by: Jairo J. Rodriguez U. – Senior Cyber Security Engineer
Two of the most trusted names in secrets management—CyberArk and HashiCorp—are patching critical flaws that could have allowed attackers to take control of secure vault systems without ever presenting valid credentials.
Both vendors disclosed the vulnerabilities after coordinated reports from independent researchers who demonstrated that carefully crafted network requests could bypass authentication, retrieve secrets, and potentially modify vault configurations.
How the Weakness Worked
While the attack paths differ between the two products, the pattern is alarmingly similar:
- Abuse of unauthenticated API endpoints that weren’t meant to expose sensitive functions.
- Logic flaws in request handling that allowed partial requests to be treated as authenticated sessions.
- Insufficient isolation of internal management services, letting external traffic reach them under certain network conditions.
In the case of CyberArk’s Privileged Access Security (PAS) Vault, an attacker could use a malformed request to trigger a session initiation sequence without supplying a valid token. Once the system issued a temporary session ID, it could be used to read or overwrite stored secrets.
For HashiCorp Vault, the vulnerable scenario involved specific configurations of the raft storage backend and performance standby nodes. Requests sent in a precise sequence could trick the standby into believing it was talking to an authenticated leader node, granting full access to vault data.
Why This Is Serious
Vault products are designed to be the last line of defense. They often store:
- Database credentials
- Cloud access keys
- SSH private keys
- API tokens for critical automation
If an attacker compromises a vault, they effectively inherit the trust and reach of every system those credentials unlock. In many environments, that means complete infrastructure compromise in minutes.
Who’s at Risk
- CyberArk PAS Vault deployments exposed directly to the network, especially without additional web application firewall rules.
- HashiCorp Vault instances with publicly reachable standby nodes or incorrectly segmented management networks.
- Any environment where vault traffic is not wrapped in mutual TLS or VPN isolation.
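The last two risk factors above come down to how the listener is configured. For HashiCorp Vault, the contrast looks like this. This is an added illustration, not configuration taken from the post or from HashiCorp's documentation; the interface address and certificate paths are assumptions for a hypothetical deployment.

```hcl
# WEAK: binds every interface and turns TLS off, so any host that can route
# to this box reaches the API in the clear, with no client identity at all.
listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = true
}

# HARDENED: bind only the internal management interface (assumed 10.0.1.10),
# serve TLS, and require a client certificate signed by an internal CA, so
# traffic that is not wrapped in mutual TLS is rejected before it reaches a
# single API handler. File paths are assumptions.
listener "tcp" {
  address                            = "10.0.1.10:8200"
  cluster_address                    = "10.0.1.10:8201"
  tls_cert_file                      = "/etc/vault/tls/vault.crt"
  tls_key_file                       = "/etc/vault/tls/vault.key"
  tls_client_ca_file                 = "/etc/vault/tls/client-ca.crt"
  tls_require_and_verify_client_cert = true
  tls_min_version                    = "tls12"
}
```

The client-certificate requirement only governs the API port. The cluster port (8201 here) carries replication and standby traffic with Vault's own node-to-node TLS, and should be firewalled so that only the other Vault nodes can reach it; that is the "publicly reachable standby node" exposure the list above warns about.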
Fixes and Recommendations
Both vendors have released security updates:
- CyberArk: Apply the latest PAS Vault hotfix and ensure that all admin interfaces are isolated to internal-only networks.
- HashiCorp: Upgrade Vault to the patched version (latest LTS and stable releases) and review standby node exposure.
Immediate steps you should take:
- Patch or upgrade to the fixed versions immediately.
- Rotate all credentials and secrets stored in affected vaults. Rotation means changing the credential at the system that accepts it (the database, the cloud IAM principal, the SSH host), not just overwriting the vault entry; a secret that was already copied out keeps working until the downstream system stops honouring it.
- Review firewall rules—restrict vault services to trusted IP ranges or VPN-only access.
- If audit logging was already enabled, review the last 90 days for unusual API calls, unauthenticated requests to non-public paths, and session initiations (token issuance) from unexpected sources. If it was not enabled, turn it on now and treat the missing history as a finding in its own right, since you cannot rule out earlier access.
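The review in the last step is mechanical enough to script. Below is an added example, not code from the post or from HashiCorp, that triages HashiCorp Vault audit entries in the JSON-lines shape written by the file audit device (each entry carries `type`, `auth`, `request`, and for responses `response.auth` when a token was issued). The log lines are constructed for illustration, the trusted network range is an assumption for a hypothetical deployment, and since Vault HMACs tokens in the audit log the checks look only at whether a token is present, never at its value.

```python
"""Triage a Vault file-audit-device log for the patterns this post says to hunt:
unauthenticated calls to non-public paths, API traffic from outside the trusted
ranges, and token issuance (session initiation) that looks wrong.

Added example for illustration; not the post's or HashiCorp's code.
"""
import ipaddress
import json

# Assumption: only this range should ever reach the Vault API.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Paths Vault serves without a token by design; anything else without one is suspect.
PUBLIC_PATH_PREFIXES = ("sys/health", "sys/seal-status", "sys/init", "sys/leader")

# Constructed sample log (not real data). r4/r5 are the interesting ones.
SAMPLE_AUDIT_LOG = """\
{"time":"2025-08-01T09:00:01Z","type":"request","auth":{"client_token":"","accessor":""},"request":{"id":"r1","operation":"read","path":"sys/health","remote_address":"10.0.1.5","client_token":""}}
{"time":"2025-08-01T09:00:05Z","type":"request","auth":{"client_token":"","accessor":""},"request":{"id":"r2","operation":"update","path":"auth/approle/login","remote_address":"10.0.1.5","client_token":""}}
{"time":"2025-08-01T09:00:05Z","type":"response","auth":{"client_token":"hmac-sha256:aa","accessor":"hmac-sha256:a1","policies":["default","db-read"]},"request":{"id":"r2","operation":"update","path":"auth/approle/login","remote_address":"10.0.1.5","client_token":""},"response":{"auth":{"client_token":"hmac-sha256:aa","accessor":"hmac-sha256:a1","policies":["default","db-read"]}}}
{"time":"2025-08-01T09:01:10Z","type":"request","auth":{"client_token":"hmac-sha256:aa","accessor":"hmac-sha256:a1","policies":["default","db-read"]},"request":{"id":"r3","operation":"read","path":"secret/data/prod/db","remote_address":"10.0.1.5","client_token":"hmac-sha256:aa"}}
{"time":"2025-08-01T11:22:03Z","type":"request","auth":{"client_token":"","accessor":""},"request":{"id":"r4","operation":"read","path":"secret/data/prod/db","remote_address":"203.0.113.40","client_token":""}}
{"time":"2025-08-01T11:22:04Z","type":"request","auth":{"client_token":"","accessor":""},"request":{"id":"r5","operation":"update","path":"auth/userpass/login","remote_address":"203.0.113.40","client_token":""}}
{"time":"2025-08-01T11:22:04Z","type":"response","auth":{"client_token":"hmac-sha256:bb","accessor":"hmac-sha256:b1","policies":["root"]},"request":{"id":"r5","operation":"update","path":"auth/userpass/login","remote_address":"203.0.113.40","client_token":""},"response":{"auth":{"client_token":"hmac-sha256:bb","accessor":"hmac-sha256:b1","policies":["root"]}}}
not json at all
"""


def parse_audit_log(text):
    """Yield audit entries, skipping blank, truncated or non-JSON lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(entry, dict) and "request" in entry:
            yield entry


def is_public_path(path):
    return path.startswith(PUBLIC_PATH_PREFIXES)


def is_login_path(path):
    # auth/<mount>/login is where Vault is expected to mint tokens.
    return path.startswith("auth/") and path.endswith("/login")


def is_trusted(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # missing or garbled address counts as untrusted
    return any(ip in net for net in TRUSTED_NETWORKS)


def has_token(entry):
    req = entry.get("request") or {}
    auth = entry.get("auth") or {}
    return bool(req.get("client_token") or auth.get("client_token"))


def analyze(entries):
    """Return a list of finding dicts; each names the entry, path and source."""
    findings = []
    for e in entries:
        req = e.get("request") or {}
        path = req.get("path", "")
        src = req.get("remote_address", "")
        base = {"time": e.get("time"), "id": req.get("id"), "path": path, "source": src}
        if e.get("type") == "request":
            if not is_trusted(src):
                findings.append({**base, "kind": "untrusted_source"})
            if not has_token(e) and not is_public_path(path) and not is_login_path(path):
                findings.append({**base, "kind": "unauthenticated_sensitive_path"})
        elif e.get("type") == "response":
            issued = (e.get("response") or {}).get("auth") or {}
            if issued.get("client_token"):  # a session was initiated here
                reasons = []
                if not is_login_path(path):
                    reasons.append("token issued outside a login endpoint")
                if not is_trusted(src):
                    reasons.append("login from untrusted source")
                if "root" in issued.get("policies", []):
                    reasons.append("root policy granted")
                if reasons:
                    findings.append({**base, "kind": "suspicious_token_issuance", "reasons": reasons})
    return findings


def triage(text):
    return analyze(parse_audit_log(text))


if __name__ == "__main__":
    for finding in triage(SAMPLE_AUDIT_LOG):
        print(finding)
```

Run it against a real audit file with `triage(open(path).read())`. Expect noise on the first pass: adjust `PUBLIC_PATH_PREFIXES` and `TRUSTED_NETWORKS` to your environment, and treat a token issued on a path that is not a login endpoint, or a root-policy token from an address you do not recognise, as the items to chase first.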
Bigger Lesson
This incident reinforces that even the tools meant to protect secrets are not immune to vulnerabilities. Security teams often treat vault products as “set and forget” assets, but their high-value nature makes them prime targets for attackers. Regular patching, network isolation, and aggressive auditing are essential—not optional.
“Disclaimer: The views, opinions, and statements expressed in articles and content on this website are solely those of the author and do not reflect the official policy or position of GE Vernova, its affiliates, or its employees. This website is a personal project and is not endorsed by, affiliated with, or connected to GE Vernova in any formal or official capacity. All content is provided for informational and personal expression purposes only.”