CVE-2025-6000
published 2025-08-01
CVE-2025-6000: A privileged Vault operator within the root namespace with write permission to `sys/audit` may obtain code execution on the underlying host if a plugin…
Priority: P354
Severity: critical, 9.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.87% (54.4th percentile)
A privileged Vault operator within the root namespace with write permission to `sys/audit` may obtain code execution on the underlying host if a plugin directory is set in Vault’s configuration. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | hashicorp_vault | >= 0.8.0 < 1.20.1 | 1.20.1 |
| github.com | openbao_openbao | >= 0 < 0.0.0-20250806194004-a14053c9679d | 0.0.0-20250806194004-a14053c9679d |
| github.com | openbao_openbao | >= 0.1.0 < 2.3.2 | 2.3.2 |
| hashicorp | vault | — | — |
| hashicorp | vault | >= 0.8.0 < 1.16.23 | 1.16.23 |
| hashicorp | vault | >= 0.8.0 < 1.20.1 | 1.20.1 |
| hashicorp | vault | >= 1.17.0 < 1.18.12 | 1.18.12 |
| hashicorp | vault | >= 1.19.0 < 1.19.7 | 1.19.7 |
| hashicorp | vault_enterprise | >= 0.8.0 < 1.20.1 | 1.20.1 |
CVSS provenance
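| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| ghsa | — | 9.1 | CRITICAL | — |
| osv | — | 9.1 | CRITICAL | — |
| vendor_redhat | — | 9.1 | CRITICAL | — |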
OSV
Hashicorp Vault has Code Execution Vulnerability via Plugin Configuration in github.com/hashicorp/vault
osv·2025-08-11
CVE-2025-6000 Hashicorp Vault has Code Execution Vulnerability via Plugin Configuration in github.com/hashicorp/vault
GHSA
Privileged OpenBao Operator May Execute Code on the Underlying Host
ghsa·2025-08-08·CVSS 9.1
CVE-2025-54997 [CRITICAL] CWE-94 Privileged OpenBao Operator May Execute Code on the Underlying Host
### Impact
Under certain threat models, OpenBao operators with privileged API access may not be system administrators and thus normally lack the ability to update binaries or execute code on the system. Additionally, privileged API operators should be unable to perform TCP connections to arbitrary hosts in the environment OpenBao is executing within. The API-driven audit subsystem granted privileged API operators the ability to do both with an attacker-controlled log prefix. Access to these endpoints should be restricted.
### Patches
OpenBao v2.3.2 will patch this issue.
### Workarounds
Users may deny all access to the `sys/audit/*` interface (with `create` and `update`) permission via policies with explicit deny gra
OSV
Privileged OpenBao Operator May Execute Code on the Underlying Host
osv·2025-08-08·CVSS 9.1
CVE-2025-54997 [CRITICAL] Privileged OpenBao Operator May Execute Code on the Underlying Host
### Impact
Under certain threat models, OpenBao operators with privileged API access may not be system administrators and thus normally lack the ability to update binaries or execute code on the system. Additionally, privileged API operators should be unable to perform TCP connections to arbitrary hosts in the environment OpenBao is executing within. The API-driven audit subsystem granted privileged API operators the ability to do both with an attacker-controlled log prefix. Access to these endpoints should be restricted.
### Patches
OpenBao v2.3.2 will patch this issue.
### Workarounds
Users may deny all access to the `sys/audit/*` interface (with `create` and `update`) permission via policies with explicit deny gra
OSV
Hashicorp Vault has Code Execution Vulnerability via Plugin Configuration
osv·2025-08-01
CVE-2025-6000 [CRITICAL] Hashicorp Vault has Code Execution Vulnerability via Plugin Configuration
A privileged Vault operator within the root namespace with write permission to `sys/audit` may obtain code execution on the underlying host if a plugin directory is set in Vault’s configuration. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.
GHSA
Hashicorp Vault has Code Execution Vulnerability via Plugin Configuration
ghsa·2025-08-01
CVE-2025-6000 [CRITICAL] CWE-94 Hashicorp Vault has Code Execution Vulnerability via Plugin Configuration
A privileged Vault operator within the root namespace with write permission to `sys/audit` may obtain code execution on the underlying host if a plugin directory is set in Vault’s configuration. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.
Red Hat
github.com/hashicorp/vault: Vault Plugin Code Execution Vulnerability
vendor_redhat·2025-08-01·CVSS 9.1
CVE-2025-6000 [CRITICAL] CWE-94 github.com/hashicorp/vault: Vault Plugin Code Execution Vulnerability
A privileged Vault operator within the root namespace with write permission to `sys/audit` may obtain code execution on the underlying host if a plugin directory is set in Vault’s configuration. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.
A flaw was found in github.com/hashicorp/vault. This vulnerability allows a privileged Vault operator with write access to the `sys/audit` endpoint to achieve code execution on the host system if a plugin directory is configured. This issue arises from the operator's ability to write malicious code into the plugin directory. Exploitation occurs through the execution of malicious plugin code, allowing an attacker to gain unauthor
No detection rules found.
Exploit-DB
atjiu pybbs 6.0.0 - Cross Site Scripting (XSS)
exploitdb·2025-08-11·CVSS 4.8
CVE-2025-8550 [MEDIUM] atjiu pybbs 6.0.0 - Cross Site Scripting (XSS)
---
/*
* Exploit Title : atjiu pybbs 6.0.0 - Cross Site Scripting (XSS)
* Exploit Author: Byte Reaper
* Vendor Homepage: https://github.com/atjiu/pybbs
* Tested on: Kali Linux
* CVE: CVE-2025-8550
* ------------------------------------------------------------------------------------------------------------------------------------
*/
#include
#include
#include
#include
#include
#include "argparse.h"
#include
#include
#include
#include
#include
#define FULL_URL 3500
#define FULL_PAYLOAD_URL 9000
#define BUFFER_SIZE 6000
int selCookie = 0;
const char *cookies = NULL;
const char *baseurl = NULL;
const char *nameFileC= NULL;
int cookiesPayload = 0;
const char *ip = NULL;
int port = 0;
int verbose = 0;
int serchServer_alt()
{
printf("\e[0;35m==
Nuclei
Mitel 6000 - OS Command Injection
nuclei·CVSS 6.5
CVE-2025-47188 [MEDIUM] Mitel 6000 - OS Command Injection
A vulnerability in the Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones through 6.4 SP4 (R6.4.0.4006), and the 6970 Conference Unit through 6.4 SP4 (R6.4.0.4006) or version V1 R0.1.0, could allow an unauthenticated attacker to conduct a command injection attack due to insufficient parameter sanitization. This template should be run on port 49249/tcp.
Template:
```yaml
id: CVE-2025-47188

info:
  name: Mitel 6000 - OS Command Injection
  severity: critical
  author: matejsmycka
  description: |
    A vulnerability in the Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones through 6.4 SP4 (R6.4.0.4006), and the 6970 Conference Unit through 6.4 SP4 (R6.4.0.4006) or version V1 R0.1.0, could allow an unauthenticated attacker to conduct a command injection att
```
No writeups or analysis indexed.
Published: 2025-08-01