerable if they are not monitored. Cyata CEO Shahar Tal noted that compromising a vault is not just a leak, but a total disaster, after which all secrets in the organization will have to be changed.

  • Tal emphasizes that using vaults is only the first step, not a complete solution. Organizations should prepare for worst-case scenarios—have backup access schemes, multifactor authentication of user behavior, and “break the glass in case of an emergency” scenarios.


This incident is a stark warning: relying solely on a vault is not enough. And while most of the vulnerabilities have been patched, the fact that they existed for years in systems that should be flawless is a red flag. The next step should be to move to behavioral authorization models, where decisions are made not based on the fact of possession of a secret, but on the context and actions of the user. The future of cybersecurity is not in secrets, but in adaptive identity.
