CyberArk and HashiCorp flaws allow remote vault takeover without credentials

By user | August 9, 2025

Cybersecurity researchers have discovered more than 12 vulnerabilities in enterprise secure vaults from CyberArk and HashiCorp.

According to a report by identity security company Cyata, 14 vulnerabilities, collectively named Vault Faults, affect CyberArk Secrets Manager, Self-Hosted, and Conjur Open Source, and HashiCorp Vault. Following responsible disclosure in May 2025, the defects are addressed in the following versions –

These include authentication bypasses, impersonation, privilege escalation bugs, code execution pathways, and root token theft. The most serious of the issues allow remote code execution, letting attackers take over the vault under certain conditions without valid credentials –

  • CVE-2025-49827 (CVSS score: 9.1) – Bypass of the IAM authenticator in CyberArk Secrets Manager
  • CVE-2025-49831 (CVSS score: 9.1) – Bypass of the IAM authenticator in CyberArk Secrets Manager via a misconfigured network device
  • […] (CVSS score: 8.6) – […] CyberArk Secrets Manager
  • CVE-2025-6000 (CVSS score: 9.1) – Arbitrary remote code execution via abuse of the HashiCorp Vault plugin catalog

Additionally, vulnerabilities have been discovered in HashiCorp Vault's lockout protection logic, which is designed to throttle brute-force attempts. They allow attackers to use a timing-based side channel to infer which usernames are valid, and even to reset the lockout counter by changing the case of a known username (e.g., administrators).
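The case-change issue described above, as an added illustration (not Vault's code and not taken from the Cyata report): a simplified failed-login counter keyed on the raw username beside one keyed on a case-folded form, plus a helper that flags accounts seen under several spellings. The threshold, the account name and all function names are assumptions made for the example.

```python
from collections import Counter, defaultdict

MAX_FAILURES = 5  # assumed lockout threshold for this sketch

def raw_key(username: str) -> str:
    """Weak keying: the counter is indexed by the exact string the client sent."""
    return username

def canonical_key(username: str) -> str:
    """Hardened keying: fold case so every spelling of one account shares a counter.
    Assumes the backing directory compares usernames case-insensitively."""
    return username.casefold()

class LockoutTracker:
    def __init__(self, key_fn, max_failures: int = MAX_FAILURES):
        self.key_fn = key_fn  # decides what counts as "the same user"
        self.max_failures = max_failures
        self.failures = Counter()

    def is_locked(self, username: str) -> bool:
        return self.failures[self.key_fn(username)] >= self.max_failures

    def record_failure(self, username: str) -> None:
        self.failures[self.key_fn(username)] += 1

def guesses_reaching_backend(tracker: LockoutTracker, usernames) -> int:
    """Count failed logins that get as far as the credential check."""
    reached = 0
    for name in usernames:
        if tracker.is_locked(name):
            continue  # throttled before the password is ever compared
        reached += 1
        tracker.record_failure(name)  # every attempt in the sample is a wrong password
    return reached

def case_variant_accounts(usernames, min_spellings: int = 2) -> dict:
    """Detection aid: accounts whose failed logins arrive under several spellings."""
    spellings = defaultdict(set)
    for name in usernames:
        spellings[canonical_key(name)].add(name)
    return {k: sorted(v) for k, v in spellings.items() if len(v) >= min_spellings}

# Constructed sample: eight failed logins for one account, each cased differently.
ATTEMPTS = ["svc-backup", "Svc-backup", "sVc-backup", "SVc-backup",
            "svC-backup", "SvC-backup", "sVC-backup", "SVC-backup"]

if __name__ == "__main__":
    for fn in (raw_key, canonical_key):
        print(fn.__name__, guesses_reaching_backend(LockoutTracker(fn), ATTEMPTS))
```

With the raw key every attempt in the sample reaches the credential check; with the folded key the account locks after the fifth failure.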


Two other shortcomings identified by the Israeli company make it possible to weaken lockout enforcement and multi-factor authentication (MFA) controls when username_as_alias=true is set in the LDAP auth configuration and MFA enforcement is applied at the entity or IdentityGroup level.

In the attack chain detailed by the cybersecurity company, a certificate entity spoofing issue (CVE-2025-6037) can be combined with CVE-2025-5999 and CVE-2025-6000 to break the authentication layer, escalate privileges, and achieve code execution. CVE-2025-6037 and CVE-2025-6000 are said to have been around for more than 8 and 9 years, respectively.

Threat actors with this ability can further weaponize their access to delete the “Core/HSM/_Barrier-Unseal-Keys” file, effectively converting a security feature into a ransomware vector. Additionally, the control group functionality can be undermined to send HTTP requests and receive responses without being audited, creating a stealthy communication channel.

“This study shows how authentication, policy enforcement, and plugin execution can destroy everything through logic bugs without touching memory, causing crashes, or breaking ciphers.”

Similarly, the vulnerabilities discovered in CyberArk Secrets Manager/Conjur allow authentication bypass, privilege escalation, information disclosure, and arbitrary code execution, effectively opening the door to a scenario where attackers can build an exploit chain to obtain unauthorized access and execute arbitrary commands.

The attack sequence unfolds as follows:

  • IAM authentication bypass by forging a valid-looking GetCallerIdentity response
  • Authenticating as a policy resource
  • Abusing the Host Factory endpoint to create a new host that impersonates a valid policy template

“This exploit chain has moved from recognised access to full remote code execution without providing passwords, tokens or AWS credentials,” Porat said.

The disclosure comes as Cisco Talos detailed security flaws in Dell’s ControlVault3 firmware and related Windows APIs that could be abused by attackers to bypass Windows logins, extract encryption keys, and maintain access even after a new operating system is installed, by deploying undetectable malicious implants in the firmware.


Together, these vulnerabilities create a powerful remote post-compromise persistence method for hidden access to high-value environments. The identified vulnerabilities are:

  • CVE-2025-25050 (CVSS score: 8.8) – An out-of-bounds write vulnerability in the cv_upgrade_sensor_firmware functionality that could lead to an out-of-bounds write
  • CVE-2025-25215 (CVSS score: 8.8) – An arbitrary free vulnerability in the cv_close functionality that could lead to an arbitrary free
  • CVE-2025-24922 (CVSS score: 8.8) – A stack-based buffer overflow vulnerability in the SecureBio_Identify functionality that could lead to arbitrary code execution
  • […] (CVSS score: 8.4) – Reads CV_DBLOCKDATA vulnerability.
  • CVE-2025-24919 (CVSS score: 8.1) – A deserialization of untrusted input vulnerability in the CVHDecapsulateCMD functionality that could lead to arbitrary code execution

The vulnerabilities have been codenamed ReVault. More than 100 models of Dell laptops running Broadcom BCM5820X series chips are affected. There is no evidence that the vulnerabilities are being exploited in the wild.

The cybersecurity company also pointed out that a local attacker with physical access to a user’s laptop can pry it open and access the Unified Security Hub (USH) board, allowing the attacker to exploit any of the five vulnerabilities without logging in or possessing a full-disk encryption password.

“ReVault attack can be used as a post-conflict persistence technology that can remain for the entire Windows reinstall,” said Philippe Laulheret, a researcher at Cisco Talos. “ReVault attacks can also be used as a physical compromise for local users to bypass Windows logins or gain administrative/system privileges.”

To mitigate the risks posed by these flaws, users are encouraged to apply the fixes provided by Dell, disable the ControlVault service if peripherals such as fingerprint readers, smart card readers, or near-field communication (NFC) readers are not in use, and turn off fingerprint login in high-risk situations.

